Merge branch 'main' into reattach-pdf

packages/app-tests/e2e/pr-713-add-document-search-to-command-menu.spec.ts

@@ -15,7 +15,7 @@ test('[PR-713]: should see sent documents', async ({ page }) => {
 
   await page.keyboard.press('Meta+K');
 
-  await page.getByPlaceholder('Type a command or search...').fill('sent');
+  await page.getByPlaceholder('Type a command or search...').first().fill('sent');
   await expect(page.getByRole('option', { name: '[713] Document - Sent' })).toBeVisible();
 });
 
@@ -32,7 +32,7 @@ test('[PR-713]: should see received documents', async ({ page }) => {
 
   await page.keyboard.press('Meta+K');
 
-  await page.getByPlaceholder('Type a command or search...').fill('received');
+  await page.getByPlaceholder('Type a command or search...').first().fill('received');
   await expect(page.getByRole('option', { name: '[713] Document - Received' })).toBeVisible();
 });
 
@@ -49,6 +49,6 @@ test('[PR-713]: should be able to search by recipient', async ({ page }) => {
 
   await page.keyboard.press('Meta+K');
 
-  await page.getByPlaceholder('Type a command or search...').fill(recipient.email);
+  await page.getByPlaceholder('Type a command or search...').first().fill(recipient.email);
   await expect(page.getByRole('option', { name: '[713] Document - Sent' })).toBeVisible();
 });

packages/app-tests/e2e/test-auth-flow.spec.ts

@@ -1,20 +1,19 @@
 import { type Page, expect, test } from '@playwright/test';
 
-import { deleteUser } from '@documenso/lib/server-only/user/delete-user';
+import {
+  extractUserVerificationToken,
+  seedUser,
+  unseedUser,
+  unseedUserByEmail,
+} from '@documenso/prisma/seed/users';
 
 test.use({ storageState: { cookies: [], origins: [] } });
 
-/*
-  Using them sequentially so the 2nd test
-  uses the details from the 1st (registration) test
-*/
-test.describe.configure({ mode: 'serial' });
-
-const username = 'Test User';
-const email = 'test-user@auth-flow.documenso.com';
-const password = 'Password123#';
-
 test('user can sign up with email and password', async ({ page }: { page: Page }) => {
+  const username = 'Test User';
+  const email = `test-user-${Date.now()}@auth-flow.documenso.com`;
+  const password = 'Password123#';
+
   await page.goto('/signup');
   await page.getByLabel('Name').fill(username);
   await page.getByLabel('Email').fill(email);
@@ -31,25 +30,33 @@ test('user can sign up with email and password', async ({ page }: { page: Page }
   }
 
   await page.getByRole('button', { name: 'Sign Up', exact: true }).click();
+
+  await page.waitForURL('/unverified-account');
+
+  const { token } = await extractUserVerificationToken(email);
+
+  await page.goto(`/verify-email/${token}`);
+
+  await expect(page.getByRole('heading')).toContainText('Email Confirmed!');
+
+  await page.getByRole('link', { name: 'Go back home' }).click();
+
   await page.waitForURL('/documents');
 
   await expect(page).toHaveURL('/documents');
+  await unseedUserByEmail(email);
 });
 
 test('user can login with user and password', async ({ page }: { page: Page }) => {
+  const user = await seedUser();
+
   await page.goto('/signin');
-  await page.getByLabel('Email').fill(email);
-  await page.getByLabel('Password', { exact: true }).fill(password);
+  await page.getByLabel('Email').fill(user.email);
+  await page.getByLabel('Password', { exact: true }).fill('password');
   await page.getByRole('button', { name: 'Sign In' }).click();
 
   await page.waitForURL('/documents');
   await expect(page).toHaveURL('/documents');
-});
 
-test.afterAll('Teardown', async () => {
-  try {
-    await deleteUser({ email });
-  } catch (e) {
-    throw new Error(`Error deleting user: ${e}`);
-  }
+  await unseedUser(user.id);
 });

packages/ee/server-only/limits/client.ts

@@ -12,7 +12,7 @@ export type GetLimitsOptions = {
 export const getLimits = async ({ headers, teamId }: GetLimitsOptions = {}) => {
   const requestHeaders = headers ?? {};
 
-  const url = new URL(`${APP_BASE_URL}/api/limits`);
+  const url = new URL('/api/limits', APP_BASE_URL() ?? 'http://localhost:3000');
 
   if (teamId) {
     requestHeaders['team-id'] = teamId.toString();

packages/ee/server-only/limits/server.ts

@@ -1,11 +1,10 @@
 import { DateTime } from 'luxon';
 
 import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
-import { STRIPE_PLAN_TYPE } from '@documenso/lib/constants/billing';
 import { prisma } from '@documenso/prisma';
 import { SubscriptionStatus } from '@documenso/prisma/client';
 
-import { getPricesByPlan } from '../stripe/get-prices-by-plan';
+import { getDocumentRelatedPrices } from '../stripe/get-document-related-prices.ts';
 import { FREE_PLAN_LIMITS, SELFHOSTED_PLAN_LIMITS, TEAM_PLAN_LIMITS } from './constants';
 import { ERROR_CODES } from './errors';
 import { ZLimitsSchema } from './schema';
@@ -16,7 +15,7 @@ export type GetServerLimitsOptions = {
 };
 
 export const getServerLimits = async ({ email, teamId }: GetServerLimitsOptions) => {
-  if (!IS_BILLING_ENABLED) {
+  if (!IS_BILLING_ENABLED()) {
     return {
       quota: SELFHOSTED_PLAN_LIMITS,
       remaining: SELFHOSTED_PLAN_LIMITS,
@@ -56,10 +55,11 @@ const handleUserLimits = async ({ email }: HandleUserLimitsOptions) => {
   );
 
   if (activeSubscriptions.length > 0) {
-    const communityPlanPrices = await getPricesByPlan(STRIPE_PLAN_TYPE.COMMUNITY);
+    const documentPlanPrices = await getDocumentRelatedPrices();
 
     for (const subscription of activeSubscriptions) {
-      const price = communityPlanPrices.find((price) => price.id === subscription.priceId);
+      const price = documentPlanPrices.find((price) => price.id === subscription.priceId);
+
       if (!price || typeof price.product === 'string' || price.product.deleted) {
         continue;
       }

packages/ee/server-only/stripe/get-document-related-prices.ts.ts

@@ -0,0 +1,10 @@
+import { STRIPE_PLAN_TYPE } from '@documenso/lib/constants/billing';
+
+import { getPricesByPlan } from './get-prices-by-plan';
+
+/**
+ * Returns the Stripe prices of items that affect the amount of documents a user can create.
+ */
+export const getDocumentRelatedPrices = async () => {
+  return await getPricesByPlan([STRIPE_PLAN_TYPE.COMMUNITY, STRIPE_PLAN_TYPE.ENTERPRISE]);
+};

packages/ee/server-only/stripe/get-enterprise-plan-prices.ts

@@ -0,0 +1,13 @@
+import { STRIPE_PLAN_TYPE } from '@documenso/lib/constants/billing';
+
+import { getPricesByPlan } from './get-prices-by-plan';
+
+export const getEnterprisePlanPrices = async () => {
+  return await getPricesByPlan(STRIPE_PLAN_TYPE.ENTERPRISE);
+};
+
+export const getEnterprisePlanPriceIds = async () => {
+  const prices = await getEnterprisePlanPrices();
+
+  return prices.map((price) => price.id);
+};

packages/ee/server-only/stripe/get-prices-by-plan.ts

@@ -1,14 +1,18 @@
 import type { STRIPE_PLAN_TYPE } from '@documenso/lib/constants/billing';
 import { stripe } from '@documenso/lib/server-only/stripe';
 
-export const getPricesByPlan = async (
-  plan: (typeof STRIPE_PLAN_TYPE)[keyof typeof STRIPE_PLAN_TYPE],
-) => {
+type PlanType = (typeof STRIPE_PLAN_TYPE)[keyof typeof STRIPE_PLAN_TYPE];
+
+export const getPricesByPlan = async (plan: PlanType | PlanType[]) => {
+  const planTypes = typeof plan === 'string' ? [plan] : plan;
+
+  const query = planTypes.map((planType) => `metadata['plan']:'${planType}'`).join(' OR ');
+
   const { data: prices } = await stripe.prices.search({
-    query: `metadata['plan']:'${plan}' type:'recurring'`,
+    query,
     expand: ['data.product'],
     limit: 100,
   });
 
-  return prices;
+  return prices.filter((price) => price.type === 'recurring');
 };

packages/ee/server-only/stripe/get-primary-account-plan-prices.ts

@@ -0,0 +1,10 @@
+import { STRIPE_PLAN_TYPE } from '@documenso/lib/constants/billing';
+
+import { getPricesByPlan } from './get-prices-by-plan';
+
+/**
+ * Returns the prices of items that count as the account's primary plan.
+ */
+export const getPrimaryAccountPlanPrices = async () => {
+  return await getPricesByPlan([STRIPE_PLAN_TYPE.COMMUNITY, STRIPE_PLAN_TYPE.ENTERPRISE]);
+};

packages/ee/server-only/stripe/get-team-related-prices.ts

@@ -0,0 +1,17 @@
+import { STRIPE_PLAN_TYPE } from '@documenso/lib/constants/billing';
+
+import { getPricesByPlan } from './get-prices-by-plan';
+
+/**
+ * Returns the Stripe prices of items that affect the amount of teams a user can create.
+ */
+export const getTeamRelatedPrices = async () => {
+  return await getPricesByPlan([STRIPE_PLAN_TYPE.COMMUNITY, STRIPE_PLAN_TYPE.ENTERPRISE]);
+};
+
+/**
+ * Returns the Stripe price IDs of items that affect the amount of teams a user can create.
+ */
+export const getTeamRelatedPriceIds = async () => {
+  return await getTeamRelatedPrices().then((prices) => prices.map((price) => price.id));
+};

packages/ee/server-only/stripe/transfer-team-subscription.ts

@@ -2,13 +2,13 @@ import type Stripe from 'stripe';
 
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { stripe } from '@documenso/lib/server-only/stripe';
-import { subscriptionsContainsActiveCommunityPlan } from '@documenso/lib/utils/billing';
+import { subscriptionsContainsActivePlan } from '@documenso/lib/utils/billing';
 import { prisma } from '@documenso/prisma';
 import { type Subscription, type Team, type User } from '@documenso/prisma/client';
 
 import { deleteCustomerPaymentMethods } from './delete-customer-payment-methods';
-import { getCommunityPlanPriceIds } from './get-community-plan-prices';
 import { getTeamPrices } from './get-team-prices';
+import { getTeamRelatedPriceIds } from './get-team-related-prices';
 
 type TransferStripeSubscriptionOptions = {
   /**
@@ -46,14 +46,14 @@ export const transferTeamSubscription = async ({
     throw new AppError(AppErrorCode.NOT_FOUND, 'Missing customer ID.');
   }
 
-  const [communityPlanIds, teamSeatPrices] = await Promise.all([
-    getCommunityPlanPriceIds(),
+  const [teamRelatedPlanPriceIds, teamSeatPrices] = await Promise.all([
+    getTeamRelatedPriceIds(),
     getTeamPrices(),
   ]);
 
-  const teamSubscriptionRequired = !subscriptionsContainsActiveCommunityPlan(
+  const teamSubscriptionRequired = !subscriptionsContainsActivePlan(
     user.Subscription,
-    communityPlanIds,
+    teamRelatedPlanPriceIds,
   );
 
   let teamSubscription: Stripe.Subscription | null = null;

packages/email/template-components/template-document-self-signed.tsx

@@ -1,3 +1,5 @@
+import { env } from 'next-runtime-env';
+
 import { Button, Column, Img, Link, Section, Text } from '../components';
 import { TemplateDocumentImage } from './template-document-image';
 
@@ -10,7 +12,9 @@ export const TemplateDocumentSelfSigned = ({
   documentName,
   assetBaseUrl,
 }: TemplateDocumentSelfSignedProps) => {
-  const signUpUrl = `${process.env.NEXT_PUBLIC_WEBAPP_URL ?? 'http://localhost:3000'}/signup`;
+  const NEXT_PUBLIC_WEBAPP_URL = env('NEXT_PUBLIC_WEBAPP_URL');
+
+  const signUpUrl = `${NEXT_PUBLIC_WEBAPP_URL ?? 'http://localhost:3000'}/signup`;
 
   const getAssetUrl = (path: string) => {
     return new URL(path, assetBaseUrl).toString();

packages/email/template-components/template-reset-password.tsx

@@ -1,3 +1,5 @@
+import { env } from 'next-runtime-env';
+
 import { Button, Section, Text } from '../components';
 import { TemplateDocumentImage } from './template-document-image';
 
@@ -8,6 +10,8 @@ export interface TemplateResetPasswordProps {
 }
 
 export const TemplateResetPassword = ({ assetBaseUrl }: TemplateResetPasswordProps) => {
+  const NEXT_PUBLIC_WEBAPP_URL = env('NEXT_PUBLIC_WEBAPP_URL');
+
   return (
     <>
       <TemplateDocumentImage className="mt-6" assetBaseUrl={assetBaseUrl} />
@@ -24,7 +28,7 @@ export const TemplateResetPassword = ({ assetBaseUrl }: TemplateResetPasswordPro
         <Section className="mb-6 mt-8 text-center">
           <Button
             className="bg-documenso-500 inline-flex items-center justify-center rounded-lg px-6 py-3 text-center text-sm font-medium text-black no-underline"
-            href={`${process.env.NEXT_PUBLIC_WEBAPP_URL ?? 'http://localhost:3000'}/signin`}
+            href={`${NEXT_PUBLIC_WEBAPP_URL ?? 'http://localhost:3000'}/signin`}
           >
             Sign In
           </Button>

packages/lib/client-only/download-file.ts

@@ -0,0 +1,19 @@
+export type DownloadFileOptions = {
+  filename: string;
+  data: Blob;
+};
+
+export const downloadFile = ({ filename, data }: DownloadFileOptions) => {
+  if (typeof window === 'undefined') {
+    throw new Error('downloadFile can only be called in browser environments');
+  }
+
+  const link = window.document.createElement('a');
+
+  link.href = window.URL.createObjectURL(data);
+  link.download = filename;
+
+  link.click();
+
+  window.URL.revokeObjectURL(link.href);
+};

packages/lib/client-only/download-pdf.ts

@@ -1,6 +1,7 @@
 import type { DocumentData } from '@documenso/prisma/client';
 
 import { getFile } from '../universal/upload/get-file';
+import { downloadFile } from './download-file';
 
 type DownloadPDFProps = {
   documentData: DocumentData;
@@ -14,16 +15,12 @@ export const downloadPDF = async ({ documentData, fileName }: DownloadPDFProps)
     type: 'application/pdf',
   });
 
-  const link = window.document.createElement('a');
-
   const [baseTitle] = fileName?.includes('.pdf')
     ? fileName.split('.pdf')
     : [fileName ?? 'document'];
 
-  link.href = window.URL.createObjectURL(blob);
-  link.download = `${baseTitle}_signed.pdf`;
-
-  link.click();
-
-  window.URL.revokeObjectURL(link.href);
+  downloadFile({
+    filename: baseTitle,
+    data: blob,
+  });
 };

packages/lib/client-only/hooks/use-effect-once.ts

@@ -0,0 +1,13 @@
+import type { EffectCallback } from 'react';
+import { useEffect } from 'react';
+
+/**
+ * Dangerously runs an effect "once" by ignoring the depedencies of a given effect.
+ *
+ * DANGER: The effect will run twice in concurrent react and development environments.
+ */
+export const unsafe_useEffectOnce = (callback: EffectCallback) => {
+  // Intentionally avoiding exhaustive deps and rule of hooks here
+  // eslint-disable-next-line react-hooks/exhaustive-deps, react-hooks/rules-of-hooks
+  return useEffect(callback, []);
+};

packages/lib/constants/app.ts

@@ -1,16 +1,19 @@
-export const IS_APP_MARKETING = process.env.NEXT_PUBLIC_PROJECT === 'marketing';
-export const IS_APP_WEB = process.env.NEXT_PUBLIC_PROJECT === 'web';
-export const IS_BILLING_ENABLED = process.env.NEXT_PUBLIC_FEATURE_BILLING_ENABLED === 'true';
+import { env } from 'next-runtime-env';
 
 export const APP_DOCUMENT_UPLOAD_SIZE_LIMIT =
   Number(process.env.NEXT_PUBLIC_DOCUMENT_SIZE_UPLOAD_LIMIT) || 50;
 
-export const APP_FOLDER = IS_APP_MARKETING ? 'marketing' : 'web';
+export const NEXT_PUBLIC_WEBAPP_URL = () => env('NEXT_PUBLIC_WEBAPP_URL');
+export const NEXT_PUBLIC_MARKETING_URL = () => env('NEXT_PUBLIC_MARKETING_URL');
 
-export const APP_BASE_URL = IS_APP_WEB
-  ? process.env.NEXT_PUBLIC_WEBAPP_URL
-  : process.env.NEXT_PUBLIC_MARKETING_URL;
+export const IS_APP_MARKETING = process.env.NEXT_PUBLIC_PROJECT === 'marketing';
+export const IS_APP_WEB = process.env.NEXT_PUBLIC_PROJECT === 'web';
+export const IS_BILLING_ENABLED = () => env('NEXT_PUBLIC_FEATURE_BILLING_ENABLED') === 'true';
 
-export const WEBAPP_BASE_URL = process.env.NEXT_PUBLIC_WEBAPP_URL ?? 'http://localhost:3000';
+export const APP_FOLDER = () => (IS_APP_MARKETING ? 'marketing' : 'web');
 
-export const MARKETING_BASE_URL = process.env.NEXT_PUBLIC_MARKETING_URL ?? 'http://localhost:3001';
+export const APP_BASE_URL = () =>
+  IS_APP_WEB ? NEXT_PUBLIC_WEBAPP_URL() : NEXT_PUBLIC_MARKETING_URL();
+
+export const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL() ?? 'http://localhost:3000';
+export const MARKETING_BASE_URL = NEXT_PUBLIC_MARKETING_URL() ?? 'http://localhost:3001';

packages/lib/constants/billing.ts

@@ -6,6 +6,5 @@ export enum STRIPE_CUSTOMER_TYPE {
 export enum STRIPE_PLAN_TYPE {
   TEAM = 'team',
   COMMUNITY = 'community',
+  ENTERPRISE = 'enterprise',
 }
-
-export const TEAM_BILLING_DOMAIN = 'billing.team.documenso.com';

packages/lib/constants/document-audit-logs.ts

@@ -0,0 +1,19 @@
+import { DOCUMENT_EMAIL_TYPE } from '../types/document-audit-logs';
+
+export const DOCUMENT_AUDIT_LOG_EMAIL_FORMAT = {
+  [DOCUMENT_EMAIL_TYPE.SIGNING_REQUEST]: {
+    description: 'Signing request',
+  },
+  [DOCUMENT_EMAIL_TYPE.VIEW_REQUEST]: {
+    description: 'Viewing request',
+  },
+  [DOCUMENT_EMAIL_TYPE.APPROVE_REQUEST]: {
+    description: 'Approval request',
+  },
+  [DOCUMENT_EMAIL_TYPE.CC]: {
+    description: 'CC',
+  },
+  [DOCUMENT_EMAIL_TYPE.DOCUMENT_COMPLETED]: {
+    description: 'Document completed',
+  },
+} satisfies Record<keyof typeof DOCUMENT_EMAIL_TYPE, unknown>;

packages/lib/constants/feature-flags.ts

@@ -1,5 +1,10 @@
+import { env } from 'next-runtime-env';
+
 import { APP_BASE_URL } from './app';
 
+const NEXT_PUBLIC_FEATURE_BILLING_ENABLED = () => env('NEXT_PUBLIC_FEATURE_BILLING_ENABLED');
+const NEXT_PUBLIC_POSTHOG_KEY = () => env('NEXT_PUBLIC_POSTHOG_KEY');
+
 /**
  * The flag name for global session recording feature flag.
  */
@@ -16,8 +21,9 @@ export const FEATURE_FLAG_POLL_INTERVAL = 30000;
  * Does not take any person or group properties into account.
  */
 export const LOCAL_FEATURE_FLAGS: Record<string, boolean> = {
-  app_billing: process.env.NEXT_PUBLIC_FEATURE_BILLING_ENABLED === 'true',
+  app_billing: NEXT_PUBLIC_FEATURE_BILLING_ENABLED() === 'true',
   app_teams: true,
+  app_document_page_view_history_sheet: false,
   marketing_header_single_player_mode: false,
 } as const;
 
@@ -25,8 +31,8 @@ export const LOCAL_FEATURE_FLAGS: Record<string, boolean> = {
  * Extract the PostHog configuration from the environment.
  */
 export function extractPostHogConfig(): { key: string; host: string } | null {
-  const postHogKey = process.env.NEXT_PUBLIC_POSTHOG_KEY;
-  const postHogHost = `${APP_BASE_URL}/ingest`;
+  const postHogKey = NEXT_PUBLIC_POSTHOG_KEY();
+  const postHogHost = `${APP_BASE_URL()}/ingest`;
 
   if (!postHogKey || !postHogHost) {
     return null;

packages/lib/constants/pdf.ts

@@ -6,4 +6,4 @@ export const DEFAULT_HANDWRITING_FONT_SIZE = 50;
 export const MIN_STANDARD_FONT_SIZE = 8;
 export const MIN_HANDWRITING_FONT_SIZE = 20;
 
-export const CAVEAT_FONT_PATH = `${APP_BASE_URL}/fonts/caveat.ttf`;
+export const CAVEAT_FONT_PATH = () => `${APP_BASE_URL()}/fonts/caveat.ttf`;

packages/lib/constants/recipient-roles.ts

@@ -1,26 +1,34 @@
 import { RecipientRole } from '@documenso/prisma/client';
 
-export const RECIPIENT_ROLES_DESCRIPTION: {
-  [key in RecipientRole]: { actionVerb: string; progressiveVerb: string; roleName: string };
-} = {
+export const RECIPIENT_ROLES_DESCRIPTION = {
   [RecipientRole.APPROVER]: {
     actionVerb: 'Approve',
+    actioned: 'Approved',
     progressiveVerb: 'Approving',
     roleName: 'Approver',
   },
   [RecipientRole.CC]: {
     actionVerb: 'CC',
+    actioned: `CC'd`,
     progressiveVerb: 'CC',
-    roleName: 'CC',
+    roleName: 'Cc',
   },
   [RecipientRole.SIGNER]: {
     actionVerb: 'Sign',
+    actioned: 'Signed',
     progressiveVerb: 'Signing',
     roleName: 'Signer',
   },
   [RecipientRole.VIEWER]: {
     actionVerb: 'View',
+    actioned: 'Viewed',
     progressiveVerb: 'Viewing',
     roleName: 'Viewer',
   },
-};
+} satisfies Record<keyof typeof RecipientRole, unknown>;
+
+export const RECIPIENT_ROLE_TO_EMAIL_TYPE = {
+  [RecipientRole.SIGNER]: 'SIGNING_REQUEST',
+  [RecipientRole.VIEWER]: 'VIEW_REQUEST',
+  [RecipientRole.APPROVER]: 'APPROVE_REQUEST',
+} as const;

packages/lib/next-auth/auth-options.ts

@@ -7,13 +7,16 @@ import type { JWT } from 'next-auth/jwt';
 import CredentialsProvider from 'next-auth/providers/credentials';
 import type { GoogleProfile } from 'next-auth/providers/google';
 import GoogleProvider from 'next-auth/providers/google';
+import { env } from 'next-runtime-env';
 
 import { prisma } from '@documenso/prisma';
 import { IdentityProvider, UserSecurityAuditLogType } from '@documenso/prisma/client';
 
 import { isTwoFactorAuthenticationEnabled } from '../server-only/2fa/is-2fa-availble';
 import { validateTwoFactorAuthentication } from '../server-only/2fa/validate-2fa';
+import { getMostRecentVerificationTokenByUserId } from '../server-only/user/get-most-recent-verification-token-by-user-id';
 import { getUserByEmail } from '../server-only/user/get-user-by-email';
+import { sendConfirmationToken } from '../server-only/user/send-confirmation-token';
 import { extractNextAuthRequestMetadata } from '../universal/extract-request-metadata';
 import { ErrorCode } from './error-codes';
 
@@ -90,6 +93,22 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
           }
         }
 
+        if (!user.emailVerified) {
+          const mostRecentToken = await getMostRecentVerificationTokenByUserId({
+            userId: user.id,
+          });
+
+          if (
+            !mostRecentToken ||
+            mostRecentToken.expires.valueOf() <= Date.now() ||
+            DateTime.fromJSDate(mostRecentToken.createdAt).diffNow('minutes').minutes > -5
+          ) {
+            await sendConfirmationToken({ email });
+          }
+
+          throw new Error(ErrorCode.UNVERIFIED_EMAIL);
+        }
+
         return {
           id: Number(user.id),
           email: user.email,
@@ -203,7 +222,7 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
     async signIn({ user }) {
       // We do this to stop OAuth providers from creating an account
       // when signups are disabled
-      if (process.env.NEXT_PUBLIC_DISABLE_SIGNUP === 'true') {
+      if (env('NEXT_PUBLIC_DISABLE_SIGNUP') === 'true') {
         const userData = await getUserByEmail({ email: user.email! });
 
         return !!userData;

packages/lib/next-auth/error-codes.ts

@@ -19,4 +19,5 @@ export const ErrorCode = {
   INCORRECT_PASSWORD: 'INCORRECT_PASSWORD',
   MISSING_ENCRYPTION_KEY: 'MISSING_ENCRYPTION_KEY',
   MISSING_BACKUP_CODE: 'MISSING_BACKUP_CODE',
+  UNVERIFIED_EMAIL: 'UNVERIFIED_EMAIL',
 } as const;

packages/lib/server-only/2fa/setup-2fa.ts

@@ -43,7 +43,7 @@ export const setupTwoFactorAuthentication = async ({
 
   const secret = crypto.randomBytes(10);
 
-  const backupCodes = new Array(10)
+  const backupCodes = Array.from({ length: 10 })
     .fill(null)
     .map(() => crypto.randomBytes(5).toString('hex'))
     .map((code) => `${code.slice(0, 5)}-${code.slice(5)}`.toUpperCase());

packages/lib/server-only/auth/send-confirmation-email.ts

@@ -5,11 +5,16 @@ import { render } from '@documenso/email/render';
 import { ConfirmEmailTemplate } from '@documenso/email/templates/confirm-email';
 import { prisma } from '@documenso/prisma';
 
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+
 export interface SendConfirmationEmailProps {
   userId: number;
 }
 
 export const sendConfirmationEmail = async ({ userId }: SendConfirmationEmailProps) => {
+  const NEXT_PRIVATE_SMTP_FROM_NAME = process.env.NEXT_PRIVATE_SMTP_FROM_NAME;
+  const NEXT_PRIVATE_SMTP_FROM_ADDRESS = process.env.NEXT_PRIVATE_SMTP_FROM_ADDRESS;
+
   const user = await prisma.user.findFirstOrThrow({
     where: {
       id: userId,
@@ -30,10 +35,10 @@ export const sendConfirmationEmail = async ({ userId }: SendConfirmationEmailPro
     throw new Error('Verification token not found for the user');
   }
 
-  const assetBaseUrl = process.env.NEXT_PUBLIC_WEBAPP_URL || 'http://localhost:3000';
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
   const confirmationLink = `${assetBaseUrl}/verify-email/${verificationToken.token}`;
-  const senderName = process.env.NEXT_PRIVATE_SMTP_FROM_NAME || 'Documenso';
-  const senderAdress = process.env.NEXT_PRIVATE_SMTP_FROM_ADDRESS || 'noreply@documenso.com';
+  const senderName = NEXT_PRIVATE_SMTP_FROM_NAME || 'Documenso';
+  const senderAdress = NEXT_PRIVATE_SMTP_FROM_ADDRESS || 'noreply@documenso.com';
 
   const confirmationTemplate = createElement(ConfirmEmailTemplate, {
     assetBaseUrl,

packages/lib/server-only/auth/send-forgot-password.ts

@@ -5,6 +5,8 @@ import { render } from '@documenso/email/render';
 import { ForgotPasswordTemplate } from '@documenso/email/templates/forgot-password';
 import { prisma } from '@documenso/prisma';
 
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+
 export interface SendForgotPasswordOptions {
   userId: number;
 }
@@ -29,8 +31,8 @@ export const sendForgotPassword = async ({ userId }: SendForgotPasswordOptions)
   }
 
   const token = user.PasswordResetToken[0].token;
-  const assetBaseUrl = process.env.NEXT_PUBLIC_WEBAPP_URL || 'http://localhost:3000';
-  const resetPasswordLink = `${process.env.NEXT_PUBLIC_WEBAPP_URL}/reset-password/${token}`;
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+  const resetPasswordLink = `${NEXT_PUBLIC_WEBAPP_URL()}/reset-password/${token}`;
 
   const template = createElement(ForgotPasswordTemplate, {
     assetBaseUrl,

packages/lib/server-only/auth/send-reset-password.ts

@@ -5,6 +5,8 @@ import { render } from '@documenso/email/render';
 import { ResetPasswordTemplate } from '@documenso/email/templates/reset-password';
 import { prisma } from '@documenso/prisma';
 
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+
 export interface SendResetPasswordOptions {
   userId: number;
 }
@@ -16,7 +18,7 @@ export const sendResetPassword = async ({ userId }: SendResetPasswordOptions) =>
     },
   });
 
-  const assetBaseUrl = process.env.NEXT_PUBLIC_WEBAPP_URL || 'http://localhost:3000';
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
 
   const template = createElement(ResetPasswordTemplate, {
     assetBaseUrl,

packages/lib/server-only/document-data/create-document-data.ts

@@ -1,7 +1,7 @@
 'use server';
 
 import { prisma } from '@documenso/prisma';
-import { DocumentDataType } from '@documenso/prisma/client';
+import type { DocumentDataType } from '@documenso/prisma/client';
 
 export type CreateDocumentDataOptions = {
   type: DocumentDataType;

packages/lib/server-only/document-meta/upsert-document-meta.ts

@@ -1,5 +1,11 @@
 'use server';
 
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import {
+  createDocumentAuditLogData,
+  diffDocumentMetaChanges,
+} from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 
 export type CreateDocumentMetaOptions = {
@@ -11,6 +17,7 @@ export type CreateDocumentMetaOptions = {
   dateFormat?: string;
   redirectUrl?: string;
   userId: number;
+  requestMetadata: RequestMetadata;
 };
 
 export const upsertDocumentMeta = async ({
@@ -19,50 +26,85 @@ export const upsertDocumentMeta = async ({
   timezone,
   dateFormat,
   documentId,
-  userId,
   password,
+  userId,
   redirectUrl,
+  requestMetadata,
 }: CreateDocumentMetaOptions) => {
-  await prisma.document.findFirstOrThrow({
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+    select: {
+      id: true,
+      email: true,
+      name: true,
+    },
+  });
+
+  const { documentMeta: originalDocumentMeta } = await prisma.document.findFirstOrThrow({
     where: {
       id: documentId,
       OR: [
         {
-          userId,
+          userId: user.id,
         },
         {
           team: {
             members: {
               some: {
-                userId,
+                userId: user.id,
               },
             },
           },
         },
       ],
     },
+    include: {
+      documentMeta: true,
+    },
   });
 
-  return await prisma.documentMeta.upsert({
-    where: {
-      documentId,
-    },
-    create: {
-      subject,
-      message,
-      password,
-      dateFormat,
-      timezone,
-      documentId,
-      redirectUrl,
-    },
-    update: {
-      subject,
-      message,
-      password,
-      dateFormat,
-      timezone,
-      redirectUrl,
-    },
+  return await prisma.$transaction(async (tx) => {
+    const upsertedDocumentMeta = await tx.documentMeta.upsert({
+      where: {
+        documentId,
+      },
+      create: {
+        subject,
+        message,
+        password,
+        dateFormat,
+        timezone,
+        documentId,
+        redirectUrl,
+      },
+      update: {
+        subject,
+        message,
+        password,
+        dateFormat,
+        timezone,
+        redirectUrl,
+      },
+    });
+
+    const changes = diffDocumentMetaChanges(originalDocumentMeta ?? {}, upsertedDocumentMeta);
+
+    if (changes.length > 0) {
+      await tx.documentAuditLog.create({
+        data: createDocumentAuditLogData({
+          type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_META_UPDATED,
+          documentId,
+          user,
+          requestMetadata,
+          data: {
+            changes: diffDocumentMetaChanges(originalDocumentMeta ?? {}, upsertedDocumentMeta),
+          },
+        }),
+      });
+    }
+
+    return upsertedDocumentMeta;
   });
 };

packages/lib/server-only/document/complete-document-with-token.ts

@@ -1,5 +1,8 @@
 'use server';
 
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, SigningStatus } from '@documenso/prisma/client';
 
@@ -9,11 +12,13 @@ import { sendPendingEmail } from './send-pending-email';
 export type CompleteDocumentWithTokenOptions = {
   token: string;
   documentId: number;
+  requestMetadata?: RequestMetadata;
 };
 
 export const completeDocumentWithToken = async ({
   token,
   documentId,
+  requestMetadata,
 }: CompleteDocumentWithTokenOptions) => {
   'use server';
 
@@ -70,6 +75,24 @@ export const completeDocumentWithToken = async ({
     },
   });
 
+  await prisma.documentAuditLog.create({
+    data: createDocumentAuditLogData({
+      type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_COMPLETED,
+      documentId: document.id,
+      user: {
+        name: recipient.name,
+        email: recipient.email,
+      },
+      requestMetadata,
+      data: {
+        recipientEmail: recipient.email,
+        recipientName: recipient.name,
+        recipientId: recipient.id,
+        recipientRole: recipient.role,
+      },
+    }),
+  });
+
   const pendingRecipients = await prisma.recipient.count({
     where: {
       documentId: document.id,
@@ -99,6 +122,6 @@ export const completeDocumentWithToken = async ({
   });
 
   if (documents.count > 0) {
-    await sealDocument({ documentId: document.id });
+    await sealDocument({ documentId: document.id, requestMetadata });
   }
 };

packages/lib/server-only/document/create-document.ts

@@ -1,5 +1,9 @@
 'use server';
 
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 
 export type CreateDocumentOptions = {
@@ -7,6 +11,7 @@ export type CreateDocumentOptions = {
   userId: number;
   teamId?: number;
   documentDataId: string;
+  requestMetadata?: RequestMetadata;
 };
 
 export const createDocument = async ({
@@ -14,22 +19,30 @@ export const createDocument = async ({
   title,
   documentDataId,
   teamId,
+  requestMetadata,
 }: CreateDocumentOptions) => {
-  return await prisma.$transaction(async (tx) => {
-    if (teamId !== undefined) {
-      await tx.team.findFirstOrThrow({
-        where: {
-          id: teamId,
-          members: {
-            some: {
-              userId,
-            },
-          },
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+    include: {
+      teamMembers: {
+        select: {
+          teamId: true,
         },
-      });
-    }
+      },
+    },
+  });
 
-    return await tx.document.create({
+  if (
+    teamId !== undefined &&
+    !user.teamMembers.some((teamMember) => teamMember.teamId === teamId)
+  ) {
+    throw new AppError(AppErrorCode.NOT_FOUND, 'Team not found');
+  }
+
+  return await prisma.$transaction(async (tx) => {
+    const document = await tx.document.create({
       data: {
         title,
         documentDataId,
@@ -37,5 +50,19 @@ export const createDocument = async ({
         teamId,
       },
     });
+
+    await tx.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_CREATED,
+        documentId: document.id,
+        user,
+        requestMetadata,
+        data: {
+          title,
+        },
+      }),
+    });
+
+    return document;
   });
 };

packages/lib/server-only/document/delete-document.ts

@@ -8,28 +8,74 @@ import DocumentCancelTemplate from '@documenso/email/templates/document-cancel';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus } from '@documenso/prisma/client';
 
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { FROM_ADDRESS, FROM_NAME } from '../../constants/email';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 
 export type DeleteDocumentOptions = {
   id: number;
   userId: number;
   status: DocumentStatus;
+  requestMetadata?: RequestMetadata;
 };
 
-export const deleteDocument = async ({ id, userId, status }: DeleteDocumentOptions) => {
+export const deleteDocument = async ({
+  id,
+  userId,
+  status,
+  requestMetadata,
+}: DeleteDocumentOptions) => {
+  await prisma.document.findFirstOrThrow({
+    where: {
+      id,
+      OR: [
+        {
+          userId,
+        },
+        {
+          team: {
+            members: {
+              some: {
+                userId,
+              },
+            },
+          },
+        },
+      ],
+    },
+  });
+
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+  });
+
   // if the document is a draft, hard-delete
   if (status === DocumentStatus.DRAFT) {
-    return await prisma.document.delete({ where: { id, userId, status: DocumentStatus.DRAFT } });
+    return await prisma.$transaction(async (tx) => {
+      // Currently redundant since deleting a document will delete the audit logs.
+      // However may be useful if we disassociate audit lgos and documents if required.
+      await tx.documentAuditLog.create({
+        data: createDocumentAuditLogData({
+          documentId: id,
+          type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED,
+          user,
+          requestMetadata,
+          data: {
+            type: 'HARD',
+          },
+        }),
+      });
+
+      return await tx.document.delete({ where: { id, status: DocumentStatus.DRAFT } });
+    });
   }
 
   // if the document is pending, send cancellation emails to all recipients
   if (status === DocumentStatus.PENDING) {
-    const user = await prisma.user.findFirstOrThrow({
-      where: {
-        id: userId,
-      },
-    });
-
     const document = await prisma.document.findUnique({
       where: {
         id,
@@ -49,7 +95,7 @@ export const deleteDocument = async ({ id, userId, status }: DeleteDocumentOptio
     if (document.Recipient.length > 0) {
       await Promise.all(
         document.Recipient.map(async (recipient) => {
-          const assetBaseUrl = process.env.NEXT_PUBLIC_WEBAPP_URL || 'http://localhost:3000';
+          const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
 
           const template = createElement(DocumentCancelTemplate, {
             documentName: document.title,
@@ -77,12 +123,26 @@ export const deleteDocument = async ({ id, userId, status }: DeleteDocumentOptio
   }
 
   // If the document is not a draft, only soft-delete.
-  return await prisma.document.update({
-    where: {
-      id,
-    },
-    data: {
-      deletedAt: new Date().toISOString(),
-    },
+  return await prisma.$transaction(async (tx) => {
+    await tx.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        documentId: id,
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED,
+        user,
+        requestMetadata,
+        data: {
+          type: 'SOFT',
+        },
+      }),
+    });
+
+    return await tx.document.update({
+      where: {
+        id,
+      },
+      data: {
+        deletedAt: new Date().toISOString(),
+      },
+    });
   });
 };

packages/lib/server-only/document/find-document-audit-logs.ts

@@ -0,0 +1,115 @@
+import type { FindResultSet } from '@documenso/lib/types/find-result-set';
+import { prisma } from '@documenso/prisma';
+import type { DocumentAuditLog } from '@documenso/prisma/client';
+import type { Prisma } from '@documenso/prisma/client';
+
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
+import { parseDocumentAuditLogData } from '../../utils/document-audit-logs';
+
+export interface FindDocumentAuditLogsOptions {
+  userId: number;
+  documentId: number;
+  page?: number;
+  perPage?: number;
+  orderBy?: {
+    column: keyof DocumentAuditLog;
+    direction: 'asc' | 'desc';
+  };
+  cursor?: string;
+  filterForRecentActivity?: boolean;
+}
+
+export const findDocumentAuditLogs = async ({
+  userId,
+  documentId,
+  page = 1,
+  perPage = 30,
+  orderBy,
+  cursor,
+  filterForRecentActivity,
+}: FindDocumentAuditLogsOptions) => {
+  const orderByColumn = orderBy?.column ?? 'createdAt';
+  const orderByDirection = orderBy?.direction ?? 'desc';
+
+  await prisma.document.findFirstOrThrow({
+    where: {
+      id: documentId,
+      OR: [
+        {
+          userId,
+        },
+        {
+          team: {
+            members: {
+              some: {
+                userId,
+              },
+            },
+          },
+        },
+      ],
+    },
+  });
+
+  const whereClause: Prisma.DocumentAuditLogWhereInput = {
+    documentId,
+  };
+
+  // Filter events down to what we consider recent activity.
+  if (filterForRecentActivity) {
+    whereClause.OR = [
+      {
+        type: {
+          in: [
+            DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_COMPLETED,
+            DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_CREATED,
+            DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED,
+            DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_OPENED,
+            DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_COMPLETED,
+            DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_SENT,
+          ],
+        },
+      },
+      {
+        type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
+        data: {
+          path: ['isResending'],
+          equals: true,
+        },
+      },
+    ];
+  }
+
+  const [data, count] = await Promise.all([
+    prisma.documentAuditLog.findMany({
+      where: whereClause,
+      skip: Math.max(page - 1, 0) * perPage,
+      take: perPage + 1,
+      orderBy: {
+        [orderByColumn]: orderByDirection,
+      },
+      cursor: cursor ? { id: cursor } : undefined,
+    }),
+    prisma.documentAuditLog.count({
+      where: whereClause,
+    }),
+  ]);
+
+  let nextCursor: string | undefined = undefined;
+
+  const parsedData = data.map((auditLog) => parseDocumentAuditLogData(auditLog));
+
+  if (parsedData.length > perPage) {
+    const nextItem = parsedData.pop();
+    nextCursor = nextItem!.id;
+  }
+
+  return {
+    data: parsedData,
+    count,
+    currentPage: Math.max(page, 1),
+    perPage,
+    totalPages: Math.ceil(count / perPage),
+    nextCursor,
+  } satisfies FindResultSet<typeof parsedData> & { nextCursor?: string };
+};

packages/lib/server-only/document/get-document-by-id.ts

@@ -21,6 +21,19 @@ export const getDocumentById = async ({ id, userId, teamId }: GetDocumentByIdOpt
     include: {
       documentData: true,
       documentMeta: true,
+      User: {
+        select: {
+          id: true,
+          name: true,
+          email: true,
+        },
+      },
+      team: {
+        select: {
+          id: true,
+          url: true,
+        },
+      },
     },
   });
 };

packages/lib/server-only/document/resend-document.tsx

@@ -4,12 +4,19 @@ import { mailer } from '@documenso/email/mailer';
 import { render } from '@documenso/email/render';
 import { DocumentInviteEmailTemplate } from '@documenso/email/templates/document-invite';
 import { FROM_ADDRESS, FROM_NAME } from '@documenso/lib/constants/email';
+import {
+  RECIPIENT_ROLES_DESCRIPTION,
+  RECIPIENT_ROLE_TO_EMAIL_TYPE,
+} from '@documenso/lib/constants/recipient-roles';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { renderCustomEmailTemplate } from '@documenso/lib/utils/render-custom-email-template';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, RecipientRole, SigningStatus } from '@documenso/prisma/client';
 import type { Prisma } from '@documenso/prisma/client';
 
-import { RECIPIENT_ROLES_DESCRIPTION } from '../../constants/recipient-roles';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { getDocumentWhereInput } from './get-document-by-id';
 
 export type ResendDocumentOptions = {
@@ -17,6 +24,7 @@ export type ResendDocumentOptions = {
   userId: number;
   recipients: number[];
   teamId?: number;
+  requestMetadata: RequestMetadata;
 };
 
 export const resendDocument = async ({
@@ -24,6 +32,7 @@ export const resendDocument = async ({
   userId,
   recipients,
   teamId,
+  requestMetadata,
 }: ResendDocumentOptions) => {
   const user = await prisma.user.findFirstOrThrow({
     where: {
@@ -76,6 +85,8 @@ export const resendDocument = async ({
         return;
       }
 
+      const recipientEmailType = RECIPIENT_ROLE_TO_EMAIL_TYPE[recipient.role];
+
       const { email, name } = recipient;
 
       const customEmailTemplate = {
@@ -84,8 +95,8 @@ export const resendDocument = async ({
         'document.name': document.title,
       };
 
-      const assetBaseUrl = process.env.NEXT_PUBLIC_WEBAPP_URL || 'http://localhost:3000';
-      const signDocumentLink = `${process.env.NEXT_PUBLIC_WEBAPP_URL}/sign/${recipient.token}`;
+      const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+      const signDocumentLink = `${NEXT_PUBLIC_WEBAPP_URL()}/sign/${recipient.token}`;
 
       const template = createElement(DocumentInviteEmailTemplate, {
         documentName: document.title,
@@ -99,21 +110,43 @@ export const resendDocument = async ({
 
       const { actionVerb } = RECIPIENT_ROLES_DESCRIPTION[recipient.role];
 
-      await mailer.sendMail({
-        to: {
-          address: email,
-          name,
+      await prisma.$transaction(
+        async (tx) => {
+          await mailer.sendMail({
+            to: {
+              address: email,
+              name,
+            },
+            from: {
+              name: FROM_NAME,
+              address: FROM_ADDRESS,
+            },
+            subject: customEmail?.subject
+              ? renderCustomEmailTemplate(customEmail.subject, customEmailTemplate)
+              : `Please ${actionVerb.toLowerCase()} this document`,
+            html: render(template),
+            text: render(template, { plainText: true }),
+          });
+
+          await tx.documentAuditLog.create({
+            data: createDocumentAuditLogData({
+              type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
+              documentId: document.id,
+              user,
+              requestMetadata,
+              data: {
+                emailType: recipientEmailType,
+                recipientEmail: recipient.email,
+                recipientName: recipient.name,
+                recipientRole: recipient.role,
+                recipientId: recipient.id,
+                isResending: true,
+              },
+            }),
+          });
         },
-        from: {
-          name: FROM_NAME,
-          address: FROM_ADDRESS,
-        },
-        subject: customEmail?.subject
-          ? renderCustomEmailTemplate(customEmail.subject, customEmailTemplate)
-          : `Please ${actionVerb.toLowerCase()} this document`,
-        html: render(template),
-        text: render(template, { plainText: true }),
-      });
+        { timeout: 30_000 },
+      );
     }),
   );
 };

packages/lib/server-only/document/seal-document.ts

@@ -5,10 +5,13 @@ import path from 'node:path';
 import { PDFDocument } from 'pdf-lib';
 
 import PostHogServerClient from '@documenso/lib/server-only/feature-flags/get-post-hog-server-client';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, RecipientRole, SigningStatus } from '@documenso/prisma/client';
 import { signPdf } from '@documenso/signing';
 
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { getFile } from '../../universal/upload/get-file';
 import { putFile } from '../../universal/upload/put-file';
 import { insertFieldInPDF } from '../pdf/insert-field-in-pdf';
@@ -17,9 +20,14 @@ import { sendCompletedEmail } from './send-completed-email';
 export type SealDocumentOptions = {
   documentId: number;
   sendEmail?: boolean;
+  requestMetadata?: RequestMetadata;
 };
 
-export const sealDocument = async ({ documentId, sendEmail = true }: SealDocumentOptions) => {
+export const sealDocument = async ({
+  documentId,
+  sendEmail = true,
+  requestMetadata,
+}: SealDocumentOptions) => {
   'use server';
 
   const document = await prisma.document.findFirstOrThrow({
@@ -100,16 +108,30 @@ export const sealDocument = async ({ documentId, sendEmail = true }: SealDocumen
     });
   }
 
-  await prisma.documentData.update({
-    where: {
-      id: documentData.id,
-    },
-    data: {
-      data: newData,
-    },
+  await prisma.$transaction(async (tx) => {
+    await tx.documentData.update({
+      where: {
+        id: documentData.id,
+      },
+      data: {
+        data: newData,
+      },
+    });
+
+    await tx.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_COMPLETED,
+        documentId: document.id,
+        requestMetadata,
+        user: null,
+        data: {
+          transactionId: nanoid(),
+        },
+      }),
+    });
   });
 
   if (sendEmail) {
-    await sendCompletedEmail({ documentId });
+    await sendCompletedEmail({ documentId, requestMetadata });
   }
 };

packages/lib/server-only/document/send-completed-email.ts

@@ -5,13 +5,18 @@ import { render } from '@documenso/email/render';
 import { DocumentCompletedEmailTemplate } from '@documenso/email/templates/document-completed';
 import { prisma } from '@documenso/prisma';
 
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { getFile } from '../../universal/upload/get-file';
+import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 
 export interface SendDocumentOptions {
   documentId: number;
+  requestMetadata?: RequestMetadata;
 }
 
-export const sendCompletedEmail = async ({ documentId }: SendDocumentOptions) => {
+export const sendCompletedEmail = async ({ documentId, requestMetadata }: SendDocumentOptions) => {
   const document = await prisma.document.findUnique({
     where: {
       id: documentId,
@@ -36,33 +41,55 @@ export const sendCompletedEmail = async ({ documentId }: SendDocumentOptions) =>
     document.Recipient.map(async (recipient) => {
       const { email, name, token } = recipient;
 
-      const assetBaseUrl = process.env.NEXT_PUBLIC_WEBAPP_URL || 'http://localhost:3000';
+      const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
 
       const template = createElement(DocumentCompletedEmailTemplate, {
         documentName: document.title,
         assetBaseUrl,
-        downloadLink: `${process.env.NEXT_PUBLIC_WEBAPP_URL}/sign/${token}/complete`,
+        downloadLink: `${NEXT_PUBLIC_WEBAPP_URL()}/sign/${token}/complete`,
       });
 
-      await mailer.sendMail({
-        to: {
-          address: email,
-          name,
+      await prisma.$transaction(
+        async (tx) => {
+          await mailer.sendMail({
+            to: {
+              address: email,
+              name,
+            },
+            from: {
+              name: process.env.NEXT_PRIVATE_SMTP_FROM_NAME || 'Documenso',
+              address: process.env.NEXT_PRIVATE_SMTP_FROM_ADDRESS || 'noreply@documenso.com',
+            },
+            subject: 'Signing Complete!',
+            html: render(template),
+            text: render(template, { plainText: true }),
+            attachments: [
+              {
+                filename: document.title,
+                content: Buffer.from(buffer),
+              },
+            ],
+          });
+
+          await tx.documentAuditLog.create({
+            data: createDocumentAuditLogData({
+              type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
+              documentId: document.id,
+              user: null,
+              requestMetadata,
+              data: {
+                emailType: 'DOCUMENT_COMPLETED',
+                recipientEmail: recipient.email,
+                recipientName: recipient.name,
+                recipientId: recipient.id,
+                recipientRole: recipient.role,
+                isResending: false,
+              },
+            }),
+          });
         },
-        from: {
-          name: process.env.NEXT_PRIVATE_SMTP_FROM_NAME || 'Documenso',
-          address: process.env.NEXT_PRIVATE_SMTP_FROM_ADDRESS || 'noreply@documenso.com',
-        },
-        subject: 'Signing Complete!',
-        html: render(template),
-        text: render(template, { plainText: true }),
-        attachments: [
-          {
-            filename: document.title,
-            content: Buffer.from(buffer),
-          },
-        ],
-      });
+        { timeout: 30_000 },
+      );
     }),
   );
 };

packages/lib/server-only/document/send-document.tsx

@@ -4,22 +4,39 @@ import { mailer } from '@documenso/email/mailer';
 import { render } from '@documenso/email/render';
 import { DocumentInviteEmailTemplate } from '@documenso/email/templates/document-invite';
 import { FROM_ADDRESS, FROM_NAME } from '@documenso/lib/constants/email';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { renderCustomEmailTemplate } from '@documenso/lib/utils/render-custom-email-template';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, RecipientRole, SendStatus } from '@documenso/prisma/client';
 
-import { RECIPIENT_ROLES_DESCRIPTION } from '../../constants/recipient-roles';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+import {
+  RECIPIENT_ROLES_DESCRIPTION,
+  RECIPIENT_ROLE_TO_EMAIL_TYPE,
+} from '../../constants/recipient-roles';
 
 export type SendDocumentOptions = {
   documentId: number;
   userId: number;
+  requestMetadata?: RequestMetadata;
 };
 
-export const sendDocument = async ({ documentId, userId }: SendDocumentOptions) => {
+export const sendDocument = async ({
+  documentId,
+  userId,
+  requestMetadata,
+}: SendDocumentOptions) => {
   const user = await prisma.user.findFirstOrThrow({
     where: {
       id: userId,
     },
+    select: {
+      id: true,
+      name: true,
+      email: true,
+    },
   });
 
   const document = await prisma.document.findUnique({
@@ -66,6 +83,8 @@ export const sendDocument = async ({ documentId, userId }: SendDocumentOptions)
         return;
       }
 
+      const recipientEmailType = RECIPIENT_ROLE_TO_EMAIL_TYPE[recipient.role];
+
       const { email, name } = recipient;
 
       const customEmailTemplate = {
@@ -74,8 +93,8 @@ export const sendDocument = async ({ documentId, userId }: SendDocumentOptions)
         'document.name': document.title,
       };
 
-      const assetBaseUrl = process.env.NEXT_PUBLIC_WEBAPP_URL || 'http://localhost:3000';
-      const signDocumentLink = `${process.env.NEXT_PUBLIC_WEBAPP_URL}/sign/${recipient.token}`;
+      const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+      const signDocumentLink = `${NEXT_PUBLIC_WEBAPP_URL()}/sign/${recipient.token}`;
 
       const template = createElement(DocumentInviteEmailTemplate, {
         documentName: document.title,
@@ -89,40 +108,76 @@ export const sendDocument = async ({ documentId, userId }: SendDocumentOptions)
 
       const { actionVerb } = RECIPIENT_ROLES_DESCRIPTION[recipient.role];
 
-      await mailer.sendMail({
-        to: {
-          address: email,
-          name,
-        },
-        from: {
-          name: FROM_NAME,
-          address: FROM_ADDRESS,
-        },
-        subject: customEmail?.subject
-          ? renderCustomEmailTemplate(customEmail.subject, customEmailTemplate)
-          : `Please ${actionVerb.toLowerCase()} this document`,
-        html: render(template),
-        text: render(template, { plainText: true }),
-      });
+      await prisma.$transaction(
+        async (tx) => {
+          await mailer.sendMail({
+            to: {
+              address: email,
+              name,
+            },
+            from: {
+              name: FROM_NAME,
+              address: FROM_ADDRESS,
+            },
+            subject: customEmail?.subject
+              ? renderCustomEmailTemplate(customEmail.subject, customEmailTemplate)
+              : `Please ${actionVerb.toLowerCase()} this document`,
+            html: render(template),
+            text: render(template, { plainText: true }),
+          });
 
-      await prisma.recipient.update({
-        where: {
-          id: recipient.id,
+          await tx.recipient.update({
+            where: {
+              id: recipient.id,
+            },
+            data: {
+              sendStatus: SendStatus.SENT,
+            },
+          });
+
+          await tx.documentAuditLog.create({
+            data: createDocumentAuditLogData({
+              type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
+              documentId: document.id,
+              user,
+              requestMetadata,
+              data: {
+                emailType: recipientEmailType,
+                recipientEmail: recipient.email,
+                recipientName: recipient.name,
+                recipientRole: recipient.role,
+                recipientId: recipient.id,
+                isResending: false,
+              },
+            }),
+          });
         },
-        data: {
-          sendStatus: SendStatus.SENT,
-        },
-      });
+        { timeout: 30_000 },
+      );
     }),
   );
 
-  const updatedDocument = await prisma.document.update({
-    where: {
-      id: documentId,
-    },
-    data: {
-      status: DocumentStatus.PENDING,
-    },
+  const updatedDocument = await prisma.$transaction(async (tx) => {
+    if (document.status === DocumentStatus.DRAFT) {
+      await tx.documentAuditLog.create({
+        data: createDocumentAuditLogData({
+          type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_SENT,
+          documentId: document.id,
+          requestMetadata,
+          user,
+          data: {},
+        }),
+      });
+    }
+
+    return await tx.document.update({
+      where: {
+        id: documentId,
+      },
+      data: {
+        status: DocumentStatus.PENDING,
+      },
+    });
   });
 
   return updatedDocument;

packages/lib/server-only/document/send-pending-email.ts

@@ -5,6 +5,8 @@ import { render } from '@documenso/email/render';
 import { DocumentPendingEmailTemplate } from '@documenso/email/templates/document-pending';
 import { prisma } from '@documenso/prisma';
 
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+
 export interface SendPendingEmailOptions {
   documentId: number;
   recipientId: number;
@@ -41,7 +43,7 @@ export const sendPendingEmail = async ({ documentId, recipientId }: SendPendingE
 
   const { email, name } = recipient;
 
-  const assetBaseUrl = process.env.NEXT_PUBLIC_WEBAPP_URL || 'http://localhost:3000';
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
 
   const template = createElement(DocumentPendingEmailTemplate, {
     documentName: document.title,

packages/lib/server-only/document/update-title.ts

@@ -1,15 +1,30 @@
 'use server';
 
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 
 export type UpdateTitleOptions = {
   userId: number;
   documentId: number;
   title: string;
+  requestMetadata?: RequestMetadata;
 };
 
-export const updateTitle = async ({ userId, documentId, title }: UpdateTitleOptions) => {
-  return await prisma.document.update({
+export const updateTitle = async ({
+  userId,
+  documentId,
+  title,
+  requestMetadata,
+}: UpdateTitleOptions) => {
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+  });
+
+  const document = await prisma.document.findFirstOrThrow({
     where: {
       id: documentId,
       OR: [
@@ -27,8 +42,39 @@ export const updateTitle = async ({ userId, documentId, title }: UpdateTitleOpti
         },
       ],
     },
-    data: {
-      title,
-    },
+  });
+
+  if (document.title === title) {
+    return document;
+  }
+
+  return await prisma.$transaction(async (tx) => {
+    // Instead of doing everything in a transaction we can use our knowledge
+    // of the current document title to ensure we aren't performing a conflicting
+    // update.
+    const updatedDocument = await tx.document.update({
+      where: {
+        id: documentId,
+        title: document.title,
+      },
+      data: {
+        title,
+      },
+    });
+
+    await tx.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_TITLE_UPDATED,
+        documentId,
+        user,
+        requestMetadata,
+        data: {
+          from: document.title,
+          to: updatedDocument.title,
+        },
+      }),
+    });
+
+    return updatedDocument;
   });
 };

packages/lib/server-only/document/viewed-document.ts

@@ -1,11 +1,15 @@
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 import { ReadStatus } from '@documenso/prisma/client';
 
 export type ViewedDocumentOptions = {
   token: string;
+  requestMetadata?: RequestMetadata;
 };
 
-export const viewedDocument = async ({ token }: ViewedDocumentOptions) => {
+export const viewedDocument = async ({ token, requestMetadata }: ViewedDocumentOptions) => {
   const recipient = await prisma.recipient.findFirst({
     where: {
       token,
@@ -13,16 +17,38 @@ export const viewedDocument = async ({ token }: ViewedDocumentOptions) => {
     },
   });
 
-  if (!recipient) {
+  if (!recipient || !recipient.documentId) {
     return;
   }
 
-  await prisma.recipient.update({
-    where: {
-      id: recipient.id,
-    },
-    data: {
-      readStatus: ReadStatus.OPENED,
-    },
+  const { documentId } = recipient;
+
+  await prisma.$transaction(async (tx) => {
+    await tx.recipient.update({
+      where: {
+        id: recipient.id,
+      },
+      data: {
+        readStatus: ReadStatus.OPENED,
+      },
+    });
+
+    await tx.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_OPENED,
+        documentId,
+        user: {
+          name: recipient.name,
+          email: recipient.email,
+        },
+        requestMetadata,
+        data: {
+          recipientEmail: recipient.email,
+          recipientId: recipient.id,
+          recipientName: recipient.name,
+          recipientRole: recipient.role,
+        },
+      }),
+    });
   });
 };

packages/lib/server-only/feature-flags/all.ts

@@ -5,6 +5,7 @@ import { getToken } from 'next-auth/jwt';
 import { LOCAL_FEATURE_FLAGS } from '@documenso/lib/constants/feature-flags';
 import PostHogServerClient from '@documenso/lib/server-only/feature-flags/get-post-hog-server-client';
 
+import { NEXT_PUBLIC_MARKETING_URL, NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { extractDistinctUserId, mapJwtToFlagProperties } from './get';
 
 /**
@@ -38,11 +39,11 @@ export default async function handlerFeatureFlagAll(req: Request) {
   const origin = req.headers.get('origin');
 
   if (origin) {
-    if (origin.startsWith(process.env.NEXT_PUBLIC_WEBAPP_URL ?? 'http://localhost:3000')) {
+    if (origin.startsWith(NEXT_PUBLIC_WEBAPP_URL() ?? 'http://localhost:3000')) {
       res.headers.set('Access-Control-Allow-Origin', origin);
     }
 
-    if (origin.startsWith(process.env.NEXT_PUBLIC_MARKETING_URL ?? 'http://localhost:3001')) {
+    if (origin.startsWith(NEXT_PUBLIC_MARKETING_URL() ?? 'http://localhost:3001')) {
       res.headers.set('Access-Control-Allow-Origin', origin);
     }
   }

packages/lib/server-only/feature-flags/get.ts

@@ -1,11 +1,14 @@
 import { NextRequest, NextResponse } from 'next/server';
 
 import { nanoid } from 'nanoid';
-import { JWT, getToken } from 'next-auth/jwt';
+import type { JWT } from 'next-auth/jwt';
+import { getToken } from 'next-auth/jwt';
 
 import { LOCAL_FEATURE_FLAGS, extractPostHogConfig } from '@documenso/lib/constants/feature-flags';
 import PostHogServerClient from '@documenso/lib/server-only/feature-flags/get-post-hog-server-client';
 
+import { NEXT_PUBLIC_MARKETING_URL, NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+
 /**
  * Evaluate a single feature flag based on the current user if possible.
  *
@@ -57,11 +60,11 @@ export default async function handleFeatureFlagGet(req: Request) {
   const origin = req.headers.get('Origin');
 
   if (origin) {
-    if (origin.startsWith(process.env.NEXT_PUBLIC_WEBAPP_URL ?? 'http://localhost:3000')) {
+    if (origin.startsWith(NEXT_PUBLIC_WEBAPP_URL() ?? 'http://localhost:3000')) {
       res.headers.set('Access-Control-Allow-Origin', origin);
     }
 
-    if (origin.startsWith(process.env.NEXT_PUBLIC_MARKETING_URL ?? 'http://localhost:3001')) {
+    if (origin.startsWith(NEXT_PUBLIC_MARKETING_URL() ?? 'http://localhost:3001')) {
       res.headers.set('Access-Control-Allow-Origin', origin);
     }
   }

packages/lib/server-only/field/remove-signed-field-with-token.ts

@@ -1,16 +1,21 @@
 'use server';
 
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, SigningStatus } from '@documenso/prisma/client';
 
 export type RemovedSignedFieldWithTokenOptions = {
   token: string;
   fieldId: number;
+  requestMetadata?: RequestMetadata;
 };
 
 export const removeSignedFieldWithToken = async ({
   token,
   fieldId,
+  requestMetadata,
 }: RemovedSignedFieldWithTokenOptions) => {
   const field = await prisma.field.findFirstOrThrow({
     where: {
@@ -44,8 +49,8 @@ export const removeSignedFieldWithToken = async ({
     throw new Error(`Field ${fieldId} has no recipientId`);
   }
 
-  await Promise.all([
-    prisma.field.update({
+  await prisma.$transaction(async (tx) => {
+    await tx.field.update({
       where: {
         id: field.id,
       },
@@ -53,11 +58,28 @@ export const removeSignedFieldWithToken = async ({
         customText: '',
         inserted: false,
       },
-    }),
-    prisma.signature.deleteMany({
+    });
+
+    await tx.signature.deleteMany({
       where: {
         fieldId: field.id,
       },
-    }),
-  ]);
+    });
+
+    await tx.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_FIELD_UNINSERTED,
+        documentId: document.id,
+        user: {
+          name: recipient?.name,
+          email: recipient?.email,
+        },
+        requestMetadata,
+        data: {
+          field: field.type,
+          fieldId: field.secondaryId,
+        },
+      }),
+    });
+  });
 };

packages/lib/server-only/field/set-fields-for-document.ts

@@ -1,3 +1,9 @@
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import {
+  createDocumentAuditLogData,
+  diffFieldChanges,
+} from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 import type { FieldType } from '@documenso/prisma/client';
 import { SendStatus, SigningStatus } from '@documenso/prisma/client';
@@ -15,12 +21,14 @@ export interface SetFieldsForDocumentOptions {
     pageWidth: number;
     pageHeight: number;
   }[];
+  requestMetadata?: RequestMetadata;
 }
 
 export const setFieldsForDocument = async ({
   userId,
   documentId,
   fields,
+  requestMetadata,
 }: SetFieldsForDocumentOptions) => {
   const document = await prisma.document.findFirst({
     where: {
@@ -42,6 +50,17 @@ export const setFieldsForDocument = async ({
     },
   });
 
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+    select: {
+      id: true,
+      name: true,
+      email: true,
+    },
+  });
+
   if (!document) {
     throw new Error('Document not found');
   }
@@ -79,56 +98,123 @@ export const setFieldsForDocument = async ({
       );
     });
 
-  const persistedFields = await prisma.$transaction(
-    // Disabling as wrapping promises here causes type issues
-    // eslint-disable-next-line @typescript-eslint/promise-function-async
-    linkedFields.map((field) =>
-      prisma.field.upsert({
-        where: {
-          id: field._persisted?.id ?? -1,
-          documentId,
-        },
-        update: {
-          page: field.pageNumber,
-          positionX: field.pageX,
-          positionY: field.pageY,
-          width: field.pageWidth,
-          height: field.pageHeight,
-        },
-        create: {
-          type: field.type,
-          page: field.pageNumber,
-          positionX: field.pageX,
-          positionY: field.pageY,
-          width: field.pageWidth,
-          height: field.pageHeight,
-          customText: '',
-          inserted: false,
-          Document: {
-            connect: {
-              id: documentId,
-            },
+  const persistedFields = await prisma.$transaction(async (tx) => {
+    await Promise.all(
+      linkedFields.map(async (field) => {
+        const fieldSignerEmail = field.signerEmail.toLowerCase();
+
+        const upsertedField = await tx.field.upsert({
+          where: {
+            id: field._persisted?.id ?? -1,
+            documentId,
           },
-          Recipient: {
-            connect: {
-              documentId_email: {
-                documentId,
-                email: field.signerEmail.toLowerCase(),
+          update: {
+            page: field.pageNumber,
+            positionX: field.pageX,
+            positionY: field.pageY,
+            width: field.pageWidth,
+            height: field.pageHeight,
+          },
+          create: {
+            type: field.type,
+            page: field.pageNumber,
+            positionX: field.pageX,
+            positionY: field.pageY,
+            width: field.pageWidth,
+            height: field.pageHeight,
+            customText: '',
+            inserted: false,
+            Document: {
+              connect: {
+                id: documentId,
+              },
+            },
+            Recipient: {
+              connect: {
+                documentId_email: {
+                  documentId,
+                  email: fieldSignerEmail,
+                },
               },
             },
           },
-        },
+        });
+
+        if (upsertedField.recipientId === null) {
+          throw new Error('Not possible');
+        }
+
+        const baseAuditLog = {
+          fieldId: upsertedField.secondaryId,
+          fieldRecipientEmail: fieldSignerEmail,
+          fieldRecipientId: upsertedField.recipientId,
+          fieldType: upsertedField.type,
+        };
+
+        const changes = field._persisted ? diffFieldChanges(field._persisted, upsertedField) : [];
+
+        // Handle field updated audit log.
+        if (field._persisted && changes.length > 0) {
+          await tx.documentAuditLog.create({
+            data: createDocumentAuditLogData({
+              type: DOCUMENT_AUDIT_LOG_TYPE.FIELD_UPDATED,
+              documentId: documentId,
+              user,
+              requestMetadata,
+              data: {
+                changes,
+                ...baseAuditLog,
+              },
+            }),
+          });
+        }
+
+        // Handle field created audit log.
+        if (!field._persisted) {
+          await tx.documentAuditLog.create({
+            data: createDocumentAuditLogData({
+              type: DOCUMENT_AUDIT_LOG_TYPE.FIELD_CREATED,
+              documentId: documentId,
+              user,
+              requestMetadata,
+              data: {
+                ...baseAuditLog,
+              },
+            }),
+          });
+        }
+
+        return upsertedField;
       }),
-    ),
-  );
+    );
+  });
 
   if (removedFields.length > 0) {
-    await prisma.field.deleteMany({
-      where: {
-        id: {
-          in: removedFields.map((field) => field.id),
+    await prisma.$transaction(async (tx) => {
+      await tx.field.deleteMany({
+        where: {
+          id: {
+            in: removedFields.map((field) => field.id),
+          },
         },
-      },
+      });
+
+      await tx.documentAuditLog.createMany({
+        data: removedFields.map((field) =>
+          createDocumentAuditLogData({
+            type: DOCUMENT_AUDIT_LOG_TYPE.FIELD_DELETED,
+            documentId: documentId,
+            user,
+            requestMetadata,
+            data: {
+              fieldId: field.secondaryId,
+              fieldRecipientEmail: field.Recipient?.email ?? '',
+              fieldRecipientId: field.recipientId ?? -1,
+              fieldType: field.type,
+            },
+          }),
+        ),
+      });
     });
   }
 

packages/lib/server-only/field/sign-field-with-token.ts

@@ -1,18 +1,23 @@
 'use server';
 
 import { DateTime } from 'luxon';
+import { match } from 'ts-pattern';
 
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, FieldType, SigningStatus } from '@documenso/prisma/client';
 
 import { DEFAULT_DOCUMENT_DATE_FORMAT } from '../../constants/date-formats';
 import { DEFAULT_DOCUMENT_TIME_ZONE } from '../../constants/time-zones';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 
 export type SignFieldWithTokenOptions = {
   token: string;
   fieldId: number;
   value: string;
   isBase64?: boolean;
+  requestMetadata?: RequestMetadata;
 };
 
 export const signFieldWithToken = async ({
@@ -20,6 +25,7 @@ export const signFieldWithToken = async ({
   fieldId,
   value,
   isBase64,
+  requestMetadata,
 }: SignFieldWithTokenOptions) => {
   const field = await prisma.field.findFirstOrThrow({
     where: {
@@ -40,6 +46,10 @@ export const signFieldWithToken = async ({
     throw new Error(`Document not found for field ${field.id}`);
   }
 
+  if (!recipient) {
+    throw new Error(`Recipient not found for field ${field.id}`);
+  }
+
   if (document.status === DocumentStatus.COMPLETED) {
     throw new Error(`Document ${document.id} has already been completed`);
   }
@@ -123,6 +133,38 @@ export const signFieldWithToken = async ({
       });
     }
 
+    await tx.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_FIELD_INSERTED,
+        documentId: document.id,
+        user: {
+          email: recipient.email,
+          name: recipient.name,
+        },
+        requestMetadata,
+        data: {
+          recipientEmail: recipient.email,
+          recipientId: recipient.id,
+          recipientName: recipient.name,
+          recipientRole: recipient.role,
+          fieldId: updatedField.secondaryId,
+          field: match(updatedField.type)
+            .with(FieldType.SIGNATURE, FieldType.FREE_SIGNATURE, (type) => ({
+              type,
+              data: signatureImageAsBase64 || typedSignature || '',
+            }))
+            .with(FieldType.DATE, FieldType.EMAIL, FieldType.NAME, FieldType.TEXT, (type) => ({
+              type,
+              data: updatedField.customText,
+            }))
+            .exhaustive(),
+          fieldSecurity: {
+            type: 'NONE',
+          },
+        },
+      }),
+    });
+
     return updatedField;
   });
 };

packages/lib/server-only/pdf/insert-text-in-pdf.ts

@@ -12,7 +12,7 @@ export async function insertTextInPDF(
   useHandwritingFont = true,
 ): Promise<string> {
   // Fetch the font file from the public URL.
-  const fontResponse = await fetch(CAVEAT_FONT_PATH);
+  const fontResponse = await fetch(CAVEAT_FONT_PATH());
   const fontCaveat = await fontResponse.arrayBuffer();
 
   const pdfDoc = await PDFDocument.load(pdfAsBase64);

packages/lib/server-only/recipient/set-recipients-for-document.ts

@@ -1,9 +1,14 @@
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { nanoid } from '@documenso/lib/universal/id';
+import {
+  createDocumentAuditLogData,
+  diffRecipientChanges,
+} from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 import { RecipientRole } from '@documenso/prisma/client';
 import { SendStatus, SigningStatus } from '@documenso/prisma/client';
 
-import { nanoid } from '../../universal/id';
-
 export interface SetRecipientsForDocumentOptions {
   userId: number;
   documentId: number;
@@ -13,12 +18,14 @@ export interface SetRecipientsForDocumentOptions {
     name: string;
     role: RecipientRole;
   }[];
+  requestMetadata?: RequestMetadata;
 }
 
 export const setRecipientsForDocument = async ({
   userId,
   documentId,
   recipients,
+  requestMetadata,
 }: SetRecipientsForDocumentOptions) => {
   const document = await prisma.document.findFirst({
     where: {
@@ -40,6 +47,17 @@ export const setRecipientsForDocument = async ({
     },
   });
 
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+    select: {
+      id: true,
+      name: true,
+      email: true,
+    },
+  });
+
   if (!document) {
     throw new Error('Document not found');
   }
@@ -87,45 +105,121 @@ export const setRecipientsForDocument = async ({
       );
     });
 
-  const persistedRecipients = await prisma.$transaction(
-    // Disabling as wrapping promises here causes type issues
-    // eslint-disable-next-line @typescript-eslint/promise-function-async
-    linkedRecipients.map((recipient) =>
-      prisma.recipient.upsert({
-        where: {
-          id: recipient._persisted?.id ?? -1,
-          documentId,
-        },
-        update: {
-          name: recipient.name,
-          email: recipient.email,
-          role: recipient.role,
-          documentId,
-          sendStatus: recipient.role === RecipientRole.CC ? SendStatus.SENT : SendStatus.NOT_SENT,
-          signingStatus:
-            recipient.role === RecipientRole.CC ? SigningStatus.SIGNED : SigningStatus.NOT_SIGNED,
-        },
-        create: {
-          name: recipient.name,
-          email: recipient.email,
-          role: recipient.role,
-          token: nanoid(),
-          documentId,
-          sendStatus: recipient.role === RecipientRole.CC ? SendStatus.SENT : SendStatus.NOT_SENT,
-          signingStatus:
-            recipient.role === RecipientRole.CC ? SigningStatus.SIGNED : SigningStatus.NOT_SIGNED,
-        },
+  const persistedRecipients = await prisma.$transaction(async (tx) => {
+    await Promise.all(
+      linkedRecipients.map(async (recipient) => {
+        const upsertedRecipient = await tx.recipient.upsert({
+          where: {
+            id: recipient._persisted?.id ?? -1,
+            documentId,
+          },
+          update: {
+            name: recipient.name,
+            email: recipient.email,
+            role: recipient.role,
+            documentId,
+            sendStatus: recipient.role === RecipientRole.CC ? SendStatus.SENT : SendStatus.NOT_SENT,
+            signingStatus:
+              recipient.role === RecipientRole.CC ? SigningStatus.SIGNED : SigningStatus.NOT_SIGNED,
+          },
+          create: {
+            name: recipient.name,
+            email: recipient.email,
+            role: recipient.role,
+            token: nanoid(),
+            documentId,
+            sendStatus: recipient.role === RecipientRole.CC ? SendStatus.SENT : SendStatus.NOT_SENT,
+            signingStatus:
+              recipient.role === RecipientRole.CC ? SigningStatus.SIGNED : SigningStatus.NOT_SIGNED,
+          },
+        });
+
+        const recipientId = upsertedRecipient.id;
+
+        // Clear all fields if the recipient role is changed to a type that cannot have fields.
+        if (
+          recipient._persisted &&
+          recipient._persisted.role !== recipient.role &&
+          (recipient.role === RecipientRole.CC || recipient.role === RecipientRole.VIEWER)
+        ) {
+          await tx.field.deleteMany({
+            where: {
+              recipientId,
+            },
+          });
+        }
+
+        const baseAuditLog = {
+          recipientEmail: upsertedRecipient.email,
+          recipientName: upsertedRecipient.name,
+          recipientId,
+          recipientRole: upsertedRecipient.role,
+        };
+
+        const changes = recipient._persisted
+          ? diffRecipientChanges(recipient._persisted, upsertedRecipient)
+          : [];
+
+        // Handle recipient updated audit log.
+        if (recipient._persisted && changes.length > 0) {
+          await tx.documentAuditLog.create({
+            data: createDocumentAuditLogData({
+              type: DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_UPDATED,
+              documentId: documentId,
+              user,
+              requestMetadata,
+              data: {
+                changes,
+                ...baseAuditLog,
+              },
+            }),
+          });
+        }
+
+        // Handle recipient created audit log.
+        if (!recipient._persisted) {
+          await tx.documentAuditLog.create({
+            data: createDocumentAuditLogData({
+              type: DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_CREATED,
+              documentId: documentId,
+              user,
+              requestMetadata,
+              data: baseAuditLog,
+            }),
+          });
+        }
+
+        return upsertedRecipient;
       }),
-    ),
-  );
+    );
+  });
 
   if (removedRecipients.length > 0) {
-    await prisma.recipient.deleteMany({
-      where: {
-        id: {
-          in: removedRecipients.map((recipient) => recipient.id),
+    await prisma.$transaction(async (tx) => {
+      await tx.recipient.deleteMany({
+        where: {
+          id: {
+            in: removedRecipients.map((recipient) => recipient.id),
+          },
         },
-      },
+      });
+
+      await tx.documentAuditLog.createMany({
+        data: removedRecipients.map((recipient) =>
+          createDocumentAuditLogData({
+            type: DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_DELETED,
+            documentId: documentId,
+            user,
+            requestMetadata,
+            data: {
+              recipientEmail: recipient.email,
+              recipientName: recipient.name,
+              recipientId: recipient.id,
+              recipientRole: recipient.role,
+            },
+          }),
+        ),
+      });
     });
   }
 

packages/lib/server-only/team/accept-team-invitation.ts

@@ -9,55 +9,58 @@ export type AcceptTeamInvitationOptions = {
 };
 
 export const acceptTeamInvitation = async ({ userId, teamId }: AcceptTeamInvitationOptions) => {
-  await prisma.$transaction(async (tx) => {
-    const user = await tx.user.findFirstOrThrow({
-      where: {
-        id: userId,
-      },
-    });
+  await prisma.$transaction(
+    async (tx) => {
+      const user = await tx.user.findFirstOrThrow({
+        where: {
+          id: userId,
+        },
+      });
 
-    const teamMemberInvite = await tx.teamMemberInvite.findFirstOrThrow({
-      where: {
-        teamId,
-        email: user.email,
-      },
-      include: {
-        team: {
-          include: {
-            subscription: true,
+      const teamMemberInvite = await tx.teamMemberInvite.findFirstOrThrow({
+        where: {
+          teamId,
+          email: user.email,
+        },
+        include: {
+          team: {
+            include: {
+              subscription: true,
+            },
           },
         },
-      },
-    });
+      });
 
-    const { team } = teamMemberInvite;
+      const { team } = teamMemberInvite;
 
-    await tx.teamMember.create({
-      data: {
-        teamId: teamMemberInvite.teamId,
-        userId: user.id,
-        role: teamMemberInvite.role,
-      },
-    });
-
-    await tx.teamMemberInvite.delete({
-      where: {
-        id: teamMemberInvite.id,
-      },
-    });
-
-    if (IS_BILLING_ENABLED && team.subscription) {
-      const numberOfSeats = await tx.teamMember.count({
-        where: {
+      await tx.teamMember.create({
+        data: {
           teamId: teamMemberInvite.teamId,
+          userId: user.id,
+          role: teamMemberInvite.role,
         },
       });
 
-      await updateSubscriptionItemQuantity({
-        priceId: team.subscription.priceId,
-        subscriptionId: team.subscription.planId,
-        quantity: numberOfSeats,
+      await tx.teamMemberInvite.delete({
+        where: {
+          id: teamMemberInvite.id,
+        },
       });
-    }
-  });
+
+      if (IS_BILLING_ENABLED() && team.subscription) {
+        const numberOfSeats = await tx.teamMember.count({
+          where: {
+            teamId: teamMemberInvite.teamId,
+          },
+        });
+
+        await updateSubscriptionItemQuantity({
+          priceId: team.subscription.priceId,
+          subscriptionId: team.subscription.planId,
+          quantity: numberOfSeats,
+        });
+      }
+    },
+    { timeout: 30_000 },
+  );
 };

packages/lib/server-only/team/create-team-billing-portal.ts

@@ -12,7 +12,7 @@ export const createTeamBillingPortal = async ({
   userId,
   teamId,
 }: CreateTeamBillingPortalOptions) => {
-  if (!IS_BILLING_ENABLED) {
+  if (!IS_BILLING_ENABLED()) {
     throw new Error('Billing is not enabled');
   }
 

packages/lib/server-only/team/create-team-email-verification.ts

@@ -28,56 +28,59 @@ export const createTeamEmailVerification = async ({
   data,
 }: CreateTeamEmailVerificationOptions) => {
   try {
-    await prisma.$transaction(async (tx) => {
-      const team = await tx.team.findFirstOrThrow({
-        where: {
-          id: teamId,
-          members: {
-            some: {
-              userId,
-              role: {
-                in: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+    await prisma.$transaction(
+      async (tx) => {
+        const team = await tx.team.findFirstOrThrow({
+          where: {
+            id: teamId,
+            members: {
+              some: {
+                userId,
+                role: {
+                  in: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+                },
               },
             },
           },
-        },
-        include: {
-          teamEmail: true,
-          emailVerification: true,
-        },
-      });
+          include: {
+            teamEmail: true,
+            emailVerification: true,
+          },
+        });
 
-      if (team.teamEmail || team.emailVerification) {
-        throw new AppError(
-          AppErrorCode.INVALID_REQUEST,
-          'Team already has an email or existing email verification.',
-        );
-      }
+        if (team.teamEmail || team.emailVerification) {
+          throw new AppError(
+            AppErrorCode.INVALID_REQUEST,
+            'Team already has an email or existing email verification.',
+          );
+        }
 
-      const existingTeamEmail = await tx.teamEmail.findFirst({
-        where: {
-          email: data.email,
-        },
-      });
+        const existingTeamEmail = await tx.teamEmail.findFirst({
+          where: {
+            email: data.email,
+          },
+        });
 
-      if (existingTeamEmail) {
-        throw new AppError(AppErrorCode.ALREADY_EXISTS, 'Email already taken by another team.');
-      }
+        if (existingTeamEmail) {
+          throw new AppError(AppErrorCode.ALREADY_EXISTS, 'Email already taken by another team.');
+        }
 
-      const { token, expiresAt } = createTokenVerification({ hours: 1 });
+        const { token, expiresAt } = createTokenVerification({ hours: 1 });
 
-      await tx.teamEmailVerification.create({
-        data: {
-          token,
-          expiresAt,
-          email: data.email,
-          name: data.name,
-          teamId,
-        },
-      });
+        await tx.teamEmailVerification.create({
+          data: {
+            token,
+            expiresAt,
+            email: data.email,
+            name: data.name,
+            teamId,
+          },
+        });
 
-      await sendTeamEmailVerificationEmail(data.email, token, team.name, team.url);
-    });
+        await sendTeamEmailVerificationEmail(data.email, token, team.name, team.url);
+      },
+      { timeout: 30_000 },
+    );
   } catch (err) {
     console.error(err);
 

packages/lib/server-only/team/create-team.ts

@@ -2,11 +2,11 @@ import type Stripe from 'stripe';
 import { z } from 'zod';
 
 import { createTeamCustomer } from '@documenso/ee/server-only/stripe/create-team-customer';
-import { getCommunityPlanPriceIds } from '@documenso/ee/server-only/stripe/get-community-plan-prices';
+import { getTeamRelatedPrices } from '@documenso/ee/server-only/stripe/get-team-related-prices';
 import { mapStripeSubscriptionToPrismaUpsertAction } from '@documenso/ee/server-only/stripe/webhook/on-subscription-updated';
 import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
-import { subscriptionsContainsActiveCommunityPlan } from '@documenso/lib/utils/billing';
+import { subscriptionsContainsActivePlan } from '@documenso/lib/utils/billing';
 import { prisma } from '@documenso/prisma';
 import { Prisma, TeamMemberRole } from '@documenso/prisma/client';
 
@@ -57,17 +57,16 @@ export const createTeam = async ({
     },
   });
 
-  let isPaymentRequired = IS_BILLING_ENABLED;
+  let isPaymentRequired = IS_BILLING_ENABLED();
   let customerId: string | null = null;
 
-  if (IS_BILLING_ENABLED) {
-    const communityPlanPriceIds = await getCommunityPlanPriceIds();
-
-    isPaymentRequired = !subscriptionsContainsActiveCommunityPlan(
-      user.Subscription,
-      communityPlanPriceIds,
+  if (IS_BILLING_ENABLED()) {
+    const teamRelatedPriceIds = await getTeamRelatedPrices().then((prices) =>
+      prices.map((price) => price.id),
     );
 
+    isPaymentRequired = !subscriptionsContainsActivePlan(user.Subscription, teamRelatedPriceIds);
+
     customerId = await createTeamCustomer({
       name: user.name ?? teamName,
       email: user.email,

packages/lib/server-only/team/delete-team-members.ts

@@ -27,76 +27,81 @@ export const deleteTeamMembers = async ({
   teamId,
   teamMemberIds,
 }: DeleteTeamMembersOptions) => {
-  await prisma.$transaction(async (tx) => {
-    // Find the team and validate that the user is allowed to remove members.
-    const team = await tx.team.findFirstOrThrow({
-      where: {
-        id: teamId,
-        members: {
-          some: {
-            userId,
-            role: {
-              in: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+  await prisma.$transaction(
+    async (tx) => {
+      // Find the team and validate that the user is allowed to remove members.
+      const team = await tx.team.findFirstOrThrow({
+        where: {
+          id: teamId,
+          members: {
+            some: {
+              userId,
+              role: {
+                in: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+              },
             },
           },
         },
-      },
-      include: {
-        members: {
-          select: {
-            id: true,
-            userId: true,
-            role: true,
+        include: {
+          members: {
+            select: {
+              id: true,
+              userId: true,
+              role: true,
+            },
+          },
+          subscription: true,
+        },
+      });
+
+      const currentTeamMember = team.members.find((member) => member.userId === userId);
+      const teamMembersToRemove = team.members.filter((member) =>
+        teamMemberIds.includes(member.id),
+      );
+
+      if (!currentTeamMember) {
+        throw new AppError(AppErrorCode.NOT_FOUND, 'Team member record does not exist');
+      }
+
+      if (teamMembersToRemove.find((member) => member.userId === team.ownerUserId)) {
+        throw new AppError(AppErrorCode.UNAUTHORIZED, 'Cannot remove the team owner');
+      }
+
+      const isMemberToRemoveHigherRole = teamMembersToRemove.some(
+        (member) => !isTeamRoleWithinUserHierarchy(currentTeamMember.role, member.role),
+      );
+
+      if (isMemberToRemoveHigherRole) {
+        throw new AppError(AppErrorCode.UNAUTHORIZED, 'Cannot remove a member with a higher role');
+      }
+
+      // Remove the team members.
+      await tx.teamMember.deleteMany({
+        where: {
+          id: {
+            in: teamMemberIds,
+          },
+          teamId,
+          userId: {
+            not: team.ownerUserId,
           },
         },
-        subscription: true,
-      },
-    });
-
-    const currentTeamMember = team.members.find((member) => member.userId === userId);
-    const teamMembersToRemove = team.members.filter((member) => teamMemberIds.includes(member.id));
-
-    if (!currentTeamMember) {
-      throw new AppError(AppErrorCode.NOT_FOUND, 'Team member record does not exist');
-    }
-
-    if (teamMembersToRemove.find((member) => member.userId === team.ownerUserId)) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, 'Cannot remove the team owner');
-    }
-
-    const isMemberToRemoveHigherRole = teamMembersToRemove.some(
-      (member) => !isTeamRoleWithinUserHierarchy(currentTeamMember.role, member.role),
-    );
-
-    if (isMemberToRemoveHigherRole) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, 'Cannot remove a member with a higher role');
-    }
-
-    // Remove the team members.
-    await tx.teamMember.deleteMany({
-      where: {
-        id: {
-          in: teamMemberIds,
-        },
-        teamId,
-        userId: {
-          not: team.ownerUserId,
-        },
-      },
-    });
-
-    if (IS_BILLING_ENABLED && team.subscription) {
-      const numberOfSeats = await tx.teamMember.count({
-        where: {
-          teamId,
-        },
       });
 
-      await updateSubscriptionItemQuantity({
-        priceId: team.subscription.priceId,
-        subscriptionId: team.subscription.planId,
-        quantity: numberOfSeats,
-      });
-    }
-  });
+      if (IS_BILLING_ENABLED() && team.subscription) {
+        const numberOfSeats = await tx.teamMember.count({
+          where: {
+            teamId,
+          },
+        });
+
+        await updateSubscriptionItemQuantity({
+          priceId: team.subscription.priceId,
+          subscriptionId: team.subscription.planId,
+          quantity: numberOfSeats,
+        });
+      }
+    },
+    { timeout: 30_000 },
+  );
 };

packages/lib/server-only/team/delete-team.ts

@@ -9,34 +9,37 @@ export type DeleteTeamOptions = {
 };
 
 export const deleteTeam = async ({ userId, teamId }: DeleteTeamOptions) => {
-  await prisma.$transaction(async (tx) => {
-    const team = await tx.team.findFirstOrThrow({
-      where: {
-        id: teamId,
-        ownerUserId: userId,
-      },
-      include: {
-        subscription: true,
-      },
-    });
+  await prisma.$transaction(
+    async (tx) => {
+      const team = await tx.team.findFirstOrThrow({
+        where: {
+          id: teamId,
+          ownerUserId: userId,
+        },
+        include: {
+          subscription: true,
+        },
+      });
 
-    if (team.subscription) {
-      await stripe.subscriptions
-        .cancel(team.subscription.planId, {
-          prorate: false,
-          invoice_now: true,
-        })
-        .catch((err) => {
-          console.error(err);
-          throw AppError.parseError(err);
-        });
-    }
+      if (team.subscription) {
+        await stripe.subscriptions
+          .cancel(team.subscription.planId, {
+            prorate: false,
+            invoice_now: true,
+          })
+          .catch((err) => {
+            console.error(err);
+            throw AppError.parseError(err);
+          });
+      }
 
-    await tx.team.delete({
-      where: {
-        id: teamId,
-        ownerUserId: userId,
-      },
-    });
-  });
+      await tx.team.delete({
+        where: {
+          id: teamId,
+          ownerUserId: userId,
+        },
+      });
+    },
+    { timeout: 30_000 },
+  );
 };

packages/lib/server-only/team/get-team.ts

@@ -72,8 +72,20 @@ export const getTeamByUrl = async ({ userId, teamUrl }: GetTeamByUrlOptions) =>
     where: whereFilter,
     include: {
       teamEmail: true,
-      emailVerification: true,
-      transferVerification: true,
+      emailVerification: {
+        select: {
+          expiresAt: true,
+          name: true,
+          email: true,
+        },
+      },
+      transferVerification: {
+        select: {
+          expiresAt: true,
+          name: true,
+          email: true,
+        },
+      },
       subscription: true,
       members: {
         where: {

packages/lib/server-only/team/leave-team.ts

@@ -15,45 +15,48 @@ export type LeaveTeamOptions = {
 };
 
 export const leaveTeam = async ({ userId, teamId }: LeaveTeamOptions) => {
-  await prisma.$transaction(async (tx) => {
-    const team = await tx.team.findFirstOrThrow({
-      where: {
-        id: teamId,
-        ownerUserId: {
-          not: userId,
-        },
-      },
-      include: {
-        subscription: true,
-      },
-    });
-
-    await tx.teamMember.delete({
-      where: {
-        userId_teamId: {
-          userId,
-          teamId,
-        },
-        team: {
+  await prisma.$transaction(
+    async (tx) => {
+      const team = await tx.team.findFirstOrThrow({
+        where: {
+          id: teamId,
           ownerUserId: {
             not: userId,
           },
         },
-      },
-    });
-
-    if (IS_BILLING_ENABLED && team.subscription) {
-      const numberOfSeats = await tx.teamMember.count({
-        where: {
-          teamId,
+        include: {
+          subscription: true,
         },
       });
 
-      await updateSubscriptionItemQuantity({
-        priceId: team.subscription.priceId,
-        subscriptionId: team.subscription.planId,
-        quantity: numberOfSeats,
+      await tx.teamMember.delete({
+        where: {
+          userId_teamId: {
+            userId,
+            teamId,
+          },
+          team: {
+            ownerUserId: {
+              not: userId,
+            },
+          },
+        },
       });
-    }
-  });
+
+      if (IS_BILLING_ENABLED() && team.subscription) {
+        const numberOfSeats = await tx.teamMember.count({
+          where: {
+            teamId,
+          },
+        });
+
+        await updateSubscriptionItemQuantity({
+          priceId: team.subscription.priceId,
+          subscriptionId: team.subscription.planId,
+          quantity: numberOfSeats,
+        });
+      }
+    },
+    { timeout: 30_000 },
+  );
 };

packages/lib/server-only/team/request-team-ownership-transfer.ts

@@ -44,63 +44,66 @@ export const requestTeamOwnershipTransfer = async ({
   // Todo: Clear payment methods disabled for now.
   const clearPaymentMethods = false;
 
-  await prisma.$transaction(async (tx) => {
-    const team = await tx.team.findFirstOrThrow({
-      where: {
-        id: teamId,
-        ownerUserId: userId,
-        members: {
-          some: {
-            userId: newOwnerUserId,
+  await prisma.$transaction(
+    async (tx) => {
+      const team = await tx.team.findFirstOrThrow({
+        where: {
+          id: teamId,
+          ownerUserId: userId,
+          members: {
+            some: {
+              userId: newOwnerUserId,
+            },
           },
         },
-      },
-    });
+      });
 
-    const newOwnerUser = await tx.user.findFirstOrThrow({
-      where: {
-        id: newOwnerUserId,
-      },
-    });
+      const newOwnerUser = await tx.user.findFirstOrThrow({
+        where: {
+          id: newOwnerUserId,
+        },
+      });
 
-    const { token, expiresAt } = createTokenVerification({ minute: 10 });
+      const { token, expiresAt } = createTokenVerification({ minute: 10 });
 
-    const teamVerificationPayload = {
-      teamId,
-      token,
-      expiresAt,
-      userId: newOwnerUserId,
-      name: newOwnerUser.name ?? '',
-      email: newOwnerUser.email,
-      clearPaymentMethods,
-    };
-
-    await tx.teamTransferVerification.upsert({
-      where: {
+      const teamVerificationPayload = {
         teamId,
-      },
-      create: teamVerificationPayload,
-      update: teamVerificationPayload,
-    });
+        token,
+        expiresAt,
+        userId: newOwnerUserId,
+        name: newOwnerUser.name ?? '',
+        email: newOwnerUser.email,
+        clearPaymentMethods,
+      };
 
-    const template = createElement(TeamTransferRequestTemplate, {
-      assetBaseUrl: WEBAPP_BASE_URL,
-      baseUrl: WEBAPP_BASE_URL,
-      senderName: userName,
-      teamName: team.name,
-      teamUrl: team.url,
-      token,
-    });
+      await tx.teamTransferVerification.upsert({
+        where: {
+          teamId,
+        },
+        create: teamVerificationPayload,
+        update: teamVerificationPayload,
+      });
 
-    await mailer.sendMail({
-      to: newOwnerUser.email,
-      from: {
-        name: FROM_NAME,
-        address: FROM_ADDRESS,
-      },
-      subject: `You have been requested to take ownership of team ${team.name} on Documenso`,
-      html: render(template),
-      text: render(template, { plainText: true }),
-    });
-  });
+      const template = createElement(TeamTransferRequestTemplate, {
+        assetBaseUrl: WEBAPP_BASE_URL,
+        baseUrl: WEBAPP_BASE_URL,
+        senderName: userName,
+        teamName: team.name,
+        teamUrl: team.url,
+        token,
+      });
+
+      await mailer.sendMail({
+        to: newOwnerUser.email,
+        from: {
+          name: FROM_NAME,
+          address: FROM_ADDRESS,
+        },
+        subject: `You have been requested to take ownership of team ${team.name} on Documenso`,
+        html: render(template),
+        text: render(template, { plainText: true }),
+      });
+    },
+    { timeout: 30_000 },
+  );
 };

packages/lib/server-only/team/resend-team-email-verification.ts

@@ -17,49 +17,52 @@ export const resendTeamEmailVerification = async ({
   userId,
   teamId,
 }: ResendTeamMemberInvitationOptions) => {
-  await prisma.$transaction(async (tx) => {
-    const team = await tx.team.findUniqueOrThrow({
-      where: {
-        id: teamId,
-        members: {
-          some: {
-            userId,
-            role: {
-              in: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+  await prisma.$transaction(
+    async (tx) => {
+      const team = await tx.team.findUniqueOrThrow({
+        where: {
+          id: teamId,
+          members: {
+            some: {
+              userId,
+              role: {
+                in: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+              },
             },
           },
         },
-      },
-      include: {
-        emailVerification: true,
-      },
-    });
+        include: {
+          emailVerification: true,
+        },
+      });
 
-    if (!team) {
-      throw new AppError('TeamNotFound', 'User is not a member of the team.');
-    }
+      if (!team) {
+        throw new AppError('TeamNotFound', 'User is not a member of the team.');
+      }
 
-    const { emailVerification } = team;
+      const { emailVerification } = team;
 
-    if (!emailVerification) {
-      throw new AppError(
-        'VerificationNotFound',
-        'No team email verification exists for this team.',
-      );
-    }
+      if (!emailVerification) {
+        throw new AppError(
+          'VerificationNotFound',
+          'No team email verification exists for this team.',
+        );
+      }
 
-    const { token, expiresAt } = createTokenVerification({ hours: 1 });
+      const { token, expiresAt } = createTokenVerification({ hours: 1 });
 
-    await tx.teamEmailVerification.update({
-      where: {
-        teamId,
-      },
-      data: {
-        token,
-        expiresAt,
-      },
-    });
+      await tx.teamEmailVerification.update({
+        where: {
+          teamId,
+        },
+        data: {
+          token,
+          expiresAt,
+        },
+      });
 
-    await sendTeamEmailVerificationEmail(emailVerification.email, token, team.name, team.url);
-  });
+      await sendTeamEmailVerificationEmail(emailVerification.email, token, team.name, team.url);
+    },
+    { timeout: 30_000 },
+  );
 };

packages/lib/server-only/team/resend-team-member-invitation.ts

@@ -35,42 +35,45 @@ export const resendTeamMemberInvitation = async ({
   teamId,
   invitationId,
 }: ResendTeamMemberInvitationOptions) => {
-  await prisma.$transaction(async (tx) => {
-    const team = await tx.team.findUniqueOrThrow({
-      where: {
-        id: teamId,
-        members: {
-          some: {
-            userId,
-            role: {
-              in: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+  await prisma.$transaction(
+    async (tx) => {
+      const team = await tx.team.findUniqueOrThrow({
+        where: {
+          id: teamId,
+          members: {
+            some: {
+              userId,
+              role: {
+                in: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+              },
             },
           },
         },
-      },
-    });
+      });
 
-    if (!team) {
-      throw new AppError('TeamNotFound', 'User is not a valid member of the team.');
-    }
+      if (!team) {
+        throw new AppError('TeamNotFound', 'User is not a valid member of the team.');
+      }
 
-    const teamMemberInvite = await tx.teamMemberInvite.findUniqueOrThrow({
-      where: {
-        id: invitationId,
-        teamId,
-      },
-    });
+      const teamMemberInvite = await tx.teamMemberInvite.findUniqueOrThrow({
+        where: {
+          id: invitationId,
+          teamId,
+        },
+      });
 
-    if (!teamMemberInvite) {
-      throw new AppError('InviteNotFound', 'No invite exists for this user.');
-    }
+      if (!teamMemberInvite) {
+        throw new AppError('InviteNotFound', 'No invite exists for this user.');
+      }
 
-    await sendTeamMemberInviteEmail({
-      email: teamMemberInvite.email,
-      token: teamMemberInvite.token,
-      teamName: team.name,
-      teamUrl: team.url,
-      senderName: userName,
-    });
-  });
+      await sendTeamMemberInviteEmail({
+        email: teamMemberInvite.email,
+        token: teamMemberInvite.token,
+        teamName: team.name,
+        teamUrl: team.url,
+        senderName: userName,
+      });
+    },
+    { timeout: 30_000 },
+  );
 };

packages/lib/server-only/team/transfer-team-ownership.ts

@@ -11,78 +11,81 @@ export type TransferTeamOwnershipOptions = {
 };
 
 export const transferTeamOwnership = async ({ token }: TransferTeamOwnershipOptions) => {
-  await prisma.$transaction(async (tx) => {
-    const teamTransferVerification = await tx.teamTransferVerification.findFirstOrThrow({
-      where: {
-        token,
-      },
-      include: {
-        team: {
-          include: {
-            subscription: true,
+  await prisma.$transaction(
+    async (tx) => {
+      const teamTransferVerification = await tx.teamTransferVerification.findFirstOrThrow({
+        where: {
+          token,
+        },
+        include: {
+          team: {
+            include: {
+              subscription: true,
+            },
           },
         },
-      },
-    });
-
-    const { team, userId: newOwnerUserId } = teamTransferVerification;
-
-    await tx.teamTransferVerification.delete({
-      where: {
-        teamId: team.id,
-      },
-    });
-
-    const newOwnerUser = await tx.user.findFirstOrThrow({
-      where: {
-        id: newOwnerUserId,
-        teamMembers: {
-          some: {
-            teamId: team.id,
-          },
-        },
-      },
-      include: {
-        Subscription: true,
-      },
-    });
-
-    let teamSubscription: Stripe.Subscription | null = null;
-
-    if (IS_BILLING_ENABLED) {
-      teamSubscription = await transferTeamSubscription({
-        user: newOwnerUser,
-        team,
-        clearPaymentMethods: teamTransferVerification.clearPaymentMethods,
       });
-    }
 
-    if (teamSubscription) {
-      await tx.subscription.upsert(
-        mapStripeSubscriptionToPrismaUpsertAction(teamSubscription, undefined, team.id),
-      );
-    }
+      const { team, userId: newOwnerUserId } = teamTransferVerification;
 
-    await tx.team.update({
-      where: {
-        id: team.id,
-      },
-      data: {
-        ownerUserId: newOwnerUserId,
-        members: {
-          update: {
-            where: {
-              userId_teamId: {
-                teamId: team.id,
-                userId: newOwnerUserId,
+      await tx.teamTransferVerification.delete({
+        where: {
+          teamId: team.id,
+        },
+      });
+
+      const newOwnerUser = await tx.user.findFirstOrThrow({
+        where: {
+          id: newOwnerUserId,
+          teamMembers: {
+            some: {
+              teamId: team.id,
+            },
+          },
+        },
+        include: {
+          Subscription: true,
+        },
+      });
+
+      let teamSubscription: Stripe.Subscription | null = null;
+
+      if (IS_BILLING_ENABLED()) {
+        teamSubscription = await transferTeamSubscription({
+          user: newOwnerUser,
+          team,
+          clearPaymentMethods: teamTransferVerification.clearPaymentMethods,
+        });
+      }
+
+      if (teamSubscription) {
+        await tx.subscription.upsert(
+          mapStripeSubscriptionToPrismaUpsertAction(teamSubscription, undefined, team.id),
+        );
+      }
+
+      await tx.team.update({
+        where: {
+          id: team.id,
+        },
+        data: {
+          ownerUserId: newOwnerUserId,
+          members: {
+            update: {
+              where: {
+                userId_teamId: {
+                  teamId: team.id,
+                  userId: newOwnerUserId,
+                },
+              },
+              data: {
+                role: TeamMemberRole.ADMIN,
               },
             },
-            data: {
-              role: TeamMemberRole.ADMIN,
-            },
           },
         },
-      },
-    });
-  });
+      });
+    },
+    { timeout: 30_000 },
+  );
 };

packages/lib/server-only/user/create-user.ts

@@ -53,47 +53,50 @@ export const createUser = async ({ name, email, password, signature }: CreateUse
   await Promise.allSettled(
     acceptedTeamInvites.map(async (invite) =>
       prisma
-        .$transaction(async (tx) => {
-          await tx.teamMember.create({
-            data: {
-              teamId: invite.teamId,
-              userId: user.id,
-              role: invite.role,
-            },
-          });
-
-          await tx.teamMemberInvite.delete({
-            where: {
-              id: invite.id,
-            },
-          });
-
-          if (!IS_BILLING_ENABLED) {
-            return;
-          }
-
-          const team = await tx.team.findFirstOrThrow({
-            where: {
-              id: invite.teamId,
-            },
-            include: {
-              members: {
-                select: {
-                  id: true,
-                },
+        .$transaction(
+          async (tx) => {
+            await tx.teamMember.create({
+              data: {
+                teamId: invite.teamId,
+                userId: user.id,
+                role: invite.role,
               },
-              subscription: true,
-            },
-          });
-
-          if (team.subscription) {
-            await updateSubscriptionItemQuantity({
-              priceId: team.subscription.priceId,
-              subscriptionId: team.subscription.planId,
-              quantity: team.members.length,
             });
-          }
-        })
+
+            await tx.teamMemberInvite.delete({
+              where: {
+                id: invite.id,
+              },
+            });
+
+            if (!IS_BILLING_ENABLED()) {
+              return;
+            }
+
+            const team = await tx.team.findFirstOrThrow({
+              where: {
+                id: invite.teamId,
+              },
+              include: {
+                members: {
+                  select: {
+                    id: true,
+                  },
+                },
+                subscription: true,
+              },
+            });
+
+            if (team.subscription) {
+              await updateSubscriptionItemQuantity({
+                priceId: team.subscription.priceId,
+                subscriptionId: team.subscription.planId,
+                quantity: team.members.length,
+              });
+            }
+          },
+          { timeout: 30_000 },
+        )
         .catch(async () => {
           await prisma.teamMemberInvite.update({
             where: {
@@ -108,7 +111,7 @@ export const createUser = async ({ name, email, password, signature }: CreateUse
   );
 
   // Update the user record with a new or existing Stripe customer record.
-  if (IS_BILLING_ENABLED) {
+  if (IS_BILLING_ENABLED()) {
     try {
       return await getStripeCustomerByUser(user).then((session) => session.user);
     } catch (err) {

packages/lib/server-only/user/get-most-recent-verification-token-by-user-id.ts

@@ -0,0 +1,18 @@
+import { prisma } from '@documenso/prisma';
+
+export type GetMostRecentVerificationTokenByUserIdOptions = {
+  userId: number;
+};
+
+export const getMostRecentVerificationTokenByUserId = async ({
+  userId,
+}: GetMostRecentVerificationTokenByUserIdOptions) => {
+  return await prisma.verificationToken.findFirst({
+    where: {
+      userId,
+    },
+    orderBy: {
+      createdAt: 'desc',
+    },
+  });
+};

packages/lib/server-only/user/send-confirmation-token.ts

@@ -1,13 +1,20 @@
 import crypto from 'crypto';
+import { DateTime } from 'luxon';
 
 import { prisma } from '@documenso/prisma';
 
 import { ONE_HOUR } from '../../constants/time';
 import { sendConfirmationEmail } from '../auth/send-confirmation-email';
+import { getMostRecentVerificationTokenByUserId } from './get-most-recent-verification-token-by-user-id';
 
 const IDENTIFIER = 'confirmation-email';
 
-export const sendConfirmationToken = async ({ email }: { email: string }) => {
+type SendConfirmationTokenOptions = { email: string; force?: boolean };
+
+export const sendConfirmationToken = async ({
+  email,
+  force = false,
+}: SendConfirmationTokenOptions) => {
   const token = crypto.randomBytes(20).toString('hex');
 
   const user = await prisma.user.findFirst({
@@ -20,6 +27,21 @@ export const sendConfirmationToken = async ({ email }: { email: string }) => {
     throw new Error('User not found');
   }
 
+  if (user.emailVerified) {
+    throw new Error('Email verified');
+  }
+
+  const mostRecentToken = await getMostRecentVerificationTokenByUserId({ userId: user.id });
+
+  // If we've sent a token in the last 5 minutes, don't send another one
+  if (
+    !force &&
+    mostRecentToken?.createdAt &&
+    DateTime.fromJSDate(mostRecentToken.createdAt).diffNow('minutes').minutes > -5
+  ) {
+    return;
+  }
+
   const createdToken = await prisma.verificationToken.create({
     data: {
       identifier: IDENTIFIER,
@@ -37,5 +59,11 @@ export const sendConfirmationToken = async ({ email }: { email: string }) => {
     throw new Error(`Failed to create the verification token`);
   }
 
-  return sendConfirmationEmail({ userId: user.id });
+  try {
+    await sendConfirmationEmail({ userId: user.id });
+
+    return { success: true };
+  } catch (err) {
+    throw new Error(`Failed to send the confirmation email`);
+  }
 };

packages/lib/types/document-audit-logs.ts

@@ -0,0 +1,385 @@
+/////////////////////////////////////////////////////////////////////////////////////////////
+//
+// Be aware that any changes to this file may require migrations since we are storing JSON
+// data in Prisma.
+//
+/////////////////////////////////////////////////////////////////////////////////////////////
+import { z } from 'zod';
+
+import { FieldType } from '@documenso/prisma/client';
+
+export const ZDocumentAuditLogTypeSchema = z.enum([
+  // Document actions.
+  'EMAIL_SENT',
+
+  // Document modification events.
+  'FIELD_CREATED',
+  'FIELD_DELETED',
+  'FIELD_UPDATED',
+  'RECIPIENT_CREATED',
+  'RECIPIENT_DELETED',
+  'RECIPIENT_UPDATED',
+
+  // Document events.
+  'DOCUMENT_COMPLETED', // When the document is sealed and fully completed.
+  'DOCUMENT_CREATED', // When the document is created.
+  'DOCUMENT_DELETED', // When the document is soft deleted.
+  'DOCUMENT_FIELD_INSERTED', // When a field is inserted (signed/approved/etc) by a recipient.
+  'DOCUMENT_FIELD_UNINSERTED', // When a field is uninserted by a recipient.
+  'DOCUMENT_META_UPDATED', // When the document meta data is updated.
+  'DOCUMENT_OPENED', // When the document is opened by a recipient.
+  'DOCUMENT_RECIPIENT_COMPLETED', // When a recipient completes all their required tasks for the document.
+  'DOCUMENT_SENT', // When the document transitions from DRAFT to PENDING.
+  'DOCUMENT_TITLE_UPDATED', // When the document title is updated.
+]);
+
+export const ZDocumentAuditLogEmailTypeSchema = z.enum([
+  'SIGNING_REQUEST',
+  'VIEW_REQUEST',
+  'APPROVE_REQUEST',
+  'CC',
+  'DOCUMENT_COMPLETED',
+]);
+
+export const ZDocumentMetaDiffTypeSchema = z.enum([
+  'DATE_FORMAT',
+  'MESSAGE',
+  'PASSWORD',
+  'REDIRECT_URL',
+  'SUBJECT',
+  'TIMEZONE',
+]);
+
+export const ZFieldDiffTypeSchema = z.enum(['DIMENSION', 'POSITION']);
+export const ZRecipientDiffTypeSchema = z.enum(['NAME', 'ROLE', 'EMAIL']);
+
+export const DOCUMENT_AUDIT_LOG_TYPE = ZDocumentAuditLogTypeSchema.Enum;
+export const DOCUMENT_EMAIL_TYPE = ZDocumentAuditLogEmailTypeSchema.Enum;
+export const DOCUMENT_META_DIFF_TYPE = ZDocumentMetaDiffTypeSchema.Enum;
+export const FIELD_DIFF_TYPE = ZFieldDiffTypeSchema.Enum;
+export const RECIPIENT_DIFF_TYPE = ZRecipientDiffTypeSchema.Enum;
+
+export const ZFieldDiffDimensionSchema = z.object({
+  type: z.literal(FIELD_DIFF_TYPE.DIMENSION),
+  from: z.object({
+    width: z.number(),
+    height: z.number(),
+  }),
+  to: z.object({
+    width: z.number(),
+    height: z.number(),
+  }),
+});
+
+export const ZFieldDiffPositionSchema = z.object({
+  type: z.literal(FIELD_DIFF_TYPE.POSITION),
+  from: z.object({
+    page: z.number(),
+    positionX: z.number(),
+    positionY: z.number(),
+  }),
+  to: z.object({
+    page: z.number(),
+    positionX: z.number(),
+    positionY: z.number(),
+  }),
+});
+
+export const ZDocumentAuditLogDocumentMetaSchema = z.union([
+  z.object({
+    type: z.union([
+      z.literal(DOCUMENT_META_DIFF_TYPE.DATE_FORMAT),
+      z.literal(DOCUMENT_META_DIFF_TYPE.MESSAGE),
+      z.literal(DOCUMENT_META_DIFF_TYPE.REDIRECT_URL),
+      z.literal(DOCUMENT_META_DIFF_TYPE.SUBJECT),
+      z.literal(DOCUMENT_META_DIFF_TYPE.TIMEZONE),
+    ]),
+    from: z.string().nullable(),
+    to: z.string().nullable(),
+  }),
+  z.object({
+    type: z.literal(DOCUMENT_META_DIFF_TYPE.PASSWORD),
+  }),
+]);
+
+export const ZDocumentAuditLogFieldDiffSchema = z.union([
+  ZFieldDiffDimensionSchema,
+  ZFieldDiffPositionSchema,
+]);
+
+export const ZRecipientDiffNameSchema = z.object({
+  type: z.literal(RECIPIENT_DIFF_TYPE.NAME),
+  from: z.string(),
+  to: z.string(),
+});
+
+export const ZRecipientDiffRoleSchema = z.object({
+  type: z.literal(RECIPIENT_DIFF_TYPE.ROLE),
+  from: z.string(),
+  to: z.string(),
+});
+
+export const ZRecipientDiffEmailSchema = z.object({
+  type: z.literal(RECIPIENT_DIFF_TYPE.EMAIL),
+  from: z.string(),
+  to: z.string(),
+});
+
+export const ZDocumentAuditLogRecipientDiffSchema = z.union([
+  ZRecipientDiffNameSchema,
+  ZRecipientDiffRoleSchema,
+  ZRecipientDiffEmailSchema,
+]);
+
+const ZBaseFieldEventDataSchema = z.object({
+  fieldId: z.string(), // Note: This is the secondary field ID, which will get migrated in the future.
+  fieldRecipientEmail: z.string(),
+  fieldRecipientId: z.number(),
+  fieldType: z.string(), // We specifically don't want to use enums to allow for more flexibility.
+});
+
+const ZBaseRecipientDataSchema = z.object({
+  recipientEmail: z.string(),
+  recipientName: z.string(),
+  recipientId: z.number(),
+  recipientRole: z.string(),
+});
+
+/**
+ * Event: Email sent.
+ */
+export const ZDocumentAuditLogEventEmailSentSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT),
+  data: ZBaseRecipientDataSchema.extend({
+    emailType: ZDocumentAuditLogEmailTypeSchema,
+    isResending: z.boolean(),
+  }),
+});
+
+/**
+ * Event: Document completed.
+ */
+export const ZDocumentAuditLogEventDocumentCompletedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_COMPLETED),
+  data: z.object({
+    transactionId: z.string(),
+  }),
+});
+
+/**
+ * Event: Document created.
+ */
+export const ZDocumentAuditLogEventDocumentCreatedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_CREATED),
+  data: z.object({
+    title: z.string(),
+  }),
+});
+
+/**
+ * Event: Document deleted.
+ */
+export const ZDocumentAuditLogEventDocumentDeletedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED),
+  data: z.object({
+    type: z.enum(['SOFT', 'HARD']),
+  }),
+});
+
+/**
+ * Event: Document field inserted.
+ */
+export const ZDocumentAuditLogEventDocumentFieldInsertedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_FIELD_INSERTED),
+  data: ZBaseRecipientDataSchema.extend({
+    fieldId: z.string(),
+
+    // Organised into union to allow us to extend each field if required.
+    field: z.union([
+      z.object({
+        type: z.literal(FieldType.EMAIL),
+        data: z.string(),
+      }),
+      z.object({
+        type: z.literal(FieldType.DATE),
+        data: z.string(),
+      }),
+      z.object({
+        type: z.literal(FieldType.NAME),
+        data: z.string(),
+      }),
+      z.object({
+        type: z.literal(FieldType.TEXT),
+        data: z.string(),
+      }),
+      z.object({
+        type: z.union([z.literal(FieldType.SIGNATURE), z.literal(FieldType.FREE_SIGNATURE)]),
+        data: z.string(),
+      }),
+    ]),
+
+    // Todo: Replace with union once we have more field security types.
+    fieldSecurity: z.object({
+      type: z.literal('NONE'),
+    }),
+  }),
+});
+
+/**
+ * Event: Document field uninserted.
+ */
+export const ZDocumentAuditLogEventDocumentFieldUninsertedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_FIELD_UNINSERTED),
+  data: z.object({
+    field: z.nativeEnum(FieldType),
+    fieldId: z.string(),
+  }),
+});
+
+/**
+ * Event: Document meta updated.
+ */
+export const ZDocumentAuditLogEventDocumentMetaUpdatedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_META_UPDATED),
+  data: z.object({
+    changes: z.array(ZDocumentAuditLogDocumentMetaSchema),
+  }),
+});
+
+/**
+ * Event: Document opened.
+ */
+export const ZDocumentAuditLogEventDocumentOpenedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_OPENED),
+  data: ZBaseRecipientDataSchema,
+});
+
+/**
+ * Event: Document recipient completed the document (the recipient has fully actioned and completed their required steps for the document).
+ */
+export const ZDocumentAuditLogEventDocumentRecipientCompleteSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_COMPLETED),
+  data: ZBaseRecipientDataSchema,
+});
+
+/**
+ * Event: Document sent.
+ */
+export const ZDocumentAuditLogEventDocumentSentSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_SENT),
+  data: z.object({}),
+});
+
+/**
+ * Event: Document title updated.
+ */
+export const ZDocumentAuditLogEventDocumentTitleUpdatedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_TITLE_UPDATED),
+  data: z.object({
+    from: z.string(),
+    to: z.string(),
+  }),
+});
+
+/**
+ * Event: Field created.
+ */
+export const ZDocumentAuditLogEventFieldCreatedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.FIELD_CREATED),
+  data: ZBaseFieldEventDataSchema,
+});
+
+/**
+ * Event: Field deleted.
+ */
+export const ZDocumentAuditLogEventFieldRemovedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.FIELD_DELETED),
+  data: ZBaseFieldEventDataSchema,
+});
+
+/**
+ * Event: Field updated.
+ */
+export const ZDocumentAuditLogEventFieldUpdatedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.FIELD_UPDATED),
+  data: ZBaseFieldEventDataSchema.extend({
+    changes: z.array(ZDocumentAuditLogFieldDiffSchema),
+  }),
+});
+
+/**
+ * Event: Recipient added.
+ */
+export const ZDocumentAuditLogEventRecipientAddedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_CREATED),
+  data: ZBaseRecipientDataSchema,
+});
+
+/**
+ * Event: Recipient updated.
+ */
+export const ZDocumentAuditLogEventRecipientUpdatedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_UPDATED),
+  data: ZBaseRecipientDataSchema.extend({
+    changes: z.array(ZDocumentAuditLogRecipientDiffSchema),
+  }),
+});
+
+/**
+ * Event: Recipient deleted.
+ */
+export const ZDocumentAuditLogEventRecipientRemovedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_DELETED),
+  data: ZBaseRecipientDataSchema,
+});
+
+export const ZDocumentAuditLogBaseSchema = z.object({
+  id: z.string(),
+  createdAt: z.date(),
+  documentId: z.number(),
+  name: z.string().optional().nullable(),
+  email: z.string().optional().nullable(),
+  userId: z.number().optional().nullable(),
+  userAgent: z.string().optional().nullable(),
+  ipAddress: z.string().optional().nullable(),
+});
+
+export const ZDocumentAuditLogSchema = ZDocumentAuditLogBaseSchema.and(
+  z.union([
+    ZDocumentAuditLogEventEmailSentSchema,
+    ZDocumentAuditLogEventDocumentCompletedSchema,
+    ZDocumentAuditLogEventDocumentCreatedSchema,
+    ZDocumentAuditLogEventDocumentDeletedSchema,
+    ZDocumentAuditLogEventDocumentFieldInsertedSchema,
+    ZDocumentAuditLogEventDocumentFieldUninsertedSchema,
+    ZDocumentAuditLogEventDocumentMetaUpdatedSchema,
+    ZDocumentAuditLogEventDocumentOpenedSchema,
+    ZDocumentAuditLogEventDocumentRecipientCompleteSchema,
+    ZDocumentAuditLogEventDocumentSentSchema,
+    ZDocumentAuditLogEventDocumentTitleUpdatedSchema,
+    ZDocumentAuditLogEventFieldCreatedSchema,
+    ZDocumentAuditLogEventFieldRemovedSchema,
+    ZDocumentAuditLogEventFieldUpdatedSchema,
+    ZDocumentAuditLogEventRecipientAddedSchema,
+    ZDocumentAuditLogEventRecipientUpdatedSchema,
+    ZDocumentAuditLogEventRecipientRemovedSchema,
+  ]),
+);
+
+export type TDocumentAuditLog = z.infer<typeof ZDocumentAuditLogSchema>;
+export type TDocumentAuditLogType = z.infer<typeof ZDocumentAuditLogTypeSchema>;
+
+export type TDocumentAuditLogFieldDiffSchema = z.infer<typeof ZDocumentAuditLogFieldDiffSchema>;
+
+export type TDocumentAuditLogDocumentMetaDiffSchema = z.infer<
+  typeof ZDocumentAuditLogDocumentMetaSchema
+>;
+
+export type TDocumentAuditLogRecipientDiffSchema = z.infer<
+  typeof ZDocumentAuditLogRecipientDiffSchema
+>;
+
+export type DocumentAuditLogByType<T = TDocumentAuditLog['type']> = Extract<
+  TDocumentAuditLog,
+  { type: T }
+>;

packages/lib/universal/extract-request-metadata.ts

@@ -25,10 +25,16 @@ export const extractNextApiRequestMetadata = (req: NextApiRequest): RequestMetad
 export const extractNextAuthRequestMetadata = (
   req: Pick<RequestInternal, 'body' | 'query' | 'headers' | 'method'>,
 ): RequestMetadata => {
-  const parsedIp = ZIpSchema.safeParse(req.headers?.['x-forwarded-for']);
+  return extractNextHeaderRequestMetadata(req.headers ?? {});
+};
+
+export const extractNextHeaderRequestMetadata = (
+  headers: Record<string, string>,
+): RequestMetadata => {
+  const parsedIp = ZIpSchema.safeParse(headers?.['x-forwarded-for']);
 
   const ipAddress = parsedIp.success ? parsedIp.data : undefined;
-  const userAgent = req.headers?.['user-agent'];
+  const userAgent = headers?.['user-agent'];
 
   return {
     ipAddress,

packages/lib/universal/get-base-url.ts

@@ -1,4 +1,6 @@
 /* eslint-disable turbo/no-undeclared-env-vars */
+import { NEXT_PUBLIC_WEBAPP_URL } from '../constants/app';
+
 export const getBaseUrl = () => {
   if (typeof window !== 'undefined') {
     return '';
@@ -8,8 +10,10 @@ export const getBaseUrl = () => {
     return `https://${process.env.VERCEL_URL}`;
   }
 
-  if (process.env.NEXT_PUBLIC_WEBAPP_URL) {
-    return process.env.NEXT_PUBLIC_WEBAPP_URL;
+  const webAppUrl = NEXT_PUBLIC_WEBAPP_URL();
+
+  if (webAppUrl) {
+    return webAppUrl;
   }
 
   return `http://localhost:${process.env.PORT ?? 3000}`;

packages/lib/universal/get-feature-flag.ts

@@ -22,7 +22,7 @@ export const getFlag = async (
     return LOCAL_FEATURE_FLAGS[flag] ?? true;
   }
 
-  const url = new URL(`${APP_BASE_URL}/api/feature-flag/get`);
+  const url = new URL(`${APP_BASE_URL()}/api/feature-flag/get`);
   url.searchParams.set('flag', flag);
 
   const response = await fetch(url, {
@@ -55,7 +55,7 @@ export const getAllFlags = async (
     return LOCAL_FEATURE_FLAGS;
   }
 
-  const url = new URL(`${APP_BASE_URL}/api/feature-flag/all`);
+  const url = new URL(`${APP_BASE_URL()}/api/feature-flag/all`);
 
   return fetch(url, {
     headers: {
@@ -80,7 +80,7 @@ export const getAllAnonymousFlags = async (): Promise<Record<string, TFeatureFla
     return LOCAL_FEATURE_FLAGS;
   }
 
-  const url = new URL(`${APP_BASE_URL}/api/feature-flag/all`);
+  const url = new URL(`${APP_BASE_URL()}/api/feature-flag/all`);
 
   return fetch(url, {
     next: {

packages/lib/universal/upload/put-file.ts

@@ -1,4 +1,5 @@
 import { base64 } from '@scure/base';
+import { env } from 'next-runtime-env';
 import { match } from 'ts-pattern';
 
 import { DocumentDataType } from '@documenso/prisma/client';
@@ -12,7 +13,9 @@ type File = {
 };
 
 export const putFile = async (file: File) => {
-  const { type, data } = await match(process.env.NEXT_PUBLIC_UPLOAD_TRANSPORT)
+  const NEXT_PUBLIC_UPLOAD_TRANSPORT = env('NEXT_PUBLIC_UPLOAD_TRANSPORT');
+
+  const { type, data } = await match(NEXT_PUBLIC_UPLOAD_TRANSPORT)
     .with('s3', async () => putFileInS3(file))
     .otherwise(async () => putFileInDatabase(file));
 

packages/lib/universal/upload/server-actions.ts

@@ -11,6 +11,7 @@ import {
 } from '@aws-sdk/client-s3';
 import slugify from '@sindresorhus/slugify';
 import { type JWT, getToken } from 'next-auth/jwt';
+import { env } from 'next-runtime-env';
 import path from 'node:path';
 
 import { APP_BASE_URL } from '../../constants/app';
@@ -25,8 +26,10 @@ export const getPresignPostUrl = async (fileName: string, contentType: string) =
   let token: JWT | null = null;
 
   try {
+    const baseUrl = APP_BASE_URL() ?? 'http://localhost:3000';
+
     token = await getToken({
-      req: new NextRequest(APP_BASE_URL ?? 'http://localhost:3000', {
+      req: new NextRequest(baseUrl, {
         headers: headers(),
       }),
     });
@@ -117,7 +120,9 @@ export const deleteS3File = async (key: string) => {
 };
 
 const getS3Client = () => {
-  if (process.env.NEXT_PUBLIC_UPLOAD_TRANSPORT !== 's3') {
+  const NEXT_PUBLIC_UPLOAD_TRANSPORT = env('NEXT_PUBLIC_UPLOAD_TRANSPORT');
+
+  if (NEXT_PUBLIC_UPLOAD_TRANSPORT !== 's3') {
     throw new Error('Invalid upload transport');
   }
 

packages/lib/utils/billing.ts

@@ -2,15 +2,14 @@ import type { Subscription } from '.prisma/client';
 import { SubscriptionStatus } from '.prisma/client';
 
 /**
- * Returns true if there is a subscription that is active and is a community plan.
+ * Returns true if there is a subscription that is active and is one of the provided price IDs.
  */
-export const subscriptionsContainsActiveCommunityPlan = (
+export const subscriptionsContainsActivePlan = (
   subscriptions: Subscription[],
-  communityPlanPriceIds: string[],
+  priceIds: string[],
 ) => {
   return subscriptions.some(
     (subscription) =>
-      subscription.status === SubscriptionStatus.ACTIVE &&
-      communityPlanPriceIds.includes(subscription.priceId),
+      subscription.status === SubscriptionStatus.ACTIVE && priceIds.includes(subscription.priceId),
   );
 };

packages/lib/utils/document-audit-logs.ts

@@ -0,0 +1,327 @@
+import { match } from 'ts-pattern';
+
+import type {
+  DocumentAuditLog,
+  DocumentMeta,
+  Field,
+  Recipient,
+  RecipientRole,
+} from '@documenso/prisma/client';
+
+import { RECIPIENT_ROLES_DESCRIPTION } from '../constants/recipient-roles';
+import type {
+  TDocumentAuditLog,
+  TDocumentAuditLogDocumentMetaDiffSchema,
+  TDocumentAuditLogFieldDiffSchema,
+  TDocumentAuditLogRecipientDiffSchema,
+} from '../types/document-audit-logs';
+import {
+  DOCUMENT_AUDIT_LOG_TYPE,
+  DOCUMENT_META_DIFF_TYPE,
+  FIELD_DIFF_TYPE,
+  RECIPIENT_DIFF_TYPE,
+  ZDocumentAuditLogSchema,
+} from '../types/document-audit-logs';
+import type { RequestMetadata } from '../universal/extract-request-metadata';
+
+type CreateDocumentAuditLogDataOptions<T = TDocumentAuditLog['type']> = {
+  documentId: number;
+  type: T;
+  data: Extract<TDocumentAuditLog, { type: T }>['data'];
+  user: { email?: string; id?: number | null; name?: string | null } | null;
+  requestMetadata?: RequestMetadata;
+};
+
+type CreateDocumentAuditLogDataResponse = Pick<
+  DocumentAuditLog,
+  'type' | 'ipAddress' | 'userAgent' | 'email' | 'userId' | 'name' | 'documentId'
+> & {
+  data: TDocumentAuditLog['data'];
+};
+
+export const createDocumentAuditLogData = ({
+  documentId,
+  type,
+  data,
+  user,
+  requestMetadata,
+}: CreateDocumentAuditLogDataOptions): CreateDocumentAuditLogDataResponse => {
+  return {
+    type,
+    data,
+    documentId,
+    userId: user?.id ?? null,
+    email: user?.email ?? null,
+    name: user?.name ?? null,
+    userAgent: requestMetadata?.userAgent ?? null,
+    ipAddress: requestMetadata?.ipAddress ?? null,
+  };
+};
+
+/**
+ * Parse a raw document audit log from Prisma, to a typed audit log.
+ *
+ * @param auditLog raw audit log from Prisma.
+ */
+export const parseDocumentAuditLogData = (auditLog: DocumentAuditLog): TDocumentAuditLog => {
+  const data = ZDocumentAuditLogSchema.safeParse(auditLog);
+
+  // Handle any required migrations here.
+  if (!data.success) {
+    console.error(data.error);
+    throw new Error('Migration required');
+  }
+
+  return data.data;
+};
+
+type PartialRecipient = Pick<Recipient, 'email' | 'name' | 'role'>;
+
+export const diffRecipientChanges = (
+  oldRecipient: PartialRecipient,
+  newRecipient: PartialRecipient,
+): TDocumentAuditLogRecipientDiffSchema[] => {
+  const diffs: TDocumentAuditLogRecipientDiffSchema[] = [];
+
+  if (oldRecipient.email !== newRecipient.email) {
+    diffs.push({
+      type: RECIPIENT_DIFF_TYPE.EMAIL,
+      from: oldRecipient.email,
+      to: newRecipient.email,
+    });
+  }
+
+  if (oldRecipient.role !== newRecipient.role) {
+    diffs.push({
+      type: RECIPIENT_DIFF_TYPE.ROLE,
+      from: oldRecipient.role,
+      to: newRecipient.role,
+    });
+  }
+
+  if (oldRecipient.name !== newRecipient.name) {
+    diffs.push({
+      type: RECIPIENT_DIFF_TYPE.NAME,
+      from: oldRecipient.name,
+      to: newRecipient.name,
+    });
+  }
+
+  return diffs;
+};
+
+export const diffFieldChanges = (
+  oldField: Field,
+  newField: Field,
+): TDocumentAuditLogFieldDiffSchema[] => {
+  const diffs: TDocumentAuditLogFieldDiffSchema[] = [];
+
+  if (
+    oldField.page !== newField.page ||
+    !oldField.positionX.equals(newField.positionX) ||
+    !oldField.positionY.equals(newField.positionY)
+  ) {
+    diffs.push({
+      type: FIELD_DIFF_TYPE.POSITION,
+      from: {
+        page: oldField.page,
+        positionX: oldField.positionX.toNumber(),
+        positionY: oldField.positionY.toNumber(),
+      },
+      to: {
+        page: newField.page,
+        positionX: newField.positionX.toNumber(),
+        positionY: newField.positionY.toNumber(),
+      },
+    });
+  }
+
+  if (!oldField.width.equals(newField.width) || !oldField.height.equals(newField.height)) {
+    diffs.push({
+      type: FIELD_DIFF_TYPE.DIMENSION,
+      from: {
+        width: oldField.width.toNumber(),
+        height: oldField.height.toNumber(),
+      },
+      to: {
+        width: newField.width.toNumber(),
+        height: newField.height.toNumber(),
+      },
+    });
+  }
+
+  return diffs;
+};
+
+export const diffDocumentMetaChanges = (
+  oldData: Partial<DocumentMeta> = {},
+  newData: DocumentMeta,
+): TDocumentAuditLogDocumentMetaDiffSchema[] => {
+  const diffs: TDocumentAuditLogDocumentMetaDiffSchema[] = [];
+
+  const oldDateFormat = oldData?.dateFormat ?? '';
+  const oldMessage = oldData?.message ?? '';
+  const oldSubject = oldData?.subject ?? '';
+  const oldTimezone = oldData?.timezone ?? '';
+  const oldPassword = oldData?.password ?? null;
+  const oldRedirectUrl = oldData?.redirectUrl ?? '';
+
+  if (oldDateFormat !== newData.dateFormat) {
+    diffs.push({
+      type: DOCUMENT_META_DIFF_TYPE.DATE_FORMAT,
+      from: oldData?.dateFormat ?? '',
+      to: newData.dateFormat,
+    });
+  }
+
+  if (oldMessage !== newData.message) {
+    diffs.push({
+      type: DOCUMENT_META_DIFF_TYPE.MESSAGE,
+      from: oldMessage,
+      to: newData.message,
+    });
+  }
+
+  if (oldSubject !== newData.subject) {
+    diffs.push({
+      type: DOCUMENT_META_DIFF_TYPE.SUBJECT,
+      from: oldSubject,
+      to: newData.subject,
+    });
+  }
+
+  if (oldTimezone !== newData.timezone) {
+    diffs.push({
+      type: DOCUMENT_META_DIFF_TYPE.TIMEZONE,
+      from: oldTimezone,
+      to: newData.timezone,
+    });
+  }
+
+  if (oldRedirectUrl !== newData.redirectUrl) {
+    diffs.push({
+      type: DOCUMENT_META_DIFF_TYPE.REDIRECT_URL,
+      from: oldRedirectUrl,
+      to: newData.redirectUrl,
+    });
+  }
+
+  if (oldPassword !== newData.password) {
+    diffs.push({
+      type: DOCUMENT_META_DIFF_TYPE.PASSWORD,
+    });
+  }
+
+  return diffs;
+};
+
+/**
+ * Formats the audit log into a description of the action.
+ *
+ * Provide a userId to prefix the action with the user, example 'X did Y'.
+ */
+export const formatDocumentAuditLogActionString = (
+  auditLog: TDocumentAuditLog,
+  userId?: number,
+) => {
+  const { prefix, description } = formatDocumentAuditLogAction(auditLog, userId);
+
+  return prefix ? `${prefix} ${description}` : description;
+};
+
+/**
+ * Formats the audit log into a description of the action.
+ *
+ * Provide a userId to prefix the action with the user, example 'X did Y'.
+ */
+export const formatDocumentAuditLogAction = (auditLog: TDocumentAuditLog, userId?: number) => {
+  let prefix = userId === auditLog.userId ? 'You' : auditLog.name || auditLog.email || '';
+
+  const description = match(auditLog)
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.FIELD_CREATED }, () => ({
+      anonymous: 'A field was added',
+      identified: 'added a field',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.FIELD_DELETED }, () => ({
+      anonymous: 'A field was removed',
+      identified: 'removed a field',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.FIELD_UPDATED }, () => ({
+      anonymous: 'A field was updated',
+      identified: 'updated a field',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_CREATED }, () => ({
+      anonymous: 'A recipient was added',
+      identified: 'added a recipient',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_DELETED }, () => ({
+      anonymous: 'A recipient was removed',
+      identified: 'removed a recipient',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_UPDATED }, () => ({
+      anonymous: 'A recipient was updated',
+      identified: 'updated a recipient',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_CREATED }, () => ({
+      anonymous: 'Document created',
+      identified: 'created the document',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED }, () => ({
+      anonymous: 'Document deleted',
+      identified: 'deleted the document',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_FIELD_INSERTED }, () => ({
+      anonymous: 'Field signed',
+      identified: 'signed a field',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_FIELD_UNINSERTED }, () => ({
+      anonymous: 'Field unsigned',
+      identified: 'unsigned a field',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_META_UPDATED }, () => ({
+      anonymous: 'Document updated',
+      identified: 'updated the document',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_OPENED }, () => ({
+      anonymous: 'Document opened',
+      identified: 'opened the document',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_TITLE_UPDATED }, () => ({
+      anonymous: 'Document title updated',
+      identified: 'updated the document title',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_SENT }, () => ({
+      anonymous: 'Document sent',
+      identified: 'sent the document',
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_COMPLETED }, ({ data }) => {
+      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+      const action = RECIPIENT_ROLES_DESCRIPTION[data.recipientRole as RecipientRole]?.actioned;
+
+      const value = action ? `${action.toLowerCase()} the document` : 'completed their task';
+
+      return {
+        anonymous: `Recipient ${value}`,
+        identified: value,
+      };
+    })
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT }, ({ data }) => ({
+      anonymous: `Email ${data.isResending ? 'resent' : 'sent'}`,
+      identified: `${data.isResending ? 'resent' : 'sent'} an email`,
+    }))
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_COMPLETED }, () => {
+      // Clear the prefix since this should be considered an 'anonymous' event.
+      prefix = '';
+
+      return {
+        anonymous: 'Document completed',
+        identified: 'Document completed',
+      };
+    })
+    .exhaustive();
+
+  return {
+    prefix,
+    description: prefix ? description.identified : description.anonymous,
+  };
+};

packages/prisma/migrations/20240209023519_add_document_audit_logs/migration.sql

@@ -0,0 +1,37 @@
+/*
+  Warnings:
+
+  - A unique constraint covering the columns `[secondaryId]` on the table `Field` will be added. If there are existing duplicate values, this will fail.
+  - The required column `secondaryId` was added to the `Field` table with a prisma-level default value. This is not possible if the table is not empty. Please add this column as optional, then populate it before making it required.
+
+*/
+-- AlterTable
+ALTER TABLE "Field" ADD COLUMN     "secondaryId" TEXT;
+
+-- Set all null secondaryId fields to a uuid
+UPDATE "Field" SET "secondaryId" = gen_random_uuid()::text WHERE "secondaryId" IS NULL;
+
+-- Restrict the Field to required
+ALTER TABLE "Field" ALTER COLUMN "secondaryId" SET NOT NULL;
+
+-- CreateTable
+CREATE TABLE "DocumentAuditLog" (
+    "id" TEXT NOT NULL,
+    "documentId" INTEGER NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "type" TEXT NOT NULL,
+    "data" JSONB NOT NULL,
+    "name" TEXT,
+    "email" TEXT,
+    "userId" INTEGER,
+    "userAgent" TEXT,
+    "ipAddress" TEXT,
+
+    CONSTRAINT "DocumentAuditLog_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Field_secondaryId_key" ON "Field"("secondaryId");
+
+-- AddForeignKey
+ALTER TABLE "DocumentAuditLog" ADD CONSTRAINT "DocumentAuditLog_documentId_fkey" FOREIGN KEY ("documentId") REFERENCES "Document"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/prisma/schema.prisma

@@ -170,11 +170,30 @@ model Document {
   teamId         Int?
   team           Team?               @relation(fields: [teamId], references: [id])
 
+  auditLogs DocumentAuditLog[]
+
   @@unique([documentDataId])
   @@index([userId])
   @@index([status])
 }
 
+model DocumentAuditLog {
+  id         String   @id @default(cuid())
+  documentId Int
+  createdAt  DateTime @default(now())
+  type       String
+  data       Json
+
+  // Details of the person who performed the action which caused the audit log.
+  name      String?
+  email     String?
+  userId    Int?
+  userAgent String?
+  ipAddress String?
+
+  Document Document @relation(fields: [documentId], references: [id], onDelete: Cascade)
+}
+
 enum DocumentDataType {
   S3_PATH
   BYTES
@@ -260,6 +279,7 @@ enum FieldType {
 
 model Field {
   id          Int        @id @default(autoincrement())
+  secondaryId String     @unique @default(cuid())
   documentId  Int?
   templateId  Int?
   recipientId Int?

packages/prisma/seed/users.ts

@@ -32,3 +32,22 @@ export const unseedUser = async (userId: number) => {
     },
   });
 };
+
+export const unseedUserByEmail = async (email: string) => {
+  await prisma.user.delete({
+    where: {
+      email,
+    },
+  });
+};
+
+export const extractUserVerificationToken = async (email: string) => {
+  return await prisma.verificationToken.findFirstOrThrow({
+    where: {
+      identifier: 'confirmation-email',
+      user: {
+        email,
+      },
+    },
+  });
+};

packages/trpc/server/auth-router/router.ts

@@ -1,4 +1,5 @@
 import { TRPCError } from '@trpc/server';
+import { env } from 'next-runtime-env';
 
 import { ErrorCode } from '@documenso/lib/next-auth/error-codes';
 import { compareSync } from '@documenso/lib/server-only/auth/hash';
@@ -8,10 +9,12 @@ import { sendConfirmationToken } from '@documenso/lib/server-only/user/send-conf
 import { authenticatedProcedure, procedure, router } from '../trpc';
 import { ZSignUpMutationSchema, ZVerifyPasswordMutationSchema } from './schema';
 
+const NEXT_PUBLIC_DISABLE_SIGNUP = () => env('NEXT_PUBLIC_DISABLE_SIGNUP');
+
 export const authRouter = router({
   signup: procedure.input(ZSignUpMutationSchema).mutation(async ({ input }) => {
     try {
-      if (process.env.NEXT_PUBLIC_DISABLE_SIGNUP === 'true') {
+      if (NEXT_PUBLIC_DISABLE_SIGNUP() === 'true') {
         throw new TRPCError({
           code: 'BAD_REQUEST',
           message: 'Signups are disabled.',

packages/trpc/server/document-router/router.ts

@@ -6,6 +6,7 @@ import { upsertDocumentMeta } from '@documenso/lib/server-only/document-meta/ups
 import { createDocument } from '@documenso/lib/server-only/document/create-document';
 import { deleteDocument } from '@documenso/lib/server-only/document/delete-document';
 import { duplicateDocumentById } from '@documenso/lib/server-only/document/duplicate-document-by-id';
+import { findDocumentAuditLogs } from '@documenso/lib/server-only/document/find-document-audit-logs';
 import { getDocumentById } from '@documenso/lib/server-only/document/get-document-by-id';
 import { getDocumentAndSenderByToken } from '@documenso/lib/server-only/document/get-document-by-token';
 import { resendDocument } from '@documenso/lib/server-only/document/resend-document';
@@ -15,11 +16,13 @@ import { updateTitle } from '@documenso/lib/server-only/document/update-title';
 import { setFieldsForDocument } from '@documenso/lib/server-only/field/set-fields-for-document';
 import { setRecipientsForDocument } from '@documenso/lib/server-only/recipient/set-recipients-for-document';
 import { symmetricEncrypt } from '@documenso/lib/universal/crypto';
+import { extractNextApiRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 
 import { authenticatedProcedure, procedure, router } from '../trpc';
 import {
   ZCreateDocumentMutationSchema,
   ZDeleteDraftDocumentMutationSchema,
+  ZFindDocumentAuditLogsQuerySchema,
   ZGetDocumentByIdQuerySchema,
   ZGetDocumentByTokenQuerySchema,
   ZResendDocumentMutationSchema,
@@ -88,6 +91,7 @@ export const documentRouter = router({
           teamId,
           title,
           documentDataId,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         if (err instanceof TRPCError) {
@@ -109,7 +113,12 @@ export const documentRouter = router({
 
         const userId = ctx.user.id;
 
-        return await deleteDocument({ id, userId, status });
+        return await deleteDocument({
+          id,
+          userId,
+          status,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
+        });
       } catch (err) {
         console.error(err);
 
@@ -120,6 +129,31 @@ export const documentRouter = router({
       }
     }),
 
+  findDocumentAuditLogs: authenticatedProcedure
+    .input(ZFindDocumentAuditLogsQuerySchema)
+    .query(async ({ input, ctx }) => {
+      try {
+        const { page, perPage, documentId, cursor, filterForRecentActivity, orderBy } = input;
+
+        return await findDocumentAuditLogs({
+          page,
+          perPage,
+          documentId,
+          cursor,
+          filterForRecentActivity,
+          orderBy,
+          userId: ctx.user.id,
+        });
+      } catch (err) {
+        console.error(err);
+
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: 'We were unable to find audit logs for this document. Please try again later.',
+        });
+      }
+    }),
+
   setTitleForDocument: authenticatedProcedure
     .input(ZSetTitleForDocumentMutationSchema)
     .mutation(async ({ input, ctx }) => {
@@ -131,6 +165,7 @@ export const documentRouter = router({
         title,
         userId,
         documentId,
+        requestMetadata: extractNextApiRequestMetadata(ctx.req),
       });
     }),
 
@@ -144,6 +179,7 @@ export const documentRouter = router({
           userId: ctx.user.id,
           documentId,
           recipients,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);
@@ -166,6 +202,7 @@ export const documentRouter = router({
           userId: ctx.user.id,
           documentId,
           fields,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);
@@ -198,6 +235,7 @@ export const documentRouter = router({
           documentId,
           password: securePassword,
           userId: ctx.user.id,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);
@@ -224,12 +262,14 @@ export const documentRouter = router({
             timezone: meta.timezone,
             redirectUrl: meta.redirectUrl,
             userId: ctx.user.id,
+            requestMetadata: extractNextApiRequestMetadata(ctx.req),
           });
         }
 
         return await sendDocument({
           userId: ctx.user.id,
           documentId,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);
@@ -248,6 +288,7 @@ export const documentRouter = router({
         return await resendDocument({
           userId: ctx.user.id,
           ...input,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);

packages/trpc/server/document-router/schema.ts

@@ -1,8 +1,21 @@
 import { z } from 'zod';
 
 import { URL_REGEX } from '@documenso/lib/constants/url-regex';
+import { ZBaseTableSearchParamsSchema } from '@documenso/lib/types/search-params';
 import { DocumentStatus, FieldType, RecipientRole } from '@documenso/prisma/client';
 
+export const ZFindDocumentAuditLogsQuerySchema = ZBaseTableSearchParamsSchema.extend({
+  documentId: z.number().min(1),
+  cursor: z.string().optional(),
+  filterForRecentActivity: z.boolean().optional(),
+  orderBy: z
+    .object({
+      column: z.enum(['createdAt', 'type']),
+      direction: z.enum(['asc', 'desc']),
+    })
+    .optional(),
+});
+
 export const ZGetDocumentByIdQuerySchema = z.object({
   id: z.number().min(1),
   teamId: z.number().min(1).optional(),
@@ -77,7 +90,7 @@ export const ZSendDocumentMutationSchema = z.object({
     redirectUrl: z
       .string()
       .optional()
-      .refine((value) => value === undefined || URL_REGEX.test(value), {
+      .refine((value) => value === undefined || value === '' || URL_REGEX.test(value), {
         message: 'Please enter a valid URL',
       }),
   }),

packages/trpc/server/field-router/router.ts

@@ -4,6 +4,7 @@ import { removeSignedFieldWithToken } from '@documenso/lib/server-only/field/rem
 import { setFieldsForDocument } from '@documenso/lib/server-only/field/set-fields-for-document';
 import { setFieldsForTemplate } from '@documenso/lib/server-only/field/set-fields-for-template';
 import { signFieldWithToken } from '@documenso/lib/server-only/field/sign-field-with-token';
+import { extractNextApiRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 
 import { authenticatedProcedure, procedure, router } from '../trpc';
 import {
@@ -33,6 +34,7 @@ export const fieldRouter = router({
             pageWidth: field.pageWidth,
             pageHeight: field.pageHeight,
           })),
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);
@@ -67,7 +69,7 @@ export const fieldRouter = router({
 
   signFieldWithToken: procedure
     .input(ZSignFieldWithTokenMutationSchema)
-    .mutation(async ({ input }) => {
+    .mutation(async ({ input, ctx }) => {
       try {
         const { token, fieldId, value, isBase64 } = input;
 
@@ -76,6 +78,7 @@ export const fieldRouter = router({
           fieldId,
           value,
           isBase64,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);
@@ -89,13 +92,14 @@ export const fieldRouter = router({
 
   removeSignedFieldWithToken: procedure
     .input(ZRemovedSignedFieldWithTokenMutationSchema)
-    .mutation(async ({ input }) => {
+    .mutation(async ({ input, ctx }) => {
       try {
         const { token, fieldId } = input;
 
         return await removeSignedFieldWithToken({
           token,
           fieldId,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);

packages/trpc/server/profile-router/router.ts

@@ -141,7 +141,7 @@ export const profileRouter = router({
       try {
         const { email } = input;
 
-        return sendConfirmationToken({ email });
+        return await sendConfirmationToken({ email });
       } catch (err) {
         let message = 'We were unable to send a confirmation email. Please try again.';
 

packages/trpc/server/recipient-router/router.ts

@@ -3,6 +3,7 @@ import { TRPCError } from '@trpc/server';
 import { completeDocumentWithToken } from '@documenso/lib/server-only/document/complete-document-with-token';
 import { setRecipientsForDocument } from '@documenso/lib/server-only/recipient/set-recipients-for-document';
 import { setRecipientsForTemplate } from '@documenso/lib/server-only/recipient/set-recipients-for-template';
+import { extractNextApiRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 
 import { authenticatedProcedure, procedure, router } from '../trpc';
 import {
@@ -27,6 +28,7 @@ export const recipientRouter = router({
             name: signer.name,
             role: signer.role,
           })),
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);
@@ -65,13 +67,14 @@ export const recipientRouter = router({
 
   completeDocumentWithToken: procedure
     .input(ZCompleteDocumentWithTokenMutationSchema)
-    .mutation(async ({ input }) => {
+    .mutation(async ({ input, ctx }) => {
       try {
         const { token, documentId } = input;
 
         return await completeDocumentWithToken({
           token,
           documentId,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);

packages/trpc/server/singleplayer-router/router.ts

@@ -5,6 +5,7 @@ import { PDFDocument } from 'pdf-lib';
 import { mailer } from '@documenso/email/mailer';
 import { renderAsync } from '@documenso/email/render';
 import { DocumentSelfSignedEmailTemplate } from '@documenso/email/templates/document-self-signed';
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
 import { FROM_ADDRESS, FROM_NAME, SERVICE_USER_EMAIL } from '@documenso/lib/constants/email';
 import { insertFieldInPDF } from '@documenso/lib/server-only/pdf/insert-field-in-pdf';
 import { alphaid } from '@documenso/lib/universal/id';
@@ -62,6 +63,7 @@ export const singleplayerRouter = router({
             : null,
           // Dummy data.
           id: -1,
+          secondaryId: '-1',
           documentId: -1,
           templateId: null,
           recipientId: -1,
@@ -148,7 +150,7 @@ export const singleplayerRouter = router({
 
       const template = createElement(DocumentSelfSignedEmailTemplate, {
         documentName: documentName,
-        assetBaseUrl: process.env.NEXT_PUBLIC_WEBAPP_URL || 'http://localhost:3000',
+        assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000',
       });
 
       const [html, text] = await Promise.all([

packages/trpc/server/team-router/schema.ts

@@ -3,10 +3,11 @@ import { z } from 'zod';
 import { PROTECTED_TEAM_URLS } from '@documenso/lib/constants/teams';
 import { TeamMemberRole } from '@documenso/prisma/client';
 
+// Consider refactoring to use ZBaseTableSearchParamsSchema.
 const GenericFindQuerySchema = z.object({
   term: z.string().optional(),
-  page: z.number().optional(),
-  perPage: z.number().optional(),
+  page: z.number().min(1).optional(),
+  perPage: z.number().min(1).optional(),
 });
 
 /**

packages/ui/components/document/document-share-button.tsx

@@ -7,6 +7,7 @@ import { Copy, Sparkles } from 'lucide-react';
 import { FaXTwitter } from 'react-icons/fa6';
 
 import { useCopyShareLink } from '@documenso/lib/client-only/hooks/use-copy-share-link';
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
 import {
   TOAST_DOCUMENT_SHARE_ERROR,
   TOAST_DOCUMENT_SHARE_SUCCESS,
@@ -68,7 +69,7 @@ export const DocumentShareButton = ({
 
   const onCopyClick = async () => {
     if (shareLink) {
-      await copyShareLink(`${process.env.NEXT_PUBLIC_WEBAPP_URL}/share/${shareLink.slug}`);
+      await copyShareLink(`${NEXT_PUBLIC_WEBAPP_URL()}/share/${shareLink.slug}`);
     } else {
       await createAndCopyShareLink({
         token,
@@ -92,7 +93,7 @@ export const DocumentShareButton = ({
     }
 
     // Ensuring we've prewarmed the opengraph image for the Twitter
-    await fetch(`${process.env.NEXT_PUBLIC_WEBAPP_URL}/share/${slug}/opengraph`, {
+    await fetch(`${NEXT_PUBLIC_WEBAPP_URL()}/share/${slug}/opengraph`, {
       // We don't care about the response, so we can use no-cors
       mode: 'no-cors',
     });
@@ -100,7 +101,7 @@ export const DocumentShareButton = ({
     window.open(
       generateTwitterIntent(
         `I just ${token ? 'signed' : 'sent'} a document in style with @documenso. Check it out!`,
-        `${process.env.NEXT_PUBLIC_WEBAPP_URL}/share/${slug}`,
+        `${NEXT_PUBLIC_WEBAPP_URL()}/share/${slug}`,
       ),
       '_blank',
     );
@@ -148,7 +149,7 @@ export const DocumentShareButton = ({
                 'animate-pulse': !shareLink?.slug,
               })}
             >
-              {process.env.NEXT_PUBLIC_WEBAPP_URL}/share/{shareLink?.slug || '...'}
+              {NEXT_PUBLIC_WEBAPP_URL()}/share/{shareLink?.slug || '...'}
             </span>
             <div
               className={cn(
@@ -160,7 +161,7 @@ export const DocumentShareButton = ({
             >
               {shareLink?.slug && (
                 <img
-                  src={`${process.env.NEXT_PUBLIC_WEBAPP_URL}/share/${shareLink.slug}/opengraph`}
+                  src={`${NEXT_PUBLIC_WEBAPP_URL()}/share/${shareLink.slug}/opengraph`}
                   alt="sharing link"
                   className="h-full w-full object-cover"
                 />

packages/ui/primitives/badge.tsx

@@ -6,16 +6,20 @@ import { cva } from 'class-variance-authority';
 import { cn } from '../lib/utils';
 
 const badgeVariants = cva(
-  'inline-flex items-center border rounded-full px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2',
+  'inline-flex items-center rounded-md px-2 py-1.5 text-xs font-medium ring-1 ring-inset w-fit',
   {
     variants: {
       variant: {
-        default: 'bg-primary hover:bg-primary/80 border-transparent text-primary-foreground',
-        secondary:
-          'bg-secondary hover:bg-secondary/80 border-transparent text-secondary-foreground',
+        neutral:
+          'bg-gray-50 text-gray-600 ring-gray-500/10 dark:bg-gray-400/10 dark:text-gray-400 dark:ring-gray-400/20',
         destructive:
-          'bg-destructive hover:bg-destructive/80 border-transparent text-destructive-foreground',
-        outline: 'text-foreground',
+          'bg-red-50 text-red-700 ring-red-600/10 dark:bg-red-400/10 dark:text-red-400 dark:ring-red-400/20',
+        warning:
+          'bg-yellow-50 text-yellow-800 ring-yellow-600/20 dark:bg-yellow-400/10 dark:text-yellow-500 dark:ring-yellow-400/20',
+        default:
+          'bg-green-50 text-green-700 ring-green-600/20 dark:bg-green-500/10 dark:text-green-400 dark:ring-green-500/20',
+        secondary:
+          'bg-blue-50 text-blue-700 ring-blue-700/10 dark:bg-blue-400/10 dark:text-blue-400 dark:ring-blue-400/30',
       },
     },
     defaultVariants: {

packages/ui/primitives/command.tsx

@@ -121,7 +121,7 @@ const CommandItem = React.forwardRef<
   <CommandPrimitive.Item
     ref={ref}
     className={cn(
-      'aria-selected:bg-accent aria-selected:text-accent-foreground relative flex cursor-default select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50',
+      'hover:bg-accent hover:text-accent-foreground aria-selected:bg-accent aria-selected:text-accent-foreground relative flex cursor-default select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50',
       className,
     )}
     {...props}

packages/ui/primitives/document-flow/add-fields.tsx

@@ -383,7 +383,7 @@ export const AddFieldsFormPartial = ({
               </PopoverTrigger>
 
               <PopoverContent className="p-0" align="start">
-                <Command>
+                <Command value={selectedSigner?.email}>
                   <CommandInput />
 
                   <CommandEmpty>

packages/ui/primitives/document-flow/add-subject.types.ts

@@ -13,7 +13,7 @@ export const ZAddSubjectFormSchema = z.object({
     redirectUrl: z
       .string()
       .optional()
-      .refine((value) => value === undefined || URL_REGEX.test(value), {
+      .refine((value) => value === undefined || value === '' || URL_REGEX.test(value), {
         message: 'Please enter a valid URL',
       }),
   }),

packages/ui/primitives/pdf-viewer.tsx

@@ -233,18 +233,20 @@ export const PDFViewer = ({
             {Array(numPages)
               .fill(null)
               .map((_, i) => (
-                <div
-                  key={i}
-                  className="border-border my-8 overflow-hidden rounded border will-change-transform first:mt-0 last:mb-0"
-                >
-                  <PDFPage
-                    pageNumber={i + 1}
-                    width={width}
-                    renderAnnotationLayer={false}
-                    renderTextLayer={false}
-                    loading={() => ''}
-                    onClick={(e) => onDocumentPageClick(e, i + 1)}
-                  />
+                <div key={i} className="last:-mb-2">
+                  <div className="border-border overflow-hidden rounded border will-change-transform">
+                    <PDFPage
+                      pageNumber={i + 1}
+                      width={width}
+                      renderAnnotationLayer={false}
+                      renderTextLayer={false}
+                      loading={() => ''}
+                      onClick={(e) => onDocumentPageClick(e, i + 1)}
+                    />
+                  </div>
+                  <p className="text-muted-foreground/80 my-2 text-center text-[11px]">
+                    Page {i + 1} of {numPages}
+                  </p>
                 </div>
               ))}
           </PDFDocument>

packages/ui/primitives/sheet.tsx

@@ -143,14 +143,17 @@ const sheetVariants = cva(
 
 export interface DialogContentProps
   extends React.ComponentPropsWithoutRef<typeof SheetPrimitive.Content>,
-    VariantProps<typeof sheetVariants> {}
+    VariantProps<typeof sheetVariants> {
+  showOverlay?: boolean;
+  sheetClass?: string;
+}
 
 const SheetContent = React.forwardRef<
   React.ElementRef<typeof SheetPrimitive.Content>,
   DialogContentProps
->(({ position, size, className, children, ...props }, ref) => (
+>(({ position, size, className, sheetClass, showOverlay = true, children, ...props }, ref) => (
   <SheetPortal position={position}>
-    <SheetOverlay />
+    {showOverlay && <SheetOverlay className={sheetClass} />}
     <SheetPrimitive.Content
       ref={ref}
       className={cn(sheetVariants({ position, size }), className)}

packages/ui/primitives/signature-pad/signature-pad.tsx

@@ -7,6 +7,8 @@ import { Undo2 } from 'lucide-react';
 import type { StrokeOptions } from 'perfect-freehand';
 import { getStroke } from 'perfect-freehand';
 
+import { unsafe_useEffectOnce } from '@documenso/lib/client-only/hooks/use-effect-once';
+
 import { cn } from '../../lib/utils';
 import { getSvgPathFromStroke } from './helper';
 import { Point } from './point';
@@ -28,6 +30,7 @@ export const SignaturePad = ({
   ...props
 }: SignaturePadProps) => {
   const $el = useRef<HTMLCanvasElement>(null);
+  const $imageData = useRef<ImageData | null>(null);
 
   const [isPressed, setIsPressed] = useState(false);
   const [lines, setLines] = useState<Point[][]>([]);
@@ -134,7 +137,6 @@ export const SignaturePad = ({
         });
 
         onChange?.($el.current.toDataURL());
-
         ctx.save();
       }
     }
@@ -163,6 +165,7 @@ export const SignaturePad = ({
       const ctx = $el.current.getContext('2d');
 
       ctx?.clearRect(0, 0, $el.current.width, $el.current.height);
+      $imageData.current = null;
     }
 
     onChange?.(null);
@@ -176,19 +179,25 @@ export const SignaturePad = ({
       return;
     }
 
-    const newLines = [...lines];
-    newLines.pop(); // Remove the last line
+    const newLines = lines.slice(0, -1);
     setLines(newLines);
 
     // Clear the canvas
     if ($el.current) {
       const ctx = $el.current.getContext('2d');
-      ctx?.clearRect(0, 0, $el.current.width, $el.current.height);
+      const { width, height } = $el.current;
+      ctx?.clearRect(0, 0, width, height);
+
+      if (typeof defaultValue === 'string' && $imageData.current) {
+        ctx?.putImageData($imageData.current, 0, 0);
+      }
 
       newLines.forEach((line) => {
         const pathData = new Path2D(getSvgPathFromStroke(getStroke(line, perfectFreehandOptions)));
         ctx?.fill(pathData);
       });
+
+      onChange?.($el.current.toDataURL());
     }
   };
 
@@ -199,7 +208,7 @@ export const SignaturePad = ({
     }
   }, []);
 
-  useEffect(() => {
+  unsafe_useEffectOnce(() => {
     if ($el.current && typeof defaultValue === 'string') {
       const ctx = $el.current.getContext('2d');
 
@@ -209,11 +218,15 @@ export const SignaturePad = ({
 
       img.onload = () => {
         ctx?.drawImage(img, 0, 0, Math.min(width, img.width), Math.min(height, img.height));
+
+        const defaultImageData = ctx?.getImageData(0, 0, width, height) || null;
+
+        $imageData.current = defaultImageData;
       };
 
       img.src = defaultValue;
     }
-  }, [defaultValue]);
+  });
 
   return (
     <div

packages/ui/styles/theme.css

@@ -55,6 +55,8 @@
     --card-border-tint: 112 205 159;
     --card-foreground: 0 0% 95%;
 
+    --widget: 0 0% 14.9%;
+
     --border: 0 0% 27.9%;
     --input: 0 0% 27.9%;