feat: add queue for sending emails

![CleanShot 2024-03-29 at 11 16
30@2x](https://github.com/documenso/documenso/assets/55143799/aae94a4b-e12e-4ce5-b0ff-45f4fc8911ac)
![CleanShot 2024-03-29 at 11 16
23@2x](https://github.com/documenso/documenso/assets/55143799/fb60c159-78e1-40f9-b596-b1a43682f57a)

.env.example

@@ -40,16 +40,6 @@ NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_CONTENTS=
 # OPTIONAL: The path to the Google Cloud Credentials file to use for the gcloud-hsm signing transport.
 NEXT_PRIVATE_SIGNING_GCLOUD_APPLICATION_CREDENTIALS_CONTENTS=
 
-# [[SIGNING]]
-# OPTIONAL: Defines the signing transport to use. Available options: local (default)
-NEXT_PRIVATE_SIGNING_TRANSPORT="local"
-# OPTIONAL: Defines the passphrase for the signing certificate.
-NEXT_PRIVATE_SIGNING_PASSPHRASE=
-# OPTIONAL: Defines the file contents for the signing certificate as a base64 encoded string.
-NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS=
-# OPTIONAL: Defines the file path for the signing certificate. defaults to ./example/cert.p12
-NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=
-
 # [[STORAGE]]
 # OPTIONAL: Defines the storage transport to use. Available options: database (default) | s3
 NEXT_PUBLIC_UPLOAD_TRANSPORT="database"
@@ -107,6 +97,7 @@ NEXT_PUBLIC_DOCUMENT_SIZE_UPLOAD_LIMIT=5
 NEXT_PRIVATE_STRIPE_API_KEY=
 NEXT_PRIVATE_STRIPE_WEBHOOK_SECRET=
 NEXT_PUBLIC_STRIPE_COMMUNITY_PLAN_MONTHLY_PRICE_ID=
+NEXT_PUBLIC_STRIPE_ENTERPRISE_PLAN_MONTHLY_PRICE_ID=
 
 # [[FEATURES]]
 # OPTIONAL: Leave blank to disable PostHog and feature flags.

apps/marketing/next.config.js

@@ -2,6 +2,7 @@
 const fs = require('fs');
 const path = require('path');
 const { withContentlayer } = require('next-contentlayer');
+const { withAxiom } = require('next-axiom');
 
 const ENV_FILES = ['.env', '.env.local', `.env.${process.env.NODE_ENV || 'development'}`];
 
@@ -95,4 +96,4 @@ const config = {
   },
 };
 
-module.exports = withContentlayer(config);
+module.exports = withAxiom(withContentlayer(config));

apps/marketing/package.json

@@ -19,6 +19,7 @@
     "@documenso/trpc": "*",
     "@documenso/ui": "*",
     "@hookform/resolvers": "^3.1.0",
+    "@openstatus/react": "^0.0.3",
     "contentlayer": "^0.3.4",
     "framer-motion": "^10.12.8",
     "lucide-react": "^0.279.0",
@@ -26,6 +27,7 @@
     "micro": "^10.0.1",
     "next": "14.0.3",
     "next-auth": "4.24.5",
+    "next-axiom": "^1.1.1",
     "next-contentlayer": "^0.3.4",
     "next-plausible": "^3.10.1",
     "perfect-freehand": "^1.2.0",

apps/marketing/src/app/(marketing)/singleplayer/client.tsx

@@ -161,6 +161,7 @@ export const SinglePlayerClient = () => {
     signingStatus: 'NOT_SIGNED',
     sendStatus: 'NOT_SENT',
     role: 'SIGNER',
+    authOptions: null,
   };
 
   const onFileDrop = async (file: File) => {

apps/marketing/src/app/layout.tsx

@@ -2,6 +2,7 @@ import { Suspense } from 'react';
 
 import { Caveat, Inter } from 'next/font/google';
 
+import { AxiomWebVitals } from 'next-axiom';
 import { PublicEnvScript } from 'next-runtime-env';
 
 import { FeatureFlagProvider } from '@documenso/lib/client-only/providers/feature-flag';
@@ -67,6 +68,8 @@ export default async function RootLayout({ children }: { children: React.ReactNo
         <PublicEnvScript />
       </head>
 
+      <AxiomWebVitals />
+
       <Suspense>
         <PostHogPageview />
       </Suspense>

apps/marketing/src/components/(marketing)/footer.tsx

@@ -13,6 +13,8 @@ import LogoImage from '@documenso/assets/logo.png';
 import { cn } from '@documenso/ui/lib/utils';
 import { ThemeSwitcher } from '@documenso/ui/primitives/theme-switcher';
 
+import { StatusWidgetContainer } from './status-widget-container';
+
 export type FooterProps = HTMLAttributes<HTMLDivElement>;
 
 const SOCIAL_LINKS = [
@@ -62,6 +64,10 @@ export const Footer = ({ className, ...props }: FooterProps) => {
               </Link>
             ))}
           </div>
+
+          <div className="mt-6">
+            <StatusWidgetContainer />
+          </div>
         </div>
 
         <div className="grid w-full max-w-sm grid-cols-2 gap-x-4 gap-y-2 md:w-auto md:gap-x-8">

apps/marketing/src/components/(marketing)/share-connect-paid-widget-bento.tsx

@@ -1,4 +1,4 @@
-import { HTMLAttributes } from 'react';
+import type { HTMLAttributes } from 'react';
 
 import Image from 'next/image';
 
@@ -51,7 +51,7 @@ export const ShareConnectPaidWidgetBento = ({
         <Card className="col-span-2 lg:col-span-1" spotlight>
           <CardContent className="grid grid-cols-1 gap-8 p-6">
             <p className="text-foreground/80 leading-relaxed">
-              <strong className="block">Connections (Soon).</strong>
+              <strong className="block">Connections</strong>
               Create connections and automations with Zapier and more to integrate with your
               favorite tools.
             </p>

apps/marketing/src/components/(marketing)/status-widget-container.tsx

@@ -0,0 +1,21 @@
+// https://github.com/documenso/documenso/pull/1044/files#r1538258462
+import { Suspense } from 'react';
+
+import { StatusWidget } from './status-widget';
+
+export function StatusWidgetContainer() {
+  return (
+    <Suspense fallback={<StatusWidgetFallback />}>
+      <StatusWidget />
+    </Suspense>
+  );
+}
+
+function StatusWidgetFallback() {
+  return (
+    <div className="border-border inline-flex max-w-fit  items-center justify-between space-x-2 rounded-md border border-gray-200 px-2 py-2 pr-3 text-sm">
+      <span className="bg-muted h-2 w-36 animate-pulse rounded-md" />
+      <span className="bg-muted relative inline-flex h-2 w-2 rounded-full" />
+    </div>
+  );
+}

apps/marketing/src/components/(marketing)/status-widget.tsx

@@ -0,0 +1,75 @@
+import { use, useMemo } from 'react';
+
+import type { Status } from '@openstatus/react';
+import { getStatus } from '@openstatus/react';
+
+import { cn } from '@documenso/ui/lib/utils';
+
+const getStatusLevel = (level: Status) => {
+  return {
+    operational: {
+      label: 'Operational',
+      color: 'bg-green-500',
+      color2: 'bg-green-400',
+    },
+    degraded_performance: {
+      label: 'Degraded Performance',
+      color: 'bg-yellow-500',
+      color2: 'bg-yellow-400',
+    },
+    partial_outage: {
+      label: 'Partial Outage',
+      color: 'bg-yellow-500',
+      color2: 'bg-yellow-400',
+    },
+    major_outage: {
+      label: 'Major Outage',
+      color: 'bg-red-500',
+      color2: 'bg-red-400',
+    },
+    unknown: {
+      label: 'Unknown',
+      color: 'bg-gray-500',
+      color2: 'bg-gray-400',
+    },
+    incident: {
+      label: 'Incident',
+      color: 'bg-yellow-500',
+      color2: 'bg-yellow-400',
+    },
+    under_maintenance: {
+      label: 'Under Maintenance',
+      color: 'bg-gray-500',
+      color2: 'bg-gray-400',
+    },
+  }[level];
+};
+
+export function StatusWidget() {
+  const getStatusMemoized = useMemo(async () => getStatus('documenso-status'), []);
+  const { status } = use(getStatusMemoized);
+  const level = getStatusLevel(status);
+
+  return (
+    <a
+      className="border-border inline-flex max-w-fit  items-center justify-between gap-2 space-x-2 rounded-md border border-gray-200 px-3 py-1 text-sm"
+      href="https://status.documenso.com"
+      target="_blank"
+      rel="noreferrer"
+    >
+      <div>
+        <p className="text-sm">{level.label}</p>
+      </div>
+
+      <span className="relative ml-auto flex h-1.5 w-1.5">
+        <span
+          className={cn(
+            'absolute inline-flex h-full w-full animate-ping rounded-full opacity-75',
+            level.color2,
+          )}
+        />
+        <span className={cn('relative inline-flex h-1.5 w-1.5 rounded-full', level.color)} />
+      </span>
+    </a>
+  );
+}

apps/web/next.config.js

@@ -2,6 +2,7 @@
 const fs = require('fs');
 const path = require('path');
 const { version } = require('./package.json');
+const { withAxiom } = require('next-axiom');
 
 const ENV_FILES = ['.env', '.env.local', `.env.${process.env.NODE_ENV || 'development'}`];
 
@@ -91,4 +92,4 @@ const config = {
   },
 };
 
-module.exports = config;
+module.exports = withAxiom(config);

apps/web/package.json

@@ -33,8 +33,10 @@
     "micro": "^10.0.1",
     "next": "14.0.3",
     "next-auth": "4.24.5",
+    "next-axiom": "^1.1.1",
     "next-plausible": "^3.10.1",
     "next-themes": "^0.2.1",
+    "papaparse": "^5.4.1",
     "perfect-freehand": "^1.2.0",
     "posthog-js": "^1.75.3",
     "posthog-node": "^3.1.1",
@@ -58,6 +60,7 @@
     "@types/formidable": "^2.0.6",
     "@types/luxon": "^3.3.1",
     "@types/node": "20.1.0",
+    "@types/papaparse": "^5.3.14",
     "@types/react": "18.2.18",
     "@types/react-dom": "18.2.7",
     "@types/ua-parser-js": "^0.7.39",

apps/web/src/app/(dashboard)/admin/documents/[id]/page.tsx

@@ -14,6 +14,7 @@ import { LocaleDate } from '~/components/formatter/locale-date';
 
 import { AdminActions } from './admin-actions';
 import { RecipientItem } from './recipient-item';
+import { SuperDeleteDocumentDialog } from './super-delete-document-dialog';
 
 type AdminDocumentDetailsPageProps = {
   params: {
@@ -81,6 +82,10 @@ export default async function AdminDocumentDetailsPage({ params }: AdminDocument
           ))}
         </Accordion>
       </div>
+
+      <hr className="my-4" />
+
+      {document && <SuperDeleteDocumentDialog document={document} />}
     </div>
   );
 }

apps/web/src/app/(dashboard)/admin/documents/[id]/super-delete-document-dialog.tsx

@@ -0,0 +1,130 @@
+'use client';
+
+import { useState } from 'react';
+
+import { useRouter } from 'next/navigation';
+
+import type { Document } from '@documenso/prisma/client';
+import { TRPCClientError } from '@documenso/trpc/client';
+import { trpc } from '@documenso/trpc/react';
+import { Alert, AlertDescription, AlertTitle } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from '@documenso/ui/primitives/dialog';
+import { Input } from '@documenso/ui/primitives/input';
+import { useToast } from '@documenso/ui/primitives/use-toast';
+
+export type SuperDeleteDocumentDialogProps = {
+  document: Document;
+};
+
+export const SuperDeleteDocumentDialog = ({ document }: SuperDeleteDocumentDialogProps) => {
+  const { toast } = useToast();
+  const router = useRouter();
+
+  const [reason, setReason] = useState('');
+
+  const { mutateAsync: deleteDocument, isLoading: isDeletingDocument } =
+    trpc.admin.deleteDocument.useMutation();
+
+  const handleDeleteDocument = async () => {
+    try {
+      if (!reason) {
+        return;
+      }
+
+      await deleteDocument({ id: document.id, reason });
+
+      toast({
+        title: 'Document deleted',
+        description: 'The Document has been deleted successfully.',
+        duration: 5000,
+      });
+
+      router.push('/admin/documents');
+    } catch (err) {
+      if (err instanceof TRPCClientError && err.data?.code === 'BAD_REQUEST') {
+        toast({
+          title: 'An error occurred',
+          description: err.message,
+          variant: 'destructive',
+        });
+      } else {
+        toast({
+          title: 'An unknown error occurred',
+          variant: 'destructive',
+          description:
+            err.message ??
+            'We encountered an unknown error while attempting to delete your document. Please try again later.',
+        });
+      }
+    }
+  };
+
+  return (
+    <div>
+      <div>
+        <Alert
+          className="flex flex-col items-center justify-between gap-4 p-6 md:flex-row "
+          variant="neutral"
+        >
+          <div>
+            <AlertTitle>Delete Document</AlertTitle>
+            <AlertDescription className="mr-2">
+              Delete the document. This action is irreversible so proceed with caution.
+            </AlertDescription>
+          </div>
+
+          <div className="flex-shrink-0">
+            <Dialog>
+              <DialogTrigger asChild>
+                <Button variant="destructive">Delete Document</Button>
+              </DialogTrigger>
+
+              <DialogContent>
+                <DialogHeader className="space-y-4">
+                  <DialogTitle>Delete Document</DialogTitle>
+
+                  <Alert variant="destructive">
+                    <AlertDescription className="selection:bg-red-100">
+                      This action is not reversible. Please be certain.
+                    </AlertDescription>
+                  </Alert>
+                </DialogHeader>
+
+                <div>
+                  <DialogDescription>To confirm, please enter the reason</DialogDescription>
+
+                  <Input
+                    className="mt-2"
+                    type="text"
+                    value={reason}
+                    onChange={(e) => setReason(e.target.value)}
+                  />
+                </div>
+
+                <DialogFooter>
+                  <Button
+                    onClick={handleDeleteDocument}
+                    loading={isDeletingDocument}
+                    variant="destructive"
+                    disabled={!reason}
+                  >
+                    {isDeletingDocument ? 'Deleting document...' : 'Delete Document'}
+                  </Button>
+                </DialogFooter>
+              </DialogContent>
+            </Dialog>
+          </div>
+        </Alert>
+      </div>
+    </div>
+  );
+};

apps/web/src/app/(dashboard)/admin/users/data-table-users.tsx

@@ -58,6 +58,7 @@ export const UsersDataTable = ({
         perPage,
       });
     });
+    // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [debouncedSearchString]);
 
   const onPaginationChange = (page: number, perPage: number) => {

apps/web/src/app/(dashboard)/documents/[id]/edit-document.tsx

@@ -8,19 +8,18 @@ import {
   DO_NOT_INVALIDATE_QUERY_ON_MUTATION,
   SKIP_QUERY_BATCH_META,
 } from '@documenso/lib/constants/trpc';
-import { DocumentStatus } from '@documenso/prisma/client';
 import type { DocumentWithDetails } from '@documenso/prisma/types/document';
 import { trpc } from '@documenso/trpc/react';
 import { cn } from '@documenso/ui/lib/utils';
 import { Card, CardContent } from '@documenso/ui/primitives/card';
 import { AddFieldsFormPartial } from '@documenso/ui/primitives/document-flow/add-fields';
 import type { TAddFieldsFormSchema } from '@documenso/ui/primitives/document-flow/add-fields.types';
+import { AddSettingsFormPartial } from '@documenso/ui/primitives/document-flow/add-settings';
+import type { TAddSettingsFormSchema } from '@documenso/ui/primitives/document-flow/add-settings.types';
 import { AddSignersFormPartial } from '@documenso/ui/primitives/document-flow/add-signers';
 import type { TAddSignersFormSchema } from '@documenso/ui/primitives/document-flow/add-signers.types';
 import { AddSubjectFormPartial } from '@documenso/ui/primitives/document-flow/add-subject';
 import type { TAddSubjectFormSchema } from '@documenso/ui/primitives/document-flow/add-subject.types';
-import { AddTitleFormPartial } from '@documenso/ui/primitives/document-flow/add-title';
-import type { TAddTitleFormSchema } from '@documenso/ui/primitives/document-flow/add-title.types';
 import { DocumentFlowFormContainer } from '@documenso/ui/primitives/document-flow/document-flow-root';
 import type { DocumentFlowStep } from '@documenso/ui/primitives/document-flow/types';
 import { LazyPDFViewer } from '@documenso/ui/primitives/lazy-pdf-viewer';
@@ -33,15 +32,17 @@ export type EditDocumentFormProps = {
   className?: string;
   initialDocument: DocumentWithDetails;
   documentRootPath: string;
+  isDocumentEnterprise: boolean;
 };
 
-type EditDocumentStep = 'title' | 'signers' | 'fields' | 'subject';
-const EditDocumentSteps: EditDocumentStep[] = ['title', 'signers', 'fields', 'subject'];
+type EditDocumentStep = 'settings' | 'signers' | 'fields' | 'subject';
+const EditDocumentSteps: EditDocumentStep[] = ['settings', 'signers', 'fields', 'subject'];
 
 export const EditDocumentForm = ({
   className,
   initialDocument,
   documentRootPath,
+  isDocumentEnterprise,
 }: EditDocumentFormProps) => {
   const { toast } = useToast();
 
@@ -67,7 +68,7 @@ export const EditDocumentForm = ({
 
   const { Recipient: recipients, Field: fields } = document;
 
-  const { mutateAsync: addTitle } = trpc.document.setTitleForDocument.useMutation({
+  const { mutateAsync: setSettingsForDocument } = trpc.document.setSettingsForDocument.useMutation({
     ...DO_NOT_INVALIDATE_QUERY_ON_MUTATION,
     onSuccess: (newData) => {
       utils.document.getDocumentWithDetailsById.setData(
@@ -123,9 +124,9 @@ export const EditDocumentForm = ({
     trpc.document.setPasswordForDocument.useMutation();
 
   const documentFlow: Record<EditDocumentStep, DocumentFlowStep> = {
-    title: {
-      title: 'Add Title',
-      description: 'Add the title to the document.',
+    settings: {
+      title: 'General',
+      description: 'Configure general settings for the document.',
       stepIndex: 1,
     },
     signers: {
@@ -149,8 +150,7 @@ export const EditDocumentForm = ({
     // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
     const searchParamStep = searchParams?.get('step') as EditDocumentStep | undefined;
 
-    let initialStep: EditDocumentStep =
-      document.status === DocumentStatus.DRAFT ? 'title' : 'signers';
+    let initialStep: EditDocumentStep = 'settings';
 
     if (
       searchParamStep &&
@@ -163,12 +163,23 @@ export const EditDocumentForm = ({
     return initialStep;
   });
 
-  const onAddTitleFormSubmit = async (data: TAddTitleFormSchema) => {
+  const onAddSettingsFormSubmit = async (data: TAddSettingsFormSchema) => {
     try {
-      await addTitle({
+      const { timezone, dateFormat, redirectUrl } = data.meta;
+
+      await setSettingsForDocument({
         documentId: document.id,
         teamId: team?.id,
-        title: data.title,
+        data: {
+          title: data.title,
+          globalAccessAuth: data.globalAccessAuth ?? null,
+          globalActionAuth: data.globalActionAuth ?? null,
+        },
+        meta: {
+          timezone,
+          dateFormat,
+          redirectUrl,
+        },
       });
 
       // Router refresh is here to clear the router cache for when navigating to /documents.
@@ -180,7 +191,7 @@ export const EditDocumentForm = ({
 
       toast({
         title: 'Error',
-        description: 'An error occurred while updating title.',
+        description: 'An error occurred while updating the document settings.',
         variant: 'destructive',
       });
     }
@@ -191,7 +202,11 @@ export const EditDocumentForm = ({
       await addSigners({
         documentId: document.id,
         teamId: team?.id,
-        signers: data.signers,
+        signers: data.signers.map((signer) => ({
+          ...signer,
+          // Explicitly set to null to indicate we want to remove auth if required.
+          actionAuth: signer.actionAuth || null,
+        })),
       });
 
       // Router refresh is here to clear the router cache for when navigating to /documents.
@@ -232,7 +247,7 @@ export const EditDocumentForm = ({
   };
 
   const onAddSubjectFormSubmit = async (data: TAddSubjectFormSchema) => {
-    const { subject, message, timezone, dateFormat, redirectUrl } = data.meta;
+    const { subject, message } = data.meta;
 
     try {
       await sendDocument({
@@ -241,9 +256,6 @@ export const EditDocumentForm = ({
         meta: {
           subject,
           message,
-          dateFormat,
-          timezone,
-          redirectUrl,
         },
       });
 
@@ -310,24 +322,26 @@ export const EditDocumentForm = ({
             currentStep={currentDocumentFlow.stepIndex}
             setCurrentStep={(step) => setStep(EditDocumentSteps[step - 1])}
           >
-            <AddTitleFormPartial
+            <AddSettingsFormPartial
               key={recipients.length}
-              documentFlow={documentFlow.title}
+              documentFlow={documentFlow.settings}
               document={document}
               recipients={recipients}
               fields={fields}
-              onSubmit={onAddTitleFormSubmit}
+              isDocumentEnterprise={isDocumentEnterprise}
               isDocumentPdfLoaded={isDocumentPdfLoaded}
+              onSubmit={onAddSettingsFormSubmit}
             />
             <AddSignersFormPartial
               key={recipients.length}
               documentFlow={documentFlow.signers}
-              document={document}
               recipients={recipients}
               fields={fields}
+              isDocumentEnterprise={isDocumentEnterprise}
               onSubmit={onAddSignersFormSubmit}
               isDocumentPdfLoaded={isDocumentPdfLoaded}
             />
+
             <AddFieldsFormPartial
               key={fields.length}
               documentFlow={documentFlow.fields}
@@ -336,6 +350,7 @@ export const EditDocumentForm = ({
               onSubmit={onAddFieldsFormSubmit}
               isDocumentPdfLoaded={isDocumentPdfLoaded}
             />
+
             <AddSubjectFormPartial
               key={recipients.length}
               documentFlow={documentFlow.subject}

apps/web/src/app/(dashboard)/documents/[id]/edit/document-edit-page-view.tsx

@@ -3,6 +3,7 @@ import { redirect } from 'next/navigation';
 
 import { ChevronLeft, Users2 } from 'lucide-react';
 
+import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import { DOCUMENSO_ENCRYPTION_KEY } from '@documenso/lib/constants/crypto';
 import { getRequiredServerComponentSession } from '@documenso/lib/next-auth/get-server-component-session';
 import { getDocumentWithDetailsById } from '@documenso/lib/server-only/document/get-document-with-details-by-id';
@@ -35,6 +36,11 @@ export const DocumentEditPageView = async ({ params, team }: DocumentEditPageVie
 
   const { user } = await getRequiredServerComponentSession();
 
+  const isDocumentEnterprise = await isUserEnterprise({
+    userId: user.id,
+    teamId: team?.id,
+  });
+
   const document = await getDocumentWithDetailsById({
     id: documentId,
     userId: user.id,
@@ -97,6 +103,7 @@ export const DocumentEditPageView = async ({ params, team }: DocumentEditPageVie
         className="mt-8"
         initialDocument={document}
         documentRootPath={documentRootPath}
+        isDocumentEnterprise={isDocumentEnterprise}
       />
     </div>
   );

apps/web/src/app/(dashboard)/settings/security/passkeys/create-passkey-dialog.tsx

@@ -38,6 +38,7 @@ import { useToast } from '@documenso/ui/primitives/use-toast';
 
 export type CreatePasskeyDialogProps = {
   trigger?: React.ReactNode;
+  onSuccess?: () => void;
 } & Omit<DialogPrimitive.DialogProps, 'children'>;
 
 const ZCreatePasskeyFormSchema = z.object({
@@ -48,7 +49,7 @@ type TCreatePasskeyFormSchema = z.infer<typeof ZCreatePasskeyFormSchema>;
 
 const parser = new UAParser();
 
-export const CreatePasskeyDialog = ({ trigger, ...props }: CreatePasskeyDialogProps) => {
+export const CreatePasskeyDialog = ({ trigger, onSuccess, ...props }: CreatePasskeyDialogProps) => {
   const [open, setOpen] = useState(false);
   const [formError, setFormError] = useState<string | null>(null);
 
@@ -84,6 +85,7 @@ export const CreatePasskeyDialog = ({ trigger, ...props }: CreatePasskeyDialogPr
         duration: 5000,
       });
 
+      onSuccess?.();
       setOpen(false);
     } catch (err) {
       if (err.name === 'NotAllowedError') {

apps/web/src/app/(signing)/sign/[token]/complete/page.tsx

@@ -6,7 +6,9 @@ import { getServerSession } from 'next-auth';
 import { match } from 'ts-pattern';
 
 import signingCelebration from '@documenso/assets/images/signing-celebration.png';
+import { getServerComponentSession } from '@documenso/lib/next-auth/get-server-component-session';
 import { getDocumentAndSenderByToken } from '@documenso/lib/server-only/document/get-document-by-token';
+import { isRecipientAuthorized } from '@documenso/lib/server-only/document/is-recipient-authorized';
 import { getFieldsForToken } from '@documenso/lib/server-only/field/get-fields-for-token';
 import { getRecipientByToken } from '@documenso/lib/server-only/recipient/get-recipient-by-token';
 import { getRecipientSignatures } from '@documenso/lib/server-only/recipient/get-recipient-signatures';
@@ -17,6 +19,7 @@ import { SigningCard3D } from '@documenso/ui/components/signing-card';
 
 import { truncateTitle } from '~/helpers/truncate-title';
 
+import { SigningAuthPageView } from '../signing-auth-page';
 import { DocumentPreviewButton } from './document-preview-button';
 
 export type CompletedSigningPageProps = {
@@ -32,8 +35,11 @@ export default async function CompletedSigningPage({
     return notFound();
   }
 
+  const { user } = await getServerComponentSession();
+
   const document = await getDocumentAndSenderByToken({
     token,
+    requireAccessAuth: false,
   }).catch(() => null);
 
   if (!document || !document.documentData) {
@@ -53,6 +59,17 @@ export default async function CompletedSigningPage({
     return notFound();
   }
 
+  const isDocumentAccessValid = await isRecipientAuthorized({
+    type: 'ACCESS',
+    document,
+    recipient,
+    userId: user?.id,
+  });
+
+  if (!isDocumentAccessValid) {
+    return <SigningAuthPageView email={recipient.email} />;
+  }
+
   const signatures = await getRecipientSignatures({ recipientId: recipient.id });
 
   const recipientName =

apps/web/src/app/(signing)/sign/[token]/date-field.tsx

@@ -12,6 +12,8 @@ import {
 } from '@documenso/lib/constants/date-formats';
 import { DEFAULT_DOCUMENT_TIME_ZONE } from '@documenso/lib/constants/time-zones';
 import { DO_NOT_INVALIDATE_QUERY_ON_MUTATION } from '@documenso/lib/constants/trpc';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import type { TRecipientActionAuth } from '@documenso/lib/types/document-auth';
 import type { Recipient } from '@documenso/prisma/client';
 import type { FieldWithSignature } from '@documenso/prisma/types/field-with-signature';
 import { trpc } from '@documenso/trpc/react';
@@ -54,16 +56,23 @@ export const DateField = ({
 
   const tooltipText = `"${field.customText}" will appear on the document as it has a timezone of "${timezone}".`;
 
-  const onSign = async () => {
+  const onSign = async (authOptions?: TRecipientActionAuth) => {
     try {
       await signFieldWithToken({
         token: recipient.token,
         fieldId: field.id,
         value: dateFormat ?? DEFAULT_DOCUMENT_DATE_FORMAT,
+        authOptions,
       });
 
       startTransition(() => router.refresh());
     } catch (err) {
+      const error = AppError.parseError(err);
+
+      if (error.code === AppErrorCode.UNAUTHORIZED) {
+        throw error;
+      }
+
       console.error(err);
 
       toast({

apps/web/src/app/(signing)/sign/[token]/document-action-auth-2fa.tsx

@@ -0,0 +1,172 @@
+import { useEffect, useState } from 'react';
+
+import { zodResolver } from '@hookform/resolvers/zod';
+import { useForm } from 'react-hook-form';
+import { z } from 'zod';
+
+import { AppError } from '@documenso/lib/errors/app-error';
+import { DocumentAuth, type TRecipientActionAuth } from '@documenso/lib/types/document-auth';
+import { RecipientRole } from '@documenso/prisma/client';
+import { Alert, AlertDescription, AlertTitle } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
+import { DialogFooter } from '@documenso/ui/primitives/dialog';
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+} from '@documenso/ui/primitives/form/form';
+import { Input } from '@documenso/ui/primitives/input';
+
+import { EnableAuthenticatorAppDialog } from '~/components/forms/2fa/enable-authenticator-app-dialog';
+
+import { useRequiredDocumentAuthContext } from './document-auth-provider';
+
+export type DocumentActionAuth2FAProps = {
+  actionTarget?: 'FIELD' | 'DOCUMENT';
+  actionVerb?: string;
+  open: boolean;
+  onOpenChange: (value: boolean) => void;
+  onReauthFormSubmit: (values?: TRecipientActionAuth) => Promise<void> | void;
+};
+
+const Z2FAAuthFormSchema = z.object({
+  token: z
+    .string()
+    .min(4, { message: 'Token must at least 4 characters long' })
+    .max(10, { message: 'Token must be at most 10 characters long' }),
+});
+
+type T2FAAuthFormSchema = z.infer<typeof Z2FAAuthFormSchema>;
+
+export const DocumentActionAuth2FA = ({
+  actionTarget = 'FIELD',
+  actionVerb = 'sign',
+  onReauthFormSubmit,
+  open,
+  onOpenChange,
+}: DocumentActionAuth2FAProps) => {
+  const { recipient, user, isCurrentlyAuthenticating, setIsCurrentlyAuthenticating } =
+    useRequiredDocumentAuthContext();
+
+  const form = useForm<T2FAAuthFormSchema>({
+    resolver: zodResolver(Z2FAAuthFormSchema),
+    defaultValues: {
+      token: '',
+    },
+  });
+
+  const [is2FASetupSuccessful, setIs2FASetupSuccessful] = useState(false);
+  const [formErrorCode, setFormErrorCode] = useState<string | null>(null);
+
+  const onFormSubmit = async ({ token }: T2FAAuthFormSchema) => {
+    try {
+      setIsCurrentlyAuthenticating(true);
+
+      await onReauthFormSubmit({
+        type: DocumentAuth.TWO_FACTOR_AUTH,
+        token,
+      });
+
+      setIsCurrentlyAuthenticating(false);
+
+      onOpenChange(false);
+    } catch (err) {
+      setIsCurrentlyAuthenticating(false);
+
+      const error = AppError.parseError(err);
+      setFormErrorCode(error.code);
+
+      // Todo: Alert.
+    }
+  };
+
+  useEffect(() => {
+    form.reset({
+      token: '',
+    });
+
+    setIs2FASetupSuccessful(false);
+    setFormErrorCode(null);
+
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [open]);
+
+  if (!user?.twoFactorEnabled && !is2FASetupSuccessful) {
+    return (
+      <div className="space-y-4">
+        <Alert variant="warning">
+          <AlertDescription>
+            <p>
+              {recipient.role === RecipientRole.VIEWER && actionTarget === 'DOCUMENT'
+                ? 'You need to setup 2FA to mark this document as viewed.'
+                : `You need to setup 2FA to ${actionVerb.toLowerCase()} this ${actionTarget.toLowerCase()}.`}
+            </p>
+
+            {user?.identityProvider === 'DOCUMENSO' && (
+              <p className="mt-2">
+                By enabling 2FA, you will be required to enter a code from your authenticator app
+                every time you sign in.
+              </p>
+            )}
+          </AlertDescription>
+        </Alert>
+
+        <DialogFooter>
+          <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+            Close
+          </Button>
+
+          <EnableAuthenticatorAppDialog onSuccess={() => setIs2FASetupSuccessful(true)} />
+        </DialogFooter>
+      </div>
+    );
+  }
+
+  return (
+    <Form {...form}>
+      <form onSubmit={form.handleSubmit(onFormSubmit)}>
+        <fieldset disabled={isCurrentlyAuthenticating}>
+          <div className="space-y-4">
+            <FormField
+              control={form.control}
+              name="token"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel required>2FA token</FormLabel>
+
+                  <FormControl>
+                    <Input {...field} placeholder="Token" />
+                  </FormControl>
+
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+
+            {formErrorCode && (
+              <Alert variant="destructive">
+                <AlertTitle>Unauthorized</AlertTitle>
+                <AlertDescription>
+                  We were unable to verify your details. Please try again or contact support
+                </AlertDescription>
+              </Alert>
+            )}
+
+            <DialogFooter>
+              <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+                Cancel
+              </Button>
+
+              <Button type="submit" loading={isCurrentlyAuthenticating}>
+                Sign
+              </Button>
+            </DialogFooter>
+          </div>
+        </fieldset>
+      </form>
+    </Form>
+  );
+};

apps/web/src/app/(signing)/sign/[token]/document-action-auth-account.tsx

@@ -0,0 +1,79 @@
+import { useState } from 'react';
+
+import { DateTime } from 'luxon';
+import { signOut } from 'next-auth/react';
+
+import { RecipientRole } from '@documenso/prisma/client';
+import { trpc } from '@documenso/trpc/react';
+import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
+import { DialogFooter } from '@documenso/ui/primitives/dialog';
+
+import { useRequiredDocumentAuthContext } from './document-auth-provider';
+
+export type DocumentActionAuthAccountProps = {
+  actionTarget?: 'FIELD' | 'DOCUMENT';
+  actionVerb?: string;
+  onOpenChange: (value: boolean) => void;
+};
+
+export const DocumentActionAuthAccount = ({
+  actionTarget = 'FIELD',
+  actionVerb = 'sign',
+  onOpenChange,
+}: DocumentActionAuthAccountProps) => {
+  const { recipient } = useRequiredDocumentAuthContext();
+
+  const [isSigningOut, setIsSigningOut] = useState(false);
+
+  const { mutateAsync: encryptSecondaryData } = trpc.crypto.encryptSecondaryData.useMutation();
+
+  const handleChangeAccount = async (email: string) => {
+    try {
+      setIsSigningOut(true);
+
+      const encryptedEmail = await encryptSecondaryData({
+        data: email,
+        expiresAt: DateTime.now().plus({ days: 1 }).toMillis(),
+      });
+
+      await signOut({
+        callbackUrl: `/signin?email=${encodeURIComponent(encryptedEmail)}`,
+      });
+    } catch {
+      setIsSigningOut(false);
+
+      // Todo: Alert.
+    }
+  };
+
+  return (
+    <fieldset disabled={isSigningOut} className="space-y-4">
+      <Alert variant="warning">
+        <AlertDescription>
+          {actionTarget === 'DOCUMENT' && recipient.role === RecipientRole.VIEWER ? (
+            <span>
+              To mark this document as viewed, you need to be logged in as{' '}
+              <strong>{recipient.email}</strong>
+            </span>
+          ) : (
+            <span>
+              To {actionVerb.toLowerCase()} this {actionTarget.toLowerCase()}, you need to be logged
+              in as <strong>{recipient.email}</strong>
+            </span>
+          )}
+        </AlertDescription>
+      </Alert>
+
+      <DialogFooter>
+        <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+          Cancel
+        </Button>
+
+        <Button onClick={async () => handleChangeAccount(recipient.email)} loading={isSigningOut}>
+          Login
+        </Button>
+      </DialogFooter>
+    </fieldset>
+  );
+};

apps/web/src/app/(signing)/sign/[token]/document-action-auth-dialog.tsx

@@ -0,0 +1,90 @@
+import { P, match } from 'ts-pattern';
+
+import {
+  DocumentAuth,
+  type TRecipientActionAuth,
+  type TRecipientActionAuthTypes,
+} from '@documenso/lib/types/document-auth';
+import type { FieldType } from '@documenso/prisma/client';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogHeader,
+  DialogTitle,
+} from '@documenso/ui/primitives/dialog';
+
+import { DocumentActionAuth2FA } from './document-action-auth-2fa';
+import { DocumentActionAuthAccount } from './document-action-auth-account';
+import { DocumentActionAuthPasskey } from './document-action-auth-passkey';
+import { useRequiredDocumentAuthContext } from './document-auth-provider';
+
+export type DocumentActionAuthDialogProps = {
+  title?: string;
+  documentAuthType: TRecipientActionAuthTypes;
+  description?: string;
+  actionTarget: FieldType | 'DOCUMENT';
+  open: boolean;
+  onOpenChange: (value: boolean) => void;
+
+  /**
+   * The callback to run when the reauth form is filled out.
+   */
+  onReauthFormSubmit: (values?: TRecipientActionAuth) => Promise<void> | void;
+};
+
+export const DocumentActionAuthDialog = ({
+  title,
+  description,
+  documentAuthType,
+  open,
+  onOpenChange,
+  onReauthFormSubmit,
+}: DocumentActionAuthDialogProps) => {
+  const { recipient, user, isCurrentlyAuthenticating } = useRequiredDocumentAuthContext();
+
+  const handleOnOpenChange = (value: boolean) => {
+    if (isCurrentlyAuthenticating) {
+      return;
+    }
+
+    onOpenChange(value);
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={handleOnOpenChange}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>{title || 'Sign field'}</DialogTitle>
+
+          <DialogDescription>
+            {description || 'Reauthentication is required to sign this field'}
+          </DialogDescription>
+        </DialogHeader>
+
+        {match({ documentAuthType, user })
+          .with(
+            { documentAuthType: DocumentAuth.ACCOUNT },
+            { user: P.when((user) => !user || user.email !== recipient.email) }, // Assume all current auth methods requires them to be logged in.
+            () => <DocumentActionAuthAccount onOpenChange={onOpenChange} />,
+          )
+          .with({ documentAuthType: DocumentAuth.PASSKEY }, () => (
+            <DocumentActionAuthPasskey
+              open={open}
+              onOpenChange={onOpenChange}
+              onReauthFormSubmit={onReauthFormSubmit}
+            />
+          ))
+          .with({ documentAuthType: DocumentAuth.TWO_FACTOR_AUTH }, () => (
+            <DocumentActionAuth2FA
+              open={open}
+              onOpenChange={onOpenChange}
+              onReauthFormSubmit={onReauthFormSubmit}
+            />
+          ))
+          .with({ documentAuthType: DocumentAuth.EXPLICIT_NONE }, () => null)
+          .exhaustive()}
+      </DialogContent>
+    </Dialog>
+  );
+};

apps/web/src/app/(signing)/sign/[token]/document-action-auth-passkey.tsx

@@ -0,0 +1,252 @@
+import { useEffect, useState } from 'react';
+
+import { zodResolver } from '@hookform/resolvers/zod';
+import { browserSupportsWebAuthn, startAuthentication } from '@simplewebauthn/browser';
+import { Loader } from 'lucide-react';
+import { useForm } from 'react-hook-form';
+import { z } from 'zod';
+
+import { AppError } from '@documenso/lib/errors/app-error';
+import { DocumentAuth, type TRecipientActionAuth } from '@documenso/lib/types/document-auth';
+import { RecipientRole } from '@documenso/prisma/client';
+import { trpc } from '@documenso/trpc/react';
+import { Alert, AlertDescription, AlertTitle } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
+import { DialogFooter } from '@documenso/ui/primitives/dialog';
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+} from '@documenso/ui/primitives/form/form';
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from '@documenso/ui/primitives/select';
+
+import { CreatePasskeyDialog } from '~/app/(dashboard)/settings/security/passkeys/create-passkey-dialog';
+
+import { useRequiredDocumentAuthContext } from './document-auth-provider';
+
+export type DocumentActionAuthPasskeyProps = {
+  actionTarget?: 'FIELD' | 'DOCUMENT';
+  actionVerb?: string;
+  open: boolean;
+  onOpenChange: (value: boolean) => void;
+  onReauthFormSubmit: (values?: TRecipientActionAuth) => Promise<void> | void;
+};
+
+const ZPasskeyAuthFormSchema = z.object({
+  passkeyId: z.string(),
+});
+
+type TPasskeyAuthFormSchema = z.infer<typeof ZPasskeyAuthFormSchema>;
+
+export const DocumentActionAuthPasskey = ({
+  actionTarget = 'FIELD',
+  actionVerb = 'sign',
+  onReauthFormSubmit,
+  open,
+  onOpenChange,
+}: DocumentActionAuthPasskeyProps) => {
+  const {
+    recipient,
+    passkeyData,
+    preferredPasskeyId,
+    setPreferredPasskeyId,
+    isCurrentlyAuthenticating,
+    setIsCurrentlyAuthenticating,
+    refetchPasskeys,
+  } = useRequiredDocumentAuthContext();
+
+  const form = useForm<TPasskeyAuthFormSchema>({
+    resolver: zodResolver(ZPasskeyAuthFormSchema),
+    defaultValues: {
+      passkeyId: preferredPasskeyId || '',
+    },
+  });
+
+  const { mutateAsync: createPasskeyAuthenticationOptions } =
+    trpc.auth.createPasskeyAuthenticationOptions.useMutation();
+
+  const [formErrorCode, setFormErrorCode] = useState<string | null>(null);
+
+  const onFormSubmit = async ({ passkeyId }: TPasskeyAuthFormSchema) => {
+    try {
+      setPreferredPasskeyId(passkeyId);
+      setIsCurrentlyAuthenticating(true);
+
+      const { options, tokenReference } = await createPasskeyAuthenticationOptions({
+        preferredPasskeyId: passkeyId,
+      });
+
+      const authenticationResponse = await startAuthentication(options);
+
+      await onReauthFormSubmit({
+        type: DocumentAuth.PASSKEY,
+        authenticationResponse,
+        tokenReference,
+      });
+
+      setIsCurrentlyAuthenticating(false);
+
+      onOpenChange(false);
+    } catch (err) {
+      setIsCurrentlyAuthenticating(false);
+
+      if (err.name === 'NotAllowedError') {
+        return;
+      }
+
+      const error = AppError.parseError(err);
+      setFormErrorCode(error.code);
+
+      // Todo: Alert.
+    }
+  };
+
+  useEffect(() => {
+    form.reset({
+      passkeyId: preferredPasskeyId || '',
+    });
+
+    setFormErrorCode(null);
+  }, [open, form, preferredPasskeyId]);
+
+  if (!browserSupportsWebAuthn()) {
+    return (
+      <div className="space-y-4">
+        <Alert variant="warning">
+          <AlertDescription>
+            Your browser does not support passkeys, which is required to {actionVerb.toLowerCase()}{' '}
+            this {actionTarget.toLowerCase()}.
+          </AlertDescription>
+        </Alert>
+
+        <DialogFooter>
+          <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+            Close
+          </Button>
+        </DialogFooter>
+      </div>
+    );
+  }
+
+  if (passkeyData.isInitialLoading || (passkeyData.isError && passkeyData.passkeys.length === 0)) {
+    return (
+      <div className="flex h-28 items-center justify-center">
+        <Loader className="text-muted-foreground h-6 w-6 animate-spin" />
+      </div>
+    );
+  }
+
+  if (passkeyData.isError) {
+    return (
+      <div className="h-28 space-y-4">
+        <Alert variant="destructive">
+          <AlertDescription>Something went wrong while loading your passkeys.</AlertDescription>
+        </Alert>
+
+        <DialogFooter>
+          <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+            Cancel
+          </Button>
+
+          <Button type="button" onClick={() => void refetchPasskeys()}>
+            Retry
+          </Button>
+        </DialogFooter>
+      </div>
+    );
+  }
+
+  if (passkeyData.passkeys.length === 0) {
+    return (
+      <div className="space-y-4">
+        <Alert variant="warning">
+          <AlertDescription>
+            {recipient.role === RecipientRole.VIEWER && actionTarget === 'DOCUMENT'
+              ? 'You need to setup a passkey to mark this document as viewed.'
+              : `You need to setup a passkey to ${actionVerb.toLowerCase()} this ${actionTarget.toLowerCase()}.`}
+          </AlertDescription>
+        </Alert>
+
+        <DialogFooter>
+          <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+            Cancel
+          </Button>
+
+          <CreatePasskeyDialog
+            onSuccess={async () => refetchPasskeys()}
+            trigger={<Button>Setup</Button>}
+          />
+        </DialogFooter>
+      </div>
+    );
+  }
+
+  return (
+    <Form {...form}>
+      <form onSubmit={form.handleSubmit(onFormSubmit)}>
+        <fieldset disabled={isCurrentlyAuthenticating}>
+          <div className="space-y-4">
+            <FormField
+              control={form.control}
+              name="passkeyId"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel required>Passkey</FormLabel>
+
+                  <FormControl>
+                    <Select {...field} onValueChange={field.onChange}>
+                      <SelectTrigger className="bg-background text-muted-foreground">
+                        <SelectValue
+                          data-testid="documentAccessSelectValue"
+                          placeholder="Select passkey"
+                        />
+                      </SelectTrigger>
+
+                      <SelectContent position="popper">
+                        {passkeyData.passkeys.map((passkey) => (
+                          <SelectItem key={passkey.id} value={passkey.id}>
+                            {passkey.name}
+                          </SelectItem>
+                        ))}
+                      </SelectContent>
+                    </Select>
+                  </FormControl>
+
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+
+            {formErrorCode && (
+              <Alert variant="destructive">
+                <AlertTitle>Unauthorized</AlertTitle>
+                <AlertDescription>
+                  We were unable to verify your details. Please try again or contact support
+                </AlertDescription>
+              </Alert>
+            )}
+
+            <DialogFooter>
+              <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+                Cancel
+              </Button>
+
+              <Button type="submit" loading={isCurrentlyAuthenticating}>
+                Sign
+              </Button>
+            </DialogFooter>
+          </div>
+        </fieldset>
+      </form>
+    </Form>
+  );
+};

apps/web/src/app/(signing)/sign/[token]/document-auth-provider.tsx

@@ -0,0 +1,230 @@
+'use client';
+
+import { createContext, useContext, useEffect, useMemo, useState } from 'react';
+
+import { match } from 'ts-pattern';
+
+import { MAXIMUM_PASSKEYS } from '@documenso/lib/constants/auth';
+import type {
+  TDocumentAuthOptions,
+  TRecipientAccessAuthTypes,
+  TRecipientActionAuthTypes,
+  TRecipientAuthOptions,
+} from '@documenso/lib/types/document-auth';
+import { DocumentAuth } from '@documenso/lib/types/document-auth';
+import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
+import {
+  type Document,
+  FieldType,
+  type Passkey,
+  type Recipient,
+  type User,
+} from '@documenso/prisma/client';
+import { trpc } from '@documenso/trpc/react';
+
+import type { DocumentActionAuthDialogProps } from './document-action-auth-dialog';
+import { DocumentActionAuthDialog } from './document-action-auth-dialog';
+
+type PasskeyData = {
+  passkeys: Omit<Passkey, 'credentialId' | 'credentialPublicKey'>[];
+  isInitialLoading: boolean;
+  isRefetching: boolean;
+  isError: boolean;
+};
+
+export type DocumentAuthContextValue = {
+  executeActionAuthProcedure: (_value: ExecuteActionAuthProcedureOptions) => Promise<void>;
+  document: Document;
+  documentAuthOption: TDocumentAuthOptions;
+  setDocument: (_value: Document) => void;
+  recipient: Recipient;
+  recipientAuthOption: TRecipientAuthOptions;
+  setRecipient: (_value: Recipient) => void;
+  derivedRecipientAccessAuth: TRecipientAccessAuthTypes | null;
+  derivedRecipientActionAuth: TRecipientActionAuthTypes | null;
+  isAuthRedirectRequired: boolean;
+  isCurrentlyAuthenticating: boolean;
+  setIsCurrentlyAuthenticating: (_value: boolean) => void;
+  passkeyData: PasskeyData;
+  preferredPasskeyId: string | null;
+  setPreferredPasskeyId: (_value: string | null) => void;
+  user?: User | null;
+  refetchPasskeys: () => Promise<void>;
+};
+
+const DocumentAuthContext = createContext<DocumentAuthContextValue | null>(null);
+
+export const useDocumentAuthContext = () => {
+  return useContext(DocumentAuthContext);
+};
+
+export const useRequiredDocumentAuthContext = () => {
+  const context = useDocumentAuthContext();
+
+  if (!context) {
+    throw new Error('Document auth context is required');
+  }
+
+  return context;
+};
+
+export interface DocumentAuthProviderProps {
+  document: Document;
+  recipient: Recipient;
+  user?: User | null;
+  children: React.ReactNode;
+}
+
+export const DocumentAuthProvider = ({
+  document: initialDocument,
+  recipient: initialRecipient,
+  user,
+  children,
+}: DocumentAuthProviderProps) => {
+  const [document, setDocument] = useState(initialDocument);
+  const [recipient, setRecipient] = useState(initialRecipient);
+
+  const [isCurrentlyAuthenticating, setIsCurrentlyAuthenticating] = useState(false);
+  const [preferredPasskeyId, setPreferredPasskeyId] = useState<string | null>(null);
+
+  const {
+    documentAuthOption,
+    recipientAuthOption,
+    derivedRecipientAccessAuth,
+    derivedRecipientActionAuth,
+  } = useMemo(
+    () =>
+      extractDocumentAuthMethods({
+        documentAuth: document.authOptions,
+        recipientAuth: recipient.authOptions,
+      }),
+    [document, recipient],
+  );
+
+  const passkeyQuery = trpc.auth.findPasskeys.useQuery(
+    {
+      perPage: MAXIMUM_PASSKEYS,
+    },
+    {
+      keepPreviousData: true,
+      enabled: derivedRecipientActionAuth === DocumentAuth.PASSKEY,
+    },
+  );
+
+  const passkeyData: PasskeyData = {
+    passkeys: passkeyQuery.data?.data || [],
+    isInitialLoading: passkeyQuery.isInitialLoading,
+    isRefetching: passkeyQuery.isRefetching,
+    isError: passkeyQuery.isError,
+  };
+
+  const [documentAuthDialogPayload, setDocumentAuthDialogPayload] =
+    useState<ExecuteActionAuthProcedureOptions | null>(null);
+
+  /**
+   * The pre calculated auth payload if the current user is authenticated correctly
+   * for the `derivedRecipientActionAuth`.
+   *
+   * Will be `null` if the user still requires authentication, or if they don't need
+   * authentication.
+   */
+  const preCalculatedActionAuthOptions = match(derivedRecipientActionAuth)
+    .with(DocumentAuth.ACCOUNT, () => {
+      if (recipient.email !== user?.email) {
+        return null;
+      }
+
+      return {
+        type: DocumentAuth.ACCOUNT,
+      };
+    })
+    .with(DocumentAuth.EXPLICIT_NONE, () => ({
+      type: DocumentAuth.EXPLICIT_NONE,
+    }))
+    .with(DocumentAuth.PASSKEY, DocumentAuth.TWO_FACTOR_AUTH, null, () => null)
+    .exhaustive();
+
+  const executeActionAuthProcedure = async (options: ExecuteActionAuthProcedureOptions) => {
+    // Directly run callback if no auth required.
+    if (!derivedRecipientActionAuth || options.actionTarget !== FieldType.SIGNATURE) {
+      await options.onReauthFormSubmit();
+      return;
+    }
+
+    // Run callback with precalculated auth options if available.
+    if (preCalculatedActionAuthOptions) {
+      setDocumentAuthDialogPayload(null);
+      await options.onReauthFormSubmit(preCalculatedActionAuthOptions);
+      return;
+    }
+
+    // Request the required auth from the user.
+    setDocumentAuthDialogPayload({
+      ...options,
+    });
+  };
+
+  useEffect(() => {
+    const { passkeys } = passkeyData;
+
+    if (!preferredPasskeyId && passkeys.length > 0) {
+      setPreferredPasskeyId(passkeys[0].id);
+    }
+
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [passkeyData.passkeys]);
+
+  // Assume that a user must be logged in for any auth requirements.
+  const isAuthRedirectRequired = Boolean(
+    derivedRecipientActionAuth &&
+      derivedRecipientActionAuth !== DocumentAuth.EXPLICIT_NONE &&
+      user?.email !== recipient.email,
+  );
+
+  const refetchPasskeys = async () => {
+    await passkeyQuery.refetch();
+  };
+
+  return (
+    <DocumentAuthContext.Provider
+      value={{
+        user,
+        document,
+        setDocument,
+        executeActionAuthProcedure,
+        recipient,
+        setRecipient,
+        documentAuthOption,
+        recipientAuthOption,
+        derivedRecipientAccessAuth,
+        derivedRecipientActionAuth,
+        isAuthRedirectRequired,
+        isCurrentlyAuthenticating,
+        setIsCurrentlyAuthenticating,
+        passkeyData,
+        preferredPasskeyId,
+        setPreferredPasskeyId,
+        refetchPasskeys,
+      }}
+    >
+      {children}
+
+      {documentAuthDialogPayload && derivedRecipientActionAuth && (
+        <DocumentActionAuthDialog
+          open={true}
+          onOpenChange={() => setDocumentAuthDialogPayload(null)}
+          onReauthFormSubmit={documentAuthDialogPayload.onReauthFormSubmit}
+          actionTarget={documentAuthDialogPayload.actionTarget}
+          documentAuthType={derivedRecipientActionAuth}
+        />
+      )}
+    </DocumentAuthContext.Provider>
+  );
+};
+
+type ExecuteActionAuthProcedureOptions = Omit<
+  DocumentActionAuthDialogProps,
+  'open' | 'onOpenChange' | 'documentAuthType' | 'recipientRole'
+>;
+
+DocumentAuthProvider.displayName = 'DocumentAuthProvider';

apps/web/src/app/(signing)/sign/[token]/email-field.tsx

@@ -7,6 +7,8 @@ import { useRouter } from 'next/navigation';
 import { Loader } from 'lucide-react';
 
 import { DO_NOT_INVALIDATE_QUERY_ON_MUTATION } from '@documenso/lib/constants/trpc';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import type { TRecipientActionAuth } from '@documenso/lib/types/document-auth';
 import type { Recipient } from '@documenso/prisma/client';
 import type { FieldWithSignature } from '@documenso/prisma/types/field-with-signature';
 import { trpc } from '@documenso/trpc/react';
@@ -39,17 +41,24 @@ export const EmailField = ({ field, recipient }: EmailFieldProps) => {
 
   const isLoading = isSignFieldWithTokenLoading || isRemoveSignedFieldWithTokenLoading || isPending;
 
-  const onSign = async () => {
+  const onSign = async (authOptions?: TRecipientActionAuth) => {
     try {
       await signFieldWithToken({
         token: recipient.token,
         fieldId: field.id,
         value: providedEmail ?? '',
         isBase64: false,
+        authOptions,
       });
 
       startTransition(() => router.refresh());
     } catch (err) {
+      const error = AppError.parseError(err);
+
+      if (error.code === AppErrorCode.UNAUTHORIZED) {
+        throw error;
+      }
+
       console.error(err);
 
       toast({

apps/web/src/app/(signing)/sign/[token]/form.tsx

@@ -8,6 +8,7 @@ import { useSession } from 'next-auth/react';
 import { useForm } from 'react-hook-form';
 
 import { useAnalytics } from '@documenso/lib/client-only/hooks/use-analytics';
+import type { TRecipientActionAuth } from '@documenso/lib/types/document-auth';
 import { sortFieldsByPosition, validateFieldsInserted } from '@documenso/lib/utils/fields';
 import { type Document, type Field, type Recipient, RecipientRole } from '@documenso/prisma/client';
 import { trpc } from '@documenso/trpc/react';
@@ -41,10 +42,10 @@ export const SigningForm = ({ document, recipient, fields, redirectUrl }: Signin
   const { mutateAsync: completeDocumentWithToken } =
     trpc.recipient.completeDocumentWithToken.useMutation();
 
-  const {
-    handleSubmit,
-    formState: { isSubmitting },
-  } = useForm();
+  const { handleSubmit, formState } = useForm();
+
+  // Keep the loading state going if successful since the redirect may take some time.
+  const isSubmitting = formState.isSubmitting || formState.isSubmitSuccessful;
 
   const uninsertedFields = useMemo(() => {
     return sortFieldsByPosition(fields.filter((field) => !field.inserted));
@@ -64,9 +65,20 @@ export const SigningForm = ({ document, recipient, fields, redirectUrl }: Signin
       return;
     }
 
+    await completeDocument();
+
+    // Reauth is currently not required for completing the document.
+    // await executeActionAuthProcedure({
+    //   onReauthFormSubmit: completeDocument,
+    //   actionTarget: 'DOCUMENT',
+    // });
+  };
+
+  const completeDocument = async (authOptions?: TRecipientActionAuth) => {
     await completeDocumentWithToken({
       token: recipient.token,
       documentId: document.id,
+      authOptions,
     });
 
     analytics.capture('App: Recipient has completed signing', {

apps/web/src/app/(signing)/sign/[token]/name-field.tsx

@@ -7,7 +7,9 @@ import { useRouter } from 'next/navigation';
 import { Loader } from 'lucide-react';
 
 import { DO_NOT_INVALIDATE_QUERY_ON_MUTATION } from '@documenso/lib/constants/trpc';
-import type { Recipient } from '@documenso/prisma/client';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import type { TRecipientActionAuth } from '@documenso/lib/types/document-auth';
+import { type Recipient } from '@documenso/prisma/client';
 import type { FieldWithSignature } from '@documenso/prisma/types/field-with-signature';
 import { trpc } from '@documenso/trpc/react';
 import { Button } from '@documenso/ui/primitives/button';
@@ -16,6 +18,7 @@ import { Input } from '@documenso/ui/primitives/input';
 import { Label } from '@documenso/ui/primitives/label';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 
+import { useRequiredDocumentAuthContext } from './document-auth-provider';
 import { useRequiredSigningContext } from './provider';
 import { SigningFieldContainer } from './signing-field-container';
 
@@ -32,6 +35,8 @@ export const NameField = ({ field, recipient }: NameFieldProps) => {
   const { fullName: providedFullName, setFullName: setProvidedFullName } =
     useRequiredSigningContext();
 
+  const { executeActionAuthProcedure } = useRequiredDocumentAuthContext();
+
   const [isPending, startTransition] = useTransition();
 
   const { mutateAsync: signFieldWithToken, isLoading: isSignFieldWithTokenLoading } =
@@ -47,9 +52,33 @@ export const NameField = ({ field, recipient }: NameFieldProps) => {
   const [showFullNameModal, setShowFullNameModal] = useState(false);
   const [localFullName, setLocalFullName] = useState('');
 
-  const onSign = async (source: 'local' | 'provider' = 'provider') => {
+  const onPreSign = () => {
+    if (!providedFullName) {
+      setShowFullNameModal(true);
+      return false;
+    }
+
+    return true;
+  };
+
+  /**
+   * When the user clicks the sign button in the dialog where they enter their full name.
+   */
+  const onDialogSignClick = () => {
+    setShowFullNameModal(false);
+    setProvidedFullName(localFullName);
+
+    void executeActionAuthProcedure({
+      onReauthFormSubmit: async (authOptions) => await onSign(authOptions, localFullName),
+      actionTarget: field.type,
+    });
+  };
+
+  const onSign = async (authOptions?: TRecipientActionAuth, name?: string) => {
     try {
-      if (!providedFullName && !localFullName) {
+      const value = name || providedFullName;
+
+      if (!value) {
         setShowFullNameModal(true);
         return;
       }
@@ -57,18 +86,19 @@ export const NameField = ({ field, recipient }: NameFieldProps) => {
       await signFieldWithToken({
         token: recipient.token,
         fieldId: field.id,
-        value: source === 'local' && localFullName ? localFullName : providedFullName ?? '',
+        value,
         isBase64: false,
+        authOptions,
       });
 
-      if (source === 'local' && !providedFullName) {
-        setProvidedFullName(localFullName);
-      }
-
-      setLocalFullName('');
-
       startTransition(() => router.refresh());
     } catch (err) {
+      const error = AppError.parseError(err);
+
+      if (error.code === AppErrorCode.UNAUTHORIZED) {
+        throw error;
+      }
+
       console.error(err);
 
       toast({
@@ -99,7 +129,13 @@ export const NameField = ({ field, recipient }: NameFieldProps) => {
   };
 
   return (
-    <SigningFieldContainer field={field} onSign={onSign} onRemove={onRemove} type="Name">
+    <SigningFieldContainer
+      field={field}
+      onPreSign={onPreSign}
+      onSign={onSign}
+      onRemove={onRemove}
+      type="Name"
+    >
       {isLoading && (
         <div className="bg-background absolute inset-0 flex items-center justify-center rounded-md">
           <Loader className="text-primary h-5 w-5 animate-spin md:h-8 md:w-8" />
@@ -148,10 +184,7 @@ export const NameField = ({ field, recipient }: NameFieldProps) => {
                 type="button"
                 className="flex-1"
                 disabled={!localFullName}
-                onClick={() => {
-                  setShowFullNameModal(false);
-                  void onSign('local');
-                }}
+                onClick={() => onDialogSignClick()}
               >
                 Sign
               </Button>

apps/web/src/app/(signing)/sign/[token]/page.tsx

@@ -1,35 +1,24 @@
 import { headers } from 'next/headers';
 import { notFound, redirect } from 'next/navigation';
 
-import { match } from 'ts-pattern';
-
 import { DOCUMENSO_ENCRYPTION_KEY } from '@documenso/lib/constants/crypto';
-import { DEFAULT_DOCUMENT_DATE_FORMAT } from '@documenso/lib/constants/date-formats';
-import { PDF_VIEWER_PAGE_SELECTOR } from '@documenso/lib/constants/pdf-viewer';
-import { DEFAULT_DOCUMENT_TIME_ZONE } from '@documenso/lib/constants/time-zones';
 import { getServerComponentSession } from '@documenso/lib/next-auth/get-server-component-session';
 import { getDocumentAndSenderByToken } from '@documenso/lib/server-only/document/get-document-by-token';
+import { isRecipientAuthorized } from '@documenso/lib/server-only/document/is-recipient-authorized';
 import { viewedDocument } from '@documenso/lib/server-only/document/viewed-document';
 import { getFieldsForToken } from '@documenso/lib/server-only/field/get-fields-for-token';
 import { getRecipientByToken } from '@documenso/lib/server-only/recipient/get-recipient-by-token';
 import { getRecipientSignatures } from '@documenso/lib/server-only/recipient/get-recipient-signatures';
 import { symmetricDecrypt } from '@documenso/lib/universal/crypto';
 import { extractNextHeaderRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
-import { DocumentStatus, FieldType, RecipientRole, SigningStatus } from '@documenso/prisma/client';
-import { Card, CardContent } from '@documenso/ui/primitives/card';
-import { ElementVisible } from '@documenso/ui/primitives/element-visible';
-import { LazyPDFViewer } from '@documenso/ui/primitives/lazy-pdf-viewer';
+import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
+import { DocumentStatus, SigningStatus } from '@documenso/prisma/client';
 
-import { truncateTitle } from '~/helpers/truncate-title';
-
-import { DateField } from './date-field';
-import { EmailField } from './email-field';
-import { SigningForm } from './form';
-import { NameField } from './name-field';
+import { DocumentAuthProvider } from './document-auth-provider';
 import { NoLongerAvailable } from './no-longer-available';
 import { SigningProvider } from './provider';
-import { SignatureField } from './signature-field';
-import { TextField } from './text-field';
+import { SigningAuthPageView } from './signing-auth-page';
+import { SigningPageView } from './signing-page-view';
 
 export type SigningPageProps = {
   params: {
@@ -42,6 +31,8 @@ export default async function SigningPage({ params: { token } }: SigningPageProp
     return notFound();
   }
 
+  const { user } = await getServerComponentSession();
+
   const requestHeaders = Object.fromEntries(headers().entries());
 
   const requestMetadata = extractNextHeaderRequestMetadata(requestHeaders);
@@ -49,21 +40,40 @@ export default async function SigningPage({ params: { token } }: SigningPageProp
   const [document, fields, recipient] = await Promise.all([
     getDocumentAndSenderByToken({
       token,
+      userId: user?.id,
+      requireAccessAuth: false,
     }).catch(() => null),
     getFieldsForToken({ token }),
     getRecipientByToken({ token }).catch(() => null),
-    viewedDocument({ token, requestMetadata }).catch(() => null),
   ]);
 
   if (!document || !document.documentData || !recipient) {
     return notFound();
   }
 
-  const truncatedTitle = truncateTitle(document.title);
+  const { derivedRecipientAccessAuth } = extractDocumentAuthMethods({
+    documentAuth: document.authOptions,
+    recipientAuth: recipient.authOptions,
+  });
 
-  const { documentData, documentMeta } = document;
+  const isDocumentAccessValid = await isRecipientAuthorized({
+    type: 'ACCESS',
+    document,
+    recipient,
+    userId: user?.id,
+  });
 
-  const { user } = await getServerComponentSession();
+  if (!isDocumentAccessValid) {
+    return <SigningAuthPageView email={recipient.email} />;
+  }
+
+  await viewedDocument({
+    token,
+    requestMetadata,
+    recipientAccessAuth: derivedRecipientAccessAuth,
+  }).catch(() => null);
+
+  const { documentMeta } = document;
 
   if (
     document.status === DocumentStatus.COMPLETED ||
@@ -109,73 +119,9 @@ export default async function SigningPage({ params: { token } }: SigningPageProp
       fullName={user?.email === recipient.email ? user.name : recipient.name}
       signature={user?.email === recipient.email ? user.signature : undefined}
     >
-      <div className="mx-auto w-full max-w-screen-xl">
-        <h1 className="mt-4 truncate text-2xl font-semibold md:text-3xl" title={document.title}>
-          {truncatedTitle}
-        </h1>
-
-        <div className="mt-2.5 flex items-center gap-x-6">
-          <p className="text-muted-foreground">
-            {document.User.name} ({document.User.email}) has invited you to{' '}
-            {recipient.role === RecipientRole.VIEWER && 'view'}
-            {recipient.role === RecipientRole.SIGNER && 'sign'}
-            {recipient.role === RecipientRole.APPROVER && 'approve'} this document.
-          </p>
-        </div>
-
-        <div className="mt-8 grid grid-cols-12 gap-y-8 lg:gap-x-8 lg:gap-y-0">
-          <Card
-            className="col-span-12 rounded-xl before:rounded-xl lg:col-span-7 xl:col-span-8"
-            gradient
-          >
-            <CardContent className="p-2">
-              <LazyPDFViewer
-                key={documentData.id}
-                documentData={documentData}
-                document={document}
-                password={documentMeta?.password}
-              />
-            </CardContent>
-          </Card>
-
-          <div className="col-span-12 lg:col-span-5 xl:col-span-4">
-            <SigningForm
-              document={document}
-              recipient={recipient}
-              fields={fields}
-              redirectUrl={documentMeta?.redirectUrl}
-            />
-          </div>
-        </div>
-
-        <ElementVisible target={PDF_VIEWER_PAGE_SELECTOR}>
-          {fields.map((field) =>
-            match(field.type)
-              .with(FieldType.SIGNATURE, () => (
-                <SignatureField key={field.id} field={field} recipient={recipient} />
-              ))
-              .with(FieldType.NAME, () => (
-                <NameField key={field.id} field={field} recipient={recipient} />
-              ))
-              .with(FieldType.DATE, () => (
-                <DateField
-                  key={field.id}
-                  field={field}
-                  recipient={recipient}
-                  dateFormat={documentMeta?.dateFormat ?? DEFAULT_DOCUMENT_DATE_FORMAT}
-                  timezone={documentMeta?.timezone ?? DEFAULT_DOCUMENT_TIME_ZONE}
-                />
-              ))
-              .with(FieldType.EMAIL, () => (
-                <EmailField key={field.id} field={field} recipient={recipient} />
-              ))
-              .with(FieldType.TEXT, () => (
-                <TextField key={field.id} field={field} recipient={recipient} />
-              ))
-              .otherwise(() => null),
-          )}
-        </ElementVisible>
-      </div>
+      <DocumentAuthProvider document={document} recipient={recipient} user={user}>
+        <SigningPageView recipient={recipient} document={document} fields={fields} />
+      </DocumentAuthProvider>
     </SigningProvider>
   );
 }

apps/web/src/app/(signing)/sign/[token]/sign-dialog.tsx

@@ -7,9 +7,11 @@ import {
   Dialog,
   DialogContent,
   DialogFooter,
+  DialogTitle,
   DialogTrigger,
 } from '@documenso/ui/primitives/dialog';
 
+import { SigningDisclosure } from '~/components/general/signing-disclosure';
 import { truncateTitle } from '~/helpers/truncate-title';
 
 export type SignDialogProps = {
@@ -33,8 +35,28 @@ export const SignDialog = ({
   const truncatedTitle = truncateTitle(document.title);
   const isComplete = fields.every((field) => field.inserted);
 
+  const handleOpenChange = (open: boolean) => {
+    if (isSubmitting || !isComplete) {
+      return;
+    }
+
+    // Reauth is currently not required for signing the document.
+    // if (isAuthRedirectRequired) {
+    //   await executeActionAuthProcedure({
+    //     actionTarget: 'DOCUMENT',
+    //     onReauthFormSubmit: () => {
+    //       // Do nothing since the user should be redirected.
+    //     },
+    //   });
+
+    //   return;
+    // }
+
+    setShowDialog(open);
+  };
+
   return (
-    <Dialog open={showDialog && isComplete} onOpenChange={setShowDialog}>
+    <Dialog open={showDialog} onOpenChange={handleOpenChange}>
       <DialogTrigger asChild>
         <Button
           className="w-full"
@@ -46,23 +68,39 @@ export const SignDialog = ({
           {isComplete ? 'Complete' : 'Next field'}
         </Button>
       </DialogTrigger>
+
       <DialogContent>
-        <div className="text-center">
+        <DialogTitle>
           <div className="text-foreground text-xl font-semibold">
-            {role === RecipientRole.VIEWER && 'Mark Document as Viewed'}
-            {role === RecipientRole.SIGNER && 'Sign Document'}
-            {role === RecipientRole.APPROVER && 'Approve Document'}
-          </div>
-          <div className="text-muted-foreground mx-auto w-4/5 py-2 text-center">
-            {role === RecipientRole.VIEWER &&
-              `You are about to finish viewing "${truncatedTitle}". Are you sure?`}
-            {role === RecipientRole.SIGNER &&
-              `You are about to finish signing "${truncatedTitle}". Are you sure?`}
-            {role === RecipientRole.APPROVER &&
-              `You are about to finish approving "${truncatedTitle}". Are you sure?`}
+            {role === RecipientRole.VIEWER && 'Complete Viewing'}
+            {role === RecipientRole.SIGNER && 'Complete Signing'}
+            {role === RecipientRole.APPROVER && 'Complete Approval'}
           </div>
+        </DialogTitle>
+
+        <div className="text-muted-foreground max-w-[50ch]">
+          {role === RecipientRole.VIEWER && (
+            <span>
+              You are about to complete viewing "{truncatedTitle}".
+              <br /> Are you sure?
+            </span>
+          )}
+          {role === RecipientRole.SIGNER && (
+            <span>
+              You are about to complete signing "{truncatedTitle}".
+              <br /> Are you sure?
+            </span>
+          )}
+          {role === RecipientRole.APPROVER && (
+            <span>
+              You are about to complete approving "{truncatedTitle}".
+              <br /> Are you sure?
+            </span>
+          )}
         </div>
 
+        <SigningDisclosure className="mt-4" />
+
         <DialogFooter>
           <div className="flex w-full flex-1 flex-nowrap gap-4">
             <Button

apps/web/src/app/(signing)/sign/[token]/signature-field.tsx

@@ -1,13 +1,15 @@
 'use client';
 
-import { useEffect, useMemo, useState, useTransition } from 'react';
+import { useMemo, useState, useTransition } from 'react';
 
 import { useRouter } from 'next/navigation';
 
 import { Loader } from 'lucide-react';
 
 import { DO_NOT_INVALIDATE_QUERY_ON_MUTATION } from '@documenso/lib/constants/trpc';
-import type { Recipient } from '@documenso/prisma/client';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import type { TRecipientActionAuth } from '@documenso/lib/types/document-auth';
+import { type Recipient } from '@documenso/prisma/client';
 import type { FieldWithSignature } from '@documenso/prisma/types/field-with-signature';
 import { trpc } from '@documenso/trpc/react';
 import { Button } from '@documenso/ui/primitives/button';
@@ -16,6 +18,9 @@ import { Label } from '@documenso/ui/primitives/label';
 import { SignaturePad } from '@documenso/ui/primitives/signature-pad';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 
+import { SigningDisclosure } from '~/components/general/signing-disclosure';
+
+import { useRequiredDocumentAuthContext } from './document-auth-provider';
 import { useRequiredSigningContext } from './provider';
 import { SigningFieldContainer } from './signing-field-container';
 
@@ -30,9 +35,12 @@ export const SignatureField = ({ field, recipient }: SignatureFieldProps) => {
   const router = useRouter();
 
   const { toast } = useToast();
+
   const { signature: providedSignature, setSignature: setProvidedSignature } =
     useRequiredSigningContext();
 
+  const { executeActionAuthProcedure } = useRequiredDocumentAuthContext();
+
   const [isPending, startTransition] = useTransition();
 
   const { mutateAsync: signFieldWithToken, isLoading: isSignFieldWithTokenLoading } =
@@ -49,7 +57,6 @@ export const SignatureField = ({ field, recipient }: SignatureFieldProps) => {
 
   const [showSignatureModal, setShowSignatureModal] = useState(false);
   const [localSignature, setLocalSignature] = useState<string | null>(null);
-  const [isLocalSignatureSet, setIsLocalSignatureSet] = useState(false);
 
   const state = useMemo<SignatureFieldState>(() => {
     if (!field.inserted) {
@@ -63,23 +70,38 @@ export const SignatureField = ({ field, recipient }: SignatureFieldProps) => {
     return 'signed-text';
   }, [field.inserted, signature?.signatureImageAsBase64]);
 
-  useEffect(() => {
-    if (!showSignatureModal && !isLocalSignatureSet) {
-      setLocalSignature(null);
+  const onPreSign = () => {
+    if (!providedSignature) {
+      setShowSignatureModal(true);
+      return false;
     }
-  }, [showSignatureModal, isLocalSignatureSet]);
 
-  const onSign = async (source: 'local' | 'provider' = 'provider') => {
+    return true;
+  };
+
+  /**
+   * When the user clicks the sign button in the dialog where they enter their signature.
+   */
+  const onDialogSignClick = () => {
+    setShowSignatureModal(false);
+    setProvidedSignature(localSignature);
+
+    if (!localSignature) {
+      return;
+    }
+
+    void executeActionAuthProcedure({
+      onReauthFormSubmit: async (authOptions) => await onSign(authOptions, localSignature),
+      actionTarget: field.type,
+    });
+  };
+
+  const onSign = async (authOptions?: TRecipientActionAuth, signature?: string) => {
     try {
-      if (!providedSignature && !localSignature) {
-        setIsLocalSignatureSet(false);
-        setShowSignatureModal(true);
-        return;
-      }
-
-      const value = source === 'local' && localSignature ? localSignature : providedSignature ?? '';
+      const value = signature || providedSignature;
 
       if (!value) {
+        setShowSignatureModal(true);
         return;
       }
 
@@ -88,16 +110,17 @@ export const SignatureField = ({ field, recipient }: SignatureFieldProps) => {
         fieldId: field.id,
         value,
         isBase64: true,
+        authOptions,
       });
 
-      if (source === 'local' && !providedSignature) {
-        setProvidedSignature(localSignature);
-      }
-
-      setLocalSignature(null);
-
       startTransition(() => router.refresh());
     } catch (err) {
+      const error = AppError.parseError(err);
+
+      if (error.code === AppErrorCode.UNAUTHORIZED) {
+        throw error;
+      }
+
       console.error(err);
 
       toast({
@@ -128,7 +151,13 @@ export const SignatureField = ({ field, recipient }: SignatureFieldProps) => {
   };
 
   return (
-    <SigningFieldContainer field={field} onSign={onSign} onRemove={onRemove} type="Signature">
+    <SigningFieldContainer
+      field={field}
+      onPreSign={onPreSign}
+      onSign={onSign}
+      onRemove={onRemove}
+      type="Signature"
+    >
       {isLoading && (
         <div className="bg-background absolute inset-0 flex items-center justify-center rounded-md">
           <Loader className="text-primary h-5 w-5 animate-spin md:h-8 md:w-8" />
@@ -173,6 +202,8 @@ export const SignatureField = ({ field, recipient }: SignatureFieldProps) => {
             />
           </div>
 
+          <SigningDisclosure />
+
           <DialogFooter>
             <div className="flex w-full flex-1 flex-nowrap gap-4">
               <Button
@@ -191,11 +222,7 @@ export const SignatureField = ({ field, recipient }: SignatureFieldProps) => {
                 type="button"
                 className="flex-1"
                 disabled={!localSignature}
-                onClick={() => {
-                  setShowSignatureModal(false);
-                  setIsLocalSignatureSet(true);
-                  void onSign('local');
-                }}
+                onClick={() => onDialogSignClick()}
               >
                 Sign
               </Button>

apps/web/src/app/(signing)/sign/[token]/signing-auth-page.tsx

@@ -0,0 +1,67 @@
+'use client';
+
+import { useState } from 'react';
+
+import { DateTime } from 'luxon';
+import { signOut } from 'next-auth/react';
+
+import { trpc } from '@documenso/trpc/react';
+import { Button } from '@documenso/ui/primitives/button';
+import { useToast } from '@documenso/ui/primitives/use-toast';
+
+export type SigningAuthPageViewProps = {
+  email: string;
+};
+
+export const SigningAuthPageView = ({ email }: SigningAuthPageViewProps) => {
+  const { toast } = useToast();
+
+  const [isSigningOut, setIsSigningOut] = useState(false);
+
+  const { mutateAsync: encryptSecondaryData } = trpc.crypto.encryptSecondaryData.useMutation();
+
+  const handleChangeAccount = async (email: string) => {
+    try {
+      setIsSigningOut(true);
+
+      const encryptedEmail = await encryptSecondaryData({
+        data: email,
+        expiresAt: DateTime.now().plus({ days: 1 }).toMillis(),
+      });
+
+      await signOut({
+        callbackUrl: `/signin?email=${encodeURIComponent(encryptedEmail)}`,
+      });
+    } catch {
+      toast({
+        title: 'Something went wrong',
+        description: 'We were unable to log you out at this time.',
+        duration: 10000,
+        variant: 'destructive',
+      });
+    }
+
+    setIsSigningOut(false);
+  };
+
+  return (
+    <div className="mx-auto flex h-[70vh] w-full max-w-md flex-col items-center justify-center">
+      <div>
+        <h1 className="text-3xl font-semibold">Authentication required</h1>
+
+        <p className="text-muted-foreground mt-2 text-sm">
+          You need to be logged in as <strong>{email}</strong> to view this page.
+        </p>
+
+        <Button
+          className="mt-4 w-full"
+          type="submit"
+          onClick={async () => handleChangeAccount(email)}
+          loading={isSigningOut}
+        >
+          Login
+        </Button>
+      </div>
+    </div>
+  );
+};

apps/web/src/app/(signing)/sign/[token]/signing-field-container.tsx

@@ -2,15 +2,38 @@
 
 import React from 'react';
 
+import { type TRecipientActionAuth } from '@documenso/lib/types/document-auth';
+import { FieldType } from '@documenso/prisma/client';
 import type { FieldWithSignature } from '@documenso/prisma/types/field-with-signature';
 import { FieldRootContainer } from '@documenso/ui/components/field/field';
 import { Tooltip, TooltipContent, TooltipTrigger } from '@documenso/ui/primitives/tooltip';
 
+import { useRequiredDocumentAuthContext } from './document-auth-provider';
+
 export type SignatureFieldProps = {
   field: FieldWithSignature;
   loading?: boolean;
   children: React.ReactNode;
-  onSign?: () => Promise<void> | void;
+
+  /**
+   * A function that is called before the field requires to be signed, or reauthed.
+   *
+   * Example, you may want to show a dialog prior to signing where they can enter a value.
+   *
+   * Once that action is complete, you will need to call `executeActionAuthProcedure` to proceed
+   * regardless if it requires reauth or not.
+   *
+   * If the function returns true, we will proceed with the signing process. Otherwise if
+   * false is returned we will not proceed.
+   */
+  onPreSign?: () => Promise<boolean> | boolean;
+
+  /**
+   * The function required to be executed to insert the field.
+   *
+   * The auth values will be passed in if available.
+   */
+  onSign?: (documentAuthValue?: TRecipientActionAuth) => Promise<void> | void;
   onRemove?: () => Promise<void> | void;
   type?: 'Date' | 'Email' | 'Name' | 'Signature';
   tooltipText?: string | null;
@@ -19,18 +42,56 @@ export type SignatureFieldProps = {
 export const SigningFieldContainer = ({
   field,
   loading,
+  onPreSign,
   onSign,
   onRemove,
   children,
   type,
   tooltipText,
 }: SignatureFieldProps) => {
-  const onSignFieldClick = async () => {
-    if (field.inserted) {
+  const { executeActionAuthProcedure, isAuthRedirectRequired } = useRequiredDocumentAuthContext();
+
+  const handleInsertField = async () => {
+    if (field.inserted || !onSign) {
       return;
     }
 
-    await onSign?.();
+    // Bypass reauth for non signature fields.
+    if (field.type !== FieldType.SIGNATURE) {
+      const presignResult = await onPreSign?.();
+
+      if (presignResult === false) {
+        return;
+      }
+
+      await onSign();
+      return;
+    }
+
+    if (isAuthRedirectRequired) {
+      await executeActionAuthProcedure({
+        onReauthFormSubmit: () => {
+          // Do nothing since the user should be redirected.
+        },
+        actionTarget: field.type,
+      });
+
+      return;
+    }
+
+    // Handle any presign requirements, and halt if required.
+    if (onPreSign) {
+      const preSignResult = await onPreSign();
+
+      if (preSignResult === false) {
+        return;
+      }
+    }
+
+    await executeActionAuthProcedure({
+      onReauthFormSubmit: onSign,
+      actionTarget: field.type,
+    });
   };
 
   const onRemoveSignedFieldClick = async () => {
@@ -47,7 +108,7 @@ export const SigningFieldContainer = ({
         <button
           type="submit"
           className="absolute inset-0 z-10 h-full w-full"
-          onClick={onSignFieldClick}
+          onClick={async () => handleInsertField()}
         />
       )}
 

apps/web/src/app/(signing)/sign/[token]/signing-page-view.tsx

@@ -0,0 +1,102 @@
+import { match } from 'ts-pattern';
+
+import { DEFAULT_DOCUMENT_DATE_FORMAT } from '@documenso/lib/constants/date-formats';
+import { PDF_VIEWER_PAGE_SELECTOR } from '@documenso/lib/constants/pdf-viewer';
+import { DEFAULT_DOCUMENT_TIME_ZONE } from '@documenso/lib/constants/time-zones';
+import type { DocumentAndSender } from '@documenso/lib/server-only/document/get-document-by-token';
+import type { Field, Recipient } from '@documenso/prisma/client';
+import { FieldType, RecipientRole } from '@documenso/prisma/client';
+import { Card, CardContent } from '@documenso/ui/primitives/card';
+import { ElementVisible } from '@documenso/ui/primitives/element-visible';
+import { LazyPDFViewer } from '@documenso/ui/primitives/lazy-pdf-viewer';
+
+import { truncateTitle } from '~/helpers/truncate-title';
+
+import { DateField } from './date-field';
+import { EmailField } from './email-field';
+import { SigningForm } from './form';
+import { NameField } from './name-field';
+import { SignatureField } from './signature-field';
+import { TextField } from './text-field';
+
+export type SigningPageViewProps = {
+  document: DocumentAndSender;
+  recipient: Recipient;
+  fields: Field[];
+};
+
+export const SigningPageView = ({ document, recipient, fields }: SigningPageViewProps) => {
+  const truncatedTitle = truncateTitle(document.title);
+
+  const { documentData, documentMeta } = document;
+
+  return (
+    <div className="mx-auto w-full max-w-screen-xl">
+      <h1 className="mt-4 truncate text-2xl font-semibold md:text-3xl" title={document.title}>
+        {truncatedTitle}
+      </h1>
+
+      <div className="mt-2.5 flex items-center gap-x-6">
+        <p className="text-muted-foreground">
+          {document.User.name} ({document.User.email}) has invited you to{' '}
+          {recipient.role === RecipientRole.VIEWER && 'view'}
+          {recipient.role === RecipientRole.SIGNER && 'sign'}
+          {recipient.role === RecipientRole.APPROVER && 'approve'} this document.
+        </p>
+      </div>
+
+      <div className="mt-8 grid grid-cols-12 gap-y-8 lg:gap-x-8 lg:gap-y-0">
+        <Card
+          className="col-span-12 rounded-xl before:rounded-xl lg:col-span-7 xl:col-span-8"
+          gradient
+        >
+          <CardContent className="p-2">
+            <LazyPDFViewer
+              key={documentData.id}
+              documentData={documentData}
+              document={document}
+              password={documentMeta?.password}
+            />
+          </CardContent>
+        </Card>
+
+        <div className="col-span-12 lg:col-span-5 xl:col-span-4">
+          <SigningForm
+            document={document}
+            recipient={recipient}
+            fields={fields}
+            redirectUrl={documentMeta?.redirectUrl}
+          />
+        </div>
+      </div>
+
+      <ElementVisible target={PDF_VIEWER_PAGE_SELECTOR}>
+        {fields.map((field) =>
+          match(field.type)
+            .with(FieldType.SIGNATURE, () => (
+              <SignatureField key={field.id} field={field} recipient={recipient} />
+            ))
+            .with(FieldType.NAME, () => (
+              <NameField key={field.id} field={field} recipient={recipient} />
+            ))
+            .with(FieldType.DATE, () => (
+              <DateField
+                key={field.id}
+                field={field}
+                recipient={recipient}
+                dateFormat={documentMeta?.dateFormat ?? DEFAULT_DOCUMENT_DATE_FORMAT}
+                timezone={documentMeta?.timezone ?? DEFAULT_DOCUMENT_TIME_ZONE}
+              />
+            ))
+            .with(FieldType.EMAIL, () => (
+              <EmailField key={field.id} field={field} recipient={recipient} />
+            ))
+            .with(FieldType.TEXT, () => (
+              <TextField key={field.id} field={field} recipient={recipient} />
+            ))
+            .otherwise(() => null),
+        )}
+      </ElementVisible>
+    </div>
+  );
+};

apps/web/src/app/(signing)/sign/[token]/text-field.tsx

@@ -7,6 +7,8 @@ import { useRouter } from 'next/navigation';
 import { Loader } from 'lucide-react';
 
 import { DO_NOT_INVALIDATE_QUERY_ON_MUTATION } from '@documenso/lib/constants/trpc';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import type { TRecipientActionAuth } from '@documenso/lib/types/document-auth';
 import type { Recipient } from '@documenso/prisma/client';
 import type { FieldWithSignature } from '@documenso/prisma/types/field-with-signature';
 import { trpc } from '@documenso/trpc/react';
@@ -16,6 +18,7 @@ import { Input } from '@documenso/ui/primitives/input';
 import { Label } from '@documenso/ui/primitives/label';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 
+import { useRequiredDocumentAuthContext } from './document-auth-provider';
 import { SigningFieldContainer } from './signing-field-container';
 
 export type TextFieldProps = {
@@ -28,6 +31,8 @@ export const TextField = ({ field, recipient }: TextFieldProps) => {
 
   const { toast } = useToast();
 
+  const { executeActionAuthProcedure } = useRequiredDocumentAuthContext();
+
   const [isPending, startTransition] = useTransition();
 
   const { mutateAsync: signFieldWithToken, isLoading: isSignFieldWithTokenLoading } =
@@ -42,22 +47,36 @@ export const TextField = ({ field, recipient }: TextFieldProps) => {
 
   const [showCustomTextModal, setShowCustomTextModal] = useState(false);
   const [localText, setLocalCustomText] = useState('');
-  const [isLocalSignatureSet, setIsLocalSignatureSet] = useState(false);
 
   useEffect(() => {
-    if (!showCustomTextModal && !isLocalSignatureSet) {
+    if (!showCustomTextModal) {
       setLocalCustomText('');
     }
-  }, [showCustomTextModal, isLocalSignatureSet]);
+  }, [showCustomTextModal]);
 
-  const onSign = async () => {
+  /**
+   * When the user clicks the sign button in the dialog where they enter the text field.
+   */
+  const onDialogSignClick = () => {
+    setShowCustomTextModal(false);
+
+    void executeActionAuthProcedure({
+      onReauthFormSubmit: async (authOptions) => await onSign(authOptions),
+      actionTarget: field.type,
+    });
+  };
+
+  const onPreSign = () => {
+    if (!localText) {
+      setShowCustomTextModal(true);
+      return false;
+    }
+
+    return true;
+  };
+
+  const onSign = async (authOptions?: TRecipientActionAuth) => {
     try {
-      if (!localText) {
-        setIsLocalSignatureSet(false);
-        setShowCustomTextModal(true);
-        return;
-      }
-
       if (!localText) {
         return;
       }
@@ -67,12 +86,19 @@ export const TextField = ({ field, recipient }: TextFieldProps) => {
         fieldId: field.id,
         value: localText,
         isBase64: true,
+        authOptions,
       });
 
       setLocalCustomText('');
 
       startTransition(() => router.refresh());
     } catch (err) {
+      const error = AppError.parseError(err);
+
+      if (error.code === AppErrorCode.UNAUTHORIZED) {
+        throw error;
+      }
+
       console.error(err);
 
       toast({
@@ -103,7 +129,13 @@ export const TextField = ({ field, recipient }: TextFieldProps) => {
   };
 
   return (
-    <SigningFieldContainer field={field} onSign={onSign} onRemove={onRemove} type="Signature">
+    <SigningFieldContainer
+      field={field}
+      onPreSign={onPreSign}
+      onSign={onSign}
+      onRemove={onRemove}
+      type="Signature"
+    >
       {isLoading && (
         <div className="bg-background absolute inset-0 flex items-center justify-center rounded-md">
           <Loader className="text-primary h-5 w-5 animate-spin md:h-8 md:w-8" />
@@ -150,11 +182,7 @@ export const TextField = ({ field, recipient }: TextFieldProps) => {
                 type="button"
                 className="flex-1"
                 disabled={!localText}
-                onClick={() => {
-                  setShowCustomTextModal(false);
-                  setIsLocalSignatureSet(true);
-                  void onSign();
-                }}
+                onClick={() => onDialogSignClick()}
               >
                 Save Text
               </Button>

apps/web/src/app/(unauthenticated)/articles/signature-disclosure/page.tsx

@@ -0,0 +1,108 @@
+import Link from 'next/link';
+
+import { Button } from '@documenso/ui/primitives/button';
+
+export default function SignatureDisclosure() {
+  return (
+    <div>
+      <article className="prose">
+        <h1>Electronic Signature Disclosure</h1>
+
+        <h2>Welcome</h2>
+        <p>
+          Thank you for using Documenso to perform your electronic document signing. The purpose of
+          this disclosure is to inform you about the process, legality, and your rights regarding
+          the use of electronic signatures on our platform. By opting to use an electronic
+          signature, you are agreeing to the terms and conditions outlined below.
+        </p>
+
+        <h2>Acceptance and Consent</h2>
+        <p>
+          When you use our platform to affix your electronic signature to documents, you are
+          consenting to do so under the Electronic Signatures in Global and National Commerce Act
+          (E-Sign Act) and other applicable laws. This action indicates your agreement to use
+          electronic means to sign documents and receive notifications.
+        </p>
+
+        <h2>Legality of Electronic Signatures</h2>
+        <p>
+          An electronic signature provided by you on our platform, achieved through clicking through
+          to a document and entering your name, or any other electronic signing method we provide,
+          is legally binding. It carries the same weight and enforceability as a manual signature
+          written with ink on paper.
+        </p>
+
+        <h2>System Requirements</h2>
+        <p>To use our electronic signature service, you must have access to:</p>
+        <ul>
+          <li>A stable internet connection</li>
+          <li>An email account</li>
+          <li>A device capable of accessing, opening, and reading documents</li>
+          <li>A means to print or download documents for your records</li>
+        </ul>
+
+        <h2>Electronic Delivery of Documents</h2>
+        <p>
+          All documents related to the electronic signing process will be provided to you
+          electronically through our platform or via email. It is your responsibility to ensure that
+          your email address is current and that you can receive and open our emails.
+        </p>
+
+        <h2>Consent to Electronic Transactions</h2>
+        <p>
+          By using the electronic signature feature, you are consenting to conduct transactions and
+          receive disclosures electronically. You acknowledge that your electronic signature on
+          documents is binding and that you accept the terms outlined in the documents you are
+          signing.
+        </p>
+
+        <h2>Withdrawing Consent</h2>
+        <p>
+          You have the right to withdraw your consent to use electronic signatures at any time
+          before completing the signing process. To withdraw your consent, please contact the sender
+          of the document. In failing to contact the sender you may reach out to{' '}
+          <a href="mailto:support@documenso.com">support@documenso.com</a> for assistance. Be aware
+          that withdrawing consent may delay or halt the completion of the related transaction or
+          service.
+        </p>
+
+        <h2>Updating Your Information</h2>
+        <p>
+          It is crucial to keep your contact information, especially your email address, up to date
+          with us. Please notify us immediately of any changes to ensure that you continue to
+          receive all necessary communications.
+        </p>
+
+        <h2>Retention of Documents</h2>
+        <p>
+          After signing a document electronically, you will be provided the opportunity to view,
+          download, and print the document for your records. It is highly recommended that you
+          retain a copy of all electronically signed documents for your personal records. We will
+          also retain a copy of the signed document for our records however we may not be able to
+          provide you with a copy of the signed document after a certain period of time.
+        </p>
+
+        <h2>Acknowledgment</h2>
+        <p>
+          By proceeding to use the electronic signature service provided by Documenso, you affirm
+          that you have read and understood this disclosure. You agree to all terms and conditions
+          related to the use of electronic signatures and electronic transactions as outlined
+          herein.
+        </p>
+
+        <h2>Contact Information</h2>
+        <p>
+          For any questions regarding this disclosure, electronic signatures, or any related
+          process, please contact us at:{' '}
+          <a href="mailto:support@documenso.com">support@documenso.com</a>
+        </p>
+      </article>
+
+      <div className="mt-8">
+        <Button asChild>
+          <Link href="/documents">Back to Documents</Link>
+        </Button>
+      </div>
+    </div>
+  );
+}

apps/web/src/app/layout.tsx

@@ -2,6 +2,7 @@ import { Suspense } from 'react';
 
 import { Caveat, Inter } from 'next/font/google';
 
+import { AxiomWebVitals } from 'next-axiom';
 import { PublicEnvScript } from 'next-runtime-env';
 
 import { FeatureFlagProvider } from '@documenso/lib/client-only/providers/feature-flag';
@@ -71,6 +72,8 @@ export default async function RootLayout({ children }: { children: React.ReactNo
         <PublicEnvScript />
       </head>
 
+      <AxiomWebVitals />
+
       <Suspense>
         <PostHogPageview />
       </Suspense>

apps/web/src/components/(dashboard)/avatar/stack-avatars.tsx

@@ -2,7 +2,7 @@ import React from 'react';
 
 import { getRecipientType } from '@documenso/lib/client-only/recipient-type';
 import { recipientAbbreviation } from '@documenso/lib/utils/recipient-formatter';
-import { Recipient } from '@documenso/prisma/client';
+import type { Recipient } from '@documenso/prisma/client';
 
 import { StackAvatar } from './stack-avatar';
 

apps/web/src/components/(teams)/dialogs/invite-team-member-dialog.tsx

@@ -1,19 +1,22 @@
 'use client';
 
-import { useEffect, useState } from 'react';
+import { useEffect, useRef, useState } from 'react';
 
 import { zodResolver } from '@hookform/resolvers/zod';
 import type * as DialogPrimitive from '@radix-ui/react-dialog';
-import { Mail, PlusCircle, Trash } from 'lucide-react';
+import { Download, Mail, MailIcon, PlusCircle, Trash, Upload, UsersIcon } from 'lucide-react';
+import Papa, { type ParseResult } from 'papaparse';
 import { useFieldArray, useForm } from 'react-hook-form';
 import { z } from 'zod';
 
+import { downloadFile } from '@documenso/lib/client-only/download-file';
 import { TEAM_MEMBER_ROLE_HIERARCHY, TEAM_MEMBER_ROLE_MAP } from '@documenso/lib/constants/teams';
 import { TeamMemberRole } from '@documenso/prisma/client';
 import { trpc } from '@documenso/trpc/react';
 import { ZCreateTeamMemberInvitesMutationSchema } from '@documenso/trpc/server/team-router/schema';
 import { cn } from '@documenso/ui/lib/utils';
 import { Button } from '@documenso/ui/primitives/button';
+import { Card, CardContent } from '@documenso/ui/primitives/card';
 import {
   Dialog,
   DialogContent,
@@ -39,6 +42,7 @@ import {
   SelectTrigger,
   SelectValue,
 } from '@documenso/ui/primitives/select';
+import { Tabs, TabsContent, TabsList, TabsTrigger } from '@documenso/ui/primitives/tabs';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 
 export type InviteTeamMembersDialogProps = {
@@ -51,18 +55,45 @@ const ZInviteTeamMembersFormSchema = z
   .object({
     invitations: ZCreateTeamMemberInvitesMutationSchema.shape.invitations,
   })
-  .refine(
-    (schema) => {
-      const emails = schema.invitations.map((invitation) => invitation.email.toLowerCase());
+  // Display exactly which rows are duplicates.
+  .superRefine((items, ctx) => {
+    const uniqueEmails = new Map<string, number>();
 
-      return new Set(emails).size === emails.length;
-    },
-    // Dirty hack to handle errors when .root is populated for an array type
-    { message: 'Members must have unique emails', path: ['members__root'] },
-  );
+    for (const [index, invitation] of items.invitations.entries()) {
+      const email = invitation.email.toLowerCase();
+
+      const firstFoundIndex = uniqueEmails.get(email);
+
+      if (firstFoundIndex === undefined) {
+        uniqueEmails.set(email, index);
+        continue;
+      }
+
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'Emails must be unique',
+        path: ['invitations', index, 'email'],
+      });
+
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'Emails must be unique',
+        path: ['invitations', firstFoundIndex, 'email'],
+      });
+    }
+  });
 
 type TInviteTeamMembersFormSchema = z.infer<typeof ZInviteTeamMembersFormSchema>;
 
+type TabTypes = 'INDIVIDUAL' | 'BULK';
+
+const ZImportTeamMemberSchema = z.array(
+  z.object({
+    email: z.string().email(),
+    role: z.nativeEnum(TeamMemberRole),
+  }),
+);
+
 export const InviteTeamMembersDialog = ({
   currentUserTeamRole,
   teamId,
@@ -70,6 +101,8 @@ export const InviteTeamMembersDialog = ({
   ...props
 }: InviteTeamMembersDialogProps) => {
   const [open, setOpen] = useState(false);
+  const fileInputRef = useRef<HTMLInputElement>(null);
+  const [invitationType, setInvitationType] = useState<TabTypes>('INDIVIDUAL');
 
   const { toast } = useToast();
 
@@ -130,9 +163,75 @@ export const InviteTeamMembersDialog = ({
   useEffect(() => {
     if (!open) {
       form.reset();
+      setInvitationType('INDIVIDUAL');
     }
   }, [open, form]);
 
+  const onFileInputChange = (e: React.ChangeEvent<HTMLInputElement>) => {
+    if (!e.target.files?.length) {
+      return;
+    }
+
+    const csvFile = e.target.files[0];
+
+    Papa.parse(csvFile, {
+      skipEmptyLines: true,
+      comments: 'Work email,Job title',
+      complete: (results: ParseResult<string[]>) => {
+        const members = results.data.map((row) => {
+          const [email, role] = row;
+
+          return {
+            email: email.trim(),
+            role: role.trim().toUpperCase(),
+          };
+        });
+
+        // Remove the first row if it contains the headers.
+        if (members.length > 1 && members[0].role.toUpperCase() === 'ROLE') {
+          members.shift();
+        }
+
+        try {
+          const importedInvitations = ZImportTeamMemberSchema.parse(members);
+
+          form.setValue('invitations', importedInvitations);
+          form.clearErrors('invitations');
+
+          setInvitationType('INDIVIDUAL');
+        } catch (err) {
+          console.error(err.message);
+
+          toast({
+            variant: 'destructive',
+            title: 'Something went wrong',
+            description: 'Please check the CSV file and make sure it is according to our format',
+          });
+        }
+      },
+    });
+  };
+
+  const downloadTemplate = () => {
+    const data = [
+      { email: 'admin@documenso.com', role: 'Admin' },
+      { email: 'manager@documenso.com', role: 'Manager' },
+      { email: 'member@documenso.com', role: 'Member' },
+    ];
+
+    const csvContent =
+      'Email address,Role\n' + data.map((row) => `${row.email},${row.role}`).join('\n');
+
+    const blob = new Blob([csvContent], {
+      type: 'text/csv',
+    });
+
+    downloadFile({
+      filename: 'documenso-team-member-invites-template.csv',
+      data: blob,
+    });
+  };
+
   return (
     <Dialog
       {...props}
@@ -152,92 +251,144 @@ export const InviteTeamMembersDialog = ({
           </DialogDescription>
         </DialogHeader>
 
-        <Form {...form}>
-          <form onSubmit={form.handleSubmit(onFormSubmit)}>
-            <fieldset
-              className="flex h-full flex-col space-y-4"
-              disabled={form.formState.isSubmitting}
-            >
-              {teamMemberInvites.map((teamMemberInvite, index) => (
-                <div className="flex w-full flex-row space-x-4" key={teamMemberInvite.id}>
-                  <FormField
-                    control={form.control}
-                    name={`invitations.${index}.email`}
-                    render={({ field }) => (
-                      <FormItem className="w-full">
-                        {index === 0 && <FormLabel required>Email address</FormLabel>}
-                        <FormControl>
-                          <Input className="bg-background" {...field} />
-                        </FormControl>
-                        <FormMessage />
-                      </FormItem>
-                    )}
-                  />
+        <Tabs
+          defaultValue="INDIVIDUAL"
+          value={invitationType}
+          // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+          onValueChange={(value) => setInvitationType(value as TabTypes)}
+        >
+          <TabsList className="w-full">
+            <TabsTrigger value="INDIVIDUAL" className="hover:text-foreground w-full">
+              <MailIcon size={20} className="mr-2" />
+              Invite Members
+            </TabsTrigger>
 
-                  <FormField
-                    control={form.control}
-                    name={`invitations.${index}.role`}
-                    render={({ field }) => (
-                      <FormItem className="w-full">
-                        {index === 0 && <FormLabel required>Role</FormLabel>}
-                        <FormControl>
-                          <Select {...field} onValueChange={field.onChange}>
-                            <SelectTrigger className="text-muted-foreground max-w-[200px]">
-                              <SelectValue />
-                            </SelectTrigger>
+            <TabsTrigger value="BULK" className="hover:text-foreground w-full">
+              <UsersIcon size={20} className="mr-2" /> Bulk Import
+            </TabsTrigger>
+          </TabsList>
 
-                            <SelectContent position="popper">
-                              {TEAM_MEMBER_ROLE_HIERARCHY[currentUserTeamRole].map((role) => (
-                                <SelectItem key={role} value={role}>
-                                  {TEAM_MEMBER_ROLE_MAP[role] ?? role}
-                                </SelectItem>
-                              ))}
-                            </SelectContent>
-                          </Select>
-                        </FormControl>
-                        <FormMessage />
-                      </FormItem>
-                    )}
-                  />
+          <TabsContent value="INDIVIDUAL">
+            <Form {...form}>
+              <form onSubmit={form.handleSubmit(onFormSubmit)}>
+                <fieldset
+                  className="flex h-full flex-col space-y-4"
+                  disabled={form.formState.isSubmitting}
+                >
+                  <div className="custom-scrollbar -m-1 max-h-[60vh] space-y-4 overflow-y-auto p-1">
+                    {teamMemberInvites.map((teamMemberInvite, index) => (
+                      <div className="flex w-full flex-row space-x-4" key={teamMemberInvite.id}>
+                        <FormField
+                          control={form.control}
+                          name={`invitations.${index}.email`}
+                          render={({ field }) => (
+                            <FormItem className="w-full">
+                              {index === 0 && <FormLabel required>Email address</FormLabel>}
+                              <FormControl>
+                                <Input className="bg-background" {...field} />
+                              </FormControl>
+                              <FormMessage />
+                            </FormItem>
+                          )}
+                        />
 
-                  <button
+                        <FormField
+                          control={form.control}
+                          name={`invitations.${index}.role`}
+                          render={({ field }) => (
+                            <FormItem className="w-full">
+                              {index === 0 && <FormLabel required>Role</FormLabel>}
+                              <FormControl>
+                                <Select {...field} onValueChange={field.onChange}>
+                                  <SelectTrigger className="text-muted-foreground max-w-[200px]">
+                                    <SelectValue />
+                                  </SelectTrigger>
+
+                                  <SelectContent position="popper">
+                                    {TEAM_MEMBER_ROLE_HIERARCHY[currentUserTeamRole].map((role) => (
+                                      <SelectItem key={role} value={role}>
+                                        {TEAM_MEMBER_ROLE_MAP[role] ?? role}
+                                      </SelectItem>
+                                    ))}
+                                  </SelectContent>
+                                </Select>
+                              </FormControl>
+                              <FormMessage />
+                            </FormItem>
+                          )}
+                        />
+
+                        <button
+                          type="button"
+                          className={cn(
+                            'justify-left inline-flex h-10 w-10 items-center text-slate-500 hover:opacity-80 disabled:cursor-not-allowed disabled:opacity-50',
+                            index === 0 ? 'mt-8' : 'mt-0',
+                          )}
+                          disabled={teamMemberInvites.length === 1}
+                          onClick={() => removeTeamMemberInvite(index)}
+                        >
+                          <Trash className="h-5 w-5" />
+                        </button>
+                      </div>
+                    ))}
+                  </div>
+
+                  <Button
                     type="button"
-                    className={cn(
-                      'justify-left inline-flex h-10 w-10 items-center text-slate-500 hover:opacity-80 disabled:cursor-not-allowed disabled:opacity-50',
-                      index === 0 ? 'mt-8' : 'mt-0',
-                    )}
-                    disabled={teamMemberInvites.length === 1}
-                    onClick={() => removeTeamMemberInvite(index)}
+                    size="sm"
+                    variant="outline"
+                    className="w-fit"
+                    onClick={() => onAddTeamMemberInvite()}
                   >
-                    <Trash className="h-5 w-5" />
-                  </button>
-                </div>
-              ))}
+                    <PlusCircle className="mr-2 h-4 w-4" />
+                    Add more
+                  </Button>
 
-              <Button
-                type="button"
-                size="sm"
-                variant="outline"
-                className="w-fit"
-                onClick={() => onAddTeamMemberInvite()}
-              >
-                <PlusCircle className="mr-2 h-4 w-4" />
-                Add more
-              </Button>
+                  <DialogFooter>
+                    <Button type="button" variant="secondary" onClick={() => setOpen(false)}>
+                      Cancel
+                    </Button>
+
+                    <Button type="submit" loading={form.formState.isSubmitting}>
+                      {!form.formState.isSubmitting && <Mail className="mr-2 h-4 w-4" />}
+                      Invite
+                    </Button>
+                  </DialogFooter>
+                </fieldset>
+              </form>
+            </Form>
+          </TabsContent>
+
+          <TabsContent value="BULK">
+            <div className="mt-4 space-y-4">
+              <Card gradient className="h-32">
+                <CardContent
+                  className="text-muted-foreground/80 hover:text-muted-foreground/90 flex h-full cursor-pointer flex-col items-center justify-center rounded-lg p-0 transition-colors"
+                  onClick={() => fileInputRef.current?.click()}
+                >
+                  <Upload className="h-5 w-5" />
+
+                  <p className="mt-1 text-sm">Click here to upload</p>
+
+                  <input
+                    onChange={onFileInputChange}
+                    type="file"
+                    ref={fileInputRef}
+                    accept=".csv"
+                    hidden
+                  />
+                </CardContent>
+              </Card>
 
               <DialogFooter>
-                <Button type="button" variant="secondary" onClick={() => setOpen(false)}>
-                  Cancel
-                </Button>
-
-                <Button type="submit" loading={form.formState.isSubmitting}>
-                  {!form.formState.isSubmitting && <Mail className="mr-2 h-4 w-4" />}
-                  Invite
+                <Button type="button" variant="secondary" onClick={downloadTemplate}>
+                  <Download className="mr-2 h-4 w-4" />
+                  Template
                 </Button>
               </DialogFooter>
-            </fieldset>
-          </form>
-        </Form>
+            </div>
+          </TabsContent>
+        </Tabs>
       </DialogContent>
     </Dialog>
   );

apps/web/src/components/branding/logo.tsx

@@ -1,4 +1,4 @@
-import { SVGAttributes } from 'react';
+import type { SVGAttributes } from 'react';
 
 export type LogoProps = SVGAttributes<SVGSVGElement>;
 

apps/web/src/components/document/document-history-sheet.tsx

@@ -7,6 +7,7 @@ import { match } from 'ts-pattern';
 import { UAParser } from 'ua-parser-js';
 
 import { DOCUMENT_AUDIT_LOG_EMAIL_FORMAT } from '@documenso/lib/constants/document-audit-logs';
+import { DOCUMENT_AUTH_TYPES } from '@documenso/lib/constants/document-auth';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import { formatDocumentAuditLogActionString } from '@documenso/lib/utils/document-audit-logs';
 import { trpc } from '@documenso/trpc/react';
@@ -79,7 +80,11 @@ export const DocumentHistorySheet = ({
    * @param text The text to format
    * @returns The formatted text
    */
-  const formatGenericText = (text: string) => {
+  const formatGenericText = (text?: string | null) => {
+    if (!text) {
+      return '';
+    }
+
     return (text.charAt(0).toUpperCase() + text.slice(1).toLowerCase()).replaceAll('_', ' ');
   };
 
@@ -219,6 +224,24 @@ export const DocumentHistorySheet = ({
                       />
                     ),
                   )
+                  .with(
+                    { type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_GLOBAL_AUTH_ACCESS_UPDATED },
+                    { type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_GLOBAL_AUTH_ACTION_UPDATED },
+                    ({ data }) => (
+                      <DocumentHistorySheetChanges
+                        values={[
+                          {
+                            key: 'Old',
+                            value: DOCUMENT_AUTH_TYPES[data.from || '']?.value || 'None',
+                          },
+                          {
+                            key: 'New',
+                            value: DOCUMENT_AUTH_TYPES[data.to || '']?.value || 'None',
+                          },
+                        ]}
+                      />
+                    ),
+                  )
                   .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_META_UPDATED }, ({ data }) => {
                     if (data.changes.length === 0) {
                       return null;
@@ -281,6 +304,7 @@ export const DocumentHistorySheet = ({
                       ]}
                     />
                   ))
+
                   .exhaustive()}
 
                 {isUserDetailsVisible && (

apps/web/src/components/form/form-error-message.tsx

@@ -1,34 +0,0 @@
-import { AnimatePresence, motion } from 'framer-motion';
-
-import { cn } from '@documenso/ui/lib/utils';
-
-export type FormErrorMessageProps = {
-  className?: string;
-  error: { message?: string } | undefined;
-};
-
-export const FormErrorMessage = ({ error, className }: FormErrorMessageProps) => {
-  return (
-    <AnimatePresence>
-      {error && (
-        <motion.p
-          initial={{
-            opacity: 0,
-            y: -10,
-          }}
-          animate={{
-            opacity: 1,
-            y: 0,
-          }}
-          exit={{
-            opacity: 0,
-            y: 10,
-          }}
-          className={cn('text-xs text-red-500', className)}
-        >
-          {error.message}
-        </motion.p>
-      )}
-    </AnimatePresence>
-  );
-};

apps/web/src/components/formatter/template-type.tsx

@@ -1,9 +1,9 @@
-import { HTMLAttributes } from 'react';
+import type { HTMLAttributes } from 'react';
 
 import { Globe, Lock } from 'lucide-react';
 import type { LucideIcon } from 'lucide-react/dist/lucide-react';
 
-import { TemplateType as TemplateTypePrisma } from '@documenso/prisma/client';
+import type { TemplateType as TemplateTypePrisma } from '@documenso/prisma/client';
 import { cn } from '@documenso/ui/lib/utils';
 
 type TemplateTypeIcon = {

apps/web/src/components/forms/2fa/enable-authenticator-app-dialog.tsx

@@ -41,8 +41,13 @@ export const ZEnable2FAForm = z.object({
 
 export type TEnable2FAForm = z.infer<typeof ZEnable2FAForm>;
 
-export const EnableAuthenticatorAppDialog = () => {
+export type EnableAuthenticatorAppDialogProps = {
+  onSuccess?: () => void;
+};
+
+export const EnableAuthenticatorAppDialog = ({ onSuccess }: EnableAuthenticatorAppDialogProps) => {
   const { toast } = useToast();
+
   const router = useRouter();
 
   const [isOpen, setIsOpen] = useState(false);
@@ -79,6 +84,7 @@ export const EnableAuthenticatorAppDialog = () => {
       const data = await enable2FA({ code: token });
 
       setRecoveryCodes(data.recoveryCodes);
+      onSuccess?.();
 
       toast({
         title: 'Two-factor authentication enabled',
@@ -89,7 +95,7 @@ export const EnableAuthenticatorAppDialog = () => {
       toast({
         title: 'Unable to setup two-factor authentication',
         description:
-          'We were unable to setup two-factor authentication for your account. Please ensure that you have entered your password correctly and try again.',
+          'We were unable to setup two-factor authentication for your account. Please ensure that you have entered your code correctly and try again.',
         variant: 'destructive',
       });
     }

apps/web/src/components/forms/2fa/view-recovery-codes-dialog.tsx

@@ -47,12 +47,9 @@ export const ViewRecoveryCodesDialog = () => {
     data: recoveryCodes,
     mutate,
     isLoading,
-    isError,
     error,
   } = trpc.twoFactorAuthentication.viewRecoveryCodes.useMutation();
 
-  // error?.data?.code
-
   const viewRecoveryCodesForm = useForm<TViewRecoveryCodesForm>({
     defaultValues: {
       token: '',

apps/web/src/components/forms/profile.tsx

@@ -55,11 +55,8 @@ export const ProfileForm = ({ className, user }: ProfileFormProps) => {
   });
 
   const isSubmitting = form.formState.isSubmitting;
-  const hasTwoFactorAuthentication = user.twoFactorEnabled;
 
   const { mutateAsync: updateProfile } = trpc.profile.updateProfile.useMutation();
-  const { mutateAsync: deleteAccount, isLoading: isDeletingAccount } =
-    trpc.profile.deleteAccount.useMutation();
 
   const onFormSubmit = async ({ name, signature }: TProfileFormSchema) => {
     try {

apps/web/src/components/forms/signin.tsx

@@ -124,7 +124,7 @@ export const SignInForm = ({ className, initialEmail, isGoogleSSOEnabled }: Sign
   };
 
   const onSignInWithPasskey = async () => {
-    if (!browserSupportsWebAuthn) {
+    if (!browserSupportsWebAuthn()) {
       toast({
         title: 'Not supported',
         description: 'Passkeys are not supported on this browser',

apps/web/src/components/general/signing-disclosure.tsx

@@ -0,0 +1,29 @@
+import type { HTMLAttributes } from 'react';
+
+import Link from 'next/link';
+
+import { cn } from '@documenso/ui/lib/utils';
+
+export type SigningDisclosureProps = HTMLAttributes<HTMLParagraphElement>;
+
+export const SigningDisclosure = ({ className, ...props }: SigningDisclosureProps) => {
+  return (
+    <p className={cn('text-muted-foreground text-xs', className)} {...props}>
+      By proceeding with your electronic signature, you acknowledge and consent that it will be used
+      to sign the given document and holds the same legal validity as a handwritten signature. By
+      completing the electronic signing process, you affirm your understanding and acceptance of
+      these conditions.
+      <span className="mt-2 block">
+        Read the full{' '}
+        <Link
+          className="text-documenso-700 underline"
+          href="/articles/signature-disclosure"
+          target="_blank"
+        >
+          signature disclosure
+        </Link>
+        .
+      </span>
+    </p>
+  );
+};

apps/web/src/components/ui/background.tsx

@@ -1,4 +1,4 @@
-import { SVGAttributes } from 'react';
+import type { SVGAttributes } from 'react';
 
 export type BackgroundProps = Omit<SVGAttributes<SVGElement>, 'viewBox'>;
 

apps/web/src/components/ui/user-profile-skeleton.tsx

@@ -24,7 +24,7 @@ export const UserProfileSkeleton = ({ className, user, rows = 2 }: UserProfileSk
         className,
       )}
     >
-      <div className="border-border bg-background text-muted-foreground inline-block max-w-full truncate rounded-md border px-2.5 py-1.5 text-sm">
+      <div className="border-border bg-background text-muted-foreground inline-block max-w-full truncate rounded-md border px-2.5 py-1.5 text-sm lowercase">
         {baseUrl.host}/u/{user.url}
       </div>
 

apps/web/src/providers/next-theme.tsx

@@ -3,7 +3,7 @@
 import * as React from 'react';
 
 import { ThemeProvider as NextThemesProvider } from 'next-themes';
-import { ThemeProviderProps } from 'next-themes/dist/types';
+import type { ThemeProviderProps } from 'next-themes/dist/types';
 
 export function ThemeProvider({ children, ...props }: ThemeProviderProps) {
   return <NextThemesProvider {...props}>{children}</NextThemesProvider>;

docker/development/compose.yml

@@ -11,6 +11,17 @@ services:
     ports:
       - 54320:5432
 
+  queue:
+    image: postgres:15
+    container_name: queue
+    user: postgres
+    command: -c jit=off
+    environment:
+      POSTGRES_PASSWORD: password
+      POSTGRES_DB: queue
+    ports:
+      - 54321:5432
+
   inbucket:
     image: inbucket/inbucket
     container_name: mailserver

package-lock.json

@@ -42,6 +42,7 @@
         "@documenso/trpc": "*",
         "@documenso/ui": "*",
         "@hookform/resolvers": "^3.1.0",
+        "@openstatus/react": "^0.0.3",
         "contentlayer": "^0.3.4",
         "framer-motion": "^10.12.8",
         "lucide-react": "^0.279.0",
@@ -49,6 +50,7 @@
         "micro": "^10.0.1",
         "next": "14.0.3",
         "next-auth": "4.24.5",
+        "next-axiom": "^1.1.1",
         "next-contentlayer": "^0.3.4",
         "next-plausible": "^3.10.1",
         "perfect-freehand": "^1.2.0",
@@ -111,8 +113,10 @@
         "micro": "^10.0.1",
         "next": "14.0.3",
         "next-auth": "4.24.5",
+        "next-axiom": "^1.1.1",
         "next-plausible": "^3.10.1",
         "next-themes": "^0.2.1",
+        "papaparse": "^5.4.1",
         "perfect-freehand": "^1.2.0",
         "posthog-js": "^1.75.3",
         "posthog-node": "^3.1.1",
@@ -136,6 +140,7 @@
         "@types/formidable": "^2.0.6",
         "@types/luxon": "^3.3.1",
         "@types/node": "20.1.0",
+        "@types/papaparse": "^5.3.14",
         "@types/react": "18.2.18",
         "@types/react-dom": "18.2.7",
         "@types/ua-parser-js": "^0.7.39",
@@ -4138,6 +4143,14 @@
       "resolved": "https://registry.npmjs.org/@one-ini/wasm/-/wasm-0.1.1.tgz",
       "integrity": "sha512-XuySG1E38YScSJoMlqovLru4KTUNSjgVTIjyh7qMX6aNN5HY5Ct5LhRJdxO79JtTzKfzV/bnWpz+zquYrISsvw=="
     },
+    "node_modules/@openstatus/react": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/@openstatus/react/-/react-0.0.3.tgz",
+      "integrity": "sha512-uDiegz7e3H67pG8lTT+op+6w5keTT7XpcENrREaqlWl5j53TYyO8nheOG1PeNw2/Qgd5KaGeRJJFn1crhTUSYw==",
+      "peerDependencies": {
+        "react": "^18.0.0"
+      }
+    },
     "node_modules/@opentelemetry/api": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
@@ -8079,6 +8092,15 @@
       "resolved": "https://registry.npmjs.org/@types/normalize-package-data/-/normalize-package-data-2.4.4.tgz",
       "integrity": "sha512-37i+OaWTh9qeK4LSHPsyRC7NahnGotNuZvjLSgcPzblpHB3rrCJxAOgI5gCdKm7coonsaX1Of0ILiTcnZjbfxA=="
     },
+    "node_modules/@types/papaparse": {
+      "version": "5.3.14",
+      "resolved": "https://registry.npmjs.org/@types/papaparse/-/papaparse-5.3.14.tgz",
+      "integrity": "sha512-LxJ4iEFcpqc6METwp9f6BV6VVc43m6MfH0VqFosHvrUgfXiFe6ww7R3itkOQ+TCK6Y+Iv/+RnnvtRZnkc5Kc9g==",
+      "dev": true,
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
     "node_modules/@types/parse5": {
       "version": "6.0.3",
       "resolved": "https://registry.npmjs.org/@types/parse5/-/parse5-6.0.3.tgz",
@@ -8421,6 +8443,18 @@
         "node": ">= 6.0.0"
       }
     },
+    "node_modules/aggregate-error": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/aggregate-error/-/aggregate-error-3.1.0.tgz",
+      "integrity": "sha512-4I7Td01quW/RpocfNayFdFVk1qSuoh0E7JrbRJ16nH01HhKFQ88INq9Sd+nd72zqRySlr9BmDA8xlEJ6vJMrYA==",
+      "dependencies": {
+        "clean-stack": "^2.0.0",
+        "indent-string": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/ajv": {
       "version": "8.12.0",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.12.0.tgz",
@@ -9395,6 +9429,14 @@
       "resolved": "https://registry.npmjs.org/classnames/-/classnames-2.5.1.tgz",
       "integrity": "sha512-saHYOzhIQs6wy2sVxTM6bUDsQO4F50V9RQ22qBpEdCW+I+/Wmke2HOl6lS6dTpdxVhb88/I6+Hs+438c3lfUow=="
     },
+    "node_modules/clean-stack": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/clean-stack/-/clean-stack-2.2.0.tgz",
+      "integrity": "sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/cli-cursor": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-4.0.0.tgz",
@@ -10170,6 +10212,17 @@
       "integrity": "sha512-dcKFX3jn0MpIaXjisoRvexIJVEKzaq7z2rZKxf+MSr9TkdmHmsU4m2lcLojrj/FHl8mk5VxMmYA+ftRkP/3oKQ==",
       "devOptional": true
     },
+    "node_modules/cron-parser": {
+      "version": "4.9.0",
+      "resolved": "https://registry.npmjs.org/cron-parser/-/cron-parser-4.9.0.tgz",
+      "integrity": "sha512-p0SaNjrHOnQeR8/VnfGbmg9te2kfyYSQ7Sc/j/6DtPL3JQvKxmjO9TSjNFpujqV3vEYYBvNNvXSxzyksBWAx1Q==",
+      "dependencies": {
+        "luxon": "^3.2.1"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
     "node_modules/cross-fetch": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-4.0.0.tgz",
@@ -10536,6 +10589,17 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/delay": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/delay/-/delay-5.0.0.tgz",
+      "integrity": "sha512-ReEBKkIfe4ya47wlPYf/gu5ib6yUG0/Aez0JQZQz94kiWtRQvZIQbTiehsnwHvLSWJnQdhVeqYue7Id1dKr0qw==",
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/delayed-stream": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
@@ -13650,7 +13714,6 @@
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-4.0.0.tgz",
       "integrity": "sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg==",
-      "dev": true,
       "engines": {
         "node": ">=8"
       }
@@ -16668,6 +16731,22 @@
         }
       }
     },
+    "node_modules/next-axiom": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/next-axiom/-/next-axiom-1.1.1.tgz",
+      "integrity": "sha512-0r/TJ+/zetD+uDc7B+2E7WpC86hEtQ1U+DuWYrP/JNmUz+ZdPFbrZgzOSqaZ6TwYbXP56VVlPfYwq1YsKHTHYQ==",
+      "dependencies": {
+        "remeda": "^1.29.0",
+        "whatwg-fetch": "^3.6.2"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "next": ">=13.4",
+        "react": ">=18.0.0"
+      }
+    },
     "node_modules/next-contentlayer": {
       "version": "0.3.4",
       "resolved": "https://registry.npmjs.org/next-contentlayer/-/next-contentlayer-0.3.4.tgz",
@@ -17212,6 +17291,20 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/p-map": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/p-map/-/p-map-4.0.0.tgz",
+      "integrity": "sha512-/bjOqmgETBYB5BoEeGVea8dmvHb2m9GLy1E9W43yeyfP6QQCZGFNa+XRceJEuDB6zqr+gKpIAmlLebMpykw/MQ==",
+      "dependencies": {
+        "aggregate-error": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/p-try": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
@@ -17236,6 +17329,11 @@
       "resolved": "https://registry.npmjs.org/pako/-/pako-1.0.11.tgz",
       "integrity": "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw=="
     },
+    "node_modules/papaparse": {
+      "version": "5.4.1",
+      "resolved": "https://registry.npmjs.org/papaparse/-/papaparse-5.4.1.tgz",
+      "integrity": "sha512-HipMsgJkZu8br23pW15uvo6sib6wne/4woLZPlFf3rpDyMe9ywEXUsuD7+6K9PRkJlVT51j/sCOYDKGGS3ZJrw=="
+    },
     "node_modules/parent-module": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
@@ -17516,6 +17614,124 @@
         "is-reference": "^3.0.0"
       }
     },
+    "node_modules/pg": {
+      "version": "8.11.5",
+      "resolved": "https://registry.npmjs.org/pg/-/pg-8.11.5.tgz",
+      "integrity": "sha512-jqgNHSKL5cbDjFlHyYsCXmQDrfIX/3RsNwYqpd4N0Kt8niLuNoRNH+aazv6cOd43gPh9Y4DjQCtb+X0MH0Hvnw==",
+      "dependencies": {
+        "pg-connection-string": "^2.6.4",
+        "pg-pool": "^3.6.2",
+        "pg-protocol": "^1.6.1",
+        "pg-types": "^2.1.0",
+        "pgpass": "1.x"
+      },
+      "engines": {
+        "node": ">= 8.0.0"
+      },
+      "optionalDependencies": {
+        "pg-cloudflare": "^1.1.1"
+      },
+      "peerDependencies": {
+        "pg-native": ">=3.0.1"
+      },
+      "peerDependenciesMeta": {
+        "pg-native": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/pg-boss": {
+      "version": "9.0.3",
+      "resolved": "https://registry.npmjs.org/pg-boss/-/pg-boss-9.0.3.tgz",
+      "integrity": "sha512-cUWUiv3sr563yNy0nCZ25Tv5U0m59Y9MhX/flm0vTR012yeVCrqpfboaZP4xFOQPdWipMJpuu4g94HR0SncTgw==",
+      "dependencies": {
+        "cron-parser": "^4.0.0",
+        "delay": "^5.0.0",
+        "lodash.debounce": "^4.0.8",
+        "p-map": "^4.0.0",
+        "pg": "^8.5.1",
+        "serialize-error": "^8.1.0",
+        "uuid": "^9.0.0"
+      },
+      "engines": {
+        "node": ">=16"
+      }
+    },
+    "node_modules/pg-boss/node_modules/uuid": {
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
+      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+      "funding": [
+        "https://github.com/sponsors/broofa",
+        "https://github.com/sponsors/ctavan"
+      ],
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
+    "node_modules/pg-cloudflare": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/pg-cloudflare/-/pg-cloudflare-1.1.1.tgz",
+      "integrity": "sha512-xWPagP/4B6BgFO+EKz3JONXv3YDgvkbVrGw2mTo3D6tVDQRh1e7cqVGvyR3BE+eQgAvx1XhW/iEASj4/jCWl3Q==",
+      "optional": true
+    },
+    "node_modules/pg-connection-string": {
+      "version": "2.6.4",
+      "resolved": "https://registry.npmjs.org/pg-connection-string/-/pg-connection-string-2.6.4.tgz",
+      "integrity": "sha512-v+Z7W/0EO707aNMaAEfiGnGL9sxxumwLl2fJvCQtMn9Fxsg+lPpPkdcyBSv/KFgpGdYkMfn+EI1Or2EHjpgLCA=="
+    },
+    "node_modules/pg-int8": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/pg-int8/-/pg-int8-1.0.1.tgz",
+      "integrity": "sha512-WCtabS6t3c8SkpDBUlb1kjOs7l66xsGdKpIPZsg4wR+B3+u9UAum2odSsF9tnvxg80h4ZxLWMy4pRjOsFIqQpw==",
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
+    "node_modules/pg-pool": {
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/pg-pool/-/pg-pool-3.6.2.tgz",
+      "integrity": "sha512-Htjbg8BlwXqSBQ9V8Vjtc+vzf/6fVUuak/3/XXKA9oxZprwW3IMDQTGHP+KDmVL7rtd+R1QjbnCFPuTHm3G4hg==",
+      "peerDependencies": {
+        "pg": ">=8.0"
+      }
+    },
+    "node_modules/pg-protocol": {
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/pg-protocol/-/pg-protocol-1.6.1.tgz",
+      "integrity": "sha512-jPIlvgoD63hrEuihvIg+tJhoGjUsLPn6poJY9N5CnlPd91c2T18T/9zBtLxZSb1EhYxBRoZJtzScCaWlYLtktg=="
+    },
+    "node_modules/pg-types": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/pg-types/-/pg-types-2.2.0.tgz",
+      "integrity": "sha512-qTAAlrEsl8s4OiEQY69wDvcMIdQN6wdz5ojQiOy6YRMuynxenON0O5oCpJI6lshc6scgAY8qvJ2On/p+CXY0GA==",
+      "dependencies": {
+        "pg-int8": "1.0.1",
+        "postgres-array": "~2.0.0",
+        "postgres-bytea": "~1.0.0",
+        "postgres-date": "~1.0.4",
+        "postgres-interval": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/pgpass": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/pgpass/-/pgpass-1.0.5.tgz",
+      "integrity": "sha512-FdW9r/jQZhSeohs1Z3sI1yxFQNFvMcnmfuj4WBMUTxOrAyLMaTcE1aAMBiTlbMNaXvBCQuVi0R7hd8udDSP7ug==",
+      "dependencies": {
+        "split2": "^4.1.0"
+      }
+    },
+    "node_modules/pgpass/node_modules/split2": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/split2/-/split2-4.2.0.tgz",
+      "integrity": "sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==",
+      "engines": {
+        "node": ">= 10.x"
+      }
+    },
     "node_modules/picocolors": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
@@ -17774,6 +17990,41 @@
       "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz",
       "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ=="
     },
+    "node_modules/postgres-array": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-2.0.0.tgz",
+      "integrity": "sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==",
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/postgres-bytea": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/postgres-bytea/-/postgres-bytea-1.0.0.tgz",
+      "integrity": "sha512-xy3pmLuQqRBZBXDULy7KbaitYqLcmxigw14Q5sj8QBVLqEwXfeybIKVWiqAXTlcvdvb0+xkOtDbfQMOf4lST1w==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postgres-date": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/postgres-date/-/postgres-date-1.0.7.tgz",
+      "integrity": "sha512-suDmjLVQg78nMK2UZ454hAG+OAW+HQPZ6n++TNDUX+L0+uUlLywnoxJKDou51Zm+zTCjrCl0Nq6J9C5hP9vK/Q==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postgres-interval": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/postgres-interval/-/postgres-interval-1.2.0.tgz",
+      "integrity": "sha512-9ZhXKM/rw350N1ovuWHbGxnGh/SNJ4cnxHiM0rxE4VN41wsg8P8zWn9hv/buK00RP4WvlOyr/RBDiptyxVbkZQ==",
+      "dependencies": {
+        "xtend": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/posthog-js": {
       "version": "1.93.2",
       "resolved": "https://registry.npmjs.org/posthog-js/-/posthog-js-1.93.2.tgz",
@@ -22936,6 +23187,11 @@
       "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
       "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
     },
+    "node_modules/whatwg-fetch": {
+      "version": "3.6.20",
+      "resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.6.20.tgz",
+      "integrity": "sha512-EqhiFU6daOA8kpjOWTL0olhVOF3i7OrFzSYiGsEMB8GcXS+RrzauAERX65xMeNWVqxA6HXH2m69Z9LaKKdisfg=="
+    },
     "node_modules/whatwg-url": {
       "version": "5.0.0",
       "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
@@ -24878,6 +25134,7 @@
         "next-auth": "4.24.5",
         "oslo": "^0.17.0",
         "pdf-lib": "^1.17.1",
+        "pg-boss": "^9.0.3",
         "react": "18.2.0",
         "remeda": "^1.27.1",
         "stripe": "^12.7.0",

packages/app-tests/e2e/command-menu/document-search.spec.ts

@@ -0,0 +1,54 @@
+import { expect, test } from '@playwright/test';
+
+import { seedPendingDocument } from '@documenso/prisma/seed/documents';
+import { seedUser } from '@documenso/prisma/seed/users';
+
+import { apiSignin } from '../fixtures/authentication';
+
+test('[COMMAND_MENU]: should see sent documents', async ({ page }) => {
+  const user = await seedUser();
+  const recipient = await seedUser();
+  const document = await seedPendingDocument(user, [recipient]);
+
+  await apiSignin({
+    page,
+    email: user.email,
+  });
+
+  await page.keyboard.press('Meta+K');
+
+  await page.getByPlaceholder('Type a command or search...').first().fill(document.title);
+  await expect(page.getByRole('option', { name: document.title })).toBeVisible();
+});
+
+test('[COMMAND_MENU]: should see received documents', async ({ page }) => {
+  const user = await seedUser();
+  const recipient = await seedUser();
+  const document = await seedPendingDocument(user, [recipient]);
+
+  await apiSignin({
+    page,
+    email: recipient.email,
+  });
+
+  await page.keyboard.press('Meta+K');
+
+  await page.getByPlaceholder('Type a command or search...').first().fill(document.title);
+  await expect(page.getByRole('option', { name: document.title })).toBeVisible();
+});
+
+test('[COMMAND_MENU]: should be able to search by recipient', async ({ page }) => {
+  const user = await seedUser();
+  const recipient = await seedUser();
+  const document = await seedPendingDocument(user, [recipient]);
+
+  await apiSignin({
+    page,
+    email: recipient.email,
+  });
+
+  await page.keyboard.press('Meta+K');
+
+  await page.getByPlaceholder('Type a command or search...').first().fill(recipient.email);
+  await expect(page.getByRole('option', { name: document.title })).toBeVisible();
+});

packages/app-tests/e2e/document-auth/access-auth.spec.ts

@@ -0,0 +1,96 @@
+import { expect, test } from '@playwright/test';
+
+import { createDocumentAuthOptions } from '@documenso/lib/utils/document-auth';
+import { prisma } from '@documenso/prisma';
+import { seedPendingDocument } from '@documenso/prisma/seed/documents';
+import { seedUser, unseedUser } from '@documenso/prisma/seed/users';
+
+import { apiSignin } from '../fixtures/authentication';
+
+test.describe.configure({ mode: 'parallel' });
+
+test('[DOCUMENT_AUTH]: should grant access when not required', async ({ page }) => {
+  const user = await seedUser();
+
+  const recipientWithAccount = await seedUser();
+
+  const document = await seedPendingDocument(user, [
+    recipientWithAccount,
+    'recipientwithoutaccount@documenso.com',
+  ]);
+
+  const recipients = await prisma.recipient.findMany({
+    where: {
+      documentId: document.id,
+    },
+  });
+
+  const tokens = recipients.map((recipient) => recipient.token);
+
+  for (const token of tokens) {
+    await page.goto(`/sign/${token}`);
+    await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+  }
+
+  await unseedUser(user.id);
+});
+
+test('[DOCUMENT_AUTH]: should allow or deny access when required', async ({ page }) => {
+  const user = await seedUser();
+
+  const recipientWithAccount = await seedUser();
+
+  const document = await seedPendingDocument(
+    user,
+    [recipientWithAccount, 'recipientwithoutaccount@documenso.com'],
+    {
+      createDocumentOptions: {
+        authOptions: createDocumentAuthOptions({
+          globalAccessAuth: 'ACCOUNT',
+          globalActionAuth: null,
+        }),
+      },
+    },
+  );
+
+  const recipients = await prisma.recipient.findMany({
+    where: {
+      documentId: document.id,
+    },
+  });
+
+  // Check that both are denied access.
+  for (const recipient of recipients) {
+    const { email, token } = recipient;
+
+    await page.goto(`/sign/${token}`);
+    await expect(page.getByRole('heading', { name: 'Authentication required' })).toBeVisible();
+    await expect(page.getByRole('paragraph')).toContainText(email);
+  }
+
+  await apiSignin({
+    page,
+    email: recipientWithAccount.email,
+  });
+
+  // Check that the one logged in is granted access.
+  for (const recipient of recipients) {
+    const { email, token } = recipient;
+
+    await page.goto(`/sign/${token}`);
+
+    // Recipient should be granted access.
+    if (recipient.email === recipientWithAccount.email) {
+      await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+    }
+
+    // Recipient should still be denied.
+    if (recipient.email !== recipientWithAccount.email) {
+      await expect(page.getByRole('heading', { name: 'Authentication required' })).toBeVisible();
+      await expect(page.getByRole('paragraph')).toContainText(email);
+    }
+  }
+
+  await unseedUser(user.id);
+  await unseedUser(recipientWithAccount.id);
+});

packages/app-tests/e2e/document-auth/action-auth.spec.ts

@@ -0,0 +1,418 @@
+import { expect, test } from '@playwright/test';
+
+import { ZRecipientAuthOptionsSchema } from '@documenso/lib/types/document-auth';
+import {
+  createDocumentAuthOptions,
+  createRecipientAuthOptions,
+} from '@documenso/lib/utils/document-auth';
+import { FieldType } from '@documenso/prisma/client';
+import {
+  seedPendingDocumentNoFields,
+  seedPendingDocumentWithFullFields,
+} from '@documenso/prisma/seed/documents';
+import { seedTestEmail, seedUser, unseedUser } from '@documenso/prisma/seed/users';
+
+import { apiSignin, apiSignout } from '../fixtures/authentication';
+
+test.describe.configure({ mode: 'parallel', timeout: 60000 });
+
+test('[DOCUMENT_AUTH]: should allow signing when no auth setup', async ({ page }) => {
+  const user = await seedUser();
+
+  const recipientWithAccount = await seedUser();
+
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    recipients: [recipientWithAccount, seedTestEmail()],
+  });
+
+  // Check that both are granted access.
+  for (const recipient of recipients) {
+    const { token, Field } = recipient;
+
+    const signUrl = `/sign/${token}`;
+
+    await page.goto(signUrl);
+    await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+
+    // Add signature.
+    const canvas = page.locator('canvas');
+    const box = await canvas.boundingBox();
+    if (box) {
+      await page.mouse.move(box.x + box.width / 2, box.y + box.height / 2);
+      await page.mouse.down();
+      await page.mouse.move(box.x + box.width / 4, box.y + box.height / 4);
+      await page.mouse.up();
+    }
+
+    for (const field of Field) {
+      await page.locator(`#field-${field.id}`).getByRole('button').click();
+
+      if (field.type === FieldType.TEXT) {
+        await page.getByLabel('Custom Text').fill('TEXT');
+        await page.getByRole('button', { name: 'Save Text' }).click();
+      }
+
+      await expect(page.locator(`#field-${field.id}`)).toHaveAttribute('data-inserted', 'true');
+    }
+
+    await page.getByRole('button', { name: 'Complete' }).click();
+    await page.getByRole('button', { name: 'Sign' }).click();
+    await page.waitForURL(`${signUrl}/complete`);
+  }
+
+  await unseedUser(user.id);
+  await unseedUser(recipientWithAccount.id);
+});
+
+test('[DOCUMENT_AUTH]: should allow signing with valid global auth', async ({ page }) => {
+  const user = await seedUser();
+
+  const recipientWithAccount = await seedUser();
+
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    recipients: [recipientWithAccount],
+    updateDocumentOptions: {
+      authOptions: createDocumentAuthOptions({
+        globalAccessAuth: null,
+        globalActionAuth: 'ACCOUNT',
+      }),
+    },
+  });
+
+  const recipient = recipients[0];
+
+  const { token, Field } = recipient;
+
+  const signUrl = `/sign/${token}`;
+
+  await apiSignin({
+    page,
+    email: recipientWithAccount.email,
+    redirectPath: signUrl,
+  });
+
+  await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+
+  // Add signature.
+  const canvas = page.locator('canvas');
+  const box = await canvas.boundingBox();
+  if (box) {
+    await page.mouse.move(box.x + box.width / 2, box.y + box.height / 2);
+    await page.mouse.down();
+    await page.mouse.move(box.x + box.width / 4, box.y + box.height / 4);
+    await page.mouse.up();
+  }
+
+  for (const field of Field) {
+    await page.locator(`#field-${field.id}`).getByRole('button').click();
+
+    if (field.type === FieldType.TEXT) {
+      await page.getByLabel('Custom Text').fill('TEXT');
+      await page.getByRole('button', { name: 'Save Text' }).click();
+    }
+
+    await expect(page.locator(`#field-${field.id}`)).toHaveAttribute('data-inserted', 'true');
+  }
+
+  await page.getByRole('button', { name: 'Complete' }).click();
+  await page.getByRole('button', { name: 'Sign' }).click();
+  await page.waitForURL(`${signUrl}/complete`);
+
+  await unseedUser(user.id);
+  await unseedUser(recipientWithAccount.id);
+});
+
+// Currently document auth for signing/approving/viewing is not required.
+test.skip('[DOCUMENT_AUTH]: should deny signing document when required for global auth', async ({
+  page,
+}) => {
+  const user = await seedUser();
+
+  const recipientWithAccount = await seedUser();
+
+  const { recipients } = await seedPendingDocumentNoFields({
+    owner: user,
+    recipients: [recipientWithAccount],
+    updateDocumentOptions: {
+      authOptions: createDocumentAuthOptions({
+        globalAccessAuth: null,
+        globalActionAuth: 'ACCOUNT',
+      }),
+    },
+  });
+
+  const recipient = recipients[0];
+
+  const { token } = recipient;
+
+  await page.goto(`/sign/${token}`);
+  await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+
+  await page.getByRole('button', { name: 'Complete' }).click();
+  await expect(page.getByRole('paragraph')).toContainText(
+    'Reauthentication is required to sign the document',
+  );
+
+  await unseedUser(user.id);
+  await unseedUser(recipientWithAccount.id);
+});
+
+test('[DOCUMENT_AUTH]: should deny signing fields when required for global auth', async ({
+  page,
+}) => {
+  const user = await seedUser();
+
+  const recipientWithAccount = await seedUser();
+
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    recipients: [recipientWithAccount, seedTestEmail()],
+    updateDocumentOptions: {
+      authOptions: createDocumentAuthOptions({
+        globalAccessAuth: null,
+        globalActionAuth: 'ACCOUNT',
+      }),
+    },
+  });
+
+  // Check that both are denied access.
+  for (const recipient of recipients) {
+    const { token, Field } = recipient;
+
+    await page.goto(`/sign/${token}`);
+    await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+
+    for (const field of Field) {
+      if (field.type !== FieldType.SIGNATURE) {
+        continue;
+      }
+
+      await page.locator(`#field-${field.id}`).getByRole('button').click();
+      await expect(page.getByRole('paragraph')).toContainText(
+        'Reauthentication is required to sign this field',
+      );
+      await page.getByRole('button', { name: 'Cancel' }).click();
+    }
+  }
+
+  await unseedUser(user.id);
+  await unseedUser(recipientWithAccount.id);
+});
+
+test('[DOCUMENT_AUTH]: should allow field signing when required for recipient auth', async ({
+  page,
+}) => {
+  const user = await seedUser();
+
+  const recipientWithInheritAuth = await seedUser();
+  const recipientWithExplicitNoneAuth = await seedUser();
+  const recipientWithExplicitAccountAuth = await seedUser();
+
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    recipients: [
+      recipientWithInheritAuth,
+      recipientWithExplicitNoneAuth,
+      recipientWithExplicitAccountAuth,
+    ],
+    recipientsCreateOptions: [
+      {
+        authOptions: createRecipientAuthOptions({
+          accessAuth: null,
+          actionAuth: null,
+        }),
+      },
+      {
+        authOptions: createRecipientAuthOptions({
+          accessAuth: null,
+          actionAuth: 'EXPLICIT_NONE',
+        }),
+      },
+      {
+        authOptions: createRecipientAuthOptions({
+          accessAuth: null,
+          actionAuth: 'ACCOUNT',
+        }),
+      },
+    ],
+    fields: [FieldType.DATE],
+  });
+
+  for (const recipient of recipients) {
+    const { token, Field } = recipient;
+    const { actionAuth } = ZRecipientAuthOptionsSchema.parse(recipient.authOptions);
+
+    // This document has no global action auth, so only account should require auth.
+    const isAuthRequired = actionAuth === 'ACCOUNT';
+
+    const signUrl = `/sign/${token}`;
+
+    await page.goto(signUrl);
+    await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+
+    if (isAuthRequired) {
+      for (const field of Field) {
+        if (field.type !== FieldType.SIGNATURE) {
+          continue;
+        }
+
+        await page.locator(`#field-${field.id}`).getByRole('button').click();
+        await expect(page.getByRole('paragraph')).toContainText(
+          'Reauthentication is required to sign this field',
+        );
+        await page.getByRole('button', { name: 'Cancel' }).click();
+      }
+
+      // Sign in and it should work.
+      await apiSignin({
+        page,
+        email: recipient.email,
+        redirectPath: signUrl,
+      });
+    }
+
+    // Add signature.
+    const canvas = page.locator('canvas');
+    const box = await canvas.boundingBox();
+    if (box) {
+      await page.mouse.move(box.x + box.width / 2, box.y + box.height / 2);
+      await page.mouse.down();
+      await page.mouse.move(box.x + box.width / 4, box.y + box.height / 4);
+      await page.mouse.up();
+    }
+
+    for (const field of Field) {
+      await page.locator(`#field-${field.id}`).getByRole('button').click();
+
+      if (field.type === FieldType.TEXT) {
+        await page.getByLabel('Custom Text').fill('TEXT');
+        await page.getByRole('button', { name: 'Save Text' }).click();
+      }
+
+      await expect(page.locator(`#field-${field.id}`)).toHaveAttribute('data-inserted', 'true', {
+        timeout: 5000,
+      });
+    }
+
+    await page.getByRole('button', { name: 'Complete' }).click();
+    await page.getByRole('button', { name: 'Sign' }).click();
+    await page.waitForURL(`${signUrl}/complete`);
+
+    if (isAuthRequired) {
+      await apiSignout({ page });
+    }
+  }
+});
+
+test('[DOCUMENT_AUTH]: should allow field signing when required for recipient and global auth', async ({
+  page,
+}) => {
+  const user = await seedUser();
+
+  const recipientWithInheritAuth = await seedUser();
+  const recipientWithExplicitNoneAuth = await seedUser();
+  const recipientWithExplicitAccountAuth = await seedUser();
+
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    recipients: [
+      recipientWithInheritAuth,
+      recipientWithExplicitNoneAuth,
+      recipientWithExplicitAccountAuth,
+    ],
+    recipientsCreateOptions: [
+      {
+        authOptions: createRecipientAuthOptions({
+          accessAuth: null,
+          actionAuth: null,
+        }),
+      },
+      {
+        authOptions: createRecipientAuthOptions({
+          accessAuth: null,
+          actionAuth: 'EXPLICIT_NONE',
+        }),
+      },
+      {
+        authOptions: createRecipientAuthOptions({
+          accessAuth: null,
+          actionAuth: 'ACCOUNT',
+        }),
+      },
+    ],
+    fields: [FieldType.DATE],
+    updateDocumentOptions: {
+      authOptions: createDocumentAuthOptions({
+        globalAccessAuth: null,
+        globalActionAuth: 'ACCOUNT',
+      }),
+    },
+  });
+
+  for (const recipient of recipients) {
+    const { token, Field } = recipient;
+    const { actionAuth } = ZRecipientAuthOptionsSchema.parse(recipient.authOptions);
+
+    // This document HAS global action auth, so account and inherit should require auth.
+    const isAuthRequired = actionAuth === 'ACCOUNT' || actionAuth === null;
+
+    const signUrl = `/sign/${token}`;
+
+    await page.goto(signUrl);
+    await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+
+    if (isAuthRequired) {
+      for (const field of Field) {
+        if (field.type !== FieldType.SIGNATURE) {
+          continue;
+        }
+
+        await page.locator(`#field-${field.id}`).getByRole('button').click();
+        await expect(page.getByRole('paragraph')).toContainText(
+          'Reauthentication is required to sign this field',
+        );
+        await page.getByRole('button', { name: 'Cancel' }).click();
+      }
+
+      // Sign in and it should work.
+      await apiSignin({
+        page,
+        email: recipient.email,
+        redirectPath: signUrl,
+      });
+    }
+
+    // Add signature.
+    const canvas = page.locator('canvas');
+    const box = await canvas.boundingBox();
+    if (box) {
+      await page.mouse.move(box.x + box.width / 2, box.y + box.height / 2);
+      await page.mouse.down();
+      await page.mouse.move(box.x + box.width / 4, box.y + box.height / 4);
+      await page.mouse.up();
+    }
+
+    for (const field of Field) {
+      await page.locator(`#field-${field.id}`).getByRole('button').click();
+
+      if (field.type === FieldType.TEXT) {
+        await page.getByLabel('Custom Text').fill('TEXT');
+        await page.getByRole('button', { name: 'Save Text' }).click();
+      }
+
+      await expect(page.locator(`#field-${field.id}`)).toHaveAttribute('data-inserted', 'true', {
+        timeout: 5000,
+      });
+    }
+
+    await page.getByRole('button', { name: 'Complete' }).click();
+    await page.getByRole('button', { name: 'Sign' }).click();
+    await page.waitForURL(`${signUrl}/complete`);
+
+    if (isAuthRequired) {
+      await apiSignout({ page });
+    }
+  }
+});

packages/app-tests/e2e/document-flow/settings-step.spec.ts

@@ -0,0 +1,200 @@
+import { expect, test } from '@playwright/test';
+
+import {
+  seedBlankDocument,
+  seedDraftDocument,
+  seedPendingDocument,
+} from '@documenso/prisma/seed/documents';
+import { seedUserSubscription } from '@documenso/prisma/seed/subscriptions';
+import { seedTeam, unseedTeam } from '@documenso/prisma/seed/teams';
+import { seedUser, unseedUser } from '@documenso/prisma/seed/users';
+
+import { apiSignin } from '../fixtures/authentication';
+
+test.describe.configure({ mode: 'parallel' });
+
+test.describe('[EE_ONLY]', () => {
+  const enterprisePriceId = process.env.NEXT_PUBLIC_STRIPE_ENTERPRISE_PLAN_MONTHLY_PRICE_ID || '';
+
+  test.beforeEach(() => {
+    test.skip(
+      process.env.NEXT_PUBLIC_FEATURE_BILLING_ENABLED !== 'true' || !enterprisePriceId,
+      'Billing required for this test',
+    );
+  });
+
+  test('[DOCUMENT_FLOW] add action auth settings', async ({ page }) => {
+    const user = await seedUser();
+
+    await seedUserSubscription({
+      userId: user.id,
+      priceId: enterprisePriceId,
+    });
+
+    const document = await seedBlankDocument(user);
+
+    await apiSignin({
+      page,
+      email: user.email,
+      redirectPath: `/documents/${document.id}/edit`,
+    });
+
+    // Set EE action auth.
+    await page.getByTestId('documentActionSelectValue').click();
+    await page.getByLabel('Require account').getByText('Require account').click();
+    await expect(page.getByTestId('documentActionSelectValue')).toContainText('Require account');
+
+    // Save the settings by going to the next step.
+    await page.getByRole('button', { name: 'Continue' }).click();
+    await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+    // Return to the settings step to check that the results are saved correctly.
+    await page.getByRole('button', { name: 'Go Back' }).click();
+    await expect(page.getByRole('heading', { name: 'General' })).toBeVisible();
+
+    // Todo: Verify that the values are correct once we fix the issue where going back
+    // does not show the updated values.
+    // await expect(page.getByLabel('Title')).toContainText('New Title');
+    // await expect(page.getByTestId('documentAccessSelectValue')).toContainText('Require account');
+    // await expect(page.getByTestId('documentActionSelectValue')).toContainText('Require account');
+
+    await unseedUser(user.id);
+  });
+
+  test('[DOCUMENT_FLOW] enterprise team member can add action auth settings', async ({ page }) => {
+    const team = await seedTeam({
+      createTeamMembers: 1,
+    });
+
+    const owner = team.owner;
+    const teamMemberUser = team.members[1].user;
+
+    // Make the team enterprise by giving the owner the enterprise subscription.
+    await seedUserSubscription({
+      userId: team.ownerUserId,
+      priceId: enterprisePriceId,
+    });
+
+    const document = await seedBlankDocument(owner, {
+      createDocumentOptions: {
+        teamId: team.id,
+      },
+    });
+
+    await apiSignin({
+      page,
+      email: teamMemberUser.email,
+      redirectPath: `/t/${team.url}/documents/${document.id}/edit`,
+    });
+
+    // Set EE action auth.
+    await page.getByTestId('documentActionSelectValue').click();
+    await page.getByLabel('Require account').getByText('Require account').click();
+    await expect(page.getByTestId('documentActionSelectValue')).toContainText('Require account');
+
+    // Save the settings by going to the next step.
+    await page.getByRole('button', { name: 'Continue' }).click();
+    await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+    // Advanced settings should be visible.
+    await expect(page.getByLabel('Show advanced settings')).toBeVisible();
+
+    await unseedTeam(team.url);
+  });
+
+  test('[DOCUMENT_FLOW] enterprise team member should not have access to enterprise on personal account', async ({
+    page,
+  }) => {
+    const team = await seedTeam({
+      createTeamMembers: 1,
+    });
+
+    const teamMemberUser = team.members[1].user;
+
+    // Make the team enterprise by giving the owner the enterprise subscription.
+    await seedUserSubscription({
+      userId: team.ownerUserId,
+      priceId: enterprisePriceId,
+    });
+
+    const document = await seedBlankDocument(teamMemberUser);
+
+    await apiSignin({
+      page,
+      email: teamMemberUser.email,
+      redirectPath: `/documents/${document.id}/edit`,
+    });
+
+    // Global action auth should not be visible.
+    await expect(page.getByTestId('documentActionSelectValue')).not.toBeVisible();
+
+    // Next step.
+    await page.getByRole('button', { name: 'Continue' }).click();
+    await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+    // Advanced settings should not be visible.
+    await expect(page.getByLabel('Show advanced settings')).not.toBeVisible();
+
+    await unseedTeam(team.url);
+  });
+});
+
+test('[DOCUMENT_FLOW]: add settings', async ({ page }) => {
+  const user = await seedUser();
+  const document = await seedBlankDocument(user);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/documents/${document.id}/edit`,
+  });
+
+  // Set title.
+  await page.getByLabel('Title').fill('New Title');
+
+  // Set access auth.
+  await page.getByTestId('documentAccessSelectValue').click();
+  await page.getByLabel('Require account').getByText('Require account').click();
+  await expect(page.getByTestId('documentAccessSelectValue')).toContainText('Require account');
+
+  // Action auth should NOT be visible.
+  await expect(page.getByTestId('documentActionSelectValue')).not.toBeVisible();
+
+  // Save the settings by going to the next step.
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+  // Return to the settings step to check that the results are saved correctly.
+  await page.getByRole('button', { name: 'Go Back' }).click();
+  await expect(page.getByRole('heading', { name: 'General' })).toBeVisible();
+
+  // Todo: Verify that the values are correct once we fix the issue where going back
+  // does not show the updated values.
+  // await expect(page.getByLabel('Title')).toContainText('New Title');
+  // await expect(page.getByTestId('documentAccessSelectValue')).toContainText('Require account');
+  // await expect(page.getByTestId('documentActionSelectValue')).toContainText('Require account');
+
+  await unseedUser(user.id);
+});
+
+test('[DOCUMENT_FLOW]: title should be disabled depending on document status', async ({ page }) => {
+  const user = await seedUser();
+
+  const pendingDocument = await seedPendingDocument(user, []);
+  const draftDocument = await seedDraftDocument(user, []);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/documents/${pendingDocument.id}/edit`,
+  });
+
+  // Should be disabled for pending documents.
+  await expect(page.getByLabel('Title')).toBeDisabled();
+
+  // Should be enabled for draft documents.
+  await page.goto(`/documents/${draftDocument.id}/edit`);
+  await expect(page.getByLabel('Title')).toBeEnabled();
+
+  await unseedUser(user.id);
+});

packages/app-tests/e2e/document-flow/signers-step.spec.ts

@@ -0,0 +1,118 @@
+import { expect, test } from '@playwright/test';
+
+import { seedBlankDocument } from '@documenso/prisma/seed/documents';
+import { seedUserSubscription } from '@documenso/prisma/seed/subscriptions';
+import { seedUser, unseedUser } from '@documenso/prisma/seed/users';
+
+import { apiSignin } from '../fixtures/authentication';
+
+test.describe.configure({ mode: 'parallel' });
+
+test.describe('[EE_ONLY]', () => {
+  const enterprisePriceId = process.env.NEXT_PUBLIC_STRIPE_ENTERPRISE_PLAN_MONTHLY_PRICE_ID || '';
+
+  test.beforeEach(() => {
+    test.skip(
+      process.env.NEXT_PUBLIC_FEATURE_BILLING_ENABLED !== 'true' || !enterprisePriceId,
+      'Billing required for this test',
+    );
+  });
+
+  test('[DOCUMENT_FLOW] add EE settings', async ({ page }) => {
+    const user = await seedUser();
+
+    await seedUserSubscription({
+      userId: user.id,
+      priceId: enterprisePriceId,
+    });
+
+    const document = await seedBlankDocument(user);
+
+    await apiSignin({
+      page,
+      email: user.email,
+      redirectPath: `/documents/${document.id}/edit`,
+    });
+
+    // Save the settings by going to the next step.
+    await page.getByRole('button', { name: 'Continue' }).click();
+    await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+    // Add 2 signers.
+    await page.getByPlaceholder('Email').fill('recipient1@documenso.com');
+    await page.getByPlaceholder('Name').fill('Recipient 1');
+    await page.getByRole('button', { name: 'Add Signer' }).click();
+    await page
+      .getByRole('textbox', { name: 'Email', exact: true })
+      .fill('recipient2@documenso.com');
+    await page.getByRole('textbox', { name: 'Name', exact: true }).fill('Recipient 2');
+
+    // Display advanced settings.
+    await page.getByLabel('Show advanced settings').click();
+
+    // Navigate to the next step and back.
+    await page.getByRole('button', { name: 'Continue' }).click();
+    await expect(page.getByRole('heading', { name: 'Add Fields' })).toBeVisible();
+    await page.getByRole('button', { name: 'Go Back' }).click();
+    await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+    // Todo: Fix stepper component back issue before finishing test.
+
+    await unseedUser(user.id);
+  });
+});
+
+// Note: Not complete yet due to issue with back button.
+test('[DOCUMENT_FLOW]: add signers', async ({ page }) => {
+  const user = await seedUser();
+  const document = await seedBlankDocument(user);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/documents/${document.id}/edit`,
+  });
+
+  // Save the settings by going to the next step.
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+  // Add 2 signers.
+  await page.getByPlaceholder('Email').fill('recipient1@documenso.com');
+  await page.getByPlaceholder('Name').fill('Recipient 1');
+  await page.getByRole('button', { name: 'Add Signer' }).click();
+  await page.getByRole('textbox', { name: 'Email', exact: true }).fill('recipient2@documenso.com');
+  await page.getByRole('textbox', { name: 'Name', exact: true }).fill('Recipient 2');
+
+  // Advanced settings should not be visible for non EE users.
+  await expect(page.getByLabel('Show advanced settings')).toBeHidden();
+
+  // Navigate to the next step and back.
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await expect(page.getByRole('heading', { name: 'Add Fields' })).toBeVisible();
+  await page.getByRole('button', { name: 'Go Back' }).click();
+  await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+  // Todo: Fix stepper component back issue before finishing test.
+
+  // // Expect that the advanced settings is unchecked, since no advanced settings were applied.
+  // await expect(page.getByLabel('Show advanced settings')).toBeChecked({ checked: false });
+
+  // // Add advanced settings for a single recipient.
+  // await page.getByLabel('Show advanced settings').click();
+  // await page.getByRole('combobox').first().click();
+  // await page.getByLabel('Require account').click();
+
+  // // Navigate to the next step and back.
+  // await page.getByRole('button', { name: 'Continue' }).click();
+  // await expect(page.getByRole('heading', { name: 'Add Fields' })).toBeVisible();
+  // await page.getByRole('button', { name: 'Go Back' }).click();
+  // await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+  // Expect that the advanced settings is visible, and the checkbox is hidden. Since advanced
+  // settings were applied.
+
+  // Todo: Fix stepper component back issue before finishing test.
+
+  await unseedUser(user.id);
+});

packages/app-tests/e2e/document-flow/stepper-component.spec.ts

@@ -1,22 +1,37 @@
 import { expect, test } from '@playwright/test';
 import path from 'node:path';
 
-import { getDocumentByToken } from '@documenso/lib/server-only/document/get-document-by-token';
 import { getRecipientByEmail } from '@documenso/lib/server-only/recipient/get-recipient-by-email';
+import { prisma } from '@documenso/prisma';
 import { DocumentStatus } from '@documenso/prisma/client';
-import { TEST_USER } from '@documenso/prisma/seed/pr-718-add-stepper-component';
+import { seedBlankDocument } from '@documenso/prisma/seed/documents';
+import { seedUser, unseedUser } from '@documenso/prisma/seed/users';
 
-test(`[PR-718]: should be able to create a document`, async ({ page }) => {
-  await page.goto('/signin');
+import { apiSignin } from '../fixtures/authentication';
 
-  const documentTitle = `example-${Date.now()}.pdf`;
+// Can't use the function in server-only/document due to it indirectly using
+// require imports.
+const getDocumentByToken = async (token: string) => {
+  return await prisma.document.findFirstOrThrow({
+    where: {
+      Recipient: {
+        some: {
+          token,
+        },
+      },
+    },
+  });
+};
 
-  // Sign in
-  await page.getByLabel('Email').fill(TEST_USER.email);
-  await page.getByLabel('Password', { exact: true }).fill(TEST_USER.password);
-  await page.getByRole('button', { name: 'Sign In' }).click();
+test('[DOCUMENT_FLOW]: should be able to upload a PDF document', async ({ page }) => {
+  const user = await seedUser();
 
-  // Upload document
+  await apiSignin({
+    page,
+    email: user.email,
+  });
+
+  // Upload document.
   const [fileChooser] = await Promise.all([
     page.waitForEvent('filechooser'),
     page.locator('input[type=file]').evaluate((e) => {
@@ -26,13 +41,26 @@ test(`[PR-718]: should be able to create a document`, async ({ page }) => {
     }),
   ]);
 
-  await fileChooser.setFiles(path.join(__dirname, '../../../assets/example.pdf'));
+  await fileChooser.setFiles(path.join(__dirname, '../../../../assets/example.pdf'));
 
-  // Wait to be redirected to the edit page
+  // Wait to be redirected to the edit page.
   await page.waitForURL(/\/documents\/\d+/);
+});
 
-  // Set title
-  await expect(page.getByRole('heading', { name: 'Add Title' })).toBeVisible();
+test('[DOCUMENT_FLOW]: should be able to create a document', async ({ page }) => {
+  const user = await seedUser();
+  const document = await seedBlankDocument(user);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/documents/${document.id}/edit`,
+  });
+
+  const documentTitle = `example-${Date.now()}.pdf`;
+
+  // Set general settings
+  await expect(page.getByRole('heading', { name: 'General' })).toBeVisible();
 
   await page.getByLabel('Title').fill(documentTitle);
 
@@ -75,35 +103,26 @@ test(`[PR-718]: should be able to create a document`, async ({ page }) => {
 
   // Assert document was created
   await expect(page.getByRole('link', { name: documentTitle })).toBeVisible();
+
+  await unseedUser(user.id);
 });
 
-test('should be able to create a document with multiple recipients', async ({ page }) => {
-  await page.goto('/signin');
+test('[DOCUMENT_FLOW]: should be able to create a document with multiple recipients', async ({
+  page,
+}) => {
+  const user = await seedUser();
+  const document = await seedBlankDocument(user);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/documents/${document.id}/edit`,
+  });
 
   const documentTitle = `example-${Date.now()}.pdf`;
 
-  // Sign in
-  await page.getByLabel('Email').fill(TEST_USER.email);
-  await page.getByLabel('Password', { exact: true }).fill(TEST_USER.password);
-  await page.getByRole('button', { name: 'Sign In' }).click();
-
-  // Upload document
-  const [fileChooser] = await Promise.all([
-    page.waitForEvent('filechooser'),
-    page.locator('input[type=file]').evaluate((e) => {
-      if (e instanceof HTMLInputElement) {
-        e.click();
-      }
-    }),
-  ]);
-
-  await fileChooser.setFiles(path.join(__dirname, '../../../assets/example.pdf'));
-
-  // Wait to be redirected to the edit page
-  await page.waitForURL(/\/documents\/\d+/);
-
   // Set title
-  await expect(page.getByRole('heading', { name: 'Add Title' })).toBeVisible();
+  await expect(page.getByRole('heading', { name: 'General' })).toBeVisible();
 
   await page.getByLabel('Title').fill(documentTitle);
 
@@ -112,13 +131,12 @@ test('should be able to create a document with multiple recipients', async ({ pa
   // Add signers
   await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
 
-  await page.getByLabel('Email*').fill('user1@example.com');
-  await page.getByLabel('Name').fill('User 1');
-
+  // Add 2 signers.
+  await page.getByPlaceholder('Email').fill('user1@example.com');
+  await page.getByPlaceholder('Name').fill('User 1');
   await page.getByRole('button', { name: 'Add Signer' }).click();
-
-  await page.getByLabel('Email*').nth(1).fill('user2@example.com');
-  await page.getByLabel('Name').nth(1).fill('User 2');
+  await page.getByRole('textbox', { name: 'Email', exact: true }).fill('user2@example.com');
+  await page.getByRole('textbox', { name: 'Name', exact: true }).fill('User 2');
 
   await page.getByRole('button', { name: 'Continue' }).click();
 
@@ -170,35 +188,24 @@ test('should be able to create a document with multiple recipients', async ({ pa
 
   // Assert document was created
   await expect(page.getByRole('link', { name: documentTitle })).toBeVisible();
+
+  await unseedUser(user.id);
 });
 
-test('should be able to create, send and sign a document', async ({ page }) => {
-  await page.goto('/signin');
+test('[DOCUMENT_FLOW]: should be able to create, send and sign a document', async ({ page }) => {
+  const user = await seedUser();
+  const document = await seedBlankDocument(user);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/documents/${document.id}/edit`,
+  });
 
   const documentTitle = `example-${Date.now()}.pdf`;
 
-  // Sign in
-  await page.getByLabel('Email').fill(TEST_USER.email);
-  await page.getByLabel('Password', { exact: true }).fill(TEST_USER.password);
-  await page.getByRole('button', { name: 'Sign In' }).click();
-
-  // Upload document
-  const [fileChooser] = await Promise.all([
-    page.waitForEvent('filechooser'),
-    page.locator('input[type=file]').evaluate((e) => {
-      if (e instanceof HTMLInputElement) {
-        e.click();
-      }
-    }),
-  ]);
-
-  await fileChooser.setFiles(path.join(__dirname, '../../../assets/example.pdf'));
-
-  // Wait to be redirected to the edit page
-  await page.waitForURL(/\/documents\/\d+/);
-
   // Set title
-  await expect(page.getByRole('heading', { name: 'Add Title' })).toBeVisible();
+  await expect(page.getByRole('heading', { name: 'General' })).toBeVisible();
 
   await page.getByLabel('Title').fill(documentTitle);
 
@@ -207,8 +214,8 @@ test('should be able to create, send and sign a document', async ({ page }) => {
   // Add signers
   await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
 
-  await page.getByLabel('Email*').fill('user1@example.com');
-  await page.getByLabel('Name').fill('User 1');
+  await page.getByPlaceholder('Email').fill('user1@example.com');
+  await page.getByPlaceholder('Name').fill('User 1');
 
   await page.getByRole('button', { name: 'Continue' }).click();
 
@@ -225,8 +232,9 @@ test('should be able to create, send and sign a document', async ({ page }) => {
   // Assert document was created
   await expect(page.getByRole('link', { name: documentTitle })).toBeVisible();
   await page.getByRole('link', { name: documentTitle }).click();
+  await page.waitForURL(/\/documents\/\d+/);
 
-  const url = await page.url().split('/');
+  const url = page.url().split('/');
   const documentId = url[url.length - 1];
 
   const { token } = await getRecipientByEmail({
@@ -238,60 +246,50 @@ test('should be able to create, send and sign a document', async ({ page }) => {
   await page.waitForURL(`/sign/${token}`);
 
   // Check if document has been viewed
-  const { status } = await getDocumentByToken({ token });
+  const { status } = await getDocumentByToken(token);
   expect(status).toBe(DocumentStatus.PENDING);
 
   await page.getByRole('button', { name: 'Complete' }).click();
-  await expect(page.getByRole('dialog').getByText('Sign Document')).toBeVisible();
+  await expect(page.getByRole('dialog').getByText('Complete Signing').first()).toBeVisible();
   await page.getByRole('button', { name: 'Sign' }).click();
 
   await page.waitForURL(`/sign/${token}/complete`);
   await expect(page.getByText('You have signed')).toBeVisible();
 
   // Check if document has been signed
-  const { status: completedStatus } = await getDocumentByToken({ token });
+  const { status: completedStatus } = await getDocumentByToken(token);
   expect(completedStatus).toBe(DocumentStatus.COMPLETED);
+
+  await unseedUser(user.id);
 });
 
-test('should be able to create, send with redirect url, sign a document and redirect to redirect url', async ({
+test('[DOCUMENT_FLOW]: should be able to create, send with redirect url, sign a document and redirect to redirect url', async ({
   page,
 }) => {
-  await page.goto('/signin');
+  const user = await seedUser();
+  const document = await seedBlankDocument(user);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/documents/${document.id}/edit`,
+  });
 
   const documentTitle = `example-${Date.now()}.pdf`;
 
-  // Sign in
-  await page.getByLabel('Email').fill(TEST_USER.email);
-  await page.getByLabel('Password', { exact: true }).fill(TEST_USER.password);
-  await page.getByRole('button', { name: 'Sign In' }).click();
-
-  // Upload document
-  const [fileChooser] = await Promise.all([
-    page.waitForEvent('filechooser'),
-    page.locator('input[type=file]').evaluate((e) => {
-      if (e instanceof HTMLInputElement) {
-        e.click();
-      }
-    }),
-  ]);
-
-  await fileChooser.setFiles(path.join(__dirname, '../../../assets/example.pdf'));
-
-  // Wait to be redirected to the edit page
-  await page.waitForURL(/\/documents\/\d+/);
-
-  // Set title
-  await expect(page.getByRole('heading', { name: 'Add Title' })).toBeVisible();
-
+  // Set title & advanced redirect
+  await expect(page.getByRole('heading', { name: 'General' })).toBeVisible();
   await page.getByLabel('Title').fill(documentTitle);
+  await page.getByRole('button', { name: 'Advanced Options' }).click();
+  await page.getByLabel('Redirect URL').fill('https://documenso.com');
 
   await page.getByRole('button', { name: 'Continue' }).click();
 
   // Add signers
   await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
 
-  await page.getByLabel('Email*').fill('user1@example.com');
-  await page.getByLabel('Name').fill('User 1');
+  await page.getByPlaceholder('Email').fill('user1@example.com');
+  await page.getByPlaceholder('Name').fill('User 1');
 
   await page.getByRole('button', { name: 'Continue' }).click();
 
@@ -299,11 +297,6 @@ test('should be able to create, send with redirect url, sign a document and redi
   await expect(page.getByRole('heading', { name: 'Add Fields' })).toBeVisible();
   await page.getByRole('button', { name: 'Continue' }).click();
 
-  // Add subject and send
-  await expect(page.getByRole('heading', { name: 'Add Subject' })).toBeVisible();
-  await page.getByRole('button', { name: 'Advanced Options' }).click();
-  await page.getByLabel('Redirect URL').fill('https://documenso.com');
-
   await page.getByRole('button', { name: 'Send' }).click();
 
   await page.waitForURL('/documents');
@@ -311,8 +304,9 @@ test('should be able to create, send with redirect url, sign a document and redi
   // Assert document was created
   await expect(page.getByRole('link', { name: documentTitle })).toBeVisible();
   await page.getByRole('link', { name: documentTitle }).click();
+  await page.waitForURL(/\/documents\/\d+/);
 
-  const url = await page.url().split('/');
+  const url = page.url().split('/');
   const documentId = url[url.length - 1];
 
   const { token } = await getRecipientByEmail({
@@ -324,16 +318,18 @@ test('should be able to create, send with redirect url, sign a document and redi
   await page.waitForURL(`/sign/${token}`);
 
   // Check if document has been viewed
-  const { status } = await getDocumentByToken({ token });
+  const { status } = await getDocumentByToken(token);
   expect(status).toBe(DocumentStatus.PENDING);
 
   await page.getByRole('button', { name: 'Complete' }).click();
-  await expect(page.getByRole('dialog').getByText('Sign Document')).toBeVisible();
+  await expect(page.getByRole('dialog').getByText('Complete Signing').first()).toBeVisible();
   await page.getByRole('button', { name: 'Sign' }).click();
 
   await page.waitForURL('https://documenso.com');
 
   // Check if document has been signed
-  const { status: completedStatus } = await getDocumentByToken({ token });
+  const { status: completedStatus } = await getDocumentByToken(token);
   expect(completedStatus).toBe(DocumentStatus.COMPLETED);
+
+  await unseedUser(user.id);
 });

packages/app-tests/e2e/documents/delete-documents.spec.ts

@@ -0,0 +1,172 @@
+import { expect, test } from '@playwright/test';
+
+import {
+  seedCompletedDocument,
+  seedDraftDocument,
+  seedPendingDocument,
+} from '@documenso/prisma/seed/documents';
+import { seedUser } from '@documenso/prisma/seed/users';
+
+import { apiSignin, apiSignout } from '../fixtures/authentication';
+
+test.describe.configure({ mode: 'serial' });
+
+const seedDeleteDocumentsTestRequirements = async () => {
+  const [sender, recipientA, recipientB] = await Promise.all([seedUser(), seedUser(), seedUser()]);
+
+  const [draftDocument, pendingDocument, completedDocument] = await Promise.all([
+    seedDraftDocument(sender, [recipientA, recipientB], {
+      createDocumentOptions: { title: 'Document 1 - Draft' },
+    }),
+    seedPendingDocument(sender, [recipientA, recipientB], {
+      createDocumentOptions: { title: 'Document 1 - Pending' },
+    }),
+    seedCompletedDocument(sender, [recipientA, recipientB], {
+      createDocumentOptions: { title: 'Document 1 - Completed' },
+    }),
+  ]);
+
+  return {
+    sender,
+    recipients: [recipientA, recipientB],
+    draftDocument,
+    pendingDocument,
+    completedDocument,
+  };
+};
+
+test('[DOCUMENTS]: seeded documents should be visible', async ({ page }) => {
+  const { sender, recipients } = await seedDeleteDocumentsTestRequirements();
+
+  await apiSignin({
+    page,
+    email: sender.email,
+  });
+
+  await expect(page.getByRole('link', { name: 'Document 1 - Completed' })).toBeVisible();
+  await expect(page.getByRole('link', { name: 'Document 1 - Pending' })).toBeVisible();
+  await expect(page.getByRole('link', { name: 'Document 1 - Draft' })).toBeVisible();
+
+  await apiSignout({ page });
+
+  for (const recipient of recipients) {
+    await apiSignin({
+      page,
+      email: recipient.email,
+    });
+
+    await expect(page.getByRole('link', { name: 'Document 1 - Completed' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'Document 1 - Pending' })).toBeVisible();
+
+    await expect(page.getByRole('link', { name: 'Document 1 - Draft' })).not.toBeVisible();
+
+    await apiSignout({ page });
+  }
+});
+
+test('[DOCUMENTS]: deleting a completed document should not remove it from recipients', async ({
+  page,
+}) => {
+  const { sender, recipients } = await seedDeleteDocumentsTestRequirements();
+
+  await apiSignin({
+    page,
+    email: sender.email,
+  });
+
+  // open actions menu
+  await page
+    .locator('tr', { hasText: 'Document 1 - Completed' })
+    .getByRole('cell', { name: 'Download' })
+    .getByRole('button')
+    .nth(1)
+    .click();
+
+  // delete document
+  await page.getByRole('menuitem', { name: 'Delete' }).click();
+  await page.getByPlaceholder("Type 'delete' to confirm").fill('delete');
+  await page.getByRole('button', { name: 'Delete' }).click();
+
+  await expect(page.getByRole('row', { name: /Document 1 - Completed/ })).not.toBeVisible();
+
+  await apiSignout({ page });
+
+  for (const recipient of recipients) {
+    await apiSignin({
+      page,
+      email: recipient.email,
+    });
+
+    await expect(page.getByRole('link', { name: 'Document 1 - Completed' })).toBeVisible();
+    await page.getByRole('link', { name: 'Document 1 - Completed' }).click();
+    await expect(page.getByText('Everyone has signed').nth(0)).toBeVisible();
+
+    await apiSignout({ page });
+  }
+});
+
+test('[DOCUMENTS]: deleting a pending document should remove it from recipients', async ({
+  page,
+}) => {
+  const { sender, pendingDocument } = await seedDeleteDocumentsTestRequirements();
+
+  await apiSignin({
+    page,
+    email: sender.email,
+  });
+
+  // open actions menu
+  await page.locator('tr', { hasText: 'Document 1 - Pending' }).getByRole('button').nth(1).click();
+
+  // delete document
+  await page.getByRole('menuitem', { name: 'Delete' }).click();
+  await page.getByPlaceholder("Type 'delete' to confirm").fill('delete');
+  await page.getByRole('button', { name: 'Delete' }).click();
+
+  await expect(page.getByRole('row', { name: /Document 1 - Pending/ })).not.toBeVisible();
+
+  // signout
+  await apiSignout({ page });
+
+  for (const recipient of pendingDocument.Recipient) {
+    await apiSignin({
+      page,
+      email: recipient.email,
+    });
+
+    await expect(page.getByRole('link', { name: 'Document 1 - Pending' })).not.toBeVisible();
+
+    await page.goto(`/sign/${recipient.token}`);
+    await expect(page.getByText(/document.*cancelled/i).nth(0)).toBeVisible();
+
+    await page.goto('/documents');
+    await page.waitForURL('/documents');
+
+    await apiSignout({ page });
+  }
+});
+
+test('[DOCUMENTS]: deleting a draft document should remove it without additional prompting', async ({
+  page,
+}) => {
+  const { sender } = await seedDeleteDocumentsTestRequirements();
+
+  await apiSignin({
+    page,
+    email: sender.email,
+  });
+
+  // open actions menu
+  await page
+    .locator('tr', { hasText: 'Document 1 - Draft' })
+    .getByRole('cell', { name: 'Edit' })
+    .getByRole('button')
+    .click();
+
+  // delete document
+  await page.getByRole('menuitem', { name: 'Delete' }).click();
+  await expect(page.getByPlaceholder("Type 'delete' to confirm")).not.toBeVisible();
+  await page.getByRole('button', { name: 'Delete' }).click();
+
+  await expect(page.getByRole('row', { name: /Document 1 - Draft/ })).not.toBeVisible();
+});

packages/app-tests/e2e/fixtures/authentication.ts

@@ -1,8 +1,8 @@
-import type { Page } from '@playwright/test';
+import { type Page } from '@playwright/test';
 
 import { WEBAPP_BASE_URL } from '@documenso/lib/constants/app';
 
-type ManualLoginOptions = {
+type LoginOptions = {
   page: Page;
   email?: string;
   password?: string;
@@ -13,29 +13,54 @@ type ManualLoginOptions = {
   redirectPath?: string;
 };
 
-export const manualLogin = async ({
+export const apiSignin = async ({
   page,
   email = 'example@documenso.com',
   password = 'password',
-  redirectPath,
-}: ManualLoginOptions) => {
+  redirectPath = '/documents',
+}: LoginOptions) => {
+  const { request } = page.context();
+
+  const csrfToken = await getCsrfToken(page);
+
+  await request.post(`${WEBAPP_BASE_URL}/api/auth/callback/credentials`, {
+    form: {
+      email,
+      password,
+      json: true,
+      csrfToken,
+    },
+  });
+
+  await page.goto(`${WEBAPP_BASE_URL}${redirectPath}`);
+};
+
+export const apiSignout = async ({ page }: { page: Page }) => {
+  const { request } = page.context();
+
+  const csrfToken = await getCsrfToken(page);
+
+  await request.post(`${WEBAPP_BASE_URL}/api/auth/signout`, {
+    form: {
+      csrfToken,
+      json: true,
+    },
+  });
+
   await page.goto(`${WEBAPP_BASE_URL}/signin`);
+};
 
-  await page.getByLabel('Email').click();
-  await page.getByLabel('Email').fill(email);
+const getCsrfToken = async (page: Page) => {
+  const { request } = page.context();
 
-  await page.getByLabel('Password', { exact: true }).fill(password);
-  await page.getByLabel('Password', { exact: true }).press('Enter');
+  const response = await request.fetch(`${WEBAPP_BASE_URL}/api/auth/csrf`, {
+    method: 'get',
+  });
 
-  if (redirectPath) {
-    await page.waitForURL(`${WEBAPP_BASE_URL}/documents`);
-    await page.goto(`${WEBAPP_BASE_URL}${redirectPath}`);
+  const { csrfToken } = await response.json();
+  if (!csrfToken) {
+    throw new Error('Invalid session');
   }
-};
 
-export const manualSignout = async ({ page }: ManualLoginOptions) => {
-  await page.waitForTimeout(1000);
-  await page.getByTestId('menu-switcher').click();
-  await page.getByRole('menuitem', { name: 'Sign Out' }).click();
-  await page.waitForURL(`${WEBAPP_BASE_URL}/signin`);
+  return csrfToken;
 };

packages/app-tests/e2e/pr-711-deletion-of-documents.spec.ts

@@ -1,159 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { TEST_USERS } from '@documenso/prisma/seed/pr-711-deletion-of-documents';
-
-import { manualLogin, manualSignout } from './fixtures/authentication';
-
-test.describe.configure({ mode: 'serial' });
-
-test('[PR-711]: seeded documents should be visible', async ({ page }) => {
-  const [sender, ...recipients] = TEST_USERS;
-
-  await page.goto('/signin');
-
-  await page.getByLabel('Email').fill(sender.email);
-  await page.getByLabel('Password', { exact: true }).fill(sender.password);
-  await page.getByRole('button', { name: 'Sign In' }).click();
-
-  await page.waitForURL('/documents');
-
-  await expect(page.getByRole('link', { name: 'Document 1 - Completed' })).toBeVisible();
-  await expect(page.getByRole('link', { name: 'Document 1 - Pending' })).toBeVisible();
-  await expect(page.getByRole('link', { name: 'Document 1 - Draft' })).toBeVisible();
-
-  await manualSignout({ page });
-
-  for (const recipient of recipients) {
-    await page.waitForURL('/signin');
-    await manualLogin({ page, email: recipient.email, password: recipient.password });
-
-    await page.waitForURL('/documents');
-
-    await expect(page.getByRole('link', { name: 'Document 1 - Completed' })).toBeVisible();
-    await expect(page.getByRole('link', { name: 'Document 1 - Pending' })).toBeVisible();
-
-    await expect(page.getByRole('link', { name: 'Document 1 - Draft' })).not.toBeVisible();
-
-    await manualSignout({ page });
-  }
-});
-
-test('[PR-711]: deleting a completed document should not remove it from recipients', async ({
-  page,
-}) => {
-  const [sender, ...recipients] = TEST_USERS;
-
-  await page.goto('/signin');
-
-  // sign in
-  await page.getByLabel('Email').fill(sender.email);
-  await page.getByLabel('Password', { exact: true }).fill(sender.password);
-  await page.getByRole('button', { name: 'Sign In' }).click();
-
-  await page.waitForURL('/documents');
-
-  // open actions menu
-  await page
-    .locator('tr', { hasText: 'Document 1 - Completed' })
-    .getByRole('cell', { name: 'Download' })
-    .getByRole('button')
-    .nth(1)
-    .click();
-
-  // delete document
-  await page.getByRole('menuitem', { name: 'Delete' }).click();
-  await page.getByPlaceholder("Type 'delete' to confirm").fill('delete');
-  await page.getByRole('button', { name: 'Delete' }).click();
-
-  await expect(page.getByRole('row', { name: /Document 1 - Completed/ })).not.toBeVisible();
-
-  await manualSignout({ page });
-
-  for (const recipient of recipients) {
-    await page.waitForURL('/signin');
-    await page.goto('/signin');
-
-    // sign in
-    await page.getByLabel('Email').fill(recipient.email);
-    await page.getByLabel('Password', { exact: true }).fill(recipient.password);
-    await page.getByRole('button', { name: 'Sign In' }).click();
-
-    await page.waitForURL('/documents');
-
-    await expect(page.getByRole('link', { name: 'Document 1 - Completed' })).toBeVisible();
-
-    await page.goto(`/sign/completed-token-${recipients.indexOf(recipient)}`);
-    await expect(page.getByText('Everyone has signed').nth(0)).toBeVisible();
-
-    await page.goto('/documents');
-    await manualSignout({ page });
-  }
-});
-
-test('[PR-711]: deleting a pending document should remove it from recipients', async ({ page }) => {
-  const [sender, ...recipients] = TEST_USERS;
-
-  for (const recipient of recipients) {
-    await page.goto(`/sign/pending-token-${recipients.indexOf(recipient)}`);
-
-    await expect(page.getByText('Waiting for others to sign').nth(0)).toBeVisible();
-  }
-
-  await page.goto('/signin');
-
-  await manualLogin({ page, email: sender.email, password: sender.password });
-  await page.waitForURL('/documents');
-
-  // open actions menu
-  await page.locator('tr', { hasText: 'Document 1 - Pending' }).getByRole('button').nth(1).click();
-
-  // delete document
-  await page.getByRole('menuitem', { name: 'Delete' }).click();
-  await page.getByPlaceholder("Type 'delete' to confirm").fill('delete');
-  await page.getByRole('button', { name: 'Delete' }).click();
-
-  await expect(page.getByRole('row', { name: /Document 1 - Pending/ })).not.toBeVisible();
-
-  // signout
-  await manualSignout({ page });
-
-  for (const recipient of recipients) {
-    await page.waitForURL('/signin');
-
-    await manualLogin({ page, email: recipient.email, password: recipient.password });
-    await page.waitForURL('/documents');
-
-    await expect(page.getByRole('link', { name: 'Document 1 - Pending' })).not.toBeVisible();
-
-    await page.goto(`/sign/pending-token-${recipients.indexOf(recipient)}`);
-    await expect(page.getByText(/document.*cancelled/i).nth(0)).toBeVisible();
-
-    await page.goto('/documents');
-    await page.waitForURL('/documents');
-
-    await manualSignout({ page });
-  }
-});
-
-test('[PR-711]: deleting a draft document should remove it without additional prompting', async ({
-  page,
-}) => {
-  const [sender] = TEST_USERS;
-
-  await manualLogin({ page, email: sender.email, password: sender.password });
-  await page.waitForURL('/documents');
-
-  // open actions menu
-  await page
-    .locator('tr', { hasText: 'Document 1 - Draft' })
-    .getByRole('cell', { name: 'Edit' })
-    .getByRole('button')
-    .click();
-
-  // delete document
-  await page.getByRole('menuitem', { name: 'Delete' }).click();
-  await expect(page.getByPlaceholder("Type 'delete' to confirm")).not.toBeVisible();
-  await page.getByRole('button', { name: 'Delete' }).click();
-
-  await expect(page.getByRole('row', { name: /Document 1 - Draft/ })).not.toBeVisible();
-});

packages/app-tests/e2e/pr-713-add-document-search-to-command-menu.spec.ts

@@ -1,54 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { TEST_USERS } from '@documenso/prisma/seed/pr-713-add-document-search-to-command-menu';
-
-test('[PR-713]: should see sent documents', async ({ page }) => {
-  const [user] = TEST_USERS;
-
-  await page.goto('/signin');
-
-  await page.getByLabel('Email').fill(user.email);
-  await page.getByLabel('Password', { exact: true }).fill(user.password);
-  await page.getByRole('button', { name: 'Sign In' }).click();
-
-  await page.waitForURL('/documents');
-
-  await page.keyboard.press('Meta+K');
-
-  await page.getByPlaceholder('Type a command or search...').first().fill('sent');
-  await expect(page.getByRole('option', { name: '[713] Document - Sent' })).toBeVisible();
-});
-
-test('[PR-713]: should see received documents', async ({ page }) => {
-  const [user] = TEST_USERS;
-
-  await page.goto('/signin');
-
-  await page.getByLabel('Email').fill(user.email);
-  await page.getByLabel('Password', { exact: true }).fill(user.password);
-  await page.getByRole('button', { name: 'Sign In' }).click();
-
-  await page.waitForURL('/documents');
-
-  await page.keyboard.press('Meta+K');
-
-  await page.getByPlaceholder('Type a command or search...').first().fill('received');
-  await expect(page.getByRole('option', { name: '[713] Document - Received' })).toBeVisible();
-});
-
-test('[PR-713]: should be able to search by recipient', async ({ page }) => {
-  const [user, recipient] = TEST_USERS;
-
-  await page.goto('/signin');
-
-  await page.getByLabel('Email').fill(user.email);
-  await page.getByLabel('Password', { exact: true }).fill(user.password);
-  await page.getByRole('button', { name: 'Sign In' }).click();
-
-  await page.waitForURL('/documents');
-
-  await page.keyboard.press('Meta+K');
-
-  await page.getByPlaceholder('Type a command or search...').first().fill(recipient.email);
-  await expect(page.getByRole('option', { name: '[713] Document - Sent' })).toBeVisible();
-});

packages/app-tests/e2e/teams/manage-team.spec.ts

@@ -4,14 +4,19 @@ import { WEBAPP_BASE_URL } from '@documenso/lib/constants/app';
 import { seedTeam, unseedTeam } from '@documenso/prisma/seed/teams';
 import { seedUser } from '@documenso/prisma/seed/users';
 
-import { manualLogin } from '../fixtures/authentication';
+import { apiSignin } from '../fixtures/authentication';
 
 test.describe.configure({ mode: 'parallel' });
 
 test('[TEAMS]: create team', async ({ page }) => {
   const user = await seedUser();
 
-  await manualLogin({
+  test.skip(
+    process.env.NEXT_PUBLIC_FEATURE_BILLING_ENABLED === 'true',
+    'Test skipped because billing is enabled.',
+  );
+
+  await apiSignin({
     page,
     email: user.email,
     redirectPath: '/settings/teams',
@@ -26,9 +31,6 @@ test('[TEAMS]: create team', async ({ page }) => {
 
   await page.getByTestId('dialog-create-team-button').waitFor({ state: 'hidden' });
 
-  const isCheckoutRequired = page.url().includes('pending');
-  test.skip(isCheckoutRequired, 'Test skipped because billing is enabled.');
-
   // Goto new team settings page.
   await page.getByRole('row').filter({ hasText: teamId }).getByRole('link').nth(1).click();
 
@@ -38,7 +40,7 @@ test('[TEAMS]: create team', async ({ page }) => {
 test('[TEAMS]: delete team', async ({ page }) => {
   const team = await seedTeam();
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: team.owner.email,
     redirectPath: `/t/${team.url}/settings`,
@@ -56,7 +58,7 @@ test('[TEAMS]: delete team', async ({ page }) => {
 test('[TEAMS]: update team', async ({ page }) => {
   const team = await seedTeam();
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: team.owner.email,
   });

packages/app-tests/e2e/teams/team-documents.spec.ts

@@ -6,7 +6,7 @@ import { seedDocuments, seedTeamDocuments } from '@documenso/prisma/seed/documen
 import { seedTeamEmail, unseedTeam, unseedTeamEmail } from '@documenso/prisma/seed/teams';
 import { seedUser } from '@documenso/prisma/seed/users';
 
-import { manualLogin, manualSignout } from '../fixtures/authentication';
+import { apiSignin, apiSignout } from '../fixtures/authentication';
 
 test.describe.configure({ mode: 'parallel' });
 
@@ -30,7 +30,7 @@ test('[TEAMS]: check team documents count', async ({ page }) => {
 
   // Run the test twice, once with the team owner and once with a team member to ensure the counts are the same.
   for (const user of [team.owner, teamMember2]) {
-    await manualLogin({
+    await apiSignin({
       page,
       email: user.email,
       redirectPath: `/t/${team.url}/documents`,
@@ -55,7 +55,7 @@ test('[TEAMS]: check team documents count', async ({ page }) => {
     await checkDocumentTabCount(page, 'Draft', 1);
     await checkDocumentTabCount(page, 'All', 3);
 
-    await manualSignout({ page });
+    await apiSignout({ page });
   }
 
   await unseedTeam(team.url);
@@ -126,7 +126,7 @@ test('[TEAMS]: check team documents count with internal team email', async ({ pa
 
   // Run the test twice, one with the team owner and once with the team member email to ensure the counts are the same.
   for (const user of [team.owner, teamEmailMember]) {
-    await manualLogin({
+    await apiSignin({
       page,
       email: user.email,
       redirectPath: `/t/${team.url}/documents`,
@@ -151,7 +151,7 @@ test('[TEAMS]: check team documents count with internal team email', async ({ pa
     await checkDocumentTabCount(page, 'Draft', 1);
     await checkDocumentTabCount(page, 'All', 3);
 
-    await manualSignout({ page });
+    await apiSignout({ page });
   }
 
   await unseedTeamEmail({ teamId: team.id });
@@ -216,7 +216,7 @@ test('[TEAMS]: check team documents count with external team email', async ({ pa
     },
   ]);
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: teamMember2.email,
     redirectPath: `/t/${team.url}/documents`,
@@ -248,7 +248,7 @@ test('[TEAMS]: check team documents count with external team email', async ({ pa
 test('[TEAMS]: delete pending team document', async ({ page }) => {
   const { team, teamMember2: currentUser } = await seedTeamDocuments();
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: currentUser.email,
     redirectPath: `/t/${team.url}/documents?status=PENDING`,
@@ -266,7 +266,7 @@ test('[TEAMS]: delete pending team document', async ({ page }) => {
 test('[TEAMS]: resend pending team document', async ({ page }) => {
   const { team, teamMember2: currentUser } = await seedTeamDocuments();
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: currentUser.email,
     redirectPath: `/t/${team.url}/documents?status=PENDING`,

packages/app-tests/e2e/teams/team-email.spec.ts

@@ -4,14 +4,14 @@ import { WEBAPP_BASE_URL } from '@documenso/lib/constants/app';
 import { seedTeam, seedTeamEmailVerification, unseedTeam } from '@documenso/prisma/seed/teams';
 import { seedUser, unseedUser } from '@documenso/prisma/seed/users';
 
-import { manualLogin } from '../fixtures/authentication';
+import { apiSignin } from '../fixtures/authentication';
 
 test.describe.configure({ mode: 'parallel' });
 
 test('[TEAMS]: send team email request', async ({ page }) => {
   const team = await seedTeam();
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: team.owner.email,
     password: 'password',
@@ -57,7 +57,7 @@ test('[TEAMS]: delete team email', async ({ page }) => {
     createTeamEmail: true,
   });
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: team.owner.email,
     redirectPath: `/t/${team.url}/settings`,
@@ -86,7 +86,7 @@ test('[TEAMS]: team email owner removes access', async ({ page }) => {
     email: team.teamEmail.email,
   });
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: teamEmailOwner.email,
     redirectPath: `/settings/teams`,

packages/app-tests/e2e/teams/team-members.spec.ts

@@ -4,7 +4,7 @@ import { WEBAPP_BASE_URL } from '@documenso/lib/constants/app';
 import { seedTeam, seedTeamInvite, unseedTeam } from '@documenso/prisma/seed/teams';
 import { seedUser } from '@documenso/prisma/seed/users';
 
-import { manualLogin } from '../fixtures/authentication';
+import { apiSignin } from '../fixtures/authentication';
 
 test.describe.configure({ mode: 'parallel' });
 
@@ -13,7 +13,7 @@ test('[TEAMS]: update team member role', async ({ page }) => {
     createTeamMembers: 1,
   });
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: team.owner.email,
     password: 'password',
@@ -75,7 +75,7 @@ test('[TEAMS]: member can leave team', async ({ page }) => {
 
   const teamMember = team.members[1];
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: teamMember.user.email,
     password: 'password',
@@ -97,7 +97,7 @@ test('[TEAMS]: owner cannot leave team', async ({ page }) => {
     createTeamMembers: 1,
   });
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: team.owner.email,
     password: 'password',

packages/app-tests/e2e/teams/transfer-team.spec.ts

@@ -3,7 +3,7 @@ import { expect, test } from '@playwright/test';
 import { WEBAPP_BASE_URL } from '@documenso/lib/constants/app';
 import { seedTeam, seedTeamTransfer, unseedTeam } from '@documenso/prisma/seed/teams';
 
-import { manualLogin } from '../fixtures/authentication';
+import { apiSignin } from '../fixtures/authentication';
 
 test.describe.configure({ mode: 'parallel' });
 
@@ -14,7 +14,7 @@ test('[TEAMS]: initiate and cancel team transfer', async ({ page }) => {
 
   const teamMember = team.members[1];
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: team.owner.email,
     password: 'password',

packages/app-tests/e2e/templates/manage-templates.spec.ts

@@ -4,7 +4,7 @@ import { WEBAPP_BASE_URL } from '@documenso/lib/constants/app';
 import { seedTeam, unseedTeam } from '@documenso/prisma/seed/teams';
 import { seedTemplate } from '@documenso/prisma/seed/templates';
 
-import { manualLogin } from '../fixtures/authentication';
+import { apiSignin } from '../fixtures/authentication';
 
 test.describe.configure({ mode: 'parallel' });
 
@@ -36,7 +36,7 @@ test('[TEMPLATES]: view templates', async ({ page }) => {
     teamId: team.id,
   });
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: owner.email,
     redirectPath: '/templates',
@@ -81,7 +81,7 @@ test('[TEMPLATES]: delete template', async ({ page }) => {
     teamId: team.id,
   });
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: owner.email,
     redirectPath: '/templates',
@@ -108,7 +108,7 @@ test('[TEMPLATES]: delete template', async ({ page }) => {
     await page.getByRole('button', { name: 'Delete' }).click();
     await expect(page.getByText('Template deleted').first()).toBeVisible();
 
-    await page.waitForTimeout(1000);
+    await page.reload();
   }
 
   await unseedTeam(team.url);
@@ -135,7 +135,7 @@ test('[TEMPLATES]: duplicate template', async ({ page }) => {
     teamId: team.id,
   });
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: owner.email,
     redirectPath: '/templates',
@@ -181,7 +181,7 @@ test('[TEMPLATES]: use template', async ({ page }) => {
     teamId: team.id,
   });
 
-  await manualLogin({
+  await apiSignin({
     page,
     email: owner.email,
     redirectPath: '/templates',

packages/app-tests/e2e/user/auth-flow.spec.ts

@@ -2,6 +2,7 @@ import { type Page, expect, test } from '@playwright/test';
 
 import {
   extractUserVerificationToken,
+  seedTestEmail,
   seedUser,
   unseedUser,
   unseedUserByEmail,
@@ -9,9 +10,9 @@ import {
 
 test.use({ storageState: { cookies: [], origins: [] } });
 
-test('user can sign up with email and password', async ({ page }: { page: Page }) => {
+test('[USER] can sign up with email and password', async ({ page }: { page: Page }) => {
   const username = 'Test User';
-  const email = `test-user-${Date.now()}@auth-flow.documenso.com`;
+  const email = seedTestEmail();
   const password = 'Password123#';
 
   await page.goto('/signup');
@@ -30,7 +31,7 @@ test('user can sign up with email and password', async ({ page }: { page: Page }
   }
 
   await page.getByRole('button', { name: 'Next', exact: true }).click();
-  await page.getByLabel('Public profile username').fill('username-123');
+  await page.getByLabel('Public profile username').fill(Date.now().toString());
 
   await page.getByRole('button', { name: 'Complete', exact: true }).click();
 
@@ -50,7 +51,7 @@ test('user can sign up with email and password', async ({ page }: { page: Page }
   await unseedUserByEmail(email);
 });
 
-test('user can login with user and password', async ({ page }: { page: Page }) => {
+test('[USER] can sign in using email and password', async ({ page }: { page: Page }) => {
   const user = await seedUser();
 
   await page.goto('/signin');

packages/app-tests/e2e/user/delete-account.spec.ts

@@ -4,19 +4,16 @@ import { WEBAPP_BASE_URL } from '@documenso/lib/constants/app';
 import { getUserByEmail } from '@documenso/lib/server-only/user/get-user-by-email';
 import { seedUser } from '@documenso/prisma/seed/users';
 
-import { manualLogin } from './fixtures/authentication';
+import { apiSignin } from '../fixtures/authentication';
 
-test('delete user', async ({ page }) => {
+test('[USER] delete account', async ({ page }) => {
   const user = await seedUser();
 
-  await manualLogin({
-    page,
-    email: user.email,
-    redirectPath: '/settings',
-  });
+  await apiSignin({ page, email: user.email, redirectPath: '/settings' });
 
   await page.getByRole('button', { name: 'Delete Account' }).click();
   await page.getByLabel('Confirm Email').fill(user.email);
+
   await expect(page.getByRole('button', { name: 'Confirm Deletion' })).not.toBeDisabled();
   await page.getByRole('button', { name: 'Confirm Deletion' }).click();
 

packages/app-tests/e2e/user/update-name.spec.ts

@@ -3,16 +3,12 @@ import { expect, test } from '@playwright/test';
 import { getUserByEmail } from '@documenso/lib/server-only/user/get-user-by-email';
 import { seedUser } from '@documenso/prisma/seed/users';
 
-import { manualLogin } from './fixtures/authentication';
+import { apiSignin } from '../fixtures/authentication';
 
-test('update user name', async ({ page }) => {
+test('[USER] update full name', async ({ page }) => {
   const user = await seedUser();
 
-  await manualLogin({
-    page,
-    email: user.email,
-    redirectPath: '/settings/profile',
-  });
+  await apiSignin({ page, email: user.email, redirectPath: '/settings/profile' });
 
   await page.getByLabel('Full Name').fill('John Doe');
 

packages/app-tests/playwright.config.ts

@@ -1,10 +1,14 @@
 import { defineConfig, devices } from '@playwright/test';
+import dotenv from 'dotenv';
+import path from 'path';
 
-/**
- * Read environment variables from file.
- * https://github.com/motdotla/dotenv
- */
-// require('dotenv').config();
+const ENV_FILES = ['.env', '.env.local', `.env.${process.env.NODE_ENV || 'development'}`];
+
+ENV_FILES.forEach((file) => {
+  dotenv.config({
+    path: path.join(__dirname, `../../${file}`),
+  });
+});
 
 /**
  * See https://playwright.dev/docs/test-configuration.
@@ -13,12 +17,11 @@ export default defineConfig({
   testDir: './e2e',
   /* Run tests in files in parallel */
   fullyParallel: true,
+  workers: '50%',
   /* Fail the build on CI if you accidentally left test.only in the source code. */
   forbidOnly: !!process.env.CI,
   /* Retry on CI only */
-  retries: process.env.CI ? 2 : 0,
-  /* Opt out of parallel tests on CI. */
-  workers: process.env.CI ? 1 : undefined,
+  retries: process.env.CI ? 2 : 1,
   /* Reporter to use. See https://playwright.dev/docs/test-reporters */
   reporter: 'html',
   /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */

packages/ee/server-only/util/is-document-enterprise.ts

@@ -0,0 +1,56 @@
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { subscriptionsContainActiveEnterprisePlan } from '@documenso/lib/utils/billing';
+import { prisma } from '@documenso/prisma';
+import type { Subscription } from '@documenso/prisma/client';
+
+export type IsUserEnterpriseOptions = {
+  userId: number;
+  teamId?: number;
+};
+
+/**
+ * Whether the user is enterprise, or has permission to use enterprise features on
+ * behalf of their team.
+ *
+ * It is assumed that the provided user is part of the provided team.
+ */
+export const isUserEnterprise = async ({
+  userId,
+  teamId,
+}: IsUserEnterpriseOptions): Promise<boolean> => {
+  let subscriptions: Subscription[] = [];
+
+  if (!IS_BILLING_ENABLED()) {
+    return false;
+  }
+
+  if (teamId) {
+    subscriptions = await prisma.team
+      .findFirstOrThrow({
+        where: {
+          id: teamId,
+        },
+        select: {
+          owner: {
+            include: {
+              Subscription: true,
+            },
+          },
+        },
+      })
+      .then((team) => team.owner.Subscription);
+  } else {
+    subscriptions = await prisma.user
+      .findFirstOrThrow({
+        where: {
+          id: userId,
+        },
+        select: {
+          Subscription: true,
+        },
+      })
+      .then((user) => user.Subscription);
+  }
+
+  return subscriptionsContainActiveEnterprisePlan(subscriptions);
+};

packages/email/mailer.ts

@@ -1,3 +1,4 @@
+import type { SendMailOptions } from 'nodemailer';
 import { createTransport } from 'nodemailer';
 
 import { ResendTransport } from '@documenso/nodemailer-resend';
@@ -54,3 +55,4 @@ const getTransport = () => {
 };
 
 export const mailer = getTransport();
+export type MailOptions = SendMailOptions;

packages/email/template-components/template-document-super-delete.tsx

@@ -0,0 +1,45 @@
+import { Section, Text } from '../components';
+import { TemplateDocumentImage } from './template-document-image';
+
+export interface TemplateDocumentDeleteProps {
+  reason: string;
+  documentName: string;
+  assetBaseUrl: string;
+}
+
+export const TemplateDocumentDelete = ({
+  reason,
+  documentName,
+  assetBaseUrl,
+}: TemplateDocumentDeleteProps) => {
+  return (
+    <>
+      <TemplateDocumentImage className="mt-6" assetBaseUrl={assetBaseUrl} />
+
+      <Section>
+        <Text className="text-primary mb-0 mt-6 text-left text-lg font-semibold">
+          Your document has been deleted by an admin!
+        </Text>
+
+        <Text className="mx-auto mb-6 mt-1 text-left text-base text-slate-400">
+          "{documentName}" has been deleted by an admin.
+        </Text>
+
+        <Text className="mx-auto mb-6 mt-1 text-left text-base text-slate-400">
+          This document can not be recovered, if you would like to dispute the reason for future
+          documents please contact support.
+        </Text>
+
+        <Text className="mx-auto mt-1 text-left text-base text-slate-400">
+          The reason provided for deletion is the following:
+        </Text>
+
+        <Text className="mx-auto mb-6 mt-1 text-left text-base italic text-slate-400">
+          {reason}
+        </Text>
+      </Section>
+    </>
+  );
+};
+
+export default TemplateDocumentDelete;

packages/email/templates/document-super-delete.tsx

@@ -0,0 +1,66 @@
+import config from '@documenso/tailwind-config';
+
+import { Body, Container, Head, Hr, Html, Img, Preview, Section, Tailwind } from '../components';
+import {
+  TemplateDocumentDelete,
+  type TemplateDocumentDeleteProps,
+} from '../template-components/template-document-super-delete';
+import { TemplateFooter } from '../template-components/template-footer';
+
+export type DocumentDeleteEmailTemplateProps = Partial<TemplateDocumentDeleteProps>;
+
+export const DocumentSuperDeleteEmailTemplate = ({
+  documentName = 'Open Source Pledge.pdf',
+  assetBaseUrl = 'http://localhost:3002',
+  reason = 'Unknown',
+}: DocumentDeleteEmailTemplateProps) => {
+  const previewText = `An admin has deleted your document "${documentName}".`;
+
+  const getAssetUrl = (path: string) => {
+    return new URL(path, assetBaseUrl).toString();
+  };
+
+  return (
+    <Html>
+      <Head />
+      <Preview>{previewText}</Preview>
+      <Tailwind
+        config={{
+          theme: {
+            extend: {
+              colors: config.theme.extend.colors,
+            },
+          },
+        }}
+      >
+        <Body className="mx-auto my-auto bg-white font-sans">
+          <Section>
+            <Container className="mx-auto mb-2 mt-8 max-w-xl rounded-lg border border-solid border-slate-200 p-4 backdrop-blur-sm">
+              <Section>
+                <Img
+                  src={getAssetUrl('/static/logo.png')}
+                  alt="Documenso Logo"
+                  className="mb-4 h-6"
+                />
+
+                <TemplateDocumentDelete
+                  reason={reason}
+                  documentName={documentName}
+                  assetBaseUrl={assetBaseUrl}
+                />
+              </Section>
+            </Container>
+
+            <Hr className="mx-auto mt-12 max-w-xl" />
+
+            <Container className="mx-auto max-w-xl">
+              <TemplateFooter />
+            </Container>
+          </Section>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default DocumentSuperDeleteEmailTemplate;

packages/lib/constants/document-auth.ts

@@ -0,0 +1,26 @@
+import type { TDocumentAuth } from '../types/document-auth';
+import { DocumentAuth } from '../types/document-auth';
+
+type DocumentAuthTypeData = {
+  key: TDocumentAuth;
+  value: string;
+};
+
+export const DOCUMENT_AUTH_TYPES: Record<string, DocumentAuthTypeData> = {
+  [DocumentAuth.ACCOUNT]: {
+    key: DocumentAuth.ACCOUNT,
+    value: 'Require account',
+  },
+  [DocumentAuth.PASSKEY]: {
+    key: DocumentAuth.PASSKEY,
+    value: 'Require passkey',
+  },
+  [DocumentAuth.TWO_FACTOR_AUTH]: {
+    key: DocumentAuth.TWO_FACTOR_AUTH,
+    value: 'Require 2FA',
+  },
+  [DocumentAuth.EXPLICIT_NONE]: {
+    key: DocumentAuth.EXPLICIT_NONE,
+    value: 'None (Overrides global settings)',
+  },
+} satisfies Record<TDocumentAuth, DocumentAuthTypeData>;

packages/lib/errors/app-error.ts

@@ -137,12 +137,16 @@ export class AppError extends Error {
   }
 
   static parseFromJSONString(jsonString: string): AppError | null {
-    const parsed = ZAppErrorJsonSchema.safeParse(JSON.parse(jsonString));
+    try {
+      const parsed = ZAppErrorJsonSchema.safeParse(JSON.parse(jsonString));
 
-    if (!parsed.success) {
+      if (!parsed.success) {
+        return null;
+      }
+
+      return new AppError(parsed.data.code, parsed.data.message, parsed.data.userMessage);
+    } catch {
       return null;
     }
-
-    return new AppError(parsed.data.code, parsed.data.message, parsed.data.userMessage);
   }
 }

packages/lib/next-auth/auth-options.ts

@@ -22,7 +22,7 @@ import { sendConfirmationToken } from '../server-only/user/send-confirmation-tok
 import type { TAuthenticationResponseJSONSchema } from '../types/webauthn';
 import { ZAuthenticationResponseJSONSchema } from '../types/webauthn';
 import { extractNextAuthRequestMetadata } from '../universal/extract-request-metadata';
-import { getAuthenticatorRegistrationOptions } from '../utils/authenticator';
+import { getAuthenticatorOptions } from '../utils/authenticator';
 import { ErrorCode } from './error-codes';
 
 export const NEXT_AUTH_OPTIONS: AuthOptions = {
@@ -196,7 +196,7 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
 
         const user = passkey.User;
 
-        const { rpId, origin } = getAuthenticatorRegistrationOptions();
+        const { rpId, origin } = getAuthenticatorOptions();
 
         const verification = await verifyAuthenticationResponse({
           response: requestBodyCrediential,

packages/lib/package.json

@@ -27,18 +27,19 @@
     "@next-auth/prisma-adapter": "1.0.7",
     "@noble/ciphers": "0.4.0",
     "@noble/hashes": "1.3.2",
+    "@node-rs/bcrypt": "^1.10.0",
     "@pdf-lib/fontkit": "^1.1.1",
     "@scure/base": "^1.1.3",
     "@sindresorhus/slugify": "^2.2.1",
     "@upstash/redis": "^1.20.6",
     "@vvo/tzdb": "^6.117.0",
-    "@node-rs/bcrypt": "^1.10.0",
     "luxon": "^3.4.0",
     "nanoid": "^4.0.2",
     "next": "14.0.3",
     "next-auth": "4.24.5",
     "oslo": "^0.17.0",
     "pdf-lib": "^1.17.1",
+    "pg-boss": "^9.0.3",
     "react": "18.2.0",
     "remeda": "^1.27.1",
     "stripe": "^12.7.0",

packages/lib/server-only/2fa/is-2fa-availble.ts

@@ -1,4 +1,4 @@
-import { User } from '@documenso/prisma/client';
+import type { User } from '@documenso/prisma/client';
 
 import { DOCUMENSO_ENCRYPTION_KEY } from '../../constants/crypto';
 
@@ -9,9 +9,5 @@ type IsTwoFactorAuthenticationEnabledOptions = {
 export const isTwoFactorAuthenticationEnabled = ({
   user,
 }: IsTwoFactorAuthenticationEnabledOptions) => {
-  return (
-    user.twoFactorEnabled &&
-    user.identityProvider === 'DOCUMENSO' &&
-    typeof DOCUMENSO_ENCRYPTION_KEY === 'string'
-  );
+  return user.twoFactorEnabled && typeof DOCUMENSO_ENCRYPTION_KEY === 'string';
 };

packages/lib/server-only/auth/create-passkey-authentication-options.ts

@@ -0,0 +1,76 @@
+import { generateAuthenticationOptions } from '@simplewebauthn/server';
+import type { AuthenticatorTransportFuture } from '@simplewebauthn/types';
+import { DateTime } from 'luxon';
+
+import { prisma } from '@documenso/prisma';
+import type { Passkey } from '@documenso/prisma/client';
+
+import { AppError, AppErrorCode } from '../../errors/app-error';
+import { getAuthenticatorOptions } from '../../utils/authenticator';
+
+type CreatePasskeyAuthenticationOptions = {
+  userId: number;
+
+  /**
+   * The ID of the passkey to request authentication for.
+   *
+   * If not set, we allow the browser client to handle choosing.
+   */
+  preferredPasskeyId?: string;
+};
+
+export const createPasskeyAuthenticationOptions = async ({
+  userId,
+  preferredPasskeyId,
+}: CreatePasskeyAuthenticationOptions) => {
+  const { rpId, timeout } = getAuthenticatorOptions();
+
+  let preferredPasskey: Pick<Passkey, 'credentialId' | 'transports'> | null = null;
+
+  if (preferredPasskeyId) {
+    preferredPasskey = await prisma.passkey.findFirst({
+      where: {
+        userId,
+        id: preferredPasskeyId,
+      },
+      select: {
+        credentialId: true,
+        transports: true,
+      },
+    });
+
+    if (!preferredPasskey) {
+      throw new AppError(AppErrorCode.NOT_FOUND, 'Requested passkey not found');
+    }
+  }
+
+  const options = await generateAuthenticationOptions({
+    rpID: rpId,
+    userVerification: 'preferred',
+    timeout,
+    allowCredentials: preferredPasskey
+      ? [
+          {
+            id: preferredPasskey.credentialId,
+            type: 'public-key',
+            // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+            transports: preferredPasskey.transports as AuthenticatorTransportFuture[],
+          },
+        ]
+      : undefined,
+  });
+
+  const { secondaryId } = await prisma.verificationToken.create({
+    data: {
+      userId,
+      token: options.challenge,
+      expires: DateTime.now().plus({ minutes: 2 }).toJSDate(),
+      identifier: 'PASSKEY_CHALLENGE',
+    },
+  });
+
+  return {
+    tokenReference: secondaryId,
+    options,
+  };
+};

packages/lib/server-only/auth/create-passkey-registration-options.ts

@@ -5,7 +5,7 @@ import { DateTime } from 'luxon';
 import { prisma } from '@documenso/prisma';
 
 import { PASSKEY_TIMEOUT } from '../../constants/auth';
-import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
+import { getAuthenticatorOptions } from '../../utils/authenticator';
 
 type CreatePasskeyRegistrationOptions = {
   userId: number;
@@ -27,7 +27,7 @@ export const createPasskeyRegistrationOptions = async ({
 
   const { passkeys } = user;
 
-  const { rpName, rpId: rpID } = getAuthenticatorRegistrationOptions();
+  const { rpName, rpId: rpID } = getAuthenticatorOptions();
 
   const options = await generateRegistrationOptions({
     rpName,

packages/lib/server-only/auth/create-passkey-signin-options.ts

@@ -3,14 +3,14 @@ import { DateTime } from 'luxon';
 
 import { prisma } from '@documenso/prisma';
 
-import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
+import { getAuthenticatorOptions } from '../../utils/authenticator';
 
 type CreatePasskeySigninOptions = {
   sessionId: string;
 };
 
 export const createPasskeySigninOptions = async ({ sessionId }: CreatePasskeySigninOptions) => {
-  const { rpId, timeout } = getAuthenticatorRegistrationOptions();
+  const { rpId, timeout } = getAuthenticatorOptions();
 
   const options = await generateAuthenticationOptions({
     rpID: rpId,

packages/lib/server-only/auth/create-passkey.ts

@@ -7,7 +7,7 @@ import { UserSecurityAuditLogType } from '@documenso/prisma/client';
 import { MAXIMUM_PASSKEYS } from '../../constants/auth';
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
-import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
+import { getAuthenticatorOptions } from '../../utils/authenticator';
 
 type CreatePasskeyOptions = {
   userId: number;
@@ -64,7 +64,7 @@ export const createPasskey = async ({
     throw new AppError(AppErrorCode.EXPIRED_CODE, 'Challenge token expired');
   }
 
-  const { rpId: expectedRPID, origin: expectedOrigin } = getAuthenticatorRegistrationOptions();
+  const { rpId: expectedRPID, origin: expectedOrigin } = getAuthenticatorOptions();
 
   const verification = await verifyRegistrationResponse({
     response: verificationResponse,

packages/lib/server-only/auth/find-passkeys.ts

@@ -11,6 +11,7 @@ export interface FindPasskeysOptions {
   orderBy?: {
     column: keyof Passkey;
     direction: 'asc' | 'desc';
+    nulls?: Prisma.NullsOrder;
   };
 }
 
@@ -21,8 +22,9 @@ export const findPasskeys = async ({
   perPage = 10,
   orderBy,
 }: FindPasskeysOptions) => {
-  const orderByColumn = orderBy?.column ?? 'name';
+  const orderByColumn = orderBy?.column ?? 'lastUsedAt';
   const orderByDirection = orderBy?.direction ?? 'desc';
+  const orderByNulls: Prisma.NullsOrder | undefined = orderBy?.nulls ?? 'last';
 
   const whereClause: Prisma.PasskeyWhereInput = {
     userId,
@@ -41,7 +43,10 @@ export const findPasskeys = async ({
       skip: Math.max(page - 1, 0) * perPage,
       take: perPage,
       orderBy: {
-        [orderByColumn]: orderByDirection,
+        [orderByColumn]: {
+          sort: orderByDirection,
+          nulls: orderByNulls,
+        },
       },
       select: {
         id: true,

packages/lib/server-only/document-meta/upsert-document-meta.ts

@@ -2,12 +2,11 @@
 
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
-import {
-  createDocumentAuditLogData,
-  diffDocumentMetaChanges,
-} from '@documenso/lib/utils/document-audit-logs';
+import { diffDocumentMetaChanges } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 
+import { queueJob } from '../queue/job';
+
 export type CreateDocumentMetaOptions = {
   documentId: number;
   subject?: string;
@@ -65,46 +64,45 @@ export const upsertDocumentMeta = async ({
     },
   });
 
-  return await prisma.$transaction(async (tx) => {
-    const upsertedDocumentMeta = await tx.documentMeta.upsert({
-      where: {
+  const upsertedDocumentMeta = await prisma.documentMeta.upsert({
+    where: {
+      documentId,
+    },
+    create: {
+      subject,
+      message,
+      password,
+      dateFormat,
+      timezone,
+      documentId,
+      redirectUrl,
+    },
+    update: {
+      subject,
+      message,
+      password,
+      dateFormat,
+      timezone,
+      redirectUrl,
+    },
+  });
+
+  const changes = diffDocumentMetaChanges(originalDocumentMeta ?? {}, upsertedDocumentMeta);
+
+  if (changes.length > 0) {
+    await queueJob({
+      job: 'create-document-audit-log',
+      args: {
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_META_UPDATED,
         documentId,
-      },
-      create: {
-        subject,
-        message,
-        password,
-        dateFormat,
-        timezone,
-        documentId,
-        redirectUrl,
-      },
-      update: {
-        subject,
-        message,
-        password,
-        dateFormat,
-        timezone,
-        redirectUrl,
+        user,
+        requestMetadata,
+        data: {
+          changes: diffDocumentMetaChanges(originalDocumentMeta ?? {}, upsertedDocumentMeta),
+        },
       },
     });
+  }
 
-    const changes = diffDocumentMetaChanges(originalDocumentMeta ?? {}, upsertedDocumentMeta);
-
-    if (changes.length > 0) {
-      await tx.documentAuditLog.create({
-        data: createDocumentAuditLogData({
-          type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_META_UPDATED,
-          documentId,
-          user,
-          requestMetadata,
-          data: {
-            changes: diffDocumentMetaChanges(originalDocumentMeta ?? {}, upsertedDocumentMeta),
-          },
-        }),
-      });
-    }
-
-    return upsertedDocumentMeta;
-  });
+  return upsertedDocumentMeta;
 };

packages/lib/server-only/document/complete-document-with-token.ts

@@ -2,18 +2,20 @@
 
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
-import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, SigningStatus } from '@documenso/prisma/client';
 import { WebhookTriggerEvents } from '@documenso/prisma/client';
 
+import type { TRecipientActionAuth } from '../../types/document-auth';
+import { queueJob } from '../queue/job';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
 import { sealDocument } from './seal-document';
-import { sendPendingEmail } from './send-pending-email';
 
 export type CompleteDocumentWithTokenOptions = {
   token: string;
   documentId: number;
+  userId?: number;
+  authOptions?: TRecipientActionAuth;
   requestMetadata?: RequestMetadata;
 };
 
@@ -71,6 +73,25 @@ export const completeDocumentWithToken = async ({
     throw new Error(`Recipient ${recipient.id} has unsigned fields`);
   }
 
+  // Document reauth for completing documents is currently not required.
+
+  // const { derivedRecipientActionAuth } = extractDocumentAuthMethods({
+  //   documentAuth: document.authOptions,
+  //   recipientAuth: recipient.authOptions,
+  // });
+
+  // const isValid = await isRecipientAuthorized({
+  //   type: 'ACTION',
+  //   document: document,
+  //   recipient: recipient,
+  //   userId,
+  //   authOptions,
+  // });
+
+  // if (!isValid) {
+  //   throw new AppError(AppErrorCode.UNAUTHORIZED, 'Invalid authentication values');
+  // }
+
   await prisma.recipient.update({
     where: {
       id: recipient.id,
@@ -81,8 +102,9 @@ export const completeDocumentWithToken = async ({
     },
   });
 
-  await prisma.documentAuditLog.create({
-    data: createDocumentAuditLogData({
+  await queueJob({
+    job: 'create-document-audit-log',
+    args: {
       type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_COMPLETED,
       documentId: document.id,
       user: {
@@ -95,8 +117,9 @@ export const completeDocumentWithToken = async ({
         recipientName: recipient.name,
         recipientId: recipient.id,
         recipientRole: recipient.role,
+        // actionAuth: derivedRecipientActionAuth || undefined,
       },
-    }),
+    },
   });
 
   const pendingRecipients = await prisma.recipient.count({
@@ -109,7 +132,13 @@ export const completeDocumentWithToken = async ({
   });
 
   if (pendingRecipients > 0) {
-    await sendPendingEmail({ documentId, recipientId: recipient.id });
+    await queueJob({
+      job: 'send-pending-email',
+      args: {
+        documentId: document.id,
+        recipientId: recipient.id,
+      },
+    });
   }
 
   const documents = await prisma.document.updateMany({

packages/lib/server-only/document/create-document.ts

@@ -3,10 +3,10 @@
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
-import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 import { WebhookTriggerEvents } from '@documenso/prisma/client';
 
+import { queueJob } from '../queue/job';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
 
 export type CreateDocumentOptions = {
@@ -44,35 +44,34 @@ export const createDocument = async ({
     throw new AppError(AppErrorCode.NOT_FOUND, 'Team not found');
   }
 
-  return await prisma.$transaction(async (tx) => {
-    const document = await tx.document.create({
-      data: {
-        title,
-        documentDataId,
-        userId,
-        teamId,
-      },
-    });
-
-    await tx.documentAuditLog.create({
-      data: createDocumentAuditLogData({
-        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_CREATED,
-        documentId: document.id,
-        user,
-        requestMetadata,
-        data: {
-          title,
-        },
-      }),
-    });
-
-    await triggerWebhook({
-      event: WebhookTriggerEvents.DOCUMENT_CREATED,
-      data: document,
+  const document = await prisma.document.create({
+    data: {
+      title,
+      documentDataId,
       userId,
       teamId,
-    });
-
-    return document;
+    },
   });
+
+  await queueJob({
+    job: 'create-document-audit-log',
+    args: {
+      type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_CREATED,
+      documentId: document.id,
+      user,
+      requestMetadata,
+      data: {
+        title,
+      },
+    },
+  });
+
+  await triggerWebhook({
+    event: WebhookTriggerEvents.DOCUMENT_CREATED,
+    data: document,
+    userId,
+    teamId,
+  });
+
+  return document;
 };

packages/lib/server-only/document/delete-document.ts

@@ -2,7 +2,6 @@
 
 import { createElement } from 'react';
 
-import { mailer } from '@documenso/email/mailer';
 import { render } from '@documenso/email/render';
 import DocumentCancelTemplate from '@documenso/email/templates/document-cancel';
 import { prisma } from '@documenso/prisma';
@@ -12,7 +11,7 @@ import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { FROM_ADDRESS, FROM_NAME } from '../../constants/email';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
-import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
+import { queueJob } from '../queue/job';
 
 export type DeleteDocumentOptions = {
   id: number;
@@ -61,23 +60,22 @@ export const deleteDocument = async ({
 
   // if the document is a draft, hard-delete
   if (status === DocumentStatus.DRAFT) {
-    return await prisma.$transaction(async (tx) => {
-      // Currently redundant since deleting a document will delete the audit logs.
-      // However may be useful if we disassociate audit lgos and documents if required.
-      await tx.documentAuditLog.create({
-        data: createDocumentAuditLogData({
-          documentId: id,
-          type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED,
-          user,
-          requestMetadata,
-          data: {
-            type: 'HARD',
-          },
-        }),
-      });
-
-      return await tx.document.delete({ where: { id, status: DocumentStatus.DRAFT } });
+    // Currently redundant since deleting a document will delete the audit logs.
+    // However may be useful if we disassociate audit lgos and documents if required.
+    await queueJob({
+      job: 'create-document-audit-log',
+      args: {
+        documentId: id,
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED,
+        user,
+        requestMetadata,
+        data: {
+          type: 'HARD',
+        },
+      },
     });
+
+    return await prisma.document.delete({ where: { id, status: DocumentStatus.DRAFT } });
   }
 
   // if the document is pending, send cancellation emails to all recipients
@@ -93,44 +91,46 @@ export const deleteDocument = async ({
           assetBaseUrl,
         });
 
-        await mailer.sendMail({
-          to: {
-            address: recipient.email,
-            name: recipient.name,
+        await queueJob({
+          job: 'send-mail',
+          args: {
+            to: {
+              address: recipient.email,
+              name: recipient.name,
+            },
+            from: {
+              name: FROM_NAME,
+              address: FROM_ADDRESS,
+            },
+            subject: 'Document Cancelled',
+            html: render(template),
+            text: render(template, { plainText: true }),
           },
-          from: {
-            name: FROM_NAME,
-            address: FROM_ADDRESS,
-          },
-          subject: 'Document Cancelled',
-          html: render(template),
-          text: render(template, { plainText: true }),
         });
       }),
     );
   }
 
   // If the document is not a draft, only soft-delete.
-  return await prisma.$transaction(async (tx) => {
-    await tx.documentAuditLog.create({
-      data: createDocumentAuditLogData({
-        documentId: id,
-        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED,
-        user,
-        requestMetadata,
-        data: {
-          type: 'SOFT',
-        },
-      }),
-    });
-
-    return await tx.document.update({
-      where: {
-        id,
-      },
+  await queueJob({
+    job: 'create-document-audit-log',
+    args: {
+      documentId: id,
+      type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED,
+      user,
+      requestMetadata,
       data: {
-        deletedAt: new Date().toISOString(),
+        type: 'SOFT',
       },
-    });
+    },
+  });
+
+  return await prisma.document.update({
+    where: {
+      id,
+    },
+    data: {
+      deletedAt: new Date().toISOString(),
+    },
   });
 };

packages/lib/server-only/document/get-document-by-token.ts

@@ -1,13 +1,39 @@
 import { prisma } from '@documenso/prisma';
 import type { DocumentWithRecipient } from '@documenso/prisma/types/document-with-recipient';
 
+import { AppError, AppErrorCode } from '../../errors/app-error';
+import type { TDocumentAuthMethods } from '../../types/document-auth';
+import { isRecipientAuthorized } from './is-recipient-authorized';
+
+export interface GetDocumentAndSenderByTokenOptions {
+  token: string;
+  userId?: number;
+  accessAuth?: TDocumentAuthMethods;
+
+  /**
+   * Whether we enforce the access requirement.
+   *
+   * Defaults to true.
+   */
+  requireAccessAuth?: boolean;
+}
+
+export interface GetDocumentAndRecipientByTokenOptions {
+  token: string;
+  userId?: number;
+  accessAuth?: TDocumentAuthMethods;
+
+  /**
+   * Whether we enforce the access requirement.
+   *
+   * Defaults to true.
+   */
+  requireAccessAuth?: boolean;
+}
 export type GetDocumentByTokenOptions = {
   token: string;
 };
 
-export type GetDocumentAndSenderByTokenOptions = GetDocumentByTokenOptions;
-export type GetDocumentAndRecipientByTokenOptions = GetDocumentByTokenOptions;
-
 export const getDocumentByToken = async ({ token }: GetDocumentByTokenOptions) => {
   if (!token) {
     throw new Error('Missing token');
@@ -26,8 +52,13 @@ export const getDocumentByToken = async ({ token }: GetDocumentByTokenOptions) =
   return result;
 };
 
+export type DocumentAndSender = Awaited<ReturnType<typeof getDocumentAndSenderByToken>>;
+
 export const getDocumentAndSenderByToken = async ({
   token,
+  userId,
+  accessAuth,
+  requireAccessAuth = true,
 }: GetDocumentAndSenderByTokenOptions) => {
   if (!token) {
     throw new Error('Missing token');
@@ -45,12 +76,40 @@ export const getDocumentAndSenderByToken = async ({
       User: true,
       documentData: true,
       documentMeta: true,
+      Recipient: {
+        where: {
+          token,
+        },
+      },
     },
   });
 
   // eslint-disable-next-line no-unused-vars, @typescript-eslint/no-unused-vars
   const { password: _password, ...User } = result.User;
 
+  const recipient = result.Recipient[0];
+
+  // Sanity check, should not be possible.
+  if (!recipient) {
+    throw new Error('Missing recipient');
+  }
+
+  let documentAccessValid = true;
+
+  if (requireAccessAuth) {
+    documentAccessValid = await isRecipientAuthorized({
+      type: 'ACCESS',
+      document: result,
+      recipient,
+      userId,
+      authOptions: accessAuth,
+    });
+  }
+
+  if (!documentAccessValid) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, 'Invalid access values');
+  }
+
   return {
     ...result,
     User,
@@ -62,6 +121,9 @@ export const getDocumentAndSenderByToken = async ({
  */
 export const getDocumentAndRecipientByToken = async ({
   token,
+  userId,
+  accessAuth,
+  requireAccessAuth = true,
 }: GetDocumentAndRecipientByTokenOptions): Promise<DocumentWithRecipient> => {
   if (!token) {
     throw new Error('Missing token');
@@ -85,6 +147,29 @@ export const getDocumentAndRecipientByToken = async ({
     },
   });
 
+  const recipient = result.Recipient[0];
+
+  // Sanity check, should not be possible.
+  if (!recipient) {
+    throw new Error('Missing recipient');
+  }
+
+  let documentAccessValid = true;
+
+  if (requireAccessAuth) {
+    documentAccessValid = await isRecipientAuthorized({
+      type: 'ACCESS',
+      document: result,
+      recipient,
+      userId,
+      authOptions: accessAuth,
+    });
+  }
+
+  if (!documentAccessValid) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, 'Invalid access values');
+  }
+
   return {
     ...result,
     Recipient: result.Recipient,

packages/lib/server-only/document/is-recipient-authorized.ts

@@ -0,0 +1,213 @@
+import { verifyAuthenticationResponse } from '@simplewebauthn/server';
+import { match } from 'ts-pattern';
+
+import { prisma } from '@documenso/prisma';
+import type { Document, Recipient } from '@documenso/prisma/client';
+
+import { verifyTwoFactorAuthenticationToken } from '../2fa/verify-2fa-token';
+import { AppError, AppErrorCode } from '../../errors/app-error';
+import type { TDocumentAuth, TDocumentAuthMethods } from '../../types/document-auth';
+import { DocumentAuth } from '../../types/document-auth';
+import type { TAuthenticationResponseJSONSchema } from '../../types/webauthn';
+import { getAuthenticatorOptions } from '../../utils/authenticator';
+import { extractDocumentAuthMethods } from '../../utils/document-auth';
+
+type IsRecipientAuthorizedOptions = {
+  type: 'ACCESS' | 'ACTION';
+  document: Document;
+  recipient: Recipient;
+
+  /**
+   * The ID of the user who initiated the request.
+   */
+  userId?: number;
+
+  /**
+   * The auth details to check.
+   *
+   * Optional because there are scenarios where no auth options are required such as
+   * using the user ID.
+   */
+  authOptions?: TDocumentAuthMethods;
+};
+
+const getUserByEmail = async (email: string) => {
+  return await prisma.user.findFirst({
+    where: {
+      email,
+    },
+    select: {
+      id: true,
+    },
+  });
+};
+
+/**
+ * Whether the recipient is authorized to perform the requested operation on a
+ * document, given the provided auth options.
+ *
+ * @returns True if the recipient can perform the requested operation.
+ */
+export const isRecipientAuthorized = async ({
+  type,
+  document,
+  recipient,
+  userId,
+  authOptions,
+}: IsRecipientAuthorizedOptions): Promise<boolean> => {
+  const { derivedRecipientAccessAuth, derivedRecipientActionAuth } = extractDocumentAuthMethods({
+    documentAuth: document.authOptions,
+    recipientAuth: recipient.authOptions,
+  });
+
+  const authMethod: TDocumentAuth | null =
+    type === 'ACCESS' ? derivedRecipientAccessAuth : derivedRecipientActionAuth;
+
+  // Early true return when auth is not required.
+  if (!authMethod || authMethod === DocumentAuth.EXPLICIT_NONE) {
+    return true;
+  }
+
+  // Create auth options when none are passed for account.
+  if (!authOptions && authMethod === DocumentAuth.ACCOUNT) {
+    authOptions = {
+      type: DocumentAuth.ACCOUNT,
+    };
+  }
+
+  // Authentication required does not match provided method.
+  if (!authOptions || authOptions.type !== authMethod || !userId) {
+    return false;
+  }
+
+  return await match(authOptions)
+    .with({ type: DocumentAuth.ACCOUNT }, async () => {
+      const recipientUser = await getUserByEmail(recipient.email);
+
+      if (!recipientUser) {
+        return false;
+      }
+
+      return recipientUser.id === userId;
+    })
+    .with({ type: DocumentAuth.PASSKEY }, async ({ authenticationResponse, tokenReference }) => {
+      return await isPasskeyAuthValid({
+        userId,
+        authenticationResponse,
+        tokenReference,
+      });
+    })
+    .with({ type: DocumentAuth.TWO_FACTOR_AUTH }, async ({ token }) => {
+      const user = await prisma.user.findFirst({
+        where: {
+          id: userId,
+        },
+      });
+
+      // Should not be possible.
+      if (!user) {
+        throw new AppError(AppErrorCode.NOT_FOUND, 'User not found');
+      }
+
+      return await verifyTwoFactorAuthenticationToken({
+        user,
+        totpCode: token,
+      });
+    })
+    .exhaustive();
+};
+
+type VerifyPasskeyOptions = {
+  /**
+   * The ID of the user who initiated the request.
+   */
+  userId: number;
+
+  /**
+   * The secondary ID of the verification token.
+   */
+  tokenReference: string;
+
+  /**
+   * The response from the passkey authenticator.
+   */
+  authenticationResponse: TAuthenticationResponseJSONSchema;
+};
+
+/**
+ * Whether the provided passkey authenticator response is valid and the user is
+ * authenticated.
+ */
+const isPasskeyAuthValid = async (options: VerifyPasskeyOptions): Promise<boolean> => {
+  return verifyPasskey(options)
+    .then(() => true)
+    .catch(() => false);
+};
+
+/**
+ * Verifies whether the provided passkey authenticator is valid and the user is
+ * authenticated.
+ *
+ * Will throw an error if the user should not be authenticated.
+ */
+const verifyPasskey = async ({
+  userId,
+  tokenReference,
+  authenticationResponse,
+}: VerifyPasskeyOptions): Promise<void> => {
+  const passkey = await prisma.passkey.findFirst({
+    where: {
+      credentialId: Buffer.from(authenticationResponse.id, 'base64'),
+      userId,
+    },
+  });
+
+  if (!passkey) {
+    throw new AppError(AppErrorCode.NOT_FOUND, 'Passkey not found');
+  }
+
+  const verificationToken = await prisma.verificationToken
+    .delete({
+      where: {
+        userId,
+        secondaryId: tokenReference,
+      },
+    })
+    .catch(() => null);
+
+  if (!verificationToken) {
+    throw new AppError(AppErrorCode.NOT_FOUND, 'Token not found');
+  }
+
+  if (verificationToken.expires < new Date()) {
+    throw new AppError(AppErrorCode.EXPIRED_CODE, 'Token expired');
+  }
+
+  const { rpId, origin } = getAuthenticatorOptions();
+
+  const verification = await verifyAuthenticationResponse({
+    response: authenticationResponse,
+    expectedChallenge: verificationToken.token,
+    expectedOrigin: origin,
+    expectedRPID: rpId,
+    authenticator: {
+      credentialID: new Uint8Array(Array.from(passkey.credentialId)),
+      credentialPublicKey: new Uint8Array(passkey.credentialPublicKey),
+      counter: Number(passkey.counter),
+    },
+  }).catch(() => null); // May want to log this for insights.
+
+  if (verification?.verified !== true) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, 'User is not authorized');
+  }
+
+  await prisma.passkey.update({
+    where: {
+      id: passkey.id,
+    },
+    data: {
+      lastUsedAt: new Date(),
+      counter: verification.authenticationInfo.newCounter,
+    },
+  });
+};

packages/lib/server-only/document/resend-document.tsx

@@ -1,6 +1,5 @@
 import { createElement } from 'react';
 
-import { mailer } from '@documenso/email/mailer';
 import { render } from '@documenso/email/render';
 import { DocumentInviteEmailTemplate } from '@documenso/email/templates/document-invite';
 import { FROM_ADDRESS, FROM_NAME } from '@documenso/lib/constants/email';
@@ -10,13 +9,13 @@ import {
 } from '@documenso/lib/constants/recipient-roles';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
-import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { renderCustomEmailTemplate } from '@documenso/lib/utils/render-custom-email-template';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, RecipientRole, SigningStatus } from '@documenso/prisma/client';
 import type { Prisma } from '@documenso/prisma/client';
 
 import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+import { queueJob } from '../queue/job';
 import { getDocumentWhereInput } from './get-document-by-id';
 
 export type ResendDocumentOptions = {
@@ -110,43 +109,42 @@ export const resendDocument = async ({
 
       const { actionVerb } = RECIPIENT_ROLES_DESCRIPTION[recipient.role];
 
-      await prisma.$transaction(
-        async (tx) => {
-          await mailer.sendMail({
-            to: {
-              address: email,
-              name,
-            },
-            from: {
-              name: FROM_NAME,
-              address: FROM_ADDRESS,
-            },
-            subject: customEmail?.subject
-              ? renderCustomEmailTemplate(customEmail.subject, customEmailTemplate)
-              : `Please ${actionVerb.toLowerCase()} this document`,
-            html: render(template),
-            text: render(template, { plainText: true }),
-          });
-
-          await tx.documentAuditLog.create({
-            data: createDocumentAuditLogData({
-              type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
-              documentId: document.id,
-              user,
-              requestMetadata,
-              data: {
-                emailType: recipientEmailType,
-                recipientEmail: recipient.email,
-                recipientName: recipient.name,
-                recipientRole: recipient.role,
-                recipientId: recipient.id,
-                isResending: true,
-              },
-            }),
-          });
+      await queueJob({
+        job: 'send-mail',
+        args: {
+          to: {
+            address: email,
+            name,
+          },
+          from: {
+            name: FROM_NAME,
+            address: FROM_ADDRESS,
+          },
+          subject: customEmail?.subject
+            ? renderCustomEmailTemplate(customEmail.subject, customEmailTemplate)
+            : `Please ${actionVerb.toLowerCase()} this document`,
+          html: render(template),
+          text: render(template, { plainText: true }),
         },
-        { timeout: 30_000 },
-      );
+      });
+
+      await queueJob({
+        job: 'create-document-audit-log',
+        args: {
+          type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
+          documentId: document.id,
+          user,
+          requestMetadata,
+          data: {
+            emailType: recipientEmailType,
+            recipientEmail: recipient.email,
+            recipientName: recipient.name,
+            recipientRole: recipient.role,
+            recipientId: recipient.id,
+            isResending: true,
+          },
+        },
+      });
     }),
   );
 };

packages/lib/server-only/document/seal-document.ts

@@ -2,22 +2,23 @@
 
 import { nanoid } from 'nanoid';
 import path from 'node:path';
-import { PDFDocument, PDFSignature, rectangle } from 'pdf-lib';
+import { PDFDocument } from 'pdf-lib';
 
 import PostHogServerClient from '@documenso/lib/server-only/feature-flags/get-post-hog-server-client';
-import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
-import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, RecipientRole, SigningStatus } from '@documenso/prisma/client';
 import { WebhookTriggerEvents } from '@documenso/prisma/client';
 import { signPdf } from '@documenso/signing';
 
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { getFile } from '../../universal/upload/get-file';
 import { putFile } from '../../universal/upload/put-file';
+import { flattenAnnotations } from '../pdf/flatten-annotations';
 import { insertFieldInPDF } from '../pdf/insert-field-in-pdf';
+import { normalizeSignatureAppearances } from '../pdf/normalize-signature-appearances';
+import { queueJob } from '../queue/job';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
-import { sendCompletedEmail } from './send-completed-email';
 
 export type SealDocumentOptions = {
   documentId: number;
@@ -91,31 +92,10 @@ export const sealDocument = async ({
 
   const doc = await PDFDocument.load(pdfData);
 
-  const form = doc.getForm();
-
-  // Remove old signatures
-  for (const field of form.getFields()) {
-    if (field instanceof PDFSignature) {
-      field.acroField.getWidgets().forEach((widget) => {
-        widget.ensureAP();
-
-        try {
-          widget.getNormalAppearance();
-        } catch (e) {
-          const { context } = widget.dict;
-
-          const xobj = context.formXObject([rectangle(0, 0, 0, 0)]);
-
-          const streamRef = context.register(xobj);
-
-          widget.setNormalAppearance(streamRef);
-        }
-      });
-    }
-  }
-
-  // Flatten the form to stop annotation layers from appearing above documenso fields
-  form.flatten();
+  // Normalize and flatten layers that could cause issues with the signature
+  normalizeSignatureAppearances(doc);
+  doc.getForm().flatten();
+  flattenAnnotations(doc);
 
   for (const field of fields) {
     await insertFieldInPDF(doc, field);
@@ -145,31 +125,33 @@ export const sealDocument = async ({
     });
   }
 
-  await prisma.$transaction(async (tx) => {
-    await tx.documentData.update({
-      where: {
-        id: documentData.id,
-      },
-      data: {
-        data: newData,
-      },
-    });
+  await prisma.documentData.update({
+    where: {
+      id: documentData.id,
+    },
+    data: {
+      data: newData,
+    },
+  });
 
-    await tx.documentAuditLog.create({
-      data: createDocumentAuditLogData({
-        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_COMPLETED,
-        documentId: document.id,
-        requestMetadata,
-        user: null,
-        data: {
-          transactionId: nanoid(),
-        },
-      }),
-    });
+  await queueJob({
+    job: 'create-document-audit-log',
+    args: {
+      type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_COMPLETED,
+      documentId: document.id,
+      requestMetadata,
+      user: null,
+      data: {
+        transactionId: nanoid(),
+      },
+    },
   });
 
   if (sendEmail && !isResealing) {
-    await sendCompletedEmail({ documentId, requestMetadata });
+    await queueJob({
+      job: 'send-completed-email',
+      args: { documentId, requestMetadata },
+    });
   }
 
   await triggerWebhook({

packages/lib/server-only/document/send-completed-email.ts

@@ -9,7 +9,7 @@ import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { getFile } from '../../universal/upload/get-file';
-import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
+import { queueJob } from '../queue/job';
 
 export interface SendDocumentOptions {
   documentId: number;
@@ -86,8 +86,9 @@ export const sendCompletedEmail = async ({ documentId, requestMetadata }: SendDo
       ],
     });
 
-    await prisma.documentAuditLog.create({
-      data: createDocumentAuditLogData({
+    await queueJob({
+      job: 'create-document-audit-log',
+      args: {
         type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
         documentId: document.id,
         user: null,
@@ -95,12 +96,12 @@ export const sendCompletedEmail = async ({ documentId, requestMetadata }: SendDo
         data: {
           emailType: 'DOCUMENT_COMPLETED',
           recipientEmail: owner.email,
-          recipientName: owner.name,
+          recipientName: owner.name ?? '',
           recipientId: owner.id,
           recipientRole: 'OWNER',
           isResending: false,
         },
-      }),
+      },
     });
   }
 
@@ -136,8 +137,9 @@ export const sendCompletedEmail = async ({ documentId, requestMetadata }: SendDo
         ],
       });
 
-      await prisma.documentAuditLog.create({
-        data: createDocumentAuditLogData({
+      await queueJob({
+        job: 'create-document-audit-log',
+        args: {
           type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
           documentId: document.id,
           user: null,
@@ -150,7 +152,7 @@ export const sendCompletedEmail = async ({ documentId, requestMetadata }: SendDo
             recipientRole: recipient.role,
             isResending: false,
           },
-        }),
+        },
       });
     }),
   );

packages/lib/server-only/document/send-delete-email.ts

@@ -0,0 +1,52 @@
+import { createElement } from 'react';
+
+import { mailer } from '@documenso/email/mailer';
+import { render } from '@documenso/email/render';
+import { DocumentSuperDeleteEmailTemplate } from '@documenso/email/templates/document-super-delete';
+import { prisma } from '@documenso/prisma';
+
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+
+export interface SendDeleteEmailOptions {
+  documentId: number;
+  reason: string;
+}
+
+export const sendDeleteEmail = async ({ documentId, reason }: SendDeleteEmailOptions) => {
+  const document = await prisma.document.findFirst({
+    where: {
+      id: documentId,
+    },
+    include: {
+      User: true,
+    },
+  });
+
+  if (!document) {
+    throw new Error('Document not found');
+  }
+
+  const { email, name } = document.User;
+
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+
+  const template = createElement(DocumentSuperDeleteEmailTemplate, {
+    documentName: document.title,
+    reason,
+    assetBaseUrl,
+  });
+
+  await mailer.sendMail({
+    to: {
+      address: email,
+      name: name || '',
+    },
+    from: {
+      name: process.env.NEXT_PRIVATE_SMTP_FROM_NAME || 'Documenso',
+      address: process.env.NEXT_PRIVATE_SMTP_FROM_ADDRESS || 'noreply@documenso.com',
+    },
+    subject: 'Document Deleted!',
+    html: render(template),
+    text: render(template, { plainText: true }),
+  });
+};

packages/lib/server-only/document/send-document.tsx

@@ -6,7 +6,6 @@ import { DocumentInviteEmailTemplate } from '@documenso/email/templates/document
 import { FROM_ADDRESS, FROM_NAME } from '@documenso/lib/constants/email';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
-import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { renderCustomEmailTemplate } from '@documenso/lib/utils/render-custom-email-template';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, RecipientRole, SendStatus } from '@documenso/prisma/client';
@@ -17,6 +16,7 @@ import {
   RECIPIENT_ROLES_DESCRIPTION,
   RECIPIENT_ROLE_TO_EMAIL_TYPE,
 } from '../../constants/recipient-roles';
+import { queueJob } from '../queue/job';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
 
 export type SendDocumentOptions = {
@@ -113,79 +113,75 @@ export const sendDocument = async ({
 
       const { actionVerb } = RECIPIENT_ROLES_DESCRIPTION[recipient.role];
 
-      await prisma.$transaction(
-        async (tx) => {
-          await mailer.sendMail({
-            to: {
-              address: email,
-              name,
-            },
-            from: {
-              name: FROM_NAME,
-              address: FROM_ADDRESS,
-            },
-            subject: customEmail?.subject
-              ? renderCustomEmailTemplate(customEmail.subject, customEmailTemplate)
-              : `Please ${actionVerb.toLowerCase()} this document`,
-            html: render(template),
-            text: render(template, { plainText: true }),
-          });
-
-          await tx.recipient.update({
-            where: {
-              id: recipient.id,
-            },
-            data: {
-              sendStatus: SendStatus.SENT,
-            },
-          });
-
-          await tx.documentAuditLog.create({
-            data: createDocumentAuditLogData({
-              type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
-              documentId: document.id,
-              user,
-              requestMetadata,
-              data: {
-                emailType: recipientEmailType,
-                recipientEmail: recipient.email,
-                recipientName: recipient.name,
-                recipientRole: recipient.role,
-                recipientId: recipient.id,
-                isResending: false,
-              },
-            }),
-          });
+      // TODO: Move this to a seperate queue of it's own
+      await mailer.sendMail({
+        to: {
+          address: email,
+          name,
         },
-        { timeout: 30_000 },
-      );
+        from: {
+          name: FROM_NAME,
+          address: FROM_ADDRESS,
+        },
+        subject: customEmail?.subject
+          ? renderCustomEmailTemplate(customEmail.subject, customEmailTemplate)
+          : `Please ${actionVerb.toLowerCase()} this document`,
+        html: render(template),
+        text: render(template, { plainText: true }),
+      });
+
+      await prisma.recipient.update({
+        where: {
+          id: recipient.id,
+        },
+        data: {
+          sendStatus: SendStatus.SENT,
+        },
+      });
+
+      await queueJob({
+        job: 'create-document-audit-log',
+        args: {
+          type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
+          documentId: document.id,
+          user,
+          requestMetadata,
+          data: {
+            emailType: recipientEmailType,
+            recipientEmail: recipient.email,
+            recipientName: recipient.name,
+            recipientRole: recipient.role,
+            recipientId: recipient.id,
+            isResending: false,
+          },
+        },
+      });
     }),
   );
 
-  const updatedDocument = await prisma.$transaction(async (tx) => {
-    if (document.status === DocumentStatus.DRAFT) {
-      await tx.documentAuditLog.create({
-        data: createDocumentAuditLogData({
-          type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_SENT,
-          documentId: document.id,
-          requestMetadata,
-          user,
-          data: {},
-        }),
-      });
-    }
-
-    return await tx.document.update({
-      where: {
-        id: documentId,
-      },
-      data: {
-        status: DocumentStatus.PENDING,
-      },
-      include: {
-        Recipient: true,
+  if (document.status === DocumentStatus.DRAFT) {
+    await queueJob({
+      job: 'create-document-audit-log',
+      args: {
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_SENT,
+        documentId: document.id,
+        requestMetadata,
+        user,
+        data: {},
       },
     });
+  }
+
+  const updatedDocument = await prisma.document.update({
+    where: {
+      id: documentId,
+    },
+    data: {
+      status: DocumentStatus.PENDING,
+    },
+    include: {
+      Recipient: true,
+    },
   });
 
   await triggerWebhook({

packages/lib/server-only/document/super-delete-document.ts

@@ -0,0 +1,86 @@
+'use server';
+
+import { createElement } from 'react';
+
+import { render } from '@documenso/email/render';
+import DocumentCancelTemplate from '@documenso/email/templates/document-cancel';
+import { prisma } from '@documenso/prisma';
+import { DocumentStatus } from '@documenso/prisma/client';
+
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+import { FROM_ADDRESS, FROM_NAME } from '../../constants/email';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
+import { queueJob } from '../queue/job';
+
+export type SuperDeleteDocumentOptions = {
+  id: number;
+  requestMetadata?: RequestMetadata;
+};
+
+export const superDeleteDocument = async ({ id, requestMetadata }: SuperDeleteDocumentOptions) => {
+  const document = await prisma.document.findUnique({
+    where: {
+      id,
+    },
+    include: {
+      Recipient: true,
+      documentMeta: true,
+      User: true,
+    },
+  });
+
+  if (!document) {
+    throw new Error('Document not found');
+  }
+
+  const { status, User: user } = document;
+
+  // if the document is pending, send cancellation emails to all recipients
+  if (status === DocumentStatus.PENDING && document.Recipient.length > 0) {
+    await Promise.all(
+      document.Recipient.map(async (recipient) => {
+        const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+        const template = createElement(DocumentCancelTemplate, {
+          documentName: document.title,
+          inviterName: user.name || undefined,
+          inviterEmail: user.email,
+          assetBaseUrl,
+        });
+
+        await queueJob({
+          job: 'send-mail',
+          args: {
+            to: {
+              address: recipient.email,
+              name: recipient.name,
+            },
+            from: {
+              name: FROM_NAME,
+              address: FROM_ADDRESS,
+            },
+            subject: 'Document Cancelled',
+            html: render(template),
+            text: render(template, { plainText: true }),
+          },
+        });
+      }),
+    );
+  }
+
+  await queueJob({
+    job: 'create-document-audit-log',
+    args: {
+      documentId: id,
+      type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED,
+      user,
+      requestMetadata,
+      data: {
+        type: 'HARD',
+      },
+    },
+  });
+
+  // always hard delete if deleted from admin
+  return await prisma.document.delete({ where: { id } });
+};

packages/lib/server-only/document/update-document-settings.ts

@@ -0,0 +1,178 @@
+'use server';
+
+import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import type { CreateDocumentAuditLogDataResponse } from '@documenso/lib/utils/document-audit-logs';
+import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
+import { prisma } from '@documenso/prisma';
+import { DocumentStatus } from '@documenso/prisma/client';
+
+import { AppError, AppErrorCode } from '../../errors/app-error';
+import type { TDocumentAccessAuthTypes, TDocumentActionAuthTypes } from '../../types/document-auth';
+import { createDocumentAuthOptions, extractDocumentAuthMethods } from '../../utils/document-auth';
+
+export type UpdateDocumentSettingsOptions = {
+  userId: number;
+  teamId?: number;
+  documentId: number;
+  data: {
+    title?: string;
+    globalAccessAuth?: TDocumentAccessAuthTypes | null;
+    globalActionAuth?: TDocumentActionAuthTypes | null;
+  };
+  requestMetadata?: RequestMetadata;
+};
+
+export const updateDocumentSettings = async ({
+  userId,
+  teamId,
+  documentId,
+  data,
+  requestMetadata,
+}: UpdateDocumentSettingsOptions) => {
+  if (!data.title && !data.globalAccessAuth && !data.globalActionAuth) {
+    throw new AppError(AppErrorCode.INVALID_BODY, 'Missing data to update');
+  }
+
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+  });
+
+  const document = await prisma.document.findFirstOrThrow({
+    where: {
+      id: documentId,
+      ...(teamId
+        ? {
+            team: {
+              id: teamId,
+              members: {
+                some: {
+                  userId,
+                },
+              },
+            },
+          }
+        : {
+            userId,
+            teamId: null,
+          }),
+    },
+  });
+
+  const { documentAuthOption } = extractDocumentAuthMethods({
+    documentAuth: document.authOptions,
+  });
+
+  const documentGlobalAccessAuth = documentAuthOption?.globalAccessAuth ?? null;
+  const documentGlobalActionAuth = documentAuthOption?.globalActionAuth ?? null;
+
+  // If the new global auth values aren't passed in, fallback to the current document values.
+  const newGlobalAccessAuth =
+    data?.globalAccessAuth === undefined ? documentGlobalAccessAuth : data.globalAccessAuth;
+  const newGlobalActionAuth =
+    data?.globalActionAuth === undefined ? documentGlobalActionAuth : data.globalActionAuth;
+
+  // Check if user has permission to set the global action auth.
+  if (newGlobalActionAuth) {
+    const isDocumentEnterprise = await isUserEnterprise({
+      userId,
+      teamId,
+    });
+
+    if (!isDocumentEnterprise) {
+      throw new AppError(
+        AppErrorCode.UNAUTHORIZED,
+        'You do not have permission to set the action auth',
+      );
+    }
+  }
+
+  const isTitleSame = data.title === document.title;
+  const isGlobalAccessSame = documentGlobalAccessAuth === newGlobalAccessAuth;
+  const isGlobalActionSame = documentGlobalActionAuth === newGlobalActionAuth;
+
+  const auditLogs: CreateDocumentAuditLogDataResponse[] = [];
+
+  if (!isTitleSame && document.status !== DocumentStatus.DRAFT) {
+    throw new AppError(
+      AppErrorCode.INVALID_BODY,
+      'You cannot update the title if the document has been sent',
+    );
+  }
+
+  if (!isTitleSame) {
+    auditLogs.push(
+      createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_TITLE_UPDATED,
+        documentId,
+        user,
+        requestMetadata,
+        data: {
+          from: document.title,
+          to: data.title || '',
+        },
+      }),
+    );
+  }
+
+  if (!isGlobalAccessSame) {
+    auditLogs.push(
+      createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_GLOBAL_AUTH_ACCESS_UPDATED,
+        documentId,
+        user,
+        requestMetadata,
+        data: {
+          from: documentGlobalAccessAuth,
+          to: newGlobalAccessAuth,
+        },
+      }),
+    );
+  }
+
+  if (!isGlobalActionSame) {
+    auditLogs.push(
+      createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_GLOBAL_AUTH_ACTION_UPDATED,
+        documentId,
+        user,
+        requestMetadata,
+        data: {
+          from: documentGlobalActionAuth,
+          to: newGlobalActionAuth,
+        },
+      }),
+    );
+  }
+
+  // Early return if nothing is required.
+  if (auditLogs.length === 0) {
+    return document;
+  }
+
+  return await prisma.$transaction(async (tx) => {
+    const authOptions = createDocumentAuthOptions({
+      globalAccessAuth: newGlobalAccessAuth,
+      globalActionAuth: newGlobalActionAuth,
+    });
+
+    const updatedDocument = await tx.document.update({
+      where: {
+        id: documentId,
+      },
+      data: {
+        title: data.title,
+        authOptions,
+      },
+    });
+
+    await tx.documentAuditLog.createMany({
+      data: auditLogs,
+    });
+
+    return updatedDocument;
+  });
+};

packages/lib/server-only/document/update-title.ts

@@ -2,9 +2,10 @@
 
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
-import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
 
+import { queueJob } from '../queue/job';
+
 export type UpdateTitleOptions = {
   userId: number;
   teamId?: number;
@@ -51,33 +52,32 @@ export const updateTitle = async ({
     return document;
   }
 
-  return await prisma.$transaction(async (tx) => {
-    // Instead of doing everything in a transaction we can use our knowledge
-    // of the current document title to ensure we aren't performing a conflicting
-    // update.
-    const updatedDocument = await tx.document.update({
-      where: {
-        id: documentId,
-        title: document.title,
-      },
-      data: {
-        title,
-      },
-    });
-
-    await tx.documentAuditLog.create({
-      data: createDocumentAuditLogData({
-        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_TITLE_UPDATED,
-        documentId,
-        user,
-        requestMetadata,
-        data: {
-          from: document.title,
-          to: updatedDocument.title,
-        },
-      }),
-    });
-
-    return updatedDocument;
+  // Instead of doing everything in a transaction we can use our knowledge
+  // of the current document title to ensure we aren't performing a conflicting
+  // update.
+  const updatedDocument = await prisma.document.update({
+    where: {
+      id: documentId,
+      title: document.title,
+    },
+    data: {
+      title,
+    },
   });
+
+  await queueJob({
+    job: 'create-document-audit-log',
+    args: {
+      type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_TITLE_UPDATED,
+      documentId,
+      user,
+      requestMetadata,
+      data: {
+        from: document.title,
+        to: updatedDocument.title,
+      },
+    },
+  });
+
+  return updatedDocument;
 };