diff --git a/.github/workflows/budibase_ci.yml b/.github/workflows/budibase_ci.yml
index c07f9b2c28..e0263546ff 100644
--- a/.github/workflows/budibase_ci.yml
+++ b/.github/workflows/budibase_ci.yml
@@ -11,7 +11,6 @@ on:
     branches:
       - master
       - develop 
-      - release 
  workflow_dispatch:
 
 env:
@@ -20,9 +19,53 @@ env:
   PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js 14.x
+      uses: actions/setup-node@v1
+      with:
+        node-version: 14.x
+    - run: yarn
+    - run: yarn lint
+
   build:
     runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js 14.x
+        uses: actions/setup-node@v1
+        with:
+          node-version: 14.x
+      - name: Install Pro
+        run: yarn install:pro $BRANCH $BASE_BRANCH
+      - run: yarn
+      - run: yarn bootstrap
+      - run: yarn build
 
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js 14.x
+        uses: actions/setup-node@v1
+        with:
+          node-version: 14.x
+      - name: Install Pro
+        run: yarn install:pro $BRANCH $BASE_BRANCH
+      - run: yarn
+      - run: yarn bootstrap
+      - run: yarn test
+      - uses: codecov/codecov-action@v1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
+          files: ./packages/server/coverage/clover.xml,./packages/worker/coverage/clover.xml,./packages/backend-core/coverage/clover.xml
+          name: codecov-umbrella
+          verbose: true
+
+  integration-test:
+    runs-on: ubuntu-latest
     services:
       couchdb:
         image: ibmcom/couchdb3
@@ -31,39 +74,18 @@ jobs:
           COUCHDB_USER: budibase
         ports:
           - 4567:5984
-
-    strategy:
-      matrix:
-        node-version: [14.x]
-
     steps:
-    - uses: actions/checkout@v2
-
-    - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v1
-      with:
-        node-version: ${{ matrix.node-version }}
-
-    - name: Install Pro
-      run: yarn install:pro $BRANCH $BASE_BRANCH
-
-    - run: yarn
-    - run: yarn bootstrap
-    - run: yarn lint
-    - run: yarn build
-    - run: yarn test
-      env:
-        CI: true
-        name: Budibase CI
-    - uses: codecov/codecov-action@v1
-      with:
-        token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
-        files: ./packages/server/coverage/clover.xml,./packages/worker/coverage/clover.xml,./packages/backend-core/coverage/clover.xml
-        name: codecov-umbrella
-        verbose: true 
-
-    - name: QA Core Integration Tests
-      run: | 
-        cd qa-core
-        yarn
-        yarn api:test:ci
\ No newline at end of file
+      - uses: actions/checkout@v2
+      - name: Use Node.js 14.x
+        uses: actions/setup-node@v1
+        with:
+          node-version: 14.x
+      - name: Install Pro
+        run: yarn install:pro $BRANCH $BASE_BRANCH
+      - run: yarn
+      - run: yarn bootstrap
+      - run: yarn build
+      - run: |
+          cd qa-core
+          yarn
+          yarn api:test:ci
diff --git a/.github/workflows/release-develop.yml b/.github/workflows/release-develop.yml
index 1ac6b20003..16c6c37bbd 100644
--- a/.github/workflows/release-develop.yml
+++ b/.github/workflows/release-develop.yml
@@ -45,10 +45,9 @@ jobs:
 
       - run: yarn 
       - run: yarn bootstrap
-      - run: yarn lint 
       - run: yarn build
       - run: yarn build:sdk
-      - run: yarn test
+#      - run: yarn test
 
       - name: Publish budibase packages to NPM
         env:
@@ -194,5 +193,5 @@ jobs:
           PAYLOAD_VERSION: ${{ env.RELEASE_VERSION }}
         with:
           repository: budibase/budibase-deploys
-          event: deploy-budibase-develop-to-qa
+          event: budicloud-qa-deploy
           github_pat: ${{ secrets.GH_ACCESS_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/smoke_test.yaml b/.github/workflows/smoke_test.yaml
index 29c7f5f85a..3fd61cd9c5 100644
--- a/.github/workflows/smoke_test.yaml
+++ b/.github/workflows/smoke_test.yaml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   nightly:
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, qa]
 
     steps:
       - uses: actions/checkout@v2
@@ -15,30 +15,17 @@ jobs:
         uses: actions/setup-node@v1
         with:
           node-version: 14.x
-      - run: yarn
-      - run: yarn bootstrap
-      - run: yarn build
-      - name: Pull  from budibase-infra
+      - name: QA Core Integration Tests
         run: | 
-          curl -H "Authorization: token ${{ secrets.GH_PERSONAL_TOKEN }}" \
-          -H 'Accept: application/vnd.github.v3.raw' \
-          -o 
-          -L 
-          wc -l 
-      
-      - uses: actions/upload-artifact@v3
-        with:
-          name: Test Reports
-          path: 
+          cd qa-core
+          yarn
+          yarn api:test:ci
+        env:
+          BUDIBASE_HOST: budicloud.qa.budibase.net
+          BUDIBASE_ACCOUNTS_URL: https://account-portal.budicloud.qa.budibase.net
 
-      # TODO: enable once running in QA test env
-      # - name: Configure AWS Credentials
-      #   uses: aws-actions/configure-aws-credentials@v1
-      #   with:
-      #     aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      #     aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      #     aws-region: eu-west-1
-      
-      # - name: Upload test results HTML
-      #   uses: aws-actions/configure-aws-credentials@v1
-      #   run: aws s3 cp packages/builder/cypress/reports/testReport.html s3://{{ secrets.BUDI_QA_REPORTS_BUCKET_NAME }}/$GITHUB_RUN_ID/index.html
+      - name: Cypress Discord Notify
+        run: yarn test:notify
+        env:
+          WEBHOOK_URL: ${{ secrets.BUDI_QA_WEBHOOK }}
+          GITHUB_RUN_URL: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
\ No newline at end of file
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 3b614330e0..6700f51282 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,2 @@
 #!/bin/sh
 . "$(dirname "$0")/_/husky.sh"
-
-yarn run lint
diff --git a/charts/budibase/templates/app-service-deployment.yaml b/charts/budibase/templates/app-service-deployment.yaml
index 9ac8a1e7c6..6b0a0338d6 100644
--- a/charts/budibase/templates/app-service-deployment.yaml
+++ b/charts/budibase/templates/app-service-deployment.yaml
@@ -4,9 +4,15 @@ metadata:
   annotations:
     kompose.cmd: kompose convert
     kompose.version: 1.21.0 (992df58d8)
+{{ if .Values.services.apps.deploymentAnnotations }}
+{{- toYaml .Values.services.apps.deploymentAnnotations | indent 4 -}}
+{{ end }}
   creationTimestamp: null
   labels:
     io.kompose.service: app-service
+{{ if .Values.services.apps.deploymentLabels }}
+{{- toYaml .Values.services.apps.deploymentLabels | indent 4 -}}
+{{ end }}
   name: app-service
 spec:
   replicas: {{ .Values.services.apps.replicaCount }}
@@ -20,12 +26,15 @@ spec:
       annotations:
         kompose.cmd: kompose convert
         kompose.version: 1.21.0 (992df58d8)
-{{ if .Values.services.apps.annotations }}
-{{- toYaml .Values.services.apps.annotations | indent 8 -}}
+{{ if .Values.services.apps.templateAnnotations }}
+{{- toYaml .Values.services.apps.templateAnnotations | indent 8 -}}
 {{ end }}
       creationTimestamp: null
       labels:
         io.kompose.service: app-service
+{{ if .Values.services.apps.templateLabels }}
+{{- toYaml .Values.services.apps.templateLabels | indent 8 -}}
+{{ end }}
     spec:
       containers:
       - env:
@@ -157,6 +166,14 @@ spec:
         - name: NODE_DEBUG
           value: {{ .Values.services.apps.nodeDebug | quote }}
         {{ end }}
+        {{ if .Values.globals.datadogApmEnabled }}
+        - name: DD_LOGS_INJECTION
+          value: {{ .Values.globals.datadogApmEnabled | quote }}
+        - name: DD_APM_ENABLED
+          value: {{ .Values.globals.datadogApmEnabled | quote }}
+        - name: DD_APM_DD_URL
+          value: https://trace.agent.datadoghq.eu
+        {{ end }}
         {{ if .Values.globals.elasticApmEnabled }}
         - name: ELASTIC_APM_ENABLED
           value: {{ .Values.globals.elasticApmEnabled | quote }}
diff --git a/charts/budibase/templates/proxy-service-deployment.yaml b/charts/budibase/templates/proxy-service-deployment.yaml
index 6064905c4c..e422df8db3 100644
--- a/charts/budibase/templates/proxy-service-deployment.yaml
+++ b/charts/budibase/templates/proxy-service-deployment.yaml
@@ -4,9 +4,15 @@ metadata:
   annotations:
     kompose.cmd: kompose convert
     kompose.version: 1.21.0 (992df58d8)
+{{ if .Values.services.proxy.deploymentAnnotations }}
+{{- toYaml .Values.services.proxy.deploymentAnnotations | indent 4 -}}
+{{ end }}
   creationTimestamp: null
   labels:
     app.kubernetes.io/name: budibase-proxy
+{{ if .Values.services.proxy.deploymentLabels }}
+{{- toYaml .Values.services.proxy.deploymentLabels | indent 4 -}}
+{{ end }}
   name: proxy-service
 spec:
   replicas: {{ .Values.services.proxy.replicaCount }}
@@ -20,12 +26,15 @@ spec:
       annotations:
         kompose.cmd: kompose convert
         kompose.version: 1.21.0 (992df58d8)
-{{ if .Values.services.proxy.annotations }}
-{{- toYaml .Values.services.proxy.annotations | indent 8 -}}
+{{ if .Values.services.proxy.templateAnnotations }}
+{{- toYaml .Values.services.proxy.templateAnnotations | indent 8 -}}
 {{ end }}
       creationTimestamp: null
       labels:
         app.kubernetes.io/name: budibase-proxy
+{{ if .Values.services.proxy.templateLabels }}
+{{- toYaml .Values.services.proxy.templateLabels | indent 8 -}}
+{{ end }}
     spec:
       containers:
       - image: budibase/proxy:{{ .Values.globals.appVersion }}
diff --git a/charts/budibase/templates/worker-service-deployment.yaml b/charts/budibase/templates/worker-service-deployment.yaml
index a16f839ea7..f4305fbb00 100644
--- a/charts/budibase/templates/worker-service-deployment.yaml
+++ b/charts/budibase/templates/worker-service-deployment.yaml
@@ -4,13 +4,18 @@ metadata:
   annotations:
     kompose.cmd: kompose convert
     kompose.version: 1.21.0 (992df58d8)
+{{ if .Values.services.worker.deploymentAnnotations }}
+{{- toYaml .Values.services.worker.deploymentAnnotations | indent 4 -}}
+{{ end }}
   creationTimestamp: null
   labels:
     io.kompose.service: worker-service
+{{ if .Values.services.worker.deploymentLabels }}
+{{- toYaml .Values.services.worker.deploymentLabels | indent 4 -}}
+{{ end }}
   name: worker-service
 spec:
   replicas: {{ .Values.services.worker.replicaCount }}
-
   selector:
     matchLabels:
       io.kompose.service: worker-service
@@ -21,12 +26,15 @@ spec:
       annotations:
         kompose.cmd: kompose convert
         kompose.version: 1.21.0 (992df58d8)
-{{ if .Values.services.worker.annotations }}
-{{- toYaml .Values.services.worker.annotations | indent 8 -}}
+{{ if .Values.services.worker.templateAnnotations }}
+{{- toYaml .Values.services.worker.templateAnnotations | indent 8 -}}
 {{ end }}
       creationTimestamp: null
       labels:
         io.kompose.service: worker-service
+{{ if .Values.services.worker.templateLabels }}
+{{- toYaml .Values.services.worker.templateLabels | indent 8 -}}
+{{ end }}
     spec:
       containers:
       - env:
@@ -148,6 +156,14 @@ spec:
           value: {{ .Values.globals.tenantFeatureFlags | quote }}
         - name: ENCRYPTION_KEY
           value: {{ .Values.globals.bbEncryptionKey | quote }}
+        {{ if .Values.globals.datadogApmEnabled }}
+        - name: DD_LOGS_INJECTION
+          value: {{ .Values.globals.datadogApmEnabled | quote }}
+        - name: DD_APM_ENABLED
+          value: {{ .Values.globals.datadogApmEnabled | quote }}
+        - name: DD_APM_DD_URL
+          value: https://trace.agent.datadoghq.eu
+        {{ end }}
         {{ if .Values.globals.elasticApmEnabled }}
         - name: ELASTIC_APM_ENABLED
           value: {{ .Values.globals.elasticApmEnabled | quote }}
diff --git a/hosting/proxy/nginx.prod.conf b/hosting/proxy/nginx.prod.conf
index 21b337deae..4d8b3466bf 100644
--- a/hosting/proxy/nginx.prod.conf
+++ b/hosting/proxy/nginx.prod.conf
@@ -55,7 +55,7 @@ http {
     set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
     set $csp_object "object-src 'none'";
     set $csp_base_uri "base-uri 'self'";
-    set $csp_connect "connect-src 'self' https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io  https://api-ping.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io  wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io  https://uploads.intercomcdn.com  https://uploads.intercomusercontent.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com https://api.github.com";
+    set $csp_connect "connect-src 'self' https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io  https://api-ping.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io  wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io  https://uploads.intercomcdn.com  https://uploads.intercomusercontent.com https://*.s3.*.amazonaws.com https://s3.*.amazonaws.com https://api.github.com";
     set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com  https://js.intercomcdn.com  https://fonts.intercomcdn.com";
     set $csp_frame "frame-src 'self' https:";
     set $csp_img "img-src http: https: data: blob:";
diff --git a/lerna.json b/lerna.json
index 1106160923..a881722de6 100644
--- a/lerna.json
+++ b/lerna.json
@@ -1,5 +1,5 @@
 {
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "npmClient": "yarn",
   "packages": [
     "packages/*"
diff --git a/packages/backend-core/jest.config.ts b/packages/backend-core/jest.config.ts
index 0483fb073a..1e69797e71 100644
--- a/packages/backend-core/jest.config.ts
+++ b/packages/backend-core/jest.config.ts
@@ -9,15 +9,9 @@ const baseConfig: Config.InitialProjectOptions = {
   transform: {
     "^.+\\.ts?$": "@swc/jest",
   },
-}
-
-if (!process.env.CI) {
-  // use sources when not in CI
-  baseConfig.moduleNameMapper = {
+  moduleNameMapper: {
     "@budibase/types": "<rootDir>/../types/src",
-  }
-} else {
-  console.log("Running tests with compiled dependency sources")
+  },
 }
 
 const config: Config.InitialOptions = {
diff --git a/packages/backend-core/package.json b/packages/backend-core/package.json
index 705e4b1114..a32f5fd4dd 100644
--- a/packages/backend-core/package.json
+++ b/packages/backend-core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@budibase/backend-core",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "description": "Budibase backend core libraries used in server and worker",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",
@@ -18,13 +18,13 @@
     "build:pro": "../../scripts/pro/build.sh",
     "postbuild": "yarn run build:pro",
     "build:dev": "yarn prebuild && tsc --build --watch --preserveWatchOutput",
-    "test": "jest --coverage --maxWorkers=2",
+    "test": "jest --coverage --runInBand",
     "test:watch": "jest --watchAll"
   },
   "dependencies": {
     "@budibase/nano": "10.1.1",
     "@budibase/pouchdb-replication-stream": "1.2.10",
-    "@budibase/types": "2.3.14-alpha.0",
+    "@budibase/types": "2.3.18-alpha.0",
     "@shopify/jest-koa-mocks": "5.0.1",
     "@techpass/passport-openidconnect": "0.3.2",
     "aws-cloudfront-sign": "2.2.0",
@@ -62,7 +62,7 @@
     "@trendyol/jest-testcontainers": "^2.1.1",
     "@types/chance": "1.1.3",
     "@types/ioredis": "4.28.0",
-    "@types/jest": "27.5.1",
+    "@types/jest": "28.1.1",
     "@types/koa": "2.13.4",
     "@types/koa-pino-logger": "3.0.0",
     "@types/lodash": "4.14.180",
diff --git a/packages/backend-core/src/cloud/accounts.ts b/packages/backend-core/src/accounts/accounts.ts
similarity index 69%
rename from packages/backend-core/src/cloud/accounts.ts
rename to packages/backend-core/src/accounts/accounts.ts
index 90fa7ab824..a16d0f1074 100644
--- a/packages/backend-core/src/cloud/accounts.ts
+++ b/packages/backend-core/src/accounts/accounts.ts
@@ -1,13 +1,24 @@
 import API from "./api"
 import env from "../environment"
 import { Header } from "../constants"
-import { CloudAccount } from "@budibase/types"
+import { CloudAccount, HealthStatusResponse } from "@budibase/types"
 
 const api = new API(env.ACCOUNT_PORTAL_URL)
 
+/**
+ * This client is intended to be used in a cloud hosted deploy only.
+ * Rather than relying on each consumer to perform the necessary environmental checks
+ * we use the following check to exit early with a undefined response which should be
+ * handled by the caller.
+ */
+const EXIT_EARLY = env.SELF_HOSTED || env.DISABLE_ACCOUNT_PORTAL
+
 export const getAccount = async (
   email: string
 ): Promise<CloudAccount | undefined> => {
+  if (EXIT_EARLY) {
+    return
+  }
   const payload = {
     email,
   }
@@ -29,6 +40,9 @@ export const getAccount = async (
 export const getAccountByTenantId = async (
   tenantId: string
 ): Promise<CloudAccount | undefined> => {
+  if (EXIT_EARLY) {
+    return
+  }
   const payload = {
     tenantId,
   }
@@ -47,7 +61,12 @@ export const getAccountByTenantId = async (
   return json[0]
 }
 
-export const getStatus = async () => {
+export const getStatus = async (): Promise<
+  HealthStatusResponse | undefined
+> => {
+  if (EXIT_EARLY) {
+    return
+  }
   const response = await api.get(`/api/status`, {
     headers: {
       [Header.API_KEY]: env.ACCOUNT_PORTAL_API_KEY,
diff --git a/packages/backend-core/src/cloud/api.ts b/packages/backend-core/src/accounts/api.ts
similarity index 100%
rename from packages/backend-core/src/cloud/api.ts
rename to packages/backend-core/src/accounts/api.ts
diff --git a/packages/backend-core/src/accounts/index.ts b/packages/backend-core/src/accounts/index.ts
new file mode 100644
index 0000000000..f2ae03040e
--- /dev/null
+++ b/packages/backend-core/src/accounts/index.ts
@@ -0,0 +1 @@
+export * from "./accounts"
diff --git a/packages/backend-core/src/auth/auth.ts b/packages/backend-core/src/auth/auth.ts
index bbefb2933d..bee245a3ae 100644
--- a/packages/backend-core/src/auth/auth.ts
+++ b/packages/backend-core/src/auth/auth.ts
@@ -1,10 +1,11 @@
 const _passport = require("koa-passport")
 const LocalStrategy = require("passport-local").Strategy
 const JwtStrategy = require("passport-jwt").Strategy
-import { getGlobalDB } from "../tenancy"
+import { getGlobalDB } from "../context"
 const refresh = require("passport-oauth2-refresh")
-import { Config } from "../constants"
+import { Config, Cookie } from "../constants"
 import { getScopedConfig } from "../db"
+import { getSessionsForUser, invalidateSessions } from "../security/sessions"
 import {
   jwt as jwtPassport,
   local,
@@ -15,8 +16,11 @@ import {
   google,
 } from "../middleware"
 import { invalidateUser } from "../cache/user"
-import { User } from "@budibase/types"
+import { PlatformLogoutOpts, User } from "@budibase/types"
 import { logAlert } from "../logging"
+import * as events from "../events"
+import * as userCache from "../cache/user"
+import { clearCookie, getCookie } from "../utils"
 export {
   auditLog,
   authError,
@@ -29,6 +33,7 @@ export {
   google,
   oidc,
 } from "../middleware"
+import { ssoSaveUserNoOp } from "../middleware/passport/sso/sso"
 export const buildAuthMiddleware = authenticated
 export const buildTenancyMiddleware = tenancy
 export const buildCsrfMiddleware = csrf
@@ -71,7 +76,7 @@ async function refreshOIDCAccessToken(
     if (!enrichedConfig) {
       throw new Error("OIDC Config contents invalid")
     }
-    strategy = await oidc.strategyFactory(enrichedConfig)
+    strategy = await oidc.strategyFactory(enrichedConfig, ssoSaveUserNoOp)
   } catch (err) {
     console.error(err)
     throw new Error("Could not refresh OAuth Token")
@@ -103,7 +108,11 @@ async function refreshGoogleAccessToken(
 
   let strategy
   try {
-    strategy = await google.strategyFactory(config, callbackUrl)
+    strategy = await google.strategyFactory(
+      config,
+      callbackUrl,
+      ssoSaveUserNoOp
+    )
   } catch (err: any) {
     console.error(err)
     throw new Error(
@@ -161,6 +170,8 @@ export async function refreshOAuthToken(
   return refreshResponse
 }
 
+// TODO: Refactor to use user save function instead to prevent the need for
+// manually saving and invalidating on callback
 export async function updateUserOAuth(userId: string, oAuthConfig: any) {
   const details = {
     accessToken: oAuthConfig.accessToken,
@@ -188,3 +199,32 @@ export async function updateUserOAuth(userId: string, oAuthConfig: any) {
     console.error("Could not update OAuth details for current user", e)
   }
 }
+
+/**
+ * Logs a user out from budibase. Re-used across account portal and builder.
+ */
+export async function platformLogout(opts: PlatformLogoutOpts) {
+  const ctx = opts.ctx
+  const userId = opts.userId
+  const keepActiveSession = opts.keepActiveSession
+
+  if (!ctx) throw new Error("Koa context must be supplied to logout.")
+
+  const currentSession = getCookie(ctx, Cookie.Auth)
+  let sessions = await getSessionsForUser(userId)
+
+  if (keepActiveSession) {
+    sessions = sessions.filter(
+      session => session.sessionId !== currentSession.sessionId
+    )
+  } else {
+    // clear cookies
+    clearCookie(ctx, Cookie.Auth)
+    clearCookie(ctx, Cookie.CurrentApp)
+  }
+
+  const sessionIds = sessions.map(({ sessionId }) => sessionId)
+  await invalidateSessions(userId, { sessionIds, reason: "logout" })
+  await events.auth.logout()
+  await userCache.invalidateUser(userId)
+}
diff --git a/packages/backend-core/src/auth/tests/auth.spec.ts b/packages/backend-core/src/auth/tests/auth.spec.ts
new file mode 100644
index 0000000000..307f6a63c8
--- /dev/null
+++ b/packages/backend-core/src/auth/tests/auth.spec.ts
@@ -0,0 +1,13 @@
+import { structures, testEnv } from "../../../tests"
+import * as auth from "../auth"
+import * as events from "../../events"
+
+describe("platformLogout", () => {
+  it("should call platform logout", async () => {
+    await testEnv.withTenant(async () => {
+      const ctx = structures.koa.newContext()
+      await auth.platformLogout({ ctx, userId: "test" })
+      expect(events.auth.logout).toBeCalledTimes(1)
+    })
+  })
+})
diff --git a/packages/backend-core/src/cache/tests/writethrough.spec.js b/packages/backend-core/src/cache/tests/writethrough.spec.js
deleted file mode 100644
index fefca30c18..0000000000
--- a/packages/backend-core/src/cache/tests/writethrough.spec.js
+++ /dev/null
@@ -1,61 +0,0 @@
-require("../../../tests")
-const { Writethrough } = require("../writethrough")
-const { getDB } = require("../../db")
-const tk = require("timekeeper")
-const { structures } = require("../../../tests")
-
-const START_DATE = Date.now()
-tk.freeze(START_DATE)
-
-
-const DELAY = 5000
-
-const db = getDB(structures.db.id())
-const db2 = getDB(structures.db.id())
-const writethrough = new Writethrough(db, DELAY), writethrough2 = new Writethrough(db2, DELAY)
-
-describe("writethrough", () => {
-  describe("put", () => {
-    let first
-    it("should be able to store, will go to DB", async () => {
-      const response = await writethrough.put({ _id: "test", value: 1 })
-      const output = await db.get(response.id)
-      first = output
-      expect(output.value).toBe(1)
-    })
-
-    it("second put shouldn't update DB", async () => {
-      const response = await writethrough.put({ ...first, value: 2 })
-      const output = await db.get(response.id)
-      expect(first._rev).toBe(output._rev)
-      expect(output.value).toBe(1)
-    })
-
-    it("should put it again after delay period", async () => {
-      tk.freeze(START_DATE + DELAY + 1)
-      const response = await writethrough.put({ ...first, value: 3 })
-      const output = await db.get(response.id)
-      expect(response.rev).not.toBe(first._rev)
-      expect(output.value).toBe(3)
-    })
-  })
-
-  describe("get", () => {
-    it("should be able to retrieve", async () => {
-      const response = await writethrough.get("test")
-      expect(response.value).toBe(3)
-    })
-  })
-
-  describe("same doc, different databases (tenancy)", () => {
-    it("should be able to two different databases", async () => {
-      const resp1 = await writethrough.put({ _id: "db1", value: "first" })
-      const resp2 = await writethrough2.put({ _id: "db1", value: "second" })
-      expect(resp1.rev).toBeDefined()
-      expect(resp2.rev).toBeDefined()
-      expect((await db.get("db1")).value).toBe("first")
-      expect((await db2.get("db1")).value).toBe("second")
-    })
-  })
-})
-
diff --git a/packages/backend-core/src/cache/tests/writethrough.spec.ts b/packages/backend-core/src/cache/tests/writethrough.spec.ts
new file mode 100644
index 0000000000..d346788121
--- /dev/null
+++ b/packages/backend-core/src/cache/tests/writethrough.spec.ts
@@ -0,0 +1,73 @@
+import { structures, DBTestConfiguration } from "../../../tests"
+import { Writethrough } from "../writethrough"
+import { getDB } from "../../db"
+import tk from "timekeeper"
+
+const START_DATE = Date.now()
+tk.freeze(START_DATE)
+
+const DELAY = 5000
+
+describe("writethrough", () => {
+  const config = new DBTestConfiguration()
+
+  const db = getDB(structures.db.id())
+  const db2 = getDB(structures.db.id())
+
+  const writethrough = new Writethrough(db, DELAY)
+  const writethrough2 = new Writethrough(db2, DELAY)
+
+  describe("put", () => {
+    let first: any
+
+    it("should be able to store, will go to DB", async () => {
+      await config.doInTenant(async () => {
+        const response = await writethrough.put({ _id: "test", value: 1 })
+        const output = await db.get(response.id)
+        first = output
+        expect(output.value).toBe(1)
+      })
+    })
+
+    it("second put shouldn't update DB", async () => {
+      await config.doInTenant(async () => {
+        const response = await writethrough.put({ ...first, value: 2 })
+        const output = await db.get(response.id)
+        expect(first._rev).toBe(output._rev)
+        expect(output.value).toBe(1)
+      })
+    })
+
+    it("should put it again after delay period", async () => {
+      await config.doInTenant(async () => {
+        tk.freeze(START_DATE + DELAY + 1)
+        const response = await writethrough.put({ ...first, value: 3 })
+        const output = await db.get(response.id)
+        expect(response.rev).not.toBe(first._rev)
+        expect(output.value).toBe(3)
+      })
+    })
+  })
+
+  describe("get", () => {
+    it("should be able to retrieve", async () => {
+      await config.doInTenant(async () => {
+        const response = await writethrough.get("test")
+        expect(response.value).toBe(3)
+      })
+    })
+  })
+
+  describe("same doc, different databases (tenancy)", () => {
+    it("should be able to two different databases", async () => {
+      await config.doInTenant(async () => {
+        const resp1 = await writethrough.put({ _id: "db1", value: "first" })
+        const resp2 = await writethrough2.put({ _id: "db1", value: "second" })
+        expect(resp1.rev).toBeDefined()
+        expect(resp2.rev).toBeDefined()
+        expect((await db.get("db1")).value).toBe("first")
+        expect((await db2.get("db1")).value).toBe("second")
+      })
+    })
+  })
+})
diff --git a/packages/backend-core/src/cache/user.ts b/packages/backend-core/src/cache/user.ts
index a128465cd6..b514c3af9b 100644
--- a/packages/backend-core/src/cache/user.ts
+++ b/packages/backend-core/src/cache/user.ts
@@ -1,8 +1,9 @@
 import * as redis from "../redis/init"
-import { getTenantId, lookupTenantId, doWithGlobalDB } from "../tenancy"
+import * as tenancy from "../tenancy"
+import * as context from "../context"
+import * as platform from "../platform"
 import env from "../environment"
-import * as accounts from "../cloud/accounts"
-import { Database } from "@budibase/types"
+import * as accounts from "../accounts"
 
 const EXPIRY_SECONDS = 3600
 
@@ -10,7 +11,8 @@ const EXPIRY_SECONDS = 3600
  * The default populate user function
  */
 async function populateFromDB(userId: string, tenantId: string) {
-  const user = await doWithGlobalDB(tenantId, (db: Database) => db.get(userId))
+  const db = tenancy.getTenantDB(tenantId)
+  const user = await db.get(userId)
   user.budibaseAccess = true
   if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
     const account = await accounts.getAccount(user.email)
@@ -42,9 +44,9 @@ export async function getUser(
   }
   if (!tenantId) {
     try {
-      tenantId = getTenantId()
+      tenantId = context.getTenantId()
     } catch (err) {
-      tenantId = await lookupTenantId(userId)
+      tenantId = await platform.users.lookupTenantId(userId)
     }
   }
   const client = await redis.getUserClient()
diff --git a/packages/backend-core/src/context/deprovision.ts b/packages/backend-core/src/context/deprovision.ts
deleted file mode 100644
index 81f03096dc..0000000000
--- a/packages/backend-core/src/context/deprovision.ts
+++ /dev/null
@@ -1,108 +0,0 @@
-import {
-  getGlobalUserParams,
-  getAllApps,
-  doWithDB,
-  StaticDatabases,
-} from "../db"
-import { doWithGlobalDB } from "../tenancy"
-import { App, Tenants, User, Database } from "@budibase/types"
-
-const TENANT_DOC = StaticDatabases.PLATFORM_INFO.docs.tenants
-const PLATFORM_INFO_DB = StaticDatabases.PLATFORM_INFO.name
-
-async function removeTenantFromInfoDB(tenantId: string) {
-  try {
-    await doWithDB(PLATFORM_INFO_DB, async (infoDb: Database) => {
-      const tenants = (await infoDb.get(TENANT_DOC)) as Tenants
-      tenants.tenantIds = tenants.tenantIds.filter(id => id !== tenantId)
-
-      await infoDb.put(tenants)
-    })
-  } catch (err) {
-    console.error(`Error removing tenant ${tenantId} from info db`, err)
-    throw err
-  }
-}
-
-export async function removeUserFromInfoDB(dbUser: User) {
-  await doWithDB(PLATFORM_INFO_DB, async (infoDb: Database) => {
-    const keys = [dbUser._id!, dbUser.email]
-    const userDocs = await infoDb.allDocs({
-      keys,
-      include_docs: true,
-    })
-    const toDelete = userDocs.rows.map((row: any) => {
-      return {
-        ...row.doc,
-        _deleted: true,
-      }
-    })
-    await infoDb.bulkDocs(toDelete)
-  })
-}
-
-async function removeUsersFromInfoDB(tenantId: string) {
-  return doWithGlobalDB(tenantId, async (db: any) => {
-    try {
-      const allUsers = await db.allDocs(
-        getGlobalUserParams(null, {
-          include_docs: true,
-        })
-      )
-      await doWithDB(PLATFORM_INFO_DB, async (infoDb: any) => {
-        const allEmails = allUsers.rows.map((row: any) => row.doc.email)
-        // get the id docs
-        let keys = allUsers.rows.map((row: any) => row.id)
-        // and the email docs
-        keys = keys.concat(allEmails)
-        // retrieve the docs and delete them
-        const userDocs = await infoDb.allDocs({
-          keys,
-          include_docs: true,
-        })
-        const toDelete = userDocs.rows.map((row: any) => {
-          return {
-            ...row.doc,
-            _deleted: true,
-          }
-        })
-        await infoDb.bulkDocs(toDelete)
-      })
-    } catch (err) {
-      console.error(`Error removing tenant ${tenantId} users from info db`, err)
-      throw err
-    }
-  })
-}
-
-async function removeGlobalDB(tenantId: string) {
-  return doWithGlobalDB(tenantId, async (db: Database) => {
-    try {
-      await db.destroy()
-    } catch (err) {
-      console.error(`Error removing tenant ${tenantId} users from info db`, err)
-      throw err
-    }
-  })
-}
-
-async function removeTenantApps(tenantId: string) {
-  try {
-    const apps = (await getAllApps({ all: true })) as App[]
-    const destroyPromises = apps.map(app =>
-      doWithDB(app.appId, (db: Database) => db.destroy())
-    )
-    await Promise.allSettled(destroyPromises)
-  } catch (err) {
-    console.error(`Error removing tenant ${tenantId} apps`, err)
-    throw err
-  }
-}
-
-// can't live in tenancy package due to circular dependency on db/utils
-export async function deleteTenant(tenantId: string) {
-  await removeTenantFromInfoDB(tenantId)
-  await removeUsersFromInfoDB(tenantId)
-  await removeGlobalDB(tenantId)
-  await removeTenantApps(tenantId)
-}
diff --git a/packages/backend-core/src/context/tests/index.spec.ts b/packages/backend-core/src/context/tests/index.spec.ts
index c9b5870ffa..5c8ce6fc19 100644
--- a/packages/backend-core/src/context/tests/index.spec.ts
+++ b/packages/backend-core/src/context/tests/index.spec.ts
@@ -1,11 +1,14 @@
-require("../../../tests")
+import { testEnv } from "../../../tests"
 const context = require("../")
 const { DEFAULT_TENANT_ID } = require("../../constants")
-import env from "../../environment"
 
 describe("context", () => {
   describe("doInTenant", () => {
     describe("single-tenancy", () => {
+      beforeAll(() => {
+        testEnv.singleTenant()
+      })
+
       it("defaults to the default tenant", () => {
         const tenantId = context.getTenantId()
         expect(tenantId).toBe(DEFAULT_TENANT_ID)
@@ -20,8 +23,8 @@ describe("context", () => {
     })
 
     describe("multi-tenancy", () => {
-      beforeEach(() => {
-        env._set("MULTI_TENANCY", 1)
+      beforeAll(() => {
+        testEnv.multiTenant()
       })
 
       it("fails when no tenant id is set", () => {
diff --git a/packages/backend-core/src/db/db.ts b/packages/backend-core/src/db/db.ts
index bd6b5e13c1..f13eb9a965 100644
--- a/packages/backend-core/src/db/db.ts
+++ b/packages/backend-core/src/db/db.ts
@@ -1,7 +1,6 @@
 import env from "../environment"
-import { directCouchQuery, getPouchDB } from "./couch"
+import { directCouchQuery, DatabaseImpl } from "./couch"
 import { CouchFindOptions, Database } from "@budibase/types"
-import { DatabaseImpl } from "../db"
 
 const dbList = new Set()
 
diff --git a/packages/backend-core/src/db/tests/utils.seq.spec.ts b/packages/backend-core/src/db/tests/utils.seq.spec.ts
deleted file mode 100644
index 83253402f7..0000000000
--- a/packages/backend-core/src/db/tests/utils.seq.spec.ts
+++ /dev/null
@@ -1,190 +0,0 @@
-require("../../../tests")
-const {
-  getDevelopmentAppID,
-  getProdAppID,
-  isDevAppID,
-  isProdAppID,
-} = require("../conversions")
-const { generateAppID, getPlatformUrl, getScopedConfig } = require("../utils")
-const tenancy = require("../../tenancy")
-const { Config, DEFAULT_TENANT_ID } = require("../../constants")
-import { generator } from "../../../tests"
-import env from "../../environment"
-
-describe("utils", () => {
-  describe("app ID manipulation", () => {
-    function getID() {
-      const appId = generateAppID()
-      const split = appId.split("_")
-      const uuid = split[split.length - 1]
-      const devAppId = `app_dev_${uuid}`
-      return { appId, devAppId, split, uuid }
-    }
-
-    it("should be able to generate a new app ID", () => {
-      expect(generateAppID().startsWith("app_")).toEqual(true)
-    })
-
-    it("should be able to convert a production app ID to development", () => {
-      const { appId, uuid } = getID()
-      expect(getDevelopmentAppID(appId)).toEqual(`app_dev_${uuid}`)
-    })
-
-    it("should be able to convert a development app ID to development", () => {
-      const { devAppId, uuid } = getID()
-      expect(getDevelopmentAppID(devAppId)).toEqual(`app_dev_${uuid}`)
-    })
-
-    it("should be able to convert a development ID to a production", () => {
-      const { devAppId, uuid } = getID()
-      expect(getProdAppID(devAppId)).toEqual(`app_${uuid}`)
-    })
-
-    it("should be able to convert a production ID to production", () => {
-      const { appId, uuid } = getID()
-      expect(getProdAppID(appId)).toEqual(`app_${uuid}`)
-    })
-
-    it("should be able to confirm dev app ID is development", () => {
-      const { devAppId } = getID()
-      expect(isDevAppID(devAppId)).toEqual(true)
-    })
-
-    it("should be able to confirm prod app ID is not development", () => {
-      const { appId } = getID()
-      expect(isDevAppID(appId)).toEqual(false)
-    })
-
-    it("should be able to confirm prod app ID is prod", () => {
-      const { appId } = getID()
-      expect(isProdAppID(appId)).toEqual(true)
-    })
-
-    it("should be able to confirm dev app ID is not prod", () => {
-      const { devAppId } = getID()
-      expect(isProdAppID(devAppId)).toEqual(false)
-    })
-  })
-})
-
-const DEFAULT_URL = "http://localhost:10000"
-const ENV_URL = "http://env.com"
-
-const setDbPlatformUrl = async (dbUrl: string) => {
-  const db = tenancy.getGlobalDB()
-  await db.put({
-    _id: "config_settings",
-    type: Config.SETTINGS,
-    config: {
-      platformUrl: dbUrl,
-    },
-  })
-}
-
-const clearSettingsConfig = async () => {
-  await tenancy.doInTenant(DEFAULT_TENANT_ID, async () => {
-    const db = tenancy.getGlobalDB()
-    try {
-      const config = await db.get("config_settings")
-      await db.remove("config_settings", config._rev)
-    } catch (e: any) {
-      if (e.status !== 404) {
-        throw e
-      }
-    }
-  })
-}
-
-describe("getPlatformUrl", () => {
-  describe("self host", () => {
-    beforeEach(async () => {
-      env._set("SELF_HOST", 1)
-      await clearSettingsConfig()
-    })
-
-    it("gets the default url", async () => {
-      await tenancy.doInTenant(null, async () => {
-        const url = await getPlatformUrl()
-        expect(url).toBe(DEFAULT_URL)
-      })
-    })
-
-    it("gets the platform url from the environment", async () => {
-      await tenancy.doInTenant(null, async () => {
-        env._set("PLATFORM_URL", ENV_URL)
-        const url = await getPlatformUrl()
-        expect(url).toBe(ENV_URL)
-      })
-    })
-
-    it("gets the platform url from the database", async () => {
-      await tenancy.doInTenant(null, async () => {
-        const dbUrl = generator.url()
-        await setDbPlatformUrl(dbUrl)
-        const url = await getPlatformUrl()
-        expect(url).toBe(dbUrl)
-      })
-    })
-  })
-
-  describe("cloud", () => {
-    const TENANT_AWARE_URL = "http://default.env.com"
-
-    beforeEach(async () => {
-      env._set("SELF_HOSTED", 0)
-      env._set("MULTI_TENANCY", 1)
-      env._set("PLATFORM_URL", ENV_URL)
-      await clearSettingsConfig()
-    })
-
-    it("gets the platform url from the environment without tenancy", async () => {
-      await tenancy.doInTenant(DEFAULT_TENANT_ID, async () => {
-        const url = await getPlatformUrl({ tenantAware: false })
-        expect(url).toBe(ENV_URL)
-      })
-    })
-
-    it("gets the platform url from the environment with tenancy", async () => {
-      await tenancy.doInTenant(DEFAULT_TENANT_ID, async () => {
-        const url = await getPlatformUrl()
-        expect(url).toBe(TENANT_AWARE_URL)
-      })
-    })
-
-    it("never gets the platform url from the database", async () => {
-      await tenancy.doInTenant(DEFAULT_TENANT_ID, async () => {
-        await setDbPlatformUrl(generator.url())
-        const url = await getPlatformUrl()
-        expect(url).toBe(TENANT_AWARE_URL)
-      })
-    })
-  })
-})
-
-describe("getScopedConfig", () => {
-  describe("settings config", () => {
-    beforeEach(async () => {
-      env._set("SELF_HOSTED", 1)
-      env._set("PLATFORM_URL", "")
-      await clearSettingsConfig()
-    })
-
-    it("returns the platform url with an existing config", async () => {
-      await tenancy.doInTenant(DEFAULT_TENANT_ID, async () => {
-        const dbUrl = generator.url()
-        await setDbPlatformUrl(dbUrl)
-        const db = tenancy.getGlobalDB()
-        const config = await getScopedConfig(db, { type: Config.SETTINGS })
-        expect(config.platformUrl).toBe(dbUrl)
-      })
-    })
-
-    it("returns the platform url without an existing config", async () => {
-      await tenancy.doInTenant(DEFAULT_TENANT_ID, async () => {
-        const db = tenancy.getGlobalDB()
-        const config = await getScopedConfig(db, { type: Config.SETTINGS })
-        expect(config.platformUrl).toBe(DEFAULT_URL)
-      })
-    })
-  })
-})
diff --git a/packages/backend-core/src/db/tests/utils.spec.ts b/packages/backend-core/src/db/tests/utils.spec.ts
new file mode 100644
index 0000000000..7bdca5ae8b
--- /dev/null
+++ b/packages/backend-core/src/db/tests/utils.spec.ts
@@ -0,0 +1,192 @@
+import { generator, DBTestConfiguration, testEnv } from "../../../tests"
+import {
+  getDevelopmentAppID,
+  getProdAppID,
+  isDevAppID,
+  isProdAppID,
+} from "../conversions"
+import { generateAppID, getPlatformUrl, getScopedConfig } from "../utils"
+import * as context from "../../context"
+import { Config } from "../../constants"
+import env from "../../environment"
+
+describe("utils", () => {
+  const config = new DBTestConfiguration()
+
+  describe("app ID manipulation", () => {
+    function getID() {
+      const appId = generateAppID()
+      const split = appId.split("_")
+      const uuid = split[split.length - 1]
+      const devAppId = `app_dev_${uuid}`
+      return { appId, devAppId, split, uuid }
+    }
+
+    it("should be able to generate a new app ID", () => {
+      expect(generateAppID().startsWith("app_")).toEqual(true)
+    })
+
+    it("should be able to convert a production app ID to development", () => {
+      const { appId, uuid } = getID()
+      expect(getDevelopmentAppID(appId)).toEqual(`app_dev_${uuid}`)
+    })
+
+    it("should be able to convert a development app ID to development", () => {
+      const { devAppId, uuid } = getID()
+      expect(getDevelopmentAppID(devAppId)).toEqual(`app_dev_${uuid}`)
+    })
+
+    it("should be able to convert a development ID to a production", () => {
+      const { devAppId, uuid } = getID()
+      expect(getProdAppID(devAppId)).toEqual(`app_${uuid}`)
+    })
+
+    it("should be able to convert a production ID to production", () => {
+      const { appId, uuid } = getID()
+      expect(getProdAppID(appId)).toEqual(`app_${uuid}`)
+    })
+
+    it("should be able to confirm dev app ID is development", () => {
+      const { devAppId } = getID()
+      expect(isDevAppID(devAppId)).toEqual(true)
+    })
+
+    it("should be able to confirm prod app ID is not development", () => {
+      const { appId } = getID()
+      expect(isDevAppID(appId)).toEqual(false)
+    })
+
+    it("should be able to confirm prod app ID is prod", () => {
+      const { appId } = getID()
+      expect(isProdAppID(appId)).toEqual(true)
+    })
+
+    it("should be able to confirm dev app ID is not prod", () => {
+      const { devAppId } = getID()
+      expect(isProdAppID(devAppId)).toEqual(false)
+    })
+  })
+
+  const DEFAULT_URL = "http://localhost:10000"
+  const ENV_URL = "http://env.com"
+
+  const setDbPlatformUrl = async (dbUrl: string) => {
+    const db = context.getGlobalDB()
+    await db.put({
+      _id: "config_settings",
+      type: Config.SETTINGS,
+      config: {
+        platformUrl: dbUrl,
+      },
+    })
+  }
+
+  const clearSettingsConfig = async () => {
+    await config.doInTenant(async () => {
+      const db = context.getGlobalDB()
+      try {
+        const config = await db.get("config_settings")
+        await db.remove("config_settings", config._rev)
+      } catch (e: any) {
+        if (e.status !== 404) {
+          throw e
+        }
+      }
+    })
+  }
+
+  describe("getPlatformUrl", () => {
+    describe("self host", () => {
+      beforeEach(async () => {
+        testEnv.selfHosted()
+        await clearSettingsConfig()
+      })
+
+      it("gets the default url", async () => {
+        await config.doInTenant(async () => {
+          const url = await getPlatformUrl()
+          expect(url).toBe(DEFAULT_URL)
+        })
+      })
+
+      it("gets the platform url from the environment", async () => {
+        await config.doInTenant(async () => {
+          env._set("PLATFORM_URL", ENV_URL)
+          const url = await getPlatformUrl()
+          expect(url).toBe(ENV_URL)
+        })
+      })
+
+      it("gets the platform url from the database", async () => {
+        await config.doInTenant(async () => {
+          const dbUrl = generator.url()
+          await setDbPlatformUrl(dbUrl)
+          const url = await getPlatformUrl()
+          expect(url).toBe(dbUrl)
+        })
+      })
+    })
+
+    describe("cloud", () => {
+      const TENANT_AWARE_URL = `http://${config.tenantId}.env.com`
+
+      beforeEach(async () => {
+        testEnv.cloudHosted()
+        testEnv.multiTenant()
+
+        env._set("PLATFORM_URL", ENV_URL)
+        await clearSettingsConfig()
+      })
+
+      it("gets the platform url from the environment without tenancy", async () => {
+        await config.doInTenant(async () => {
+          const url = await getPlatformUrl({ tenantAware: false })
+          expect(url).toBe(ENV_URL)
+        })
+      })
+
+      it("gets the platform url from the environment with tenancy", async () => {
+        await config.doInTenant(async () => {
+          const url = await getPlatformUrl()
+          expect(url).toBe(TENANT_AWARE_URL)
+        })
+      })
+
+      it("never gets the platform url from the database", async () => {
+        await config.doInTenant(async () => {
+          await setDbPlatformUrl(generator.url())
+          const url = await getPlatformUrl()
+          expect(url).toBe(TENANT_AWARE_URL)
+        })
+      })
+    })
+  })
+
+  describe("getScopedConfig", () => {
+    describe("settings config", () => {
+      beforeEach(async () => {
+        env._set("SELF_HOSTED", 1)
+        env._set("PLATFORM_URL", "")
+        await clearSettingsConfig()
+      })
+
+      it("returns the platform url with an existing config", async () => {
+        await config.doInTenant(async () => {
+          const dbUrl = generator.url()
+          await setDbPlatformUrl(dbUrl)
+          const db = context.getGlobalDB()
+          const config = await getScopedConfig(db, { type: Config.SETTINGS })
+          expect(config.platformUrl).toBe(dbUrl)
+        })
+      })
+
+      it("returns the platform url without an existing config", async () => {
+        await config.doInTenant(async () => {
+          const db = context.getGlobalDB()
+          const config = await getScopedConfig(db, { type: Config.SETTINGS })
+          expect(config.platformUrl).toBe(DEFAULT_URL)
+        })
+      })
+    })
+  })
+})
diff --git a/packages/backend-core/src/db/views.ts b/packages/backend-core/src/db/views.ts
index 4a87be0a68..8a2c2e7efd 100644
--- a/packages/backend-core/src/db/views.ts
+++ b/packages/backend-core/src/db/views.ts
@@ -1,13 +1,14 @@
 import {
-  DocumentType,
-  ViewName,
   DeprecatedViews,
+  DocumentType,
   SEPARATOR,
   StaticDatabases,
+  ViewName,
 } from "../constants"
 import { getGlobalDB } from "../context"
 import { doWithDB } from "./"
 import { Database, DatabaseQueryOpts } from "@budibase/types"
+import env from "../environment"
 
 const DESIGN_DB = "_design/database"
 
@@ -69,17 +70,6 @@ export const createNewUserEmailView = async () => {
   await createView(db, viewJs, ViewName.USER_BY_EMAIL)
 }
 
-export const createAccountEmailView = async () => {
-  const viewJs = `function(doc) {
-    if (doc._id.startsWith("${DocumentType.ACCOUNT_METADATA}${SEPARATOR}")) {
-      emit(doc.email.toLowerCase(), doc._id)
-    }
-  }`
-  await doWithDB(StaticDatabases.PLATFORM_INFO.name, async (db: Database) => {
-    await createView(db, viewJs, ViewName.ACCOUNT_BY_EMAIL)
-  })
-}
-
 export const createUserAppView = async () => {
   const db = getGlobalDB()
   const viewJs = `function(doc) {
@@ -113,17 +103,6 @@ export const createUserBuildersView = async () => {
   await createView(db, viewJs, ViewName.USER_BY_BUILDERS)
 }
 
-export const createPlatformUserView = async () => {
-  const viewJs = `function(doc) {
-    if (doc.tenantId) {
-      emit(doc._id.toLowerCase(), doc._id)
-    }
-  }`
-  await doWithDB(StaticDatabases.PLATFORM_INFO.name, async (db: Database) => {
-    await createView(db, viewJs, ViewName.PLATFORM_USERS_LOWERCASE)
-  })
-}
-
 export interface QueryViewOptions {
   arrayResponse?: boolean
 }
@@ -162,13 +141,48 @@ export const queryView = async <T>(
   }
 }
 
+// PLATFORM
+
+async function createPlatformView(viewJs: string, viewName: ViewName) {
+  try {
+    await doWithDB(StaticDatabases.PLATFORM_INFO.name, async (db: Database) => {
+      await createView(db, viewJs, viewName)
+    })
+  } catch (e: any) {
+    if (e.status === 409 && env.isTest()) {
+      // multiple tests can try to initialise platforms views
+      // at once - safe to exit on conflict
+      return
+    }
+    throw e
+  }
+}
+
+export const createPlatformAccountEmailView = async () => {
+  const viewJs = `function(doc) {
+    if (doc._id.startsWith("${DocumentType.ACCOUNT_METADATA}${SEPARATOR}")) {
+      emit(doc.email.toLowerCase(), doc._id)
+    }
+  }`
+  await createPlatformView(viewJs, ViewName.ACCOUNT_BY_EMAIL)
+}
+
+export const createPlatformUserView = async () => {
+  const viewJs = `function(doc) {
+    if (doc.tenantId) {
+      emit(doc._id.toLowerCase(), doc._id)
+    }
+  }`
+  await createPlatformView(viewJs, ViewName.PLATFORM_USERS_LOWERCASE)
+}
+
 export const queryPlatformView = async <T>(
   viewName: ViewName,
   params: DatabaseQueryOpts,
   opts?: QueryViewOptions
 ): Promise<T[] | T | undefined> => {
   const CreateFuncByName: any = {
-    [ViewName.ACCOUNT_BY_EMAIL]: createAccountEmailView,
+    [ViewName.ACCOUNT_BY_EMAIL]: createPlatformAccountEmailView,
     [ViewName.PLATFORM_USERS_LOWERCASE]: createPlatformUserView,
   }
 
diff --git a/packages/backend-core/src/environment.ts b/packages/backend-core/src/environment.ts
index d742ca1cc9..ed7a161160 100644
--- a/packages/backend-core/src/environment.ts
+++ b/packages/backend-core/src/environment.ts
@@ -44,8 +44,9 @@ const environment = {
   GOOGLE_CLIENT_ID: process.env.GOOGLE_CLIENT_ID,
   GOOGLE_CLIENT_SECRET: process.env.GOOGLE_CLIENT_SECRET,
   SALT_ROUNDS: process.env.SALT_ROUNDS,
-  REDIS_URL: process.env.REDIS_URL,
-  REDIS_PASSWORD: process.env.REDIS_PASSWORD,
+  REDIS_URL: process.env.REDIS_URL || "localhost:6379",
+  REDIS_PASSWORD: process.env.REDIS_PASSWORD || "budibase",
+  MOCK_REDIS: process.env.MOCK_REDIS,
   MINIO_ACCESS_KEY: process.env.MINIO_ACCESS_KEY,
   MINIO_SECRET_KEY: process.env.MINIO_SECRET_KEY,
   AWS_REGION: process.env.AWS_REGION,
@@ -82,6 +83,7 @@ const environment = {
   SESSION_UPDATE_PERIOD: process.env.SESSION_UPDATE_PERIOD,
   DEPLOYMENT_ENVIRONMENT:
     process.env.DEPLOYMENT_ENVIRONMENT || "docker-compose",
+  ENABLE_4XX_HTTP_LOGGING: process.env.ENABLE_4XX_HTTP_LOGGING || true,
   _set(key: any, value: any) {
     process.env[key] = value
     // @ts-ignore
diff --git a/packages/backend-core/src/events/analytics.ts b/packages/backend-core/src/events/analytics.ts
index f621a9c98b..7fbc6d9c2b 100644
--- a/packages/backend-core/src/events/analytics.ts
+++ b/packages/backend-core/src/events/analytics.ts
@@ -1,5 +1,5 @@
 import env from "../environment"
-import * as tenancy from "../tenancy"
+import * as context from "../context"
 import * as dbUtils from "../db/utils"
 import { Config } from "../constants"
 import { withCache, TTL, CacheKey } from "../cache"
@@ -42,7 +42,7 @@ export const enabled = async () => {
 }
 
 const getSettingsDoc = async () => {
-  const db = tenancy.getGlobalDB()
+  const db = context.getGlobalDB()
   let settings
   try {
     settings = await db.get(dbUtils.generateConfigID({ type: Config.SETTINGS }))
diff --git a/packages/backend-core/src/events/identification.ts b/packages/backend-core/src/events/identification.ts
index 8ac22b471c..7cade9e14b 100644
--- a/packages/backend-core/src/events/identification.ts
+++ b/packages/backend-core/src/events/identification.ts
@@ -16,6 +16,7 @@ import {
   InstallationGroup,
   UserContext,
   Group,
+  isSSOUser,
 } from "@budibase/types"
 import { processors } from "./processors"
 import * as dbUtils from "../db/utils"
@@ -166,7 +167,10 @@ const identifyUser = async (
   const type = IdentityType.USER
   let builder = user.builder?.global || false
   let admin = user.admin?.global || false
-  let providerType = user.providerType
+  let providerType
+  if (isSSOUser(user)) {
+    providerType = user.providerType
+  }
   const accountHolder = account?.budibaseUserId === user._id || false
   const verified =
     account && account?.budibaseUserId === user._id ? account.verified : false
diff --git a/packages/backend-core/src/events/processors/posthog/tests/PosthogProcessor.spec.ts b/packages/backend-core/src/events/processors/posthog/tests/PosthogProcessor.spec.ts
index 349a0427ac..2c1340d36e 100644
--- a/packages/backend-core/src/events/processors/posthog/tests/PosthogProcessor.spec.ts
+++ b/packages/backend-core/src/events/processors/posthog/tests/PosthogProcessor.spec.ts
@@ -1,4 +1,4 @@
-import "../../../../../tests"
+import { testEnv } from "../../../../../tests"
 import PosthogProcessor from "../PosthogProcessor"
 import { Event, IdentityType, Hosting } from "@budibase/types"
 const tk = require("timekeeper")
@@ -16,6 +16,10 @@ const newIdentity = () => {
 }
 
 describe("PosthogProcessor", () => {
+  beforeAll(() => {
+    testEnv.singleTenant()
+  })
+
   beforeEach(async () => {
     jest.clearAllMocks()
     await cache.bustCache(
diff --git a/packages/backend-core/src/featureFlags/index.ts b/packages/backend-core/src/featureFlags/index.ts
index 34ee3599a5..877cd60e1a 100644
--- a/packages/backend-core/src/featureFlags/index.ts
+++ b/packages/backend-core/src/featureFlags/index.ts
@@ -1,5 +1,5 @@
 import env from "../environment"
-import * as tenancy from "../tenancy"
+import * as context from "../context"
 
 /**
  * Read the TENANT_FEATURE_FLAGS env var and return an array of features flags for each tenant.
@@ -28,7 +28,7 @@ export function buildFeatureFlags() {
 }
 
 export function isEnabled(featureFlag: string) {
-  const tenantId = tenancy.getTenantId()
+  const tenantId = context.getTenantId()
   const flags = getTenantFeatureFlags(tenantId)
   return flags.includes(featureFlag)
 }
diff --git a/packages/backend-core/src/index.ts b/packages/backend-core/src/index.ts
index aa205e0317..2631020bd4 100644
--- a/packages/backend-core/src/index.ts
+++ b/packages/backend-core/src/index.ts
@@ -3,12 +3,11 @@ export * as migrations from "./migrations"
 export * as users from "./users"
 export * as roles from "./security/roles"
 export * as permissions from "./security/permissions"
-export * as accounts from "./cloud/accounts"
+export * as accounts from "./accounts"
 export * as installation from "./installation"
-export * as tenancy from "./tenancy"
 export * as featureFlags from "./featureFlags"
 export * as sessions from "./security/sessions"
-export * as deprovisioning from "./context/deprovision"
+export * as platform from "./platform"
 export * as auth from "./auth"
 export * as constants from "./constants"
 export * as logging from "./logging"
@@ -21,11 +20,20 @@ export * as context from "./context"
 export * as cache from "./cache"
 export * as objectStore from "./objectStore"
 export * as redis from "./redis"
+export * as locks from "./redis/redlock"
 export * as utils from "./utils"
 export * as errors from "./errors"
 export { default as env } from "./environment"
-
 export { SearchParams } from "./db"
+// Add context to tenancy for backwards compatibility
+// only do this for external usages to prevent internal
+// circular dependencies
+import * as context from "./context"
+import * as _tenancy from "./tenancy"
+export const tenancy = {
+  ..._tenancy,
+  ...context,
+}
 
 // expose error classes directly
 export * from "./errors"
@@ -33,10 +41,6 @@ export * from "./errors"
 // expose constants directly
 export * from "./constants"
 
-// expose inner locks from redis directly
-import * as redis from "./redis"
-export const locks = redis.redlock
-
 // expose package init function
 import * as db from "./db"
 export const init = (opts: any = {}) => {
diff --git a/packages/backend-core/src/middleware/authenticated.ts b/packages/backend-core/src/middleware/authenticated.ts
index 3b5e9ae162..4bb2aaba76 100644
--- a/packages/backend-core/src/middleware/authenticated.ts
+++ b/packages/backend-core/src/middleware/authenticated.ts
@@ -4,7 +4,7 @@ import { getUser } from "../cache/user"
 import { getSession, updateSessionTTL } from "../security/sessions"
 import { buildMatcherRegex, matches } from "./matchers"
 import { SEPARATOR, queryGlobalView, ViewName } from "../db"
-import { getGlobalDB, doInTenant } from "../tenancy"
+import { getGlobalDB, doInTenant } from "../context"
 import { decrypt } from "../security/encryption"
 import * as identity from "../context/identity"
 import env from "../environment"
diff --git a/packages/backend-core/src/middleware/errorHandling.ts b/packages/backend-core/src/middleware/errorHandling.ts
new file mode 100644
index 0000000000..5ac70c33e5
--- /dev/null
+++ b/packages/backend-core/src/middleware/errorHandling.ts
@@ -0,0 +1,28 @@
+import { APIError } from "@budibase/types"
+import * as errors from "../errors"
+import env from "../environment"
+
+export async function errorHandling(ctx: any, next: any) {
+  try {
+    await next()
+  } catch (err: any) {
+    const status = err.status || err.statusCode || 500
+    ctx.status = status
+
+    if (status > 499 || env.ENABLE_4XX_HTTP_LOGGING) {
+      ctx.log.error(err)
+    }
+
+    const error = errors.getPublicError(err)
+    const body: APIError = {
+      message: err.message,
+      status: status,
+      validationErrors: err.validation,
+      error,
+    }
+
+    ctx.body = body
+  }
+}
+
+export default errorHandling
diff --git a/packages/backend-core/src/middleware/index.ts b/packages/backend-core/src/middleware/index.ts
index 4986cde64b..de609f9a3e 100644
--- a/packages/backend-core/src/middleware/index.ts
+++ b/packages/backend-core/src/middleware/index.ts
@@ -1,7 +1,7 @@
 export * as jwt from "./passport/jwt"
 export * as local from "./passport/local"
-export * as google from "./passport/google"
-export * as oidc from "./passport/oidc"
+export * as google from "./passport/sso/google"
+export * as oidc from "./passport/sso/oidc"
 import * as datasourceGoogle from "./passport/datasource/google"
 export const datasource = {
   google: datasourceGoogle,
@@ -16,4 +16,5 @@ export { default as adminOnly } from "./adminOnly"
 export { default as builderOrAdmin } from "./builderOrAdmin"
 export { default as builderOnly } from "./builderOnly"
 export { default as logging } from "./logging"
+export { default as errorHandling } from "./errorHandling"
 export * as joiValidator from "./joi-validator"
diff --git a/packages/backend-core/src/middleware/passport/datasource/google.ts b/packages/backend-core/src/middleware/passport/datasource/google.ts
index 65620d7aa3..112f8d2096 100644
--- a/packages/backend-core/src/middleware/passport/datasource/google.ts
+++ b/packages/backend-core/src/middleware/passport/datasource/google.ts
@@ -1,10 +1,11 @@
-import * as google from "../google"
+import * as google from "../sso/google"
 import { Cookie, Config } from "../../../constants"
 import { clearCookie, getCookie } from "../../../utils"
 import { getScopedConfig, getPlatformUrl, doWithDB } from "../../../db"
 import environment from "../../../environment"
-import { getGlobalDB } from "../../../tenancy"
+import { getGlobalDB } from "../../../context"
 import { BBContext, Database, SSOProfile } from "@budibase/types"
+import { ssoSaveUserNoOp } from "../sso/sso"
 const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy
 
 type Passport = {
@@ -36,7 +37,11 @@ export async function preAuth(
   const platformUrl = await getPlatformUrl({ tenantAware: false })
 
   let callbackUrl = `${platformUrl}/api/global/auth/datasource/google/callback`
-  const strategy = await google.strategyFactory(googleConfig, callbackUrl)
+  const strategy = await google.strategyFactory(
+    googleConfig,
+    callbackUrl,
+    ssoSaveUserNoOp
+  )
 
   if (!ctx.query.appId || !ctx.query.datasourceId) {
     ctx.throw(400, "appId and datasourceId query params not present.")
diff --git a/packages/backend-core/src/middleware/passport/local.ts b/packages/backend-core/src/middleware/passport/local.ts
index 8b85d3734c..e198032532 100644
--- a/packages/backend-core/src/middleware/passport/local.ts
+++ b/packages/backend-core/src/middleware/passport/local.ts
@@ -1,15 +1,10 @@
 import { UserStatus } from "../../constants"
-import { compare, newid } from "../../utils"
-import env from "../../environment"
+import { compare } from "../../utils"
 import * as users from "../../users"
 import { authError } from "./utils"
-import { createASession } from "../../security/sessions"
-import { getTenantId } from "../../tenancy"
 import { BBContext } from "@budibase/types"
-const jwt = require("jsonwebtoken")
 
 const INVALID_ERR = "Invalid credentials"
-const SSO_NO_PASSWORD = "SSO user does not have a password set"
 const EXPIRED = "This account has expired. Please reset your password"
 
 export const options = {
@@ -35,50 +30,25 @@ export async function authenticate(
 
   const dbUser = await users.getGlobalUserByEmail(email)
   if (dbUser == null) {
-    return authError(done, `User not found: [${email}]`)
-  }
-
-  // check that the user is currently inactive, if this is the case throw invalid
-  if (dbUser.status === UserStatus.INACTIVE) {
+    console.info(`user=${email} could not be found`)
     return authError(done, INVALID_ERR)
   }
 
-  // check that the user has a stored password before proceeding
-  if (!dbUser.password) {
-    if (
-      (dbUser.account && dbUser.account.authType === "sso") || // root account sso
-      dbUser.thirdPartyProfile // internal sso
-    ) {
-      return authError(done, SSO_NO_PASSWORD)
-    }
+  if (dbUser.status === UserStatus.INACTIVE) {
+    console.info(`user=${email} is inactive`, dbUser)
+    return authError(done, INVALID_ERR)
+  }
 
-    console.error("Non SSO usser has no password set", dbUser)
+  if (!dbUser.password) {
+    console.info(`user=${email} has no password set`, dbUser)
     return authError(done, EXPIRED)
   }
 
-  // authenticate
-  if (await compare(password, dbUser.password)) {
-    const sessionId = newid()
-    const tenantId = getTenantId()
-
-    await createASession(dbUser._id!, { sessionId, tenantId })
-
-    const token = jwt.sign(
-      {
-        userId: dbUser._id,
-        sessionId,
-        tenantId,
-      },
-      env.JWT_SECRET
-    )
-    // Remove users password in payload
-    delete dbUser.password
-
-    return done(null, {
-      ...dbUser,
-      token,
-    })
-  } else {
+  if (!(await compare(password, dbUser.password))) {
     return authError(done, INVALID_ERR)
   }
+
+  // intentionally remove the users password in payload
+  delete dbUser.password
+  return done(null, dbUser)
 }
diff --git a/packages/backend-core/src/middleware/passport/google.ts b/packages/backend-core/src/middleware/passport/sso/google.ts
similarity index 76%
rename from packages/backend-core/src/middleware/passport/google.ts
rename to packages/backend-core/src/middleware/passport/sso/google.ts
index dd3dc8b86d..d26d7d6a8d 100644
--- a/packages/backend-core/src/middleware/passport/google.ts
+++ b/packages/backend-core/src/middleware/passport/sso/google.ts
@@ -1,18 +1,26 @@
-import { ssoCallbackUrl } from "./utils"
-import { authenticateThirdParty, SaveUserFunction } from "./third-party-common"
-import { ConfigType, GoogleConfig, Database, SSOProfile } from "@budibase/types"
+import { ssoCallbackUrl } from "../utils"
+import * as sso from "./sso"
+import {
+  ConfigType,
+  GoogleConfig,
+  Database,
+  SSOProfile,
+  SSOAuthDetails,
+  SSOProviderType,
+  SaveSSOUserFunction,
+} from "@budibase/types"
 const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy
 
-export function buildVerifyFn(saveUserFn?: SaveUserFunction) {
+export function buildVerifyFn(saveUserFn: SaveSSOUserFunction) {
   return (
     accessToken: string,
     refreshToken: string,
     profile: SSOProfile,
     done: Function
   ) => {
-    const thirdPartyUser = {
-      provider: profile.provider, // should always be 'google'
-      providerType: "google",
+    const details: SSOAuthDetails = {
+      provider: "google",
+      providerType: SSOProviderType.GOOGLE,
       userId: profile.id,
       profile: profile,
       email: profile._json.email,
@@ -22,8 +30,8 @@ export function buildVerifyFn(saveUserFn?: SaveUserFunction) {
       },
     }
 
-    return authenticateThirdParty(
-      thirdPartyUser,
+    return sso.authenticate(
+      details,
       true, // require local accounts to exist
       done,
       saveUserFn
@@ -39,7 +47,7 @@ export function buildVerifyFn(saveUserFn?: SaveUserFunction) {
 export async function strategyFactory(
   config: GoogleConfig["config"],
   callbackUrl: string,
-  saveUserFn?: SaveUserFunction
+  saveUserFn: SaveSSOUserFunction
 ) {
   try {
     const { clientID, clientSecret } = config
diff --git a/packages/backend-core/src/middleware/passport/oidc.ts b/packages/backend-core/src/middleware/passport/sso/oidc.ts
similarity index 85%
rename from packages/backend-core/src/middleware/passport/oidc.ts
rename to packages/backend-core/src/middleware/passport/sso/oidc.ts
index 7caa177cf0..1fb44b84a3 100644
--- a/packages/backend-core/src/middleware/passport/oidc.ts
+++ b/packages/backend-core/src/middleware/passport/sso/oidc.ts
@@ -1,22 +1,20 @@
 import fetch from "node-fetch"
-import { authenticateThirdParty, SaveUserFunction } from "./third-party-common"
-import { ssoCallbackUrl } from "./utils"
+import * as sso from "./sso"
+import { ssoCallbackUrl } from "../utils"
 import {
   ConfigType,
-  OIDCInnerCfg,
+  OIDCInnerConfig,
   Database,
   SSOProfile,
-  ThirdPartyUser,
-  OIDCConfiguration,
+  OIDCStrategyConfiguration,
+  SSOAuthDetails,
+  SSOProviderType,
+  JwtClaims,
+  SaveSSOUserFunction,
 } from "@budibase/types"
 const OIDCStrategy = require("@techpass/passport-openidconnect").Strategy
 
-type JwtClaims = {
-  preferred_username: string
-  email: string
-}
-
-export function buildVerifyFn(saveUserFn?: SaveUserFunction) {
+export function buildVerifyFn(saveUserFn: SaveSSOUserFunction) {
   /**
    * @param {*} issuer The identity provider base URL
    * @param {*} sub The user ID
@@ -39,10 +37,10 @@ export function buildVerifyFn(saveUserFn?: SaveUserFunction) {
     params: any,
     done: Function
   ) => {
-    const thirdPartyUser: ThirdPartyUser = {
+    const details: SSOAuthDetails = {
       // store the issuer info to enable sync in future
       provider: issuer,
-      providerType: "oidc",
+      providerType: SSOProviderType.OIDC,
       userId: profile.id,
       profile: profile,
       email: getEmail(profile, jwtClaims),
@@ -52,8 +50,8 @@ export function buildVerifyFn(saveUserFn?: SaveUserFunction) {
       },
     }
 
-    return authenticateThirdParty(
-      thirdPartyUser,
+    return sso.authenticate(
+      details,
       false, // don't require local accounts to exist
       done,
       saveUserFn
@@ -104,8 +102,8 @@ function validEmail(value: string) {
  * @returns Dynamically configured Passport OIDC Strategy
  */
 export async function strategyFactory(
-  config: OIDCConfiguration,
-  saveUserFn?: SaveUserFunction
+  config: OIDCStrategyConfiguration,
+  saveUserFn: SaveSSOUserFunction
 ) {
   try {
     const verify = buildVerifyFn(saveUserFn)
@@ -119,14 +117,14 @@ export async function strategyFactory(
 }
 
 export async function fetchStrategyConfig(
-  enrichedConfig: OIDCInnerCfg,
+  oidcConfig: OIDCInnerConfig,
   callbackUrl?: string
-): Promise<OIDCConfiguration> {
+): Promise<OIDCStrategyConfiguration> {
   try {
-    const { clientID, clientSecret, configUrl } = enrichedConfig
+    const { clientID, clientSecret, configUrl } = oidcConfig
 
     if (!clientID || !clientSecret || !callbackUrl || !configUrl) {
-      //check for remote config and all required elements
+      // check for remote config and all required elements
       throw new Error(
         "Configuration invalid. Must contain clientID, clientSecret, callbackUrl and configUrl"
       )
diff --git a/packages/backend-core/src/middleware/passport/sso/sso.ts b/packages/backend-core/src/middleware/passport/sso/sso.ts
new file mode 100644
index 0000000000..2fc1184722
--- /dev/null
+++ b/packages/backend-core/src/middleware/passport/sso/sso.ts
@@ -0,0 +1,165 @@
+import { generateGlobalUserID } from "../../../db"
+import { authError } from "../utils"
+import * as users from "../../../users"
+import * as context from "../../../context"
+import fetch from "node-fetch"
+import {
+  SaveSSOUserFunction,
+  SaveUserOpts,
+  SSOAuthDetails,
+  SSOUser,
+  User,
+} from "@budibase/types"
+
+// no-op function for user save
+// - this allows datasource auth and access token refresh to work correctly
+// - prefer no-op over an optional argument to ensure function is provided to login flows
+export const ssoSaveUserNoOp: SaveSSOUserFunction = (
+  user: SSOUser,
+  opts: SaveUserOpts
+) => Promise.resolve(user)
+
+/**
+ * Common authentication logic for third parties. e.g. OAuth, OIDC.
+ */
+export async function authenticate(
+  details: SSOAuthDetails,
+  requireLocalAccount: boolean = true,
+  done: any,
+  saveUserFn: SaveSSOUserFunction
+) {
+  if (!saveUserFn) {
+    throw new Error("Save user function must be provided")
+  }
+  if (!details.userId) {
+    return authError(done, "sso user id required")
+  }
+  if (!details.email) {
+    return authError(done, "sso user email required")
+  }
+
+  // use the third party id
+  const userId = generateGlobalUserID(details.userId)
+
+  let dbUser: User | undefined
+
+  // try to load by id
+  try {
+    dbUser = await users.getById(userId)
+  } catch (err: any) {
+    // abort when not 404 error
+    if (!err.status || err.status !== 404) {
+      return authError(
+        done,
+        "Unexpected error when retrieving existing user",
+        err
+      )
+    }
+  }
+
+  // fallback to loading by email
+  if (!dbUser) {
+    dbUser = await users.getGlobalUserByEmail(details.email)
+  }
+
+  // exit early if there is still no user and auto creation is disabled
+  if (!dbUser && requireLocalAccount) {
+    return authError(
+      done,
+      "Email does not yet exist. You must set up your local budibase account first."
+    )
+  }
+
+  // first time creation
+  if (!dbUser) {
+    // setup a blank user using the third party id
+    dbUser = {
+      _id: userId,
+      email: details.email,
+      roles: {},
+      tenantId: context.getTenantId(),
+    }
+  }
+
+  let ssoUser = await syncUser(dbUser, details)
+  // never prompt for password reset
+  ssoUser.forceResetPassword = false
+
+  try {
+    // don't try to re-save any existing password
+    delete ssoUser.password
+    // create or sync the user
+    ssoUser = (await saveUserFn(ssoUser, {
+      hashPassword: false,
+      requirePassword: false,
+    })) as SSOUser
+  } catch (err: any) {
+    return authError(done, "Error saving user", err)
+  }
+
+  return done(null, ssoUser)
+}
+
+async function getProfilePictureUrl(user: User, details: SSOAuthDetails) {
+  const pictureUrl = details.profile?._json.picture
+  if (pictureUrl) {
+    const response = await fetch(pictureUrl)
+    if (response.status === 200) {
+      const type = response.headers.get("content-type") as string
+      if (type.startsWith("image/")) {
+        return pictureUrl
+      }
+    }
+  }
+}
+
+/**
+ * @returns a user that has been sync'd with third party information
+ */
+async function syncUser(user: User, details: SSOAuthDetails): Promise<SSOUser> {
+  let firstName
+  let lastName
+  let pictureUrl
+  let oauth2
+  let thirdPartyProfile
+
+  if (details.profile) {
+    const profile = details.profile
+
+    if (profile.name) {
+      const name = profile.name
+      // first name
+      if (name.givenName) {
+        firstName = name.givenName
+      }
+      // last name
+      if (name.familyName) {
+        lastName = name.familyName
+      }
+    }
+
+    pictureUrl = await getProfilePictureUrl(user, details)
+
+    thirdPartyProfile = {
+      ...profile._json,
+    }
+  }
+
+  // oauth tokens for future use
+  if (details.oauth2) {
+    oauth2 = {
+      ...details.oauth2,
+    }
+  }
+
+  return {
+    ...user,
+    provider: details.provider,
+    providerType: details.providerType,
+    firstName,
+    lastName,
+    thirdPartyProfile,
+    pictureUrl,
+    oauth2,
+  }
+}
diff --git a/packages/backend-core/src/middleware/passport/sso/tests/google.spec.ts b/packages/backend-core/src/middleware/passport/sso/tests/google.spec.ts
new file mode 100644
index 0000000000..d0689a1f0a
--- /dev/null
+++ b/packages/backend-core/src/middleware/passport/sso/tests/google.spec.ts
@@ -0,0 +1,67 @@
+import { generator, structures } from "../../../../../tests"
+import { SSOProviderType } from "@budibase/types"
+
+jest.mock("passport-google-oauth")
+const mockStrategy = require("passport-google-oauth").OAuth2Strategy
+
+jest.mock("../sso")
+import * as _sso from "../sso"
+const sso = jest.mocked(_sso)
+
+const mockSaveUserFn = jest.fn()
+const mockDone = jest.fn()
+
+import * as google from "../google"
+
+describe("google", () => {
+  describe("strategyFactory", () => {
+    const googleConfig = structures.sso.googleConfig()
+    const callbackUrl = generator.url()
+
+    it("should create successfully create a google strategy", async () => {
+      await google.strategyFactory(googleConfig, callbackUrl, mockSaveUserFn)
+
+      const expectedOptions = {
+        clientID: googleConfig.clientID,
+        clientSecret: googleConfig.clientSecret,
+        callbackURL: callbackUrl,
+      }
+
+      expect(mockStrategy).toHaveBeenCalledWith(
+        expectedOptions,
+        expect.anything()
+      )
+    })
+  })
+
+  describe("authenticate", () => {
+    const details = structures.sso.authDetails()
+    details.provider = "google"
+    details.providerType = SSOProviderType.GOOGLE
+
+    const profile = details.profile!
+    profile.provider = "google"
+
+    beforeEach(() => {
+      jest.clearAllMocks()
+    })
+
+    it("delegates authentication to third party common", async () => {
+      const authenticate = await google.buildVerifyFn(mockSaveUserFn)
+
+      await authenticate(
+        details.oauth2.accessToken,
+        details.oauth2.refreshToken!,
+        profile,
+        mockDone
+      )
+
+      expect(sso.authenticate).toHaveBeenCalledWith(
+        details,
+        true,
+        mockDone,
+        mockSaveUserFn
+      )
+    })
+  })
+})
diff --git a/packages/backend-core/src/middleware/passport/sso/tests/oidc.spec.ts b/packages/backend-core/src/middleware/passport/sso/tests/oidc.spec.ts
new file mode 100644
index 0000000000..a705739bd6
--- /dev/null
+++ b/packages/backend-core/src/middleware/passport/sso/tests/oidc.spec.ts
@@ -0,0 +1,152 @@
+import { generator, mocks, structures } from "../../../../../tests"
+import {
+  JwtClaims,
+  OIDCInnerConfig,
+  SSOAuthDetails,
+  SSOProviderType,
+} from "@budibase/types"
+import * as _sso from "../sso"
+import * as oidc from "../oidc"
+
+jest.mock("@techpass/passport-openidconnect")
+const mockStrategy = require("@techpass/passport-openidconnect").Strategy
+
+jest.mock("../sso")
+const sso = jest.mocked(_sso)
+
+const mockSaveUser = jest.fn()
+const mockDone = jest.fn()
+
+describe("oidc", () => {
+  const callbackUrl = generator.url()
+  const oidcConfig: OIDCInnerConfig = structures.sso.oidcConfig()
+  const wellKnownConfig = structures.sso.oidcWellKnownConfig()
+
+  function mockRetrieveWellKnownConfig() {
+    // mock the request to retrieve the oidc configuration
+    mocks.fetch.mockReturnValue({
+      ok: true,
+      json: () => wellKnownConfig,
+    })
+  }
+
+  beforeEach(() => {
+    mockRetrieveWellKnownConfig()
+  })
+
+  describe("strategyFactory", () => {
+    it("should create successfully create an oidc strategy", async () => {
+      const strategyConfiguration = await oidc.fetchStrategyConfig(
+        oidcConfig,
+        callbackUrl
+      )
+      await oidc.strategyFactory(strategyConfiguration, mockSaveUser)
+
+      expect(mocks.fetch).toHaveBeenCalledWith(oidcConfig.configUrl)
+
+      const expectedOptions = {
+        issuer: wellKnownConfig.issuer,
+        authorizationURL: wellKnownConfig.authorization_endpoint,
+        tokenURL: wellKnownConfig.token_endpoint,
+        userInfoURL: wellKnownConfig.userinfo_endpoint,
+        clientID: oidcConfig.clientID,
+        clientSecret: oidcConfig.clientSecret,
+        callbackURL: callbackUrl,
+      }
+      expect(mockStrategy).toHaveBeenCalledWith(
+        expectedOptions,
+        expect.anything()
+      )
+    })
+  })
+
+  describe("authenticate", () => {
+    const details: SSOAuthDetails = structures.sso.authDetails()
+    details.providerType = SSOProviderType.OIDC
+    const profile = details.profile!
+    const issuer = profile.provider
+
+    const sub = generator.string()
+    const idToken = generator.string()
+    const params = {}
+
+    let authenticateFn: any
+    let jwtClaims: JwtClaims
+
+    beforeEach(async () => {
+      jest.clearAllMocks()
+      authenticateFn = await oidc.buildVerifyFn(mockSaveUser)
+    })
+
+    async function authenticate() {
+      await authenticateFn(
+        issuer,
+        sub,
+        profile,
+        jwtClaims,
+        details.oauth2.accessToken,
+        details.oauth2.refreshToken,
+        idToken,
+        params,
+        mockDone
+      )
+    }
+
+    it("passes auth details to sso module", async () => {
+      await authenticate()
+
+      expect(sso.authenticate).toHaveBeenCalledWith(
+        details,
+        false,
+        mockDone,
+        mockSaveUser
+      )
+    })
+
+    it("uses JWT email to get email", async () => {
+      delete profile._json.email
+
+      jwtClaims = {
+        email: details.email,
+      }
+
+      await authenticate()
+
+      expect(sso.authenticate).toHaveBeenCalledWith(
+        details,
+        false,
+        mockDone,
+        mockSaveUser
+      )
+    })
+
+    it("uses JWT username to get email", async () => {
+      delete profile._json.email
+
+      jwtClaims = {
+        email: details.email,
+      }
+
+      await authenticate()
+
+      expect(sso.authenticate).toHaveBeenCalledWith(
+        details,
+        false,
+        mockDone,
+        mockSaveUser
+      )
+    })
+
+    it("uses JWT invalid username to get email", async () => {
+      delete profile._json.email
+
+      jwtClaims = {
+        preferred_username: "invalidUsername",
+      }
+
+      await expect(authenticate()).rejects.toThrow(
+        "Could not determine user email from profile"
+      )
+    })
+  })
+})
diff --git a/packages/backend-core/src/middleware/passport/sso/tests/sso.spec.ts b/packages/backend-core/src/middleware/passport/sso/tests/sso.spec.ts
new file mode 100644
index 0000000000..ae42fc01ea
--- /dev/null
+++ b/packages/backend-core/src/middleware/passport/sso/tests/sso.spec.ts
@@ -0,0 +1,196 @@
+import { structures, testEnv, mocks } from "../../../../../tests"
+import { SSOAuthDetails, User } from "@budibase/types"
+
+import { HTTPError } from "../../../../errors"
+import * as sso from "../sso"
+import * as context from "../../../../context"
+
+const mockDone = jest.fn()
+const mockSaveUser = jest.fn()
+
+jest.mock("../../../../users")
+import * as _users from "../../../../users"
+const users = jest.mocked(_users)
+
+const getErrorMessage = () => {
+  return mockDone.mock.calls[0][2].message
+}
+
+describe("sso", () => {
+  describe("authenticate", () => {
+    beforeEach(() => {
+      jest.clearAllMocks()
+      testEnv.singleTenant()
+    })
+
+    describe("validation", () => {
+      const testValidation = async (
+        details: SSOAuthDetails,
+        message: string
+      ) => {
+        await sso.authenticate(details, false, mockDone, mockSaveUser)
+
+        expect(mockDone.mock.calls.length).toBe(1)
+        expect(getErrorMessage()).toContain(message)
+      }
+
+      it("user id fails", async () => {
+        const details = structures.sso.authDetails()
+        details.userId = undefined!
+
+        await testValidation(details, "sso user id required")
+      })
+
+      it("email fails", async () => {
+        const details = structures.sso.authDetails()
+        details.email = undefined!
+
+        await testValidation(details, "sso user email required")
+      })
+    })
+
+    function mockGetProfilePicture() {
+      mocks.fetch.mockReturnValueOnce(
+        Promise.resolve({
+          status: 200,
+          headers: { get: () => "image/" },
+        })
+      )
+    }
+
+    describe("when the user doesn't exist", () => {
+      let user: User
+      let details: SSOAuthDetails
+
+      beforeEach(() => {
+        users.getById.mockImplementationOnce(() => {
+          throw new HTTPError("", 404)
+        })
+        mockGetProfilePicture()
+
+        user = structures.users.user()
+        delete user._rev
+        delete user._id
+
+        details = structures.sso.authDetails(user)
+        details.userId = structures.uuid()
+      })
+
+      describe("when a local account is required", () => {
+        it("returns an error message", async () => {
+          const details = structures.sso.authDetails()
+
+          await sso.authenticate(details, true, mockDone, mockSaveUser)
+
+          expect(mockDone.mock.calls.length).toBe(1)
+          expect(getErrorMessage()).toContain(
+            "Email does not yet exist. You must set up your local budibase account first."
+          )
+        })
+      })
+
+      describe("when a local account isn't required", () => {
+        it("creates and authenticates the user", async () => {
+          const ssoUser = structures.users.ssoUser({ user, details })
+          mockSaveUser.mockReturnValueOnce(ssoUser)
+
+          await sso.authenticate(details, false, mockDone, mockSaveUser)
+
+          // default roles for new user
+          ssoUser.roles = {}
+
+          // modified external id to match user format
+          ssoUser._id = "us_" + details.userId
+
+          // new sso user won't have a password
+          delete ssoUser.password
+
+          // new user isn't saved with rev
+          delete ssoUser._rev
+
+          // tenant id added
+          ssoUser.tenantId = context.getTenantId()
+
+          expect(mockSaveUser).toBeCalledWith(ssoUser, {
+            hashPassword: false,
+            requirePassword: false,
+          })
+          expect(mockDone).toBeCalledWith(null, ssoUser)
+        })
+      })
+    })
+
+    describe("when the user exists", () => {
+      let existingUser: User
+      let details: SSOAuthDetails
+
+      beforeEach(() => {
+        existingUser = structures.users.user()
+        existingUser._id = structures.uuid()
+        details = structures.sso.authDetails(existingUser)
+        mockGetProfilePicture()
+      })
+
+      describe("exists by email", () => {
+        beforeEach(() => {
+          users.getById.mockImplementationOnce(() => {
+            throw new HTTPError("", 404)
+          })
+          users.getGlobalUserByEmail.mockReturnValueOnce(
+            Promise.resolve(existingUser)
+          )
+        })
+
+        it("syncs and authenticates the user", async () => {
+          const ssoUser = structures.users.ssoUser({
+            user: existingUser,
+            details,
+          })
+          mockSaveUser.mockReturnValueOnce(ssoUser)
+
+          await sso.authenticate(details, true, mockDone, mockSaveUser)
+
+          // roles preserved
+          ssoUser.roles = existingUser.roles
+
+          // existing id preserved
+          ssoUser._id = existingUser._id
+
+          expect(mockSaveUser).toBeCalledWith(ssoUser, {
+            hashPassword: false,
+            requirePassword: false,
+          })
+          expect(mockDone).toBeCalledWith(null, ssoUser)
+        })
+      })
+
+      describe("exists by id", () => {
+        beforeEach(() => {
+          users.getById.mockReturnValueOnce(Promise.resolve(existingUser))
+        })
+
+        it("syncs and authenticates the user", async () => {
+          const ssoUser = structures.users.ssoUser({
+            user: existingUser,
+            details,
+          })
+          mockSaveUser.mockReturnValueOnce(ssoUser)
+
+          await sso.authenticate(details, true, mockDone, mockSaveUser)
+
+          // roles preserved
+          ssoUser.roles = existingUser.roles
+
+          // existing id preserved
+          ssoUser._id = existingUser._id
+
+          expect(mockSaveUser).toBeCalledWith(ssoUser, {
+            hashPassword: false,
+            requirePassword: false,
+          })
+          expect(mockDone).toBeCalledWith(null, ssoUser)
+        })
+      })
+    })
+  })
+})
diff --git a/packages/backend-core/src/middleware/passport/tests/google.spec.js b/packages/backend-core/src/middleware/passport/tests/google.spec.js
deleted file mode 100644
index c5580ea309..0000000000
--- a/packages/backend-core/src/middleware/passport/tests/google.spec.js
+++ /dev/null
@@ -1,79 +0,0 @@
-// Mock data
-
-const { data } = require("./utilities/mock-data")
-
-const TENANT_ID = "default"
-
-const googleConfig = {
-  clientID: data.clientID,
-  clientSecret: data.clientSecret,
-}
-
-const profile = {
-  id: "mockId",
-  _json: {
-    email : data.email
-  },
-  provider: "google"
-}
-
-const user = data.buildThirdPartyUser("google", "google", profile)
-
-describe("google", () => {
-  describe("strategyFactory", () => {  
-    // mock passport strategy factory
-    jest.mock("passport-google-oauth")
-    const mockStrategy = require("passport-google-oauth").OAuth2Strategy
-  
-    it("should create successfully create a google strategy", async () => {
-      const google = require("../google")
-
-      const callbackUrl = `/api/global/auth/${TENANT_ID}/google/callback`
-      await google.strategyFactory(googleConfig, callbackUrl)
-  
-      const expectedOptions = {
-        clientID: googleConfig.clientID,
-        clientSecret: googleConfig.clientSecret,
-        callbackURL: callbackUrl,
-      }
-
-      expect(mockStrategy).toHaveBeenCalledWith(
-        expectedOptions,
-        expect.anything()
-      )
-    })
-  })
-  
-  describe("authenticate", () => {    
-    afterEach(() => {
-      jest.clearAllMocks();
-    });
-
-    // mock third party common authentication
-    jest.mock("../third-party-common")
-    const authenticateThirdParty = require("../third-party-common").authenticateThirdParty
-
-    // mock the passport callback
-    const mockDone = jest.fn()
-
-    it("delegates authentication to third party common", async () => {
-      const google = require("../google")
-      const mockSaveUserFn = jest.fn()
-      const authenticate = await google.buildVerifyFn(mockSaveUserFn)
-
-      await authenticate(
-        data.accessToken,
-        data.refreshToken,
-        profile,
-        mockDone
-      )
-
-      expect(authenticateThirdParty).toHaveBeenCalledWith(
-        user,
-        true, 
-        mockDone,
-        mockSaveUserFn)
-    })
-  })
-})
-
diff --git a/packages/backend-core/src/middleware/passport/tests/oidc.spec.js b/packages/backend-core/src/middleware/passport/tests/oidc.spec.js
deleted file mode 100644
index 4c8aa94ddf..0000000000
--- a/packages/backend-core/src/middleware/passport/tests/oidc.spec.js
+++ /dev/null
@@ -1,144 +0,0 @@
-// Mock data
-const mockFetch = require("node-fetch")
-const { data } = require("./utilities/mock-data")
-const issuer = "mockIssuer"
-const sub = "mockSub"
-const profile = {
-  id: "mockId",
-  _json: {
-    email : data.email
-  }
-}
-let jwtClaims = {}  
-const idToken = "mockIdToken"
-const params = {}
-
-const callbackUrl = "http://somecallbackurl"
-
-// response from .well-known/openid-configuration
-const oidcConfigUrlResponse = {
-  issuer: issuer,
-  authorization_endpoint: "mockAuthorizationEndpoint",
-  token_endpoint: "mockTokenEndpoint",
-  userinfo_endpoint: "mockUserInfoEndpoint"
-}
-
-const oidcConfig = {
-  configUrl: "http://someconfigurl",
-  clientID: data.clientID,
-  clientSecret: data.clientSecret,
-}
-
-const user = data.buildThirdPartyUser(issuer, "oidc", profile)
-
-describe("oidc", () => {
-  describe("strategyFactory", () => {  
-    // mock passport strategy factory
-    jest.mock("@techpass/passport-openidconnect")
-    const mockStrategy = require("@techpass/passport-openidconnect").Strategy
-    
-    // mock the request to retrieve the oidc configuration
-    mockFetch.mockReturnValue({
-      ok: true,
-      json: () => oidcConfigUrlResponse
-    })
-  
-    it("should create successfully create an oidc strategy", async () => {
-      const oidc = require("../oidc")
-      const enrichedConfig = await oidc.fetchStrategyConfig(oidcConfig, callbackUrl)
-      await oidc.strategyFactory(enrichedConfig, callbackUrl)
-  
-      expect(mockFetch).toHaveBeenCalledWith(oidcConfig.configUrl)
-
-      const expectedOptions = {
-        issuer: oidcConfigUrlResponse.issuer,
-        authorizationURL: oidcConfigUrlResponse.authorization_endpoint,
-        tokenURL: oidcConfigUrlResponse.token_endpoint,
-        userInfoURL: oidcConfigUrlResponse.userinfo_endpoint,
-        clientID: oidcConfig.clientID,
-        clientSecret: oidcConfig.clientSecret,
-        callbackURL: callbackUrl,
-      }
-      expect(mockStrategy).toHaveBeenCalledWith(
-        expectedOptions,
-        expect.anything()
-      )
-    })
-  })
-  
-  describe("authenticate", () => {    
-    afterEach(() => {
-      jest.clearAllMocks()
-    });
-
-    // mock third party common authentication
-    jest.mock("../third-party-common")
-    const authenticateThirdParty = require("../third-party-common").authenticateThirdParty
-    
-    // mock the passport callback
-    const mockDone = jest.fn()
-    const mockSaveUserFn = jest.fn()
-
-    async function doAuthenticate() {
-      const oidc = require("../oidc")
-      const authenticate = await oidc.buildVerifyFn(mockSaveUserFn)
-
-      await authenticate(
-        issuer,
-        sub,
-        profile,
-        jwtClaims,
-        data.accessToken,
-        data.refreshToken,
-        idToken,
-        params,
-        mockDone
-      )
-    }
-
-    async function doTest() {
-      await doAuthenticate()
-
-      expect(authenticateThirdParty).toHaveBeenCalledWith(
-        user,
-        false, 
-        mockDone,
-        mockSaveUserFn,
-      )
-    }
-
-    it("delegates authentication to third party common", async () => {
-      await doTest()
-    })
-
-    it("uses JWT email to get email", async () => {
-      delete profile._json.email
-      jwtClaims = {
-        email : "mock@budibase.com"
-      }
-
-      await doTest()
-    })
-  
-    it("uses JWT username to get email", async () => {
-      delete profile._json.email
-      jwtClaims = {
-        preferred_username : "mock@budibase.com"
-      }
-
-      await doTest()
-    })
-
-    it("uses JWT invalid username to get email", async () => {
-      delete profile._json.email
-
-      jwtClaims = {
-        preferred_username : "invalidUsername"
-      }
-
-      await expect(doAuthenticate()).rejects.toThrow("Could not determine user email from profile");
-    })
-  
-  })
-})
-
diff --git a/packages/backend-core/src/middleware/passport/tests/third-party-common.seq.spec.js b/packages/backend-core/src/middleware/passport/tests/third-party-common.seq.spec.js
deleted file mode 100644
index d377d602f1..0000000000
--- a/packages/backend-core/src/middleware/passport/tests/third-party-common.seq.spec.js
+++ /dev/null
@@ -1,178 +0,0 @@
-require("../../../../tests")
-const { authenticateThirdParty } = require("../third-party-common")
-const { data } = require("./utilities/mock-data")
-const { DEFAULT_TENANT_ID } = require("../../../constants")
-
-const { generateGlobalUserID } = require("../../../db/utils")
-const { newid } = require("../../../utils")
-const { doWithGlobalDB, doInTenant } = require("../../../tenancy")
-
-const done = jest.fn()
-
-const getErrorMessage = () => {
-  return done.mock.calls[0][2].message
-}
-
-const saveUser = async (user) => {
-  return doWithGlobalDB(DEFAULT_TENANT_ID, async db => {
-    return await db.put(user)
-  })
-}
-
-function authenticate(user, requireLocal, saveFn) {
-  return doInTenant(DEFAULT_TENANT_ID, () => {
-    return authenticateThirdParty(user, requireLocal, done, saveFn)
-  })
-}
-
-describe("third party common", () => {
-  describe("authenticateThirdParty", () => {
-    let thirdPartyUser
-
-    beforeEach(() => {
-      thirdPartyUser = data.buildThirdPartyUser()
-    })
-
-    afterEach(async () => {
-      return doWithGlobalDB(DEFAULT_TENANT_ID, async db => {
-        jest.clearAllMocks()
-        await db.destroy()
-      })
-    })
-
-    describe("validation", () => {
-      const testValidation = async (message) => {
-        await authenticate(thirdPartyUser, false, saveUser)
-        expect(done.mock.calls.length).toBe(1)
-        expect(getErrorMessage()).toContain(message)
-      }
-
-      it("provider fails", async () => {
-        delete thirdPartyUser.provider
-        await testValidation("third party user provider required")
-      })
-
-      it("user id fails", async () => {
-        delete thirdPartyUser.userId
-        await testValidation("third party user id required")
-      })
-
-      it("email fails", async () => {
-        delete thirdPartyUser.email
-        await testValidation("third party user email required")
-      })
-    })
-
-    const expectUserIsAuthenticated = () => {
-      const user = done.mock.calls[0][1]
-      expect(user).toBeDefined()
-      expect(user._id).toBeDefined()
-      expect(user._rev).toBeDefined()
-      expect(user.token).toBeDefined()
-      return user
-    }
-
-    const expectUserIsSynced = (user, thirdPartyUser) => {
-      expect(user.provider).toBe(thirdPartyUser.provider)
-      expect(user.firstName).toBe(thirdPartyUser.profile.name.givenName)
-      expect(user.lastName).toBe(thirdPartyUser.profile.name.familyName)
-      expect(user.thirdPartyProfile).toStrictEqual(thirdPartyUser.profile._json)
-      expect(user.oauth2).toStrictEqual(thirdPartyUser.oauth2)
-    }
-
-    describe("when the user doesn't exist", () => {
-      describe("when a local account is required", () => {
-        it("returns an error message", async () => {
-          await authenticate(thirdPartyUser, true, saveUser)
-          expect(done.mock.calls.length).toBe(1)
-          expect(getErrorMessage()).toContain("Email does not yet exist. You must set up your local budibase account first.")
-        })
-      })
-
-      describe("when a local account isn't required", () => {
-        it("creates and authenticates the user", async () => {
-          await authenticate(thirdPartyUser, false, saveUser)
-          const user = expectUserIsAuthenticated()
-          expectUserIsSynced(user, thirdPartyUser)
-          expect(user.roles).toStrictEqual({})
-        })
-      })
-    })
-
-    describe("when the user exists", () => {
-      let dbUser
-      let id
-      let email
-
-      const createUser = async () => {
-        return doWithGlobalDB(DEFAULT_TENANT_ID, async db => {
-          dbUser = {
-            _id: id,
-            email: email,
-          }
-          const response = await db.put(dbUser)
-          dbUser._rev = response.rev
-          return dbUser
-        })
-      }
-
-      const expectUserIsUpdated = (user) => {
-        // id is unchanged
-        expect(user._id).toBe(id)
-        // user is updated
-        expect(user._rev).not.toBe(dbUser._rev)
-      }
-
-      describe("exists by email", () => {
-        beforeEach(async () => {
-          id = generateGlobalUserID(newid()) // random id
-          email = thirdPartyUser.email //  matching email
-          await createUser()
-        })
-
-        it("syncs and authenticates the user", async () => {
-          await authenticate(thirdPartyUser, true, saveUser)
-
-          const user = expectUserIsAuthenticated()
-          expectUserIsSynced(user, thirdPartyUser)
-          expectUserIsUpdated(user)
-        })
-      })
-
-      describe("exists by email with different casing", () => {
-        beforeEach(async () => {
-          id = generateGlobalUserID(newid()) // random id
-          email = thirdPartyUser.email.toUpperCase() //  matching email except for casing
-          await createUser()
-        })
-
-        it("syncs and authenticates the user", async () => {
-          await authenticate(thirdPartyUser, true, saveUser)
-
-          const user = expectUserIsAuthenticated()
-          expectUserIsSynced(user, thirdPartyUser)
-          expectUserIsUpdated(user)
-          expect(user.email).toBe(thirdPartyUser.email.toUpperCase())
-        })
-      })
-
-
-      describe("exists by id", () => {
-        beforeEach(async () => {
-          id = generateGlobalUserID(thirdPartyUser.userId) // matching id
-          email = "test@test.com" // random email
-          await createUser()
-        })
-
-        it("syncs and authenticates the user", async () => {
-          await authenticate(thirdPartyUser, true, saveUser)
-
-          const user = expectUserIsAuthenticated()
-          expectUserIsSynced(user, thirdPartyUser)
-          expectUserIsUpdated(user)
-        })
-      })
-    })
-  })
-})
-
diff --git a/packages/backend-core/src/middleware/passport/tests/utilities/mock-data.js b/packages/backend-core/src/middleware/passport/tests/utilities/mock-data.js
deleted file mode 100644
index 00ae82e47e..0000000000
--- a/packages/backend-core/src/middleware/passport/tests/utilities/mock-data.js
+++ /dev/null
@@ -1,54 +0,0 @@
-// Mock Data
-
-const mockClientID = "mockClientID"
-const mockClientSecret = "mockClientSecret"
-
-const mockEmail = "mock@budibase.com"
-const mockAccessToken = "mockAccessToken"
-const mockRefreshToken = "mockRefreshToken"
-
-const mockProvider = "mockProvider"
-const mockProviderType = "mockProviderType"
-
-const mockProfile = {
-  id: "mockId",
-  name: {
-    givenName: "mockGivenName",
-    familyName: "mockFamilyName",
-  },
-  _json: {
-    email: mockEmail,
-  },
-}
-
-const buildOauth2 = (
-  accessToken = mockAccessToken,
-  refreshToken = mockRefreshToken
-) => ({
-  accessToken: accessToken,
-  refreshToken: refreshToken,
-})
-
-const buildThirdPartyUser = (
-  provider = mockProvider,
-  providerType = mockProviderType,
-  profile = mockProfile,
-  email = mockEmail,
-  oauth2 = buildOauth2()
-) => ({
-  provider: provider,
-  providerType: providerType,
-  userId: profile.id,
-  profile: profile,
-  email: email,
-  oauth2: oauth2,
-})
-
-exports.data = {
-  clientID: mockClientID,
-  clientSecret: mockClientSecret,
-  email: mockEmail,
-  accessToken: mockAccessToken,
-  refreshToken: mockRefreshToken,
-  buildThirdPartyUser,
-}
diff --git a/packages/backend-core/src/middleware/passport/third-party-common.ts b/packages/backend-core/src/middleware/passport/third-party-common.ts
deleted file mode 100644
index 451cdf6cc6..0000000000
--- a/packages/backend-core/src/middleware/passport/third-party-common.ts
+++ /dev/null
@@ -1,177 +0,0 @@
-import env from "../../environment"
-import { generateGlobalUserID } from "../../db"
-import { authError } from "./utils"
-import { newid } from "../../utils"
-import { createASession } from "../../security/sessions"
-import * as users from "../../users"
-import { getGlobalDB, getTenantId } from "../../tenancy"
-import fetch from "node-fetch"
-import { ThirdPartyUser } from "@budibase/types"
-const jwt = require("jsonwebtoken")
-
-type SaveUserOpts = {
-  requirePassword?: boolean
-  hashPassword?: boolean
-  currentUserId?: string
-}
-
-export type SaveUserFunction = (
-  user: ThirdPartyUser,
-  opts: SaveUserOpts
-) => Promise<any>
-
-/**
- * Common authentication logic for third parties. e.g. OAuth, OIDC.
- */
-export async function authenticateThirdParty(
-  thirdPartyUser: ThirdPartyUser,
-  requireLocalAccount: boolean = true,
-  done: Function,
-  saveUserFn?: SaveUserFunction
-) {
-  if (!saveUserFn) {
-    throw new Error("Save user function must be provided")
-  }
-  if (!thirdPartyUser.provider) {
-    return authError(done, "third party user provider required")
-  }
-  if (!thirdPartyUser.userId) {
-    return authError(done, "third party user id required")
-  }
-  if (!thirdPartyUser.email) {
-    return authError(done, "third party user email required")
-  }
-
-  // use the third party id
-  const userId = generateGlobalUserID(thirdPartyUser.userId)
-  const db = getGlobalDB()
-
-  let dbUser
-
-  // try to load by id
-  try {
-    dbUser = await db.get(userId)
-  } catch (err: any) {
-    // abort when not 404 error
-    if (!err.status || err.status !== 404) {
-      return authError(
-        done,
-        "Unexpected error when retrieving existing user",
-        err
-      )
-    }
-  }
-
-  // fallback to loading by email
-  if (!dbUser) {
-    dbUser = await users.getGlobalUserByEmail(thirdPartyUser.email)
-  }
-
-  // exit early if there is still no user and auto creation is disabled
-  if (!dbUser && requireLocalAccount) {
-    return authError(
-      done,
-      "Email does not yet exist. You must set up your local budibase account first."
-    )
-  }
-
-  // first time creation
-  if (!dbUser) {
-    // setup a blank user using the third party id
-    dbUser = {
-      _id: userId,
-      email: thirdPartyUser.email,
-      roles: {},
-    }
-  }
-
-  dbUser = await syncUser(dbUser, thirdPartyUser)
-
-  // never prompt for password reset
-  dbUser.forceResetPassword = false
-
-  // create or sync the user
-  try {
-    await saveUserFn(dbUser, { hashPassword: false, requirePassword: false })
-  } catch (err: any) {
-    return authError(done, err)
-  }
-
-  // now that we're sure user exists, load them from the db
-  dbUser = await db.get(dbUser._id)
-
-  // authenticate
-  const sessionId = newid()
-  const tenantId = getTenantId()
-  await createASession(dbUser._id, { sessionId, tenantId })
-
-  dbUser.token = jwt.sign(
-    {
-      userId: dbUser._id,
-      sessionId,
-    },
-    env.JWT_SECRET
-  )
-
-  return done(null, dbUser)
-}
-
-async function syncProfilePicture(
-  user: ThirdPartyUser,
-  thirdPartyUser: ThirdPartyUser
-) {
-  const pictureUrl = thirdPartyUser.profile?._json.picture
-  if (pictureUrl) {
-    const response = await fetch(pictureUrl)
-
-    if (response.status === 200) {
-      const type = response.headers.get("content-type") as string
-      if (type.startsWith("image/")) {
-        user.pictureUrl = pictureUrl
-      }
-    }
-  }
-
-  return user
-}
-
-/**
- * @returns a user that has been sync'd with third party information
- */
-async function syncUser(user: ThirdPartyUser, thirdPartyUser: ThirdPartyUser) {
-  // provider
-  user.provider = thirdPartyUser.provider
-  user.providerType = thirdPartyUser.providerType
-
-  if (thirdPartyUser.profile) {
-    const profile = thirdPartyUser.profile
-
-    if (profile.name) {
-      const name = profile.name
-      // first name
-      if (name.givenName) {
-        user.firstName = name.givenName
-      }
-      // last name
-      if (name.familyName) {
-        user.lastName = name.familyName
-      }
-    }
-
-    user = await syncProfilePicture(user, thirdPartyUser)
-
-    // profile
-    user.thirdPartyProfile = {
-      ...profile._json,
-    }
-  }
-
-  // oauth tokens for future use
-  if (thirdPartyUser.oauth2) {
-    user.oauth2 = {
-      ...thirdPartyUser.oauth2,
-    }
-  }
-
-  return user
-}
diff --git a/packages/backend-core/src/middleware/passport/utils.ts b/packages/backend-core/src/middleware/passport/utils.ts
index 3d79aada28..6eb3bc29d1 100644
--- a/packages/backend-core/src/middleware/passport/utils.ts
+++ b/packages/backend-core/src/middleware/passport/utils.ts
@@ -1,6 +1,6 @@
-import { isMultiTenant, getTenantId } from "../../tenancy"
+import { isMultiTenant, getTenantId } from "../../context"
 import { getScopedConfig } from "../../db"
-import { ConfigType, Database, Config } from "@budibase/types"
+import { ConfigType, Database } from "@budibase/types"
 
 /**
  * Utility to handle authentication errors.
diff --git a/packages/backend-core/src/middleware/tenancy.ts b/packages/backend-core/src/middleware/tenancy.ts
index a09c463045..22b7cc213d 100644
--- a/packages/backend-core/src/middleware/tenancy.ts
+++ b/packages/backend-core/src/middleware/tenancy.ts
@@ -1,4 +1,5 @@
-import { doInTenant, getTenantIDFromCtx } from "../tenancy"
+import { doInTenant } from "../context"
+import { getTenantIDFromCtx } from "../tenancy"
 import { buildMatcherRegex, matches } from "./matchers"
 import { Header } from "../constants"
 import {
diff --git a/packages/backend-core/src/migrations/migrations.ts b/packages/backend-core/src/migrations/migrations.ts
index 55b8ab1938..2e3524775f 100644
--- a/packages/backend-core/src/migrations/migrations.ts
+++ b/packages/backend-core/src/migrations/migrations.ts
@@ -4,10 +4,10 @@ import {
   StaticDatabases,
   getAllApps,
   getGlobalDBName,
-  doWithDB,
+  getDB,
 } from "../db"
 import environment from "../environment"
-import { doInTenant, getTenantIds, getTenantId } from "../tenancy"
+import * as platform from "../platform"
 import * as context from "../context"
 import { DEFINITIONS } from "."
 import {
@@ -47,7 +47,7 @@ export const runMigration = async (
   const migrationType = migration.type
   let tenantId: string | undefined
   if (migrationType !== MigrationType.INSTALLATION) {
-    tenantId = getTenantId()
+    tenantId = context.getTenantId()
   }
   const migrationName = migration.name
   const silent = migration.silent
@@ -86,66 +86,65 @@ export const runMigration = async (
     count++
     const lengthStatement = length > 1 ? `[${count}/${length}]` : ""
 
-    await doWithDB(dbName, async (db: any) => {
-      try {
-        const doc = await getMigrationsDoc(db)
+    const db = getDB(dbName)
+    try {
+      const doc = await getMigrationsDoc(db)
 
-        // the migration has already been run
-        if (doc[migrationName]) {
-          // check for force
-          if (
-            options.force &&
-            options.force[migrationType] &&
-            options.force[migrationType].includes(migrationName)
-          ) {
-            log(
-              `[Tenant: ${tenantId}] [Migration: ${migrationName}] [DB: ${dbName}] Forcing`
-            )
-          } else {
-            // no force, exit
-            return
-          }
-        }
-
-        // check if the migration is not a no-op
-        if (!options.noOp) {
+      // the migration has already been run
+      if (doc[migrationName]) {
+        // check for force
+        if (
+          options.force &&
+          options.force[migrationType] &&
+          options.force[migrationType].includes(migrationName)
+        ) {
           log(
-            `[Tenant: ${tenantId}] [Migration: ${migrationName}] [DB: ${dbName}] Running ${lengthStatement}`
-          )
-
-          if (migration.preventRetry) {
-            // eagerly set the completion date
-            // so that we never run this migration twice even upon failure
-            doc[migrationName] = Date.now()
-            const response = await db.put(doc)
-            doc._rev = response.rev
-          }
-
-          // run the migration
-          if (migrationType === MigrationType.APP) {
-            await context.doInAppContext(db.name, async () => {
-              await migration.fn(db)
-            })
-          } else {
-            await migration.fn(db)
-          }
-
-          log(
-            `[Tenant: ${tenantId}] [Migration: ${migrationName}] [DB: ${dbName}] Complete`
+            `[Tenant: ${tenantId}] [Migration: ${migrationName}] [DB: ${dbName}] Forcing`
           )
+        } else {
+          // no force, exit
+          return
         }
-
-        // mark as complete
-        doc[migrationName] = Date.now()
-        await db.put(doc)
-      } catch (err) {
-        console.error(
-          `[Tenant: ${tenantId}] [Migration: ${migrationName}] [DB: ${dbName}] Error: `,
-          err
-        )
-        throw err
       }
-    })
+
+      // check if the migration is not a no-op
+      if (!options.noOp) {
+        log(
+          `[Tenant: ${tenantId}] [Migration: ${migrationName}] [DB: ${dbName}] Running ${lengthStatement}`
+        )
+
+        if (migration.preventRetry) {
+          // eagerly set the completion date
+          // so that we never run this migration twice even upon failure
+          doc[migrationName] = Date.now()
+          const response = await db.put(doc)
+          doc._rev = response.rev
+        }
+
+        // run the migration
+        if (migrationType === MigrationType.APP) {
+          await context.doInAppContext(db.name, async () => {
+            await migration.fn(db)
+          })
+        } else {
+          await migration.fn(db)
+        }
+
+        log(
+          `[Tenant: ${tenantId}] [Migration: ${migrationName}] [DB: ${dbName}] Complete`
+        )
+      }
+
+      // mark as complete
+      doc[migrationName] = Date.now()
+      await db.put(doc)
+    } catch (err) {
+      console.error(
+        `[Tenant: ${tenantId}] [Migration: ${migrationName}] [DB: ${dbName}] Error: `,
+        err
+      )
+      throw err
+    }
   }
 }
 
@@ -160,7 +159,7 @@ export const runMigrations = async (
       tenantIds = [options.noOp.tenantId]
     } else if (!options.tenantIds || !options.tenantIds.length) {
       // run for all tenants
-      tenantIds = await getTenantIds()
+      tenantIds = await platform.tenants.getTenantIds()
     } else {
       tenantIds = options.tenantIds
     }
@@ -185,7 +184,10 @@ export const runMigrations = async (
     // for all migrations
     for (const migration of migrations) {
       // run the migration
-      await doInTenant(tenantId, () => runMigration(migration, options))
+      await context.doInTenant(
+        tenantId,
+        async () => await runMigration(migration, options)
+      )
     }
   }
   console.log("Migrations complete")
diff --git a/packages/backend-core/src/migrations/tests/__snapshots__/index.spec.js.snap b/packages/backend-core/src/migrations/tests/__snapshots__/migrations.spec.ts.snap
similarity index 100%
rename from packages/backend-core/src/migrations/tests/__snapshots__/index.spec.js.snap
rename to packages/backend-core/src/migrations/tests/__snapshots__/migrations.spec.ts.snap
diff --git a/packages/backend-core/src/migrations/tests/index.spec.js b/packages/backend-core/src/migrations/tests/index.spec.js
deleted file mode 100644
index c1915510c3..0000000000
--- a/packages/backend-core/src/migrations/tests/index.spec.js
+++ /dev/null
@@ -1,57 +0,0 @@
-require("../../../tests")
-const { runMigrations, getMigrationsDoc } = require("../index")
-const { getGlobalDBName, getDB } = require("../../db")
-
-const { structures, testEnv } = require("../../../tests")
-testEnv.multiTenant()
-
-let db
-
-describe("migrations", () => {
-
-  const migrationFunction = jest.fn()
-
-  const MIGRATIONS = [{
-    type: "global",
-    name: "test",
-    fn: migrationFunction
-  }]
-
-  let tenantId
-
-  beforeEach(() => {
-    tenantId = structures.tenant.id()
-    db = getDB(getGlobalDBName(tenantId))
-  })
-
-  afterEach(async () => {
-    jest.clearAllMocks()
-    await db.destroy()
-  })
-
-  const migrate = () => {
-    return runMigrations(MIGRATIONS, { tenantIds: [tenantId]})
-  }
-
-  it("should run a new migration", async () => {
-    await migrate()
-    expect(migrationFunction).toHaveBeenCalled()
-    const doc = await getMigrationsDoc(db)
-    expect(doc.test).toBeDefined()
-  })
-
-  it("should match snapshot", async () => {
-    await migrate()
-    const doc = await getMigrationsDoc(db)
-    expect(doc).toMatchSnapshot()
-  })
-
-  it("should skip a previously run migration", async () => {
-    await migrate()
-    const previousMigrationTime = await getMigrationsDoc(db).test
-    await migrate()
-    const currentMigrationTime = await getMigrationsDoc(db).test
-    expect(migrationFunction).toHaveBeenCalledTimes(1)
-    expect(currentMigrationTime).toBe(previousMigrationTime)
-  })
-})
\ No newline at end of file
diff --git a/packages/backend-core/src/migrations/tests/migrations.spec.ts b/packages/backend-core/src/migrations/tests/migrations.spec.ts
new file mode 100644
index 0000000000..c74ab816c1
--- /dev/null
+++ b/packages/backend-core/src/migrations/tests/migrations.spec.ts
@@ -0,0 +1,64 @@
+import { testEnv, DBTestConfiguration } from "../../../tests"
+import * as migrations from "../index"
+import * as context from "../../context"
+import { MigrationType } from "@budibase/types"
+
+testEnv.multiTenant()
+
+describe("migrations", () => {
+  const config = new DBTestConfiguration()
+
+  const migrationFunction = jest.fn()
+
+  const MIGRATIONS = [
+    {
+      type: MigrationType.GLOBAL,
+      name: "test" as any,
+      fn: migrationFunction,
+    },
+  ]
+
+  beforeEach(() => {
+    config.newTenant()
+  })
+
+  afterEach(async () => {
+    jest.clearAllMocks()
+  })
+
+  const migrate = () => {
+    return migrations.runMigrations(MIGRATIONS, {
+      tenantIds: [config.tenantId],
+    })
+  }
+
+  it("should run a new migration", async () => {
+    await config.doInTenant(async () => {
+      await migrate()
+      expect(migrationFunction).toHaveBeenCalled()
+      const db = context.getGlobalDB()
+      const doc = await migrations.getMigrationsDoc(db)
+      expect(doc.test).toBeDefined()
+    })
+  })
+
+  it("should match snapshot", async () => {
+    await config.doInTenant(async () => {
+      await migrate()
+      const doc = await migrations.getMigrationsDoc(context.getGlobalDB())
+      expect(doc).toMatchSnapshot()
+    })
+  })
+
+  it("should skip a previously run migration", async () => {
+    await config.doInTenant(async () => {
+      const db = context.getGlobalDB()
+      await migrate()
+      const previousDoc = await migrations.getMigrationsDoc(db)
+      await migrate()
+      const currentDoc = await migrations.getMigrationsDoc(db)
+      expect(migrationFunction).toHaveBeenCalledTimes(1)
+      expect(currentDoc.test).toBe(previousDoc.test)
+    })
+  })
+})
diff --git a/packages/backend-core/src/objectStore/buckets/global.ts b/packages/backend-core/src/objectStore/buckets/global.ts
index 8bf883b11e..69e201bb98 100644
--- a/packages/backend-core/src/objectStore/buckets/global.ts
+++ b/packages/backend-core/src/objectStore/buckets/global.ts
@@ -1,5 +1,5 @@
 import env from "../../environment"
-import * as tenancy from "../../tenancy"
+import * as context from "../../context"
 import * as objectStore from "../objectStore"
 import * as cloudfront from "../cloudfront"
 
@@ -22,7 +22,7 @@ export const getGlobalFileUrl = (type: string, name: string, etag?: string) => {
 export const getGlobalFileS3Key = (type: string, name: string) => {
   let file = `${type}/${name}`
   if (env.MULTI_TENANCY) {
-    const tenantId = tenancy.getTenantId()
+    const tenantId = context.getTenantId()
     file = `${tenantId}/${file}`
   }
   return file
diff --git a/packages/backend-core/src/objectStore/buckets/plugins.ts b/packages/backend-core/src/objectStore/buckets/plugins.ts
index cd3bf77e87..f7721afb23 100644
--- a/packages/backend-core/src/objectStore/buckets/plugins.ts
+++ b/packages/backend-core/src/objectStore/buckets/plugins.ts
@@ -1,6 +1,6 @@
 import env from "../../environment"
 import * as objectStore from "../objectStore"
-import * as tenancy from "../../tenancy"
+import * as context from "../../context"
 import * as cloudfront from "../cloudfront"
 import { Plugin } from "@budibase/types"
 
@@ -61,7 +61,7 @@ const getPluginS3Key = (plugin: Plugin, fileName: string) => {
 export const getPluginS3Dir = (pluginName: string) => {
   let s3Key = `${pluginName}`
   if (env.MULTI_TENANCY) {
-    const tenantId = tenancy.getTenantId()
+    const tenantId = context.getTenantId()
     s3Key = `${tenantId}/${s3Key}`
   }
   if (env.CLOUDFRONT_CDN) {
diff --git a/packages/backend-core/src/platform/index.ts b/packages/backend-core/src/platform/index.ts
new file mode 100644
index 0000000000..877d85ade0
--- /dev/null
+++ b/packages/backend-core/src/platform/index.ts
@@ -0,0 +1,3 @@
+export * as users from "./users"
+export * as tenants from "./tenants"
+export * from "./platformDb"
diff --git a/packages/backend-core/src/platform/platformDb.ts b/packages/backend-core/src/platform/platformDb.ts
new file mode 100644
index 0000000000..90b683dd33
--- /dev/null
+++ b/packages/backend-core/src/platform/platformDb.ts
@@ -0,0 +1,6 @@
+import { StaticDatabases } from "../constants"
+import { getDB } from "../db/db"
+
+export function getPlatformDB() {
+  return getDB(StaticDatabases.PLATFORM_INFO.name)
+}
diff --git a/packages/backend-core/src/platform/tenants.ts b/packages/backend-core/src/platform/tenants.ts
new file mode 100644
index 0000000000..b9f946a735
--- /dev/null
+++ b/packages/backend-core/src/platform/tenants.ts
@@ -0,0 +1,101 @@
+import { StaticDatabases } from "../constants"
+import { getPlatformDB } from "./platformDb"
+import { LockName, LockOptions, LockType, Tenants } from "@budibase/types"
+import * as locks from "../redis/redlock"
+
+const TENANT_DOC = StaticDatabases.PLATFORM_INFO.docs.tenants
+
+export const tenacyLockOptions: LockOptions = {
+  type: LockType.DEFAULT,
+  name: LockName.UPDATE_TENANTS_DOC,
+  ttl: 10 * 1000, // auto expire after 10 seconds
+  systemLock: true,
+}
+
+// READ
+
+export async function getTenantIds(): Promise<string[]> {
+  const tenants = await getTenants()
+  return tenants.tenantIds
+}
+
+async function getTenants(): Promise<Tenants> {
+  const db = getPlatformDB()
+  let tenants: Tenants
+
+  try {
+    tenants = await db.get(TENANT_DOC)
+  } catch (e: any) {
+    // doesn't exist yet - create
+    if (e.status === 404) {
+      tenants = await createTenantsDoc()
+    } else {
+      throw e
+    }
+  }
+
+  return tenants
+}
+
+export async function exists(tenantId: string) {
+  const tenants = await getTenants()
+  return tenants.tenantIds.indexOf(tenantId) !== -1
+}
+
+// CREATE / UPDATE
+
+function newTenantsDoc(): Tenants {
+  return {
+    _id: TENANT_DOC,
+    tenantIds: [],
+  }
+}
+
+async function createTenantsDoc(): Promise<Tenants> {
+  const db = getPlatformDB()
+  let tenants = newTenantsDoc()
+
+  try {
+    const response = await db.put(tenants)
+    tenants._rev = response.rev
+  } catch (e: any) {
+    // don't throw 409 is doc has already been created
+    if (e.status === 409) {
+      return db.get(TENANT_DOC)
+    }
+    throw e
+  }
+
+  return tenants
+}
+
+export async function addTenant(tenantId: string) {
+  const db = getPlatformDB()
+
+  // use a lock as tenant creation is conflict prone
+  await locks.doWithLock(tenacyLockOptions, async () => {
+    const tenants = await getTenants()
+
+    // write the new tenant if it doesn't already exist
+    if (tenants.tenantIds.indexOf(tenantId) === -1) {
+      tenants.tenantIds.push(tenantId)
+      await db.put(tenants)
+    }
+  })
+}
+
+// DELETE
+
+export async function removeTenant(tenantId: string) {
+  try {
+    await locks.doWithLock(tenacyLockOptions, async () => {
+      const db = getPlatformDB()
+      const tenants = await getTenants()
+      tenants.tenantIds = tenants.tenantIds.filter(id => id !== tenantId)
+      await db.put(tenants)
+    })
+  } catch (err) {
+    console.error(`Error removing tenant ${tenantId} from info db`, err)
+    throw err
+  }
+}
diff --git a/packages/backend-core/src/platform/tests/tenants.spec.ts b/packages/backend-core/src/platform/tests/tenants.spec.ts
new file mode 100644
index 0000000000..92e999cb2d
--- /dev/null
+++ b/packages/backend-core/src/platform/tests/tenants.spec.ts
@@ -0,0 +1,25 @@
+import { DBTestConfiguration, structures } from "../../../tests"
+import * as tenants from "../tenants"
+
+describe("tenants", () => {
+  const config = new DBTestConfiguration()
+
+  describe("addTenant", () => {
+    it("concurrently adds multiple tenants safely", async () => {
+      const tenant1 = structures.tenant.id()
+      const tenant2 = structures.tenant.id()
+      const tenant3 = structures.tenant.id()
+
+      await Promise.all([
+        tenants.addTenant(tenant1),
+        tenants.addTenant(tenant2),
+        tenants.addTenant(tenant3),
+      ])
+
+      const tenantIds = await tenants.getTenantIds()
+      expect(tenantIds.includes(tenant1)).toBe(true)
+      expect(tenantIds.includes(tenant2)).toBe(true)
+      expect(tenantIds.includes(tenant3)).toBe(true)
+    })
+  })
+})
diff --git a/packages/backend-core/src/platform/users.ts b/packages/backend-core/src/platform/users.ts
new file mode 100644
index 0000000000..c65a7e0ec4
--- /dev/null
+++ b/packages/backend-core/src/platform/users.ts
@@ -0,0 +1,90 @@
+import { getPlatformDB } from "./platformDb"
+import { DEFAULT_TENANT_ID } from "../constants"
+import env from "../environment"
+import {
+  PlatformUser,
+  PlatformUserByEmail,
+  PlatformUserById,
+  User,
+} from "@budibase/types"
+
+// READ
+
+export async function lookupTenantId(userId: string) {
+  if (!env.MULTI_TENANCY) {
+    return DEFAULT_TENANT_ID
+  }
+
+  const user = await getUserDoc(userId)
+  return user.tenantId
+}
+
+async function getUserDoc(emailOrId: string): Promise<PlatformUser> {
+  const db = getPlatformDB()
+  return db.get(emailOrId)
+}
+
+// CREATE
+
+function newUserIdDoc(id: string, tenantId: string): PlatformUserById {
+  return {
+    _id: id,
+    tenantId,
+  }
+}
+
+function newUserEmailDoc(
+  userId: string,
+  email: string,
+  tenantId: string
+): PlatformUserByEmail {
+  return {
+    _id: email,
+    userId,
+    tenantId,
+  }
+}
+
+/**
+ * Add a new user id or email doc if it doesn't exist.
+ */
+async function addUserDoc(emailOrId: string, newDocFn: () => PlatformUser) {
+  const db = getPlatformDB()
+  let user: PlatformUser
+
+  try {
+    await db.get(emailOrId)
+  } catch (e: any) {
+    if (e.status === 404) {
+      user = newDocFn()
+      await db.put(user)
+    } else {
+      throw e
+    }
+  }
+}
+
+export async function addUser(tenantId: string, userId: string, email: string) {
+  await Promise.all([
+    addUserDoc(userId, () => newUserIdDoc(userId, tenantId)),
+    addUserDoc(email, () => newUserEmailDoc(userId, email, tenantId)),
+  ])
+}
+
+// DELETE
+
+export async function removeUser(user: User) {
+  const db = getPlatformDB()
+  const keys = [user._id!, user.email]
+  const userDocs = await db.allDocs({
+    keys,
+    include_docs: true,
+  })
+  const toDelete = userDocs.rows.map((row: any) => {
+    return {
+      ...row.doc,
+      _deleted: true,
+    }
+  })
+  await db.bulkDocs(toDelete)
+}
diff --git a/packages/backend-core/src/queue/queue.ts b/packages/backend-core/src/queue/queue.ts
index b34d46e463..8e1fc1fbf3 100644
--- a/packages/backend-core/src/queue/queue.ts
+++ b/packages/backend-core/src/queue/queue.ts
@@ -4,7 +4,6 @@ import { JobQueue } from "./constants"
 import InMemoryQueue from "./inMemoryQueue"
 import BullQueue from "bull"
 import { addListeners, StalledFn } from "./listeners"
-const { opts: redisOpts, redisProtocolUrl } = getRedisOptions()
 
 const CLEANUP_PERIOD_MS = 60 * 1000
 let QUEUES: BullQueue.Queue[] | InMemoryQueue[] = []
@@ -20,6 +19,7 @@ export function createQueue<T>(
   jobQueue: JobQueue,
   opts: { removeStalledCb?: StalledFn } = {}
 ): BullQueue.Queue<T> {
+  const { opts: redisOpts, redisProtocolUrl } = getRedisOptions()
   const queueConfig: any = redisProtocolUrl || { redis: redisOpts }
   let queue: any
   if (!env.isTest()) {
diff --git a/packages/backend-core/src/redis/index.ts b/packages/backend-core/src/redis/index.ts
index ea4379f048..5bf2c65c39 100644
--- a/packages/backend-core/src/redis/index.ts
+++ b/packages/backend-core/src/redis/index.ts
@@ -3,4 +3,4 @@
 export { default as Client } from "./redis"
 export * as utils from "./utils"
 export * as clients from "./init"
-export * as redlock from "./redlock"
+export * as locks from "./redlock"
diff --git a/packages/backend-core/src/redis/init.ts b/packages/backend-core/src/redis/init.ts
index 00329ffb84..485268edad 100644
--- a/packages/backend-core/src/redis/init.ts
+++ b/packages/backend-core/src/redis/init.ts
@@ -20,13 +20,17 @@ async function init() {
   ).init()
 }
 
-process.on("exit", async () => {
+export async function shutdown() {
   if (userClient) await userClient.finish()
   if (sessionClient) await sessionClient.finish()
   if (appClient) await appClient.finish()
   if (cacheClient) await cacheClient.finish()
   if (writethroughClient) await writethroughClient.finish()
   if (lockClient) await lockClient.finish()
+}
+
+process.on("exit", async () => {
+  await shutdown()
 })
 
 export async function getUserClient() {
diff --git a/packages/backend-core/src/redis/redis.ts b/packages/backend-core/src/redis/redis.ts
index 0267709cdc..951369496a 100644
--- a/packages/backend-core/src/redis/redis.ts
+++ b/packages/backend-core/src/redis/redis.ts
@@ -1,6 +1,6 @@
 import env from "../environment"
 // ioredis mock is all in memory
-const Redis = env.isTest() ? require("ioredis-mock") : require("ioredis")
+const Redis = env.MOCK_REDIS ? require("ioredis-mock") : require("ioredis")
 import {
   addDbPrefix,
   removeDbPrefix,
@@ -17,8 +17,13 @@ const DEFAULT_SELECT_DB = SelectableDatabase.DEFAULT
 // for testing just generate the client once
 let CLOSED = false
 let CLIENTS: { [key: number]: any } = {}
-// if in test always connected
-let CONNECTED = env.isTest()
+
+let CONNECTED = false
+
+// mock redis always connected
+if (env.MOCK_REDIS) {
+  CONNECTED = true
+}
 
 function pickClient(selectDb: number): any {
   return CLIENTS[selectDb]
@@ -57,7 +62,7 @@ function init(selectDb = DEFAULT_SELECT_DB) {
     return
   }
   // testing uses a single in memory client
-  if (env.isTest()) {
+  if (env.MOCK_REDIS) {
     CLIENTS[selectDb] = new Redis(getRedisOptions())
   }
   // start the timer - only allowed 5 seconds to connect
@@ -86,6 +91,11 @@ function init(selectDb = DEFAULT_SELECT_DB) {
   }
   // attach handlers
   client.on("end", (err: Error) => {
+    if (env.isTest()) {
+      // don't try to re-connect in test env
+      // allow the process to exit
+      return
+    }
     connectionError(selectDb, timeout, err)
   })
   client.on("error", (err: Error) => {
diff --git a/packages/backend-core/src/redis/redlock.ts b/packages/backend-core/src/redis/redlock.ts
index 54b2c0a8d1..2021da2b56 100644
--- a/packages/backend-core/src/redis/redlock.ts
+++ b/packages/backend-core/src/redis/redlock.ts
@@ -1,29 +1,22 @@
 import Redlock, { Options } from "redlock"
 import { getLockClient } from "./init"
 import { LockOptions, LockType } from "@budibase/types"
-import * as tenancy from "../tenancy"
-
-let noRetryRedlock: Redlock | undefined
+import * as context from "../context"
+import env from "../environment"
 
 const getClient = async (type: LockType): Promise<Redlock> => {
+  if (env.isTest() && type !== LockType.TRY_ONCE) {
+    return newRedlock(OPTIONS.TEST)
+  }
   switch (type) {
     case LockType.TRY_ONCE: {
-      if (!noRetryRedlock) {
-        noRetryRedlock = await newRedlock(OPTIONS.TRY_ONCE)
-      }
-      return noRetryRedlock
+      return newRedlock(OPTIONS.TRY_ONCE)
     }
     case LockType.DEFAULT: {
-      if (!noRetryRedlock) {
-        noRetryRedlock = await newRedlock(OPTIONS.DEFAULT)
-      }
-      return noRetryRedlock
+      return newRedlock(OPTIONS.DEFAULT)
     }
     case LockType.DELAY_500: {
-      if (!noRetryRedlock) {
-        noRetryRedlock = await newRedlock(OPTIONS.DELAY_500)
-      }
-      return noRetryRedlock
+      return newRedlock(OPTIONS.DELAY_500)
     }
     default: {
       throw new Error(`Could not get redlock client: ${type}`)
@@ -36,6 +29,11 @@ export const OPTIONS = {
     // immediately throws an error if the lock is already held
     retryCount: 0,
   },
+  TEST: {
+    // higher retry count in unit tests
+    // due to high contention.
+    retryCount: 100,
+  },
   DEFAULT: {
     // the expected clock drift; for more details
     // see http://redis.io/topics/distlock
@@ -69,12 +67,19 @@ export const doWithLock = async (opts: LockOptions, task: any) => {
   const redlock = await getClient(opts.type)
   let lock
   try {
-    // aquire lock
-    let name: string = `lock:${tenancy.getTenantId()}_${opts.name}`
+    // determine lock name
+    // by default use the tenantId for uniqueness, unless using a system lock
+    const prefix = opts.systemLock ? "system" : context.getTenantId()
+    let name: string = `lock:${prefix}_${opts.name}`
+
+    // add additional unique name if required
     if (opts.nameSuffix) {
       name = name + `_${opts.nameSuffix}`
     }
+
+    // create the lock
     lock = await redlock.lock(name, opts.ttl)
+
     // perform locked task
     // need to await to ensure completion before unlocking
     const result = await task()
diff --git a/packages/backend-core/src/redis/utils.ts b/packages/backend-core/src/redis/utils.ts
index 4c556ebd54..7606c77b87 100644
--- a/packages/backend-core/src/redis/utils.ts
+++ b/packages/backend-core/src/redis/utils.ts
@@ -2,8 +2,6 @@ import env from "../environment"
 
 const SLOT_REFRESH_MS = 2000
 const CONNECT_TIMEOUT_MS = 10000
-const REDIS_URL = !env.REDIS_URL ? "localhost:6379" : env.REDIS_URL
-const REDIS_PASSWORD = !env.REDIS_PASSWORD ? "budibase" : env.REDIS_PASSWORD
 export const SEPARATOR = "-"
 
 /**
@@ -60,8 +58,8 @@ export enum SelectableDatabase {
 }
 
 export function getRedisOptions(clustered = false) {
-  let password = REDIS_PASSWORD
-  let url: string[] | string = REDIS_URL.split("//")
+  let password = env.REDIS_PASSWORD
+  let url: string[] | string = env.REDIS_URL.split("//")
   // get rid of the protocol
   url = url.length > 1 ? url[1] : url[0]
   // check for a password etc
@@ -78,8 +76,8 @@ export function getRedisOptions(clustered = false) {
   let redisProtocolUrl
 
   // fully qualified redis URL
-  if (/rediss?:\/\//.test(REDIS_URL)) {
-    redisProtocolUrl = REDIS_URL
+  if (/rediss?:\/\//.test(env.REDIS_URL)) {
+    redisProtocolUrl = env.REDIS_URL
   }
 
   const opts: any = {
diff --git a/packages/backend-core/src/tenancy/db.ts b/packages/backend-core/src/tenancy/db.ts
new file mode 100644
index 0000000000..10477a8579
--- /dev/null
+++ b/packages/backend-core/src/tenancy/db.ts
@@ -0,0 +1,6 @@
+import { getDB } from "../db/db"
+import { getGlobalDBName } from "../context"
+
+export function getTenantDB(tenantId: string) {
+  return getDB(getGlobalDBName(tenantId))
+}
diff --git a/packages/backend-core/src/tenancy/index.ts b/packages/backend-core/src/tenancy/index.ts
index 1618a136dd..3f17e33271 100644
--- a/packages/backend-core/src/tenancy/index.ts
+++ b/packages/backend-core/src/tenancy/index.ts
@@ -1,2 +1,2 @@
-export * from "../context"
+export * from "./db"
 export * from "./tenancy"
diff --git a/packages/backend-core/src/tenancy/tenancy.ts b/packages/backend-core/src/tenancy/tenancy.ts
index 732402bcb7..e8ddf88226 100644
--- a/packages/backend-core/src/tenancy/tenancy.ts
+++ b/packages/backend-core/src/tenancy/tenancy.ts
@@ -1,4 +1,3 @@
-import { doWithDB, getGlobalDBName } from "../db"
 import {
   DEFAULT_TENANT_ID,
   getTenantId,
@@ -11,10 +10,7 @@ import {
   TenantResolutionStrategy,
   GetTenantIdOptions,
 } from "@budibase/types"
-import { Header, StaticDatabases } from "../constants"
-
-const TENANT_DOC = StaticDatabases.PLATFORM_INFO.docs.tenants
-const PLATFORM_INFO_DB = StaticDatabases.PLATFORM_INFO.name
+import { Header } from "../constants"
 
 export function addTenantToUrl(url: string) {
   const tenantId = getTenantId()
@@ -27,89 +23,6 @@ export function addTenantToUrl(url: string) {
   return url
 }
 
-export async function doesTenantExist(tenantId: string) {
-  return doWithDB(PLATFORM_INFO_DB, async (db: any) => {
-    let tenants
-    try {
-      tenants = await db.get(TENANT_DOC)
-    } catch (err) {
-      // if theres an error the doc doesn't exist, no tenants exist
-      return false
-    }
-    return (
-      tenants &&
-      Array.isArray(tenants.tenantIds) &&
-      tenants.tenantIds.indexOf(tenantId) !== -1
-    )
-  })
-}
-
-export async function tryAddTenant(
-  tenantId: string,
-  userId: string,
-  email: string,
-  afterCreateTenant: () => Promise<void>
-) {
-  return doWithDB(PLATFORM_INFO_DB, async (db: any) => {
-    const getDoc = async (id: string) => {
-      if (!id) {
-        return null
-      }
-      try {
-        return await db.get(id)
-      } catch (err) {
-        return { _id: id }
-      }
-    }
-    let [tenants, userIdDoc, emailDoc] = await Promise.all([
-      getDoc(TENANT_DOC),
-      getDoc(userId),
-      getDoc(email),
-    ])
-    if (!Array.isArray(tenants.tenantIds)) {
-      tenants = {
-        _id: TENANT_DOC,
-        tenantIds: [],
-      }
-    }
-    let promises = []
-    if (userIdDoc) {
-      userIdDoc.tenantId = tenantId
-      promises.push(db.put(userIdDoc))
-    }
-    if (emailDoc) {
-      emailDoc.tenantId = tenantId
-      emailDoc.userId = userId
-      promises.push(db.put(emailDoc))
-    }
-    if (tenants.tenantIds.indexOf(tenantId) === -1) {
-      tenants.tenantIds.push(tenantId)
-      promises.push(db.put(tenants))
-      await afterCreateTenant()
-    }
-    await Promise.all(promises)
-  })
-}
-
-export function doWithGlobalDB(tenantId: string, cb: any) {
-  return doWithDB(getGlobalDBName(tenantId), cb)
-}
-
-export async function lookupTenantId(userId: string) {
-  return doWithDB(StaticDatabases.PLATFORM_INFO.name, async (db: any) => {
-    let tenantId = env.MULTI_TENANCY ? DEFAULT_TENANT_ID : null
-    try {
-      const doc = await db.get(userId)
-      if (doc && doc.tenantId) {
-        tenantId = doc.tenantId
-      }
-    } catch (err) {
-      // just return the default
-    }
-    return tenantId
-  })
-}
-
 export const isUserInAppTenant = (appId: string, user?: any) => {
   let userTenantId
   if (user) {
@@ -121,19 +34,6 @@ export const isUserInAppTenant = (appId: string, user?: any) => {
   return tenantId === userTenantId
 }
 
-export async function getTenantIds() {
-  return doWithDB(PLATFORM_INFO_DB, async (db: any) => {
-    let tenants
-    try {
-      tenants = await db.get(TENANT_DOC)
-    } catch (err) {
-      // if theres an error the doc doesn't exist, no tenants exist
-      return []
-    }
-    return (tenants && tenants.tenantIds) || []
-  })
-}
-
 const ALL_STRATEGIES = Object.values(TenantResolutionStrategy)
 
 export const getTenantIDFromCtx = (
diff --git a/packages/backend-core/src/users.ts b/packages/backend-core/src/users.ts
index 1720a79a83..ef76af390d 100644
--- a/packages/backend-core/src/users.ts
+++ b/packages/backend-core/src/users.ts
@@ -8,6 +8,7 @@ import {
 } from "./db"
 import { BulkDocsResponse, User } from "@budibase/types"
 import { getGlobalDB } from "./context"
+import * as context from "./context"
 
 export const bulkGetGlobalUsersById = async (userIds: string[]) => {
   const db = getGlobalDB()
@@ -24,6 +25,11 @@ export const bulkUpdateGlobalUsers = async (users: User[]) => {
   return (await db.bulkDocs(users)) as BulkDocsResponse
 }
 
+export async function getById(id: string): Promise<User> {
+  const db = context.getGlobalDB()
+  return db.get(id)
+}
+
 /**
  * Given an email address this will use a view to search through
  * all the users to find one with this email address.
diff --git a/packages/backend-core/src/utils/tests/utils.spec.ts b/packages/backend-core/src/utils/tests/utils.spec.ts
index b3cd527fb3..7d6c5561e8 100644
--- a/packages/backend-core/src/utils/tests/utils.spec.ts
+++ b/packages/backend-core/src/utils/tests/utils.spec.ts
@@ -1,21 +1,12 @@
-import { structures } from "../../../tests"
+import { structures, DBTestConfiguration } from "../../../tests"
 import * as utils from "../../utils"
-import * as events from "../../events"
 import * as db from "../../db"
 import { Header } from "../../constants"
-import { doInTenant } from "../../context"
 import { newid } from "../../utils"
+import env from "../../environment"
 
 describe("utils", () => {
-  describe("platformLogout", () => {
-    it("should call platform logout", async () => {
-      await doInTenant(structures.tenant.id(), async () => {
-        const ctx = structures.koa.newContext()
-        await utils.platformLogout({ ctx, userId: "test" })
-        expect(events.auth.logout).toBeCalledTimes(1)
-      })
-    })
-  })
+  const config = new DBTestConfiguration()
 
   describe("getAppIdFromCtx", () => {
     it("gets appId from header", async () => {
@@ -50,21 +41,28 @@ describe("utils", () => {
     })
 
     it("gets appId from url", async () => {
-      const ctx = structures.koa.newContext()
-      const expected = db.generateAppID()
-      const app = structures.apps.app(expected)
+      await config.doInTenant(async () => {
+        const url = "http://test.com"
+        env._set("PLATFORM_URL", url)
 
-      // set custom url
-      const appUrl = newid()
-      app.url = `/${appUrl}`
-      ctx.path = `/app/${appUrl}`
+        const ctx = structures.koa.newContext()
+        ctx.host = `${config.tenantId}.test.com`
 
-      // save the app
-      const database = db.getDB(expected)
-      await database.put(app)
+        const expected = db.generateAppID(config.tenantId)
+        const app = structures.apps.app(expected)
 
-      const actual = await utils.getAppIdFromCtx(ctx)
-      expect(actual).toBe(expected)
+        // set custom url
+        const appUrl = newid()
+        app.url = `/${appUrl}`
+        ctx.path = `/app/${appUrl}`
+
+        // save the app
+        const database = db.getDB(expected)
+        await database.put(app)
+
+        const actual = await utils.getAppIdFromCtx(ctx)
+        expect(actual).toBe(expected)
+      })
     })
 
     it("doesn't get appId from url when previewing", async () => {
diff --git a/packages/backend-core/src/utils/utils.ts b/packages/backend-core/src/utils/utils.ts
index 0556a80c74..1458c94e77 100644
--- a/packages/backend-core/src/utils/utils.ts
+++ b/packages/backend-core/src/utils/utils.ts
@@ -2,23 +2,15 @@ import { getAllApps, queryGlobalView } from "../db"
 import { options } from "../middleware/passport/jwt"
 import {
   Header,
-  Cookie,
   MAX_VALID_DATE,
   DocumentType,
   SEPARATOR,
   ViewName,
 } from "../constants"
 import env from "../environment"
-import * as userCache from "../cache/user"
-import { getSessionsForUser, invalidateSessions } from "../security/sessions"
-import * as events from "../events"
 import * as tenancy from "../tenancy"
-import {
-  App,
-  Ctx,
-  PlatformLogoutOpts,
-  TenantResolutionStrategy,
-} from "@budibase/types"
+import * as context from "../context"
+import { App, Ctx, TenantResolutionStrategy } from "@budibase/types"
 import { SetOption } from "cookies"
 const jwt = require("jsonwebtoken")
 
@@ -38,7 +30,7 @@ export async function resolveAppUrl(ctx: Ctx) {
   const appUrl = ctx.path.split("/")[2]
   let possibleAppUrl = `/${appUrl.toLowerCase()}`
 
-  let tenantId: string | null = tenancy.getTenantId()
+  let tenantId: string | null = context.getTenantId()
   if (env.MULTI_TENANCY) {
     // always use the tenant id from the subdomain in multi tenancy
     // this ensures the logged-in user tenant id doesn't overwrite
@@ -49,7 +41,7 @@ export async function resolveAppUrl(ctx: Ctx) {
   }
 
   // search prod apps for a url that matches
-  const apps: App[] = await tenancy.doInTenant(tenantId, () =>
+  const apps: App[] = await context.doInTenant(tenantId, () =>
     getAllApps({ dev: false })
   )
   const app = apps.filter(
diff --git a/packages/backend-core/tests/jestEnv.ts b/packages/backend-core/tests/jestEnv.ts
index 1190eb3bb7..ec8de2942e 100644
--- a/packages/backend-core/tests/jestEnv.ts
+++ b/packages/backend-core/tests/jestEnv.ts
@@ -1,23 +1,6 @@
-import env from "../src/environment"
-import { mocks } from "./utilities"
-
-// must explicitly enable fetch mock
-mocks.fetch.enable()
-
-// mock all dates to 2020-01-01T00:00:00.000Z
-// use tk.reset() to use real dates in individual tests
-import tk from "timekeeper"
-tk.freeze(mocks.date.MOCK_DATE)
-
-env._set("SELF_HOSTED", "1")
-env._set("NODE_ENV", "jest")
-
-if (!process.env.DEBUG) {
-  global.console.log = jest.fn() // console.log are ignored in tests
-}
-
-if (!process.env.CI) {
-  // set a longer timeout in dev for debugging
-  // 100 seconds
-  jest.setTimeout(100000)
-}
+process.env.SELF_HOSTED = "1"
+process.env.MULTI_TENANCY = "1"
+process.env.NODE_ENV = "jest"
+process.env.MOCK_REDIS = "1"
+process.env.LOG_LEVEL = process.env.LOG_LEVEL || "error"
+process.env.ENABLE_4XX_HTTP_LOGGING = "0"
diff --git a/packages/backend-core/tests/jestSetup.ts b/packages/backend-core/tests/jestSetup.ts
index f7887ec824..e786086de6 100644
--- a/packages/backend-core/tests/jestSetup.ts
+++ b/packages/backend-core/tests/jestSetup.ts
@@ -1,4 +1,23 @@
+import "./logging"
 import env from "../src/environment"
-import { testContainerUtils } from "./utilities"
+import { mocks, testContainerUtils } from "./utilities"
+
+// must explicitly enable fetch mock
+mocks.fetch.enable()
+
+// mock all dates to 2020-01-01T00:00:00.000Z
+// use tk.reset() to use real dates in individual tests
+import tk from "timekeeper"
+tk.freeze(mocks.date.MOCK_DATE)
+
+if (!process.env.DEBUG) {
+  console.log = jest.fn() // console.log are ignored in tests
+}
+
+if (!process.env.CI) {
+  // set a longer timeout in dev for debugging
+  // 100 seconds
+  jest.setTimeout(100000)
+}
 
 testContainerUtils.setupEnv(env)
diff --git a/packages/backend-core/tests/logging.ts b/packages/backend-core/tests/logging.ts
new file mode 100644
index 0000000000..271f4d62ff
--- /dev/null
+++ b/packages/backend-core/tests/logging.ts
@@ -0,0 +1,34 @@
+export enum LogLevel {
+  TRACE = "trace",
+  DEBUG = "debug",
+  INFO = "info",
+  WARN = "warn",
+  ERROR = "error",
+}
+
+const LOG_INDEX: { [key in LogLevel]: number } = {
+  [LogLevel.TRACE]: 1,
+  [LogLevel.DEBUG]: 2,
+  [LogLevel.INFO]: 3,
+  [LogLevel.WARN]: 4,
+  [LogLevel.ERROR]: 5,
+}
+
+const setIndex = LOG_INDEX[process.env.LOG_LEVEL as LogLevel]
+
+if (setIndex > LOG_INDEX.trace) {
+  global.console.trace = jest.fn()
+}
+
+if (setIndex > LOG_INDEX.debug) {
+  global.console.debug = jest.fn()
+}
+
+if (setIndex > LOG_INDEX.info) {
+  global.console.info = jest.fn()
+  global.console.log = jest.fn()
+}
+
+if (setIndex > LOG_INDEX.warn) {
+  global.console.warn = jest.fn()
+}
diff --git a/packages/backend-core/tests/utilities/DBTestConfiguration.ts b/packages/backend-core/tests/utilities/DBTestConfiguration.ts
new file mode 100644
index 0000000000..e5e57a99a3
--- /dev/null
+++ b/packages/backend-core/tests/utilities/DBTestConfiguration.ts
@@ -0,0 +1,36 @@
+import "./mocks"
+import * as structures from "./structures"
+import * as testEnv from "./testEnv"
+import * as context from "../../src/context"
+
+class DBTestConfiguration {
+  tenantId: string
+
+  constructor() {
+    // db tests need to be multi tenant to prevent conflicts
+    testEnv.multiTenant()
+    this.tenantId = structures.tenant.id()
+  }
+
+  newTenant() {
+    this.tenantId = structures.tenant.id()
+  }
+
+  // TENANCY
+
+  doInTenant(task: any) {
+    return context.doInTenant(this.tenantId, () => {
+      return task()
+    })
+  }
+
+  getTenantId() {
+    try {
+      return context.getTenantId()
+    } catch (e) {
+      return this.tenantId!
+    }
+  }
+}
+
+export default DBTestConfiguration
diff --git a/packages/backend-core/tests/utilities/db.ts b/packages/backend-core/tests/utilities/db.ts
deleted file mode 100644
index 84b77bb201..0000000000
--- a/packages/backend-core/tests/utilities/db.ts
+++ /dev/null
@@ -1,9 +0,0 @@
-import * as db from "../../src/db"
-
-const dbConfig = {
-  inMemory: true,
-}
-
-export const init = () => {
-  db.init(dbConfig)
-}
diff --git a/packages/backend-core/tests/utilities/index.ts b/packages/backend-core/tests/utilities/index.ts
index 468d980a7f..efe014908b 100644
--- a/packages/backend-core/tests/utilities/index.ts
+++ b/packages/backend-core/tests/utilities/index.ts
@@ -4,5 +4,4 @@ export { generator } from "./structures"
 export * as testEnv from "./testEnv"
 export * as testContainerUtils from "./testContainerUtils"
 
-import * as dbConfig from "./db"
-dbConfig.init()
+export { default as DBTestConfiguration } from "./DBTestConfiguration"
diff --git a/packages/backend-core/tests/utilities/mocks/accounts.ts b/packages/backend-core/tests/utilities/mocks/accounts.ts
deleted file mode 100644
index e40d32b276..0000000000
--- a/packages/backend-core/tests/utilities/mocks/accounts.ts
+++ /dev/null
@@ -1,13 +0,0 @@
-const mockGetAccount = jest.fn()
-const mockGetAccountByTenantId = jest.fn()
-const mockGetStatus = jest.fn()
-
-jest.mock("../../../src/cloud/accounts", () => ({
-  getAccount: mockGetAccount,
-  getAccountByTenantId: mockGetAccountByTenantId,
-  getStatus: mockGetStatus,
-}))
-
-export const getAccount = mockGetAccount
-export const getAccountByTenantId = mockGetAccountByTenantId
-export const getStatus = mockGetStatus
diff --git a/packages/backend-core/tests/utilities/mocks/index.ts b/packages/backend-core/tests/utilities/mocks/index.ts
index 401fd7d7a7..f5f45c0342 100644
--- a/packages/backend-core/tests/utilities/mocks/index.ts
+++ b/packages/backend-core/tests/utilities/mocks/index.ts
@@ -1,4 +1,7 @@
-export * as accounts from "./accounts"
+jest.mock("../../../src/accounts")
+import * as _accounts from "../../../src/accounts"
+export const accounts = jest.mocked(_accounts)
+
 export * as date from "./date"
 export * as licenses from "./licenses"
 export { default as fetch } from "./fetch"
diff --git a/packages/backend-core/tests/utilities/structures/accounts.ts b/packages/backend-core/tests/utilities/structures/accounts.ts
index f1718aecc0..6bfeedf196 100644
--- a/packages/backend-core/tests/utilities/structures/accounts.ts
+++ b/packages/backend-core/tests/utilities/structures/accounts.ts
@@ -1,6 +1,15 @@
 import { generator, uuid } from "."
 import * as db from "../../../src/db/utils"
-import { Account, AuthType, CloudAccount, Hosting } from "@budibase/types"
+import {
+  Account,
+  AccountSSOProvider,
+  AccountSSOProviderType,
+  AuthType,
+  CloudAccount,
+  Hosting,
+  SSOAccount,
+} from "@budibase/types"
+import _ from "lodash"
 
 export const account = (): Account => {
   return {
@@ -27,3 +36,28 @@ export const cloudAccount = (): CloudAccount => {
     budibaseUserId: db.generateGlobalUserID(),
   }
 }
+
+function providerType(): AccountSSOProviderType {
+  return _.sample(
+    Object.values(AccountSSOProviderType)
+  ) as AccountSSOProviderType
+}
+
+function provider(): AccountSSOProvider {
+  return _.sample(Object.values(AccountSSOProvider)) as AccountSSOProvider
+}
+
+export function ssoAccount(): SSOAccount {
+  return {
+    ...cloudAccount(),
+    authType: AuthType.SSO,
+    oauth2: {
+      accessToken: generator.string(),
+      refreshToken: generator.string(),
+    },
+    pictureUrl: generator.url(),
+    provider: provider(),
+    providerType: providerType(),
+    thirdPartyProfile: {},
+  }
+}
diff --git a/packages/backend-core/tests/utilities/structures/index.ts b/packages/backend-core/tests/utilities/structures/index.ts
index e74751e479..d0073ba851 100644
--- a/packages/backend-core/tests/utilities/structures/index.ts
+++ b/packages/backend-core/tests/utilities/structures/index.ts
@@ -5,8 +5,10 @@ export const generator = new Chance()
 
 export * as accounts from "./accounts"
 export * as apps from "./apps"
+export * as db from "./db"
 export * as koa from "./koa"
 export * as licenses from "./licenses"
 export * as plugins from "./plugins"
+export * as sso from "./sso"
 export * as tenant from "./tenants"
-export * as db from "./db"
+export * as users from "./users"
diff --git a/packages/backend-core/tests/utilities/structures/sso.ts b/packages/backend-core/tests/utilities/structures/sso.ts
new file mode 100644
index 0000000000..ad5e8e87ef
--- /dev/null
+++ b/packages/backend-core/tests/utilities/structures/sso.ts
@@ -0,0 +1,100 @@
+import {
+  GoogleInnerConfig,
+  JwtClaims,
+  OIDCInnerConfig,
+  OIDCWellKnownConfig,
+  SSOAuthDetails,
+  SSOProfile,
+  SSOProviderType,
+  User,
+} from "@budibase/types"
+import { uuid, generator, users, email } from "./index"
+import _ from "lodash"
+
+export function providerType(): SSOProviderType {
+  return _.sample(Object.values(SSOProviderType)) as SSOProviderType
+}
+
+export function ssoProfile(user?: User): SSOProfile {
+  if (!user) {
+    user = users.user()
+  }
+  return {
+    id: user._id!,
+    name: {
+      givenName: user.firstName,
+      familyName: user.lastName,
+    },
+    _json: {
+      email: user.email,
+      picture: "http://test.com",
+    },
+    provider: generator.string(),
+  }
+}
+
+export function authDetails(user?: User): SSOAuthDetails {
+  if (!user) {
+    user = users.user()
+  }
+
+  const userId = user._id || uuid()
+  const provider = generator.string()
+
+  const profile = ssoProfile(user)
+  profile.provider = provider
+  profile.id = userId
+
+  return {
+    email: user.email,
+    oauth2: {
+      refreshToken: generator.string(),
+      accessToken: generator.string(),
+    },
+    profile,
+    provider,
+    providerType: providerType(),
+    userId,
+  }
+}
+
+// OIDC
+
+export function oidcConfig(): OIDCInnerConfig {
+  return {
+    uuid: uuid(),
+    activated: true,
+    logo: "",
+    name: generator.string(),
+    configUrl: "http://someconfigurl",
+    clientID: generator.string(),
+    clientSecret: generator.string(),
+  }
+}
+
+// response from .well-known/openid-configuration
+export function oidcWellKnownConfig(): OIDCWellKnownConfig {
+  return {
+    issuer: generator.string(),
+    authorization_endpoint: generator.url(),
+    token_endpoint: generator.url(),
+    userinfo_endpoint: generator.url(),
+  }
+}
+
+export function jwtClaims(): JwtClaims {
+  return {
+    email: email(),
+    preferred_username: email(),
+  }
+}
+
+// GOOGLE
+
+export function googleConfig(): GoogleInnerConfig {
+  return {
+    activated: true,
+    clientID: generator.string(),
+    clientSecret: generator.string(),
+  }
+}
diff --git a/packages/backend-core/tests/utilities/structures/users.ts b/packages/backend-core/tests/utilities/structures/users.ts
new file mode 100644
index 0000000000..332c27ca12
--- /dev/null
+++ b/packages/backend-core/tests/utilities/structures/users.ts
@@ -0,0 +1,70 @@
+import { generator } from "../"
+import {
+  AdminUser,
+  BuilderUser,
+  SSOAuthDetails,
+  SSOUser,
+  User,
+} from "@budibase/types"
+import { v4 as uuid } from "uuid"
+import * as sso from "./sso"
+
+export const newEmail = () => {
+  return `${uuid()}@test.com`
+}
+
+export const user = (userProps?: any): User => {
+  return {
+    email: newEmail(),
+    password: "test",
+    roles: { app_test: "admin" },
+    firstName: generator.first(),
+    lastName: generator.last(),
+    pictureUrl: "http://test.com",
+    ...userProps,
+  }
+}
+
+export const adminUser = (userProps?: any): AdminUser => {
+  return {
+    ...user(userProps),
+    admin: {
+      global: true,
+    },
+    builder: {
+      global: true,
+    },
+  }
+}
+
+export const builderUser = (userProps?: any): BuilderUser => {
+  return {
+    ...user(userProps),
+    builder: {
+      global: true,
+    },
+  }
+}
+
+export function ssoUser(
+  opts: { user?: any; details?: SSOAuthDetails } = {}
+): SSOUser {
+  const base = user(opts.user)
+  delete base.password
+
+  if (!opts.details) {
+    opts.details = sso.authDetails(base)
+  }
+
+  return {
+    ...base,
+    forceResetPassword: false,
+    oauth2: opts.details?.oauth2,
+    provider: opts.details?.provider!,
+    providerType: opts.details?.providerType!,
+    thirdPartyProfile: {
+      email: base.email,
+      picture: base.pictureUrl,
+    },
+  }
+}
diff --git a/packages/backend-core/tests/utilities/testContainerUtils.ts b/packages/backend-core/tests/utilities/testContainerUtils.ts
index 22198bd496..11c5fca806 100644
--- a/packages/backend-core/tests/utilities/testContainerUtils.ts
+++ b/packages/backend-core/tests/utilities/testContainerUtils.ts
@@ -34,12 +34,17 @@ function getMinioConfig() {
   return getContainerInfo("minio-service", 9000)
 }
 
+function getRedisConfig() {
+  return getContainerInfo("redis-service", 6379)
+}
+
 export function setupEnv(...envs: any[]) {
   const configs = [
     { key: "COUCH_DB_PORT", value: getCouchConfig().port },
     { key: "COUCH_DB_URL", value: getCouchConfig().url },
     { key: "MINIO_PORT", value: getMinioConfig().port },
     { key: "MINIO_URL", value: getMinioConfig().url },
+    { key: "REDIS_URL", value: getRedisConfig().url },
   ]
 
   for (const config of configs.filter(x => !!x.value)) {
diff --git a/packages/backend-core/tests/utilities/testEnv.ts b/packages/backend-core/tests/utilities/testEnv.ts
index b4f06b5153..b138e019fc 100644
--- a/packages/backend-core/tests/utilities/testEnv.ts
+++ b/packages/backend-core/tests/utilities/testEnv.ts
@@ -1,12 +1,12 @@
 import env from "../../src/environment"
-import * as tenancy from "../../src/tenancy"
-import { newid } from "../../src/utils"
+import * as context from "../../src/context"
+import * as structures from "./structures"
 
 // TENANCY
 
 export async function withTenant(task: (tenantId: string) => any) {
-  const tenantId = newid()
-  return tenancy.doInTenant(tenantId, async () => {
+  const tenantId = structures.tenant.id()
+  return context.doInTenant(tenantId, async () => {
     await task(tenantId)
   })
 }
@@ -19,6 +19,14 @@ export function multiTenant() {
   env._set("MULTI_TENANCY", 1)
 }
 
+export function selfHosted() {
+  env._set("SELF_HOSTED", 1)
+}
+
+export function cloudHosted() {
+  env._set("SELF_HOSTED", 0)
+}
+
 // NODE
 
 export function nodeDev() {
diff --git a/packages/backend-core/yarn.lock b/packages/backend-core/yarn.lock
index d88b1058f9..5f8edb3df6 100644
--- a/packages/backend-core/yarn.lock
+++ b/packages/backend-core/yarn.lock
@@ -1197,10 +1197,10 @@
   dependencies:
     "@types/istanbul-lib-report" "*"
 
-"@types/jest@27.5.1":
-  version "27.5.1"
-  resolved "https://registry.yarnpkg.com/@types/jest/-/jest-27.5.1.tgz#2c8b6dc6ff85c33bcd07d0b62cb3d19ddfdb3ab9"
-  integrity sha512-fUy7YRpT+rHXto1YlL+J9rs0uLGyiqVt3ZOTQR+4ROc47yNl8WLdVLgUloBRhOxP1PZvguHl44T3H0wAWxahYQ==
+"@types/jest@28.1.1":
+  version "28.1.1"
+  resolved "https://registry.yarnpkg.com/@types/jest/-/jest-28.1.1.tgz#8c9ba63702a11f8c386ee211280e8b68cb093cd1"
+  integrity sha512-C2p7yqleUKtCkVjlOur9BWVA4HgUQmEj/HWCt5WzZ5mLXrWnyIfl0wGuArc+kBXsy0ZZfLp+7dywB4HtSVYGVA==
   dependencies:
     jest-matcher-utils "^27.0.0"
     pretty-format "^27.0.0"
diff --git a/packages/bbui/package.json b/packages/bbui/package.json
index 07a915a728..9e3aea5fea 100644
--- a/packages/bbui/package.json
+++ b/packages/bbui/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@budibase/bbui",
   "description": "A UI solution used in the different Budibase projects.",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "license": "MPL-2.0",
   "svelte": "src/index.js",
   "module": "dist/bbui.es.js",
@@ -38,7 +38,7 @@
   ],
   "dependencies": {
     "@adobe/spectrum-css-workflow-icons": "1.2.1",
-    "@budibase/string-templates": "2.3.14-alpha.0",
+    "@budibase/string-templates": "2.3.18-alpha.0",
     "@spectrum-css/accordion": "3.0.24",
     "@spectrum-css/actionbutton": "1.0.1",
     "@spectrum-css/actiongroup": "1.0.1",
diff --git a/packages/builder/package.json b/packages/builder/package.json
index 46d58b5ccd..f8f6ac289d 100644
--- a/packages/builder/package.json
+++ b/packages/builder/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@budibase/builder",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "license": "GPL-3.0",
   "private": true,
   "scripts": {
@@ -58,10 +58,10 @@
     }
   },
   "dependencies": {
-    "@budibase/bbui": "2.3.14-alpha.0",
-    "@budibase/client": "2.3.14-alpha.0",
-    "@budibase/frontend-core": "2.3.14-alpha.0",
-    "@budibase/string-templates": "2.3.14-alpha.0",
+    "@budibase/bbui": "2.3.18-alpha.0",
+    "@budibase/client": "2.3.18-alpha.0",
+    "@budibase/frontend-core": "2.3.18-alpha.0",
+    "@budibase/string-templates": "2.3.18-alpha.0",
     "@fortawesome/fontawesome-svg-core": "^6.2.1",
     "@fortawesome/free-brands-svg-icons": "^6.2.1",
     "@fortawesome/free-solid-svg-icons": "^6.2.1",
diff --git a/packages/builder/setup.js b/packages/builder/setup.js
index 744c20896a..b3fd96877b 100644
--- a/packages/builder/setup.js
+++ b/packages/builder/setup.js
@@ -19,6 +19,7 @@ process.env.COUCH_DB_USER = "budibase"
 process.env.COUCH_DB_PASSWORD = "budibase"
 process.env.INTERNAL_API_KEY = "budibase"
 process.env.ALLOW_DEV_AUTOMATIONS = 1
+process.env.MOCK_REDIS = 1
 
 // Stop info logs polluting test outputs
 process.env.LOG_LEVEL = "error"
diff --git a/packages/builder/src/builderStore/store/frontend.js b/packages/builder/src/builderStore/store/frontend.js
index 7d19573cce..56b8a599f0 100644
--- a/packages/builder/src/builderStore/store/frontend.js
+++ b/packages/builder/src/builderStore/store/frontend.js
@@ -312,7 +312,7 @@ export const getFrontendStore = () => {
         const screensToDelete = Array.isArray(screens) ? screens : [screens]
 
         // Build array of promises to speed up bulk deletions
-        const promises = []
+        let promises = []
         let deleteUrls = []
         screensToDelete.forEach(screen => {
           // Delete the screen
@@ -326,8 +326,8 @@ export const getFrontendStore = () => {
           deleteUrls.push(screen.routing.route)
         })
 
-        promises.push(store.actions.links.delete(deleteUrls))
         await Promise.all(promises)
+        await store.actions.links.delete(deleteUrls)
         const deletedIds = screensToDelete.map(screen => screen._id)
         const routesResponse = await API.fetchAppRoutes()
         store.update(state => {
diff --git a/packages/builder/src/components/backend/DataTable/modals/CreateEditColumn.svelte b/packages/builder/src/components/backend/DataTable/modals/CreateEditColumn.svelte
index 95e53b4192..d7225a6645 100644
--- a/packages/builder/src/components/backend/DataTable/modals/CreateEditColumn.svelte
+++ b/packages/builder/src/components/backend/DataTable/modals/CreateEditColumn.svelte
@@ -18,7 +18,6 @@
   import { TableNames, UNEDITABLE_USER_FIELDS } from "constants"
   import {
     FIELDS,
-    AUTO_COLUMN_SUB_TYPES,
     RelationshipTypes,
     ALLOWABLE_STRING_OPTIONS,
     ALLOWABLE_NUMBER_OPTIONS,
@@ -132,12 +131,6 @@
     : availableAutoColumns
 
   // used to select what different options can be displayed for column type
-  $: canBeSearched =
-    editableColumn?.type !== LINK_TYPE &&
-    editableColumn?.type !== JSON_TYPE &&
-    editableColumn?.subtype !== AUTO_COLUMN_SUB_TYPES.CREATED_BY &&
-    editableColumn?.subtype !== AUTO_COLUMN_SUB_TYPES.UPDATED_BY &&
-    editableColumn?.type !== FORMULA_TYPE
   $: canBeDisplay =
     editableColumn?.type !== LINK_TYPE &&
     editableColumn?.type !== AUTO_TYPE &&
@@ -254,18 +247,6 @@
     }
   }
 
-  function onChangePrimaryIndex(e) {
-    indexes = e.detail ? [editableColumn.name] : []
-  }
-
-  function onChangeSecondaryIndex(e) {
-    if (e.detail) {
-      indexes[1] = editableColumn.name
-    } else {
-      indexes = indexes.slice(0, 1)
-    }
-  }
-
   function openJsonSchemaEditor() {
     jsonSchemaModal.show()
   }
@@ -460,24 +441,6 @@
     </div>
   {/if}
 
-  {#if canBeSearched && !external}
-    <div>
-      <Label>Search Indexes</Label>
-      <Toggle
-        value={indexes[0] === editableColumn.name}
-        disabled={indexes[1] === editableColumn.name}
-        on:change={onChangePrimaryIndex}
-        text="Primary"
-      />
-      <Toggle
-        value={indexes[1] === editableColumn.name}
-        disabled={!indexes[0] || indexes[0] === editableColumn.name}
-        on:change={onChangeSecondaryIndex}
-        text="Secondary"
-      />
-    </div>
-  {/if}
-
   {#if editableColumn.type === "string"}
     <Input
       type="number"
diff --git a/packages/builder/src/components/common/bindings/BindingPanel.svelte b/packages/builder/src/components/common/bindings/BindingPanel.svelte
index 7daf2173a7..3a1c6c4fee 100644
--- a/packages/builder/src/components/common/bindings/BindingPanel.svelte
+++ b/packages/builder/src/components/common/bindings/BindingPanel.svelte
@@ -183,6 +183,7 @@
     bind:this={popover}
     anchor={popoverAnchor}
     maxWidth={300}
+    dismissible={false}
   >
     <Layout gap="S">
       <div class="helper">
diff --git a/packages/builder/src/components/design/settings/controls/ButtonActionEditor/actions/FetchRow.svelte b/packages/builder/src/components/design/settings/controls/ButtonActionEditor/actions/FetchRow.svelte
new file mode 100644
index 0000000000..fb8b8c3f90
--- /dev/null
+++ b/packages/builder/src/components/design/settings/controls/ButtonActionEditor/actions/FetchRow.svelte
@@ -0,0 +1,40 @@
+<script>
+  import { Select, Label } from "@budibase/bbui"
+  import { tables } from "stores/backend"
+  import DrawerBindableInput from "components/common/bindings/DrawerBindableInput.svelte"
+
+  export let parameters
+  export let bindings = []
+
+  $: tableOptions = $tables.list || []
+</script>
+
+<div class="root">
+  <Label>Table</Label>
+  <Select
+    bind:value={parameters.tableId}
+    options={tableOptions}
+    getOptionLabel={table => table.name}
+    getOptionValue={table => table._id}
+  />
+
+  <Label small>Row ID</Label>
+  <DrawerBindableInput
+    {bindings}
+    title="Row ID to Fetch"
+    value={parameters.rowId}
+    on:change={value => (parameters.rowId = value.detail)}
+  />
+</div>
+
+<style>
+  .root {
+    display: grid;
+    column-gap: var(--spacing-l);
+    row-gap: var(--spacing-s);
+    grid-template-columns: 60px 1fr;
+    align-items: center;
+    max-width: 800px;
+    margin: 0 auto;
+  }
+</style>
diff --git a/packages/builder/src/components/design/settings/controls/ButtonActionEditor/actions/index.js b/packages/builder/src/components/design/settings/controls/ButtonActionEditor/actions/index.js
index 90ce1607e4..eee7f5b757 100644
--- a/packages/builder/src/components/design/settings/controls/ButtonActionEditor/actions/index.js
+++ b/packages/builder/src/components/design/settings/controls/ButtonActionEditor/actions/index.js
@@ -1,3 +1,4 @@
+export { default as FetchRow } from "./FetchRow.svelte"
 export { default as NavigateTo } from "./NavigateTo.svelte"
 export { default as SaveRow } from "./SaveRow.svelte"
 export { default as DeleteRow } from "./DeleteRow.svelte"
diff --git a/packages/builder/src/components/design/settings/controls/ButtonActionEditor/manifest.json b/packages/builder/src/components/design/settings/controls/ButtonActionEditor/manifest.json
index 7497990304..97ac9aa0b6 100644
--- a/packages/builder/src/components/design/settings/controls/ButtonActionEditor/manifest.json
+++ b/packages/builder/src/components/design/settings/controls/ButtonActionEditor/manifest.json
@@ -27,6 +27,17 @@
       "type": "data",
       "component": "DeleteRow"
     },
+    {
+      "name": "Fetch Row",
+      "type": "data",
+      "component": "FetchRow",
+      "context": [
+        {
+          "label": "Fetched row",
+          "value": "row"
+        }
+      ]
+    },
     {
       "name": "Navigate To",
       "type": "application",
@@ -135,4 +146,4 @@
       "dependsOnFeature": "sidePanel"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/packages/builder/src/components/design/settings/controls/FilterEditor/FilterDrawer.svelte b/packages/builder/src/components/design/settings/controls/FilterEditor/FilterDrawer.svelte
index 629e2024e7..f56d7a78d4 100644
--- a/packages/builder/src/components/design/settings/controls/FilterEditor/FilterDrawer.svelte
+++ b/packages/builder/src/components/design/settings/controls/FilterEditor/FilterDrawer.svelte
@@ -101,7 +101,7 @@
   }
 
   const getSchema = filter => {
-    return schemaFields.find(field => field.name === filter.field)
+    return enrichedSchemaFields.find(field => field.name === filter.field)
   }
 
   const santizeTypes = filter => {
@@ -254,8 +254,8 @@
               {:else if filter.type === "datetime"}
                 <DatePicker
                   disabled={filter.noValue}
-                  enableTime={!getSchema(filter).dateOnly}
-                  timeOnly={getSchema(filter).timeOnly}
+                  enableTime={!getSchema(filter)?.dateOnly}
+                  timeOnly={getSchema(filter)?.timeOnly}
                   bind:value={filter.value}
                 />
               {:else}
diff --git a/packages/builder/src/components/start/CreateAppModal.svelte b/packages/builder/src/components/start/CreateAppModal.svelte
index 9ebc046cdc..e3ce048a89 100644
--- a/packages/builder/src/components/start/CreateAppModal.svelte
+++ b/packages/builder/src/components/start/CreateAppModal.svelte
@@ -26,7 +26,15 @@
 
   const values = writable({ name: "", url: null })
   const validation = createValidationStore()
-  $: validation.check($values)
+
+  $: {
+    const { name, url } = $values
+
+    validation.check({
+      name,
+      url: url?.[0] === "/" ? url.substring(1, url.length) : url,
+    })
+  }
 
   onMount(async () => {
     const lastChar = $auth.user?.firstName
@@ -87,7 +95,11 @@
     appValidation.url(validation, { apps: applications })
     appValidation.file(validation, { template })
     // init validation
-    validation.check($values)
+    const { name, url } = $values
+    validation.check({
+      name,
+      url: url?.[0] === "/" ? url.substring(1, url.length) : url,
+    })
   }
 
   async function createNewApp() {
diff --git a/packages/builder/src/components/start/UpdateAppModal.svelte b/packages/builder/src/components/start/UpdateAppModal.svelte
index a41ebccaeb..4385175816 100644
--- a/packages/builder/src/components/start/UpdateAppModal.svelte
+++ b/packages/builder/src/components/start/UpdateAppModal.svelte
@@ -23,14 +23,25 @@
   })
   const validation = createValidationStore()
 
-  $: validation.check($values)
+  $: {
+    const { name, url } = $values
+
+    validation.check({
+      name,
+      url: url?.[0] === "/" ? url.substring(1, url.length) : url,
+    })
+  }
 
   const setupValidation = async () => {
     const applications = svelteGet(apps)
     appValidation.name(validation, { apps: applications, currentApp: app })
     appValidation.url(validation, { apps: applications, currentApp: app })
     // init validation
-    validation.check($values)
+    const { name, url } = $values
+    validation.check({
+      name,
+      url: url?.[0] === "/" ? url.substring(1, url.length) : url,
+    })
   }
 
   async function updateApp() {
diff --git a/packages/builder/src/constants/index.js b/packages/builder/src/constants/index.js
index 803cafcffb..f68202f81e 100644
--- a/packages/builder/src/constants/index.js
+++ b/packages/builder/src/constants/index.js
@@ -46,7 +46,7 @@ export const LAYOUT_NAMES = {
 // one or more word characters and whitespace
 export const APP_NAME_REGEX = /^[\w\s]+$/
 // zero or more non-whitespace characters
-export const APP_URL_REGEX = /^\S*$/
+export const APP_URL_REGEX = /^[0-9a-zA-Z-_]+$/
 
 export const DefaultAppTheme = {
   primaryColor: "var(--spectrum-global-color-blue-600)",
diff --git a/packages/builder/src/helpers/validation/yup/app.js b/packages/builder/src/helpers/validation/yup/app.js
index 4e41576d46..8498255cc9 100644
--- a/packages/builder/src/helpers/validation/yup/app.js
+++ b/packages/builder/src/helpers/validation/yup/app.js
@@ -62,11 +62,9 @@ export const url = (validation, { apps, currentApp } = { apps: [] }) => {
         }
         // make it clear that this is a url path and cannot be a full url
         return (
-          value.startsWith("/") &&
           !value.includes("http") &&
           !value.includes("www") &&
-          !value.includes(".") &&
-          value.length > 1 // just '/' is not valid
+          !value.includes(".")
         )
       })
   )
diff --git a/packages/builder/src/pages/builder/portal/_components/UserDropdown.svelte b/packages/builder/src/pages/builder/portal/_components/UserDropdown.svelte
index d396edd4e2..935d69812f 100644
--- a/packages/builder/src/pages/builder/portal/_components/UserDropdown.svelte
+++ b/packages/builder/src/pages/builder/portal/_components/UserDropdown.svelte
@@ -30,9 +30,11 @@
     My profile
   </MenuItem>
   <MenuItem icon="Moon" on:click={() => themeModal.show()}>Theme</MenuItem>
-  <MenuItem icon="LockClosed" on:click={() => updatePasswordModal.show()}>
-    Update password
-  </MenuItem>
+  {#if !$auth.isSSO}
+    <MenuItem icon="LockClosed" on:click={() => updatePasswordModal.show()}>
+      Update password
+    </MenuItem>
+  {/if}
   <MenuItem icon="Key" on:click={() => apiKeyModal.show()}>
     View API key
   </MenuItem>
diff --git a/packages/builder/src/pages/builder/portal/apps/onboarding/_components/NamePanel.svelte b/packages/builder/src/pages/builder/portal/apps/onboarding/_components/NamePanel.svelte
index 730cfbe4a2..1264b63531 100644
--- a/packages/builder/src/pages/builder/portal/apps/onboarding/_components/NamePanel.svelte
+++ b/packages/builder/src/pages/builder/portal/apps/onboarding/_components/NamePanel.svelte
@@ -1,6 +1,7 @@
 <script>
   import { Button, FancyForm, FancyInput } from "@budibase/bbui"
   import PanelHeader from "./PanelHeader.svelte"
+  import { APP_URL_REGEX } from "constants"
 
   export let name = ""
   export let url = ""
@@ -25,6 +26,10 @@
     if (url.length < 1) {
       return "URL must be provided"
     }
+
+    if (!APP_URL_REGEX.test(url)) {
+      return "Invalid URL"
+    }
   }
 </script>
 
diff --git a/packages/builder/src/pages/builder/portal/plugins/index.svelte b/packages/builder/src/pages/builder/portal/plugins/index.svelte
index e39365710b..d8dd4eae11 100644
--- a/packages/builder/src/pages/builder/portal/plugins/index.svelte
+++ b/packages/builder/src/pages/builder/portal/plugins/index.svelte
@@ -81,6 +81,17 @@
     <div class="controls">
       <div>
         <Button on:click={modal.show} cta>Add plugin</Button>
+        <div class="secondaryButton">
+          <Button
+            on:click={() =>
+              window
+                .open("https://github.com/Budibase/plugins", "_blank")
+                .focus()}
+            secondary
+          >
+            GitHub repo
+          </Button>
+        </div>
       </div>
       {#if $plugins?.length}
         <div class="filters">
@@ -97,15 +108,17 @@
       {/if}
     </div>
 
-    <Table
-      {schema}
-      data={filteredPlugins}
-      allowEditColumns={false}
-      allowEditRows={false}
-      allowSelectRows={false}
-      allowClickRows={false}
-      {customRenderers}
-    />
+    {#if $plugins?.length}
+      <Table
+        {schema}
+        data={filteredPlugins}
+        allowEditColumns={false}
+        allowEditRows={false}
+        allowSelectRows={false}
+        allowClickRows={false}
+        {customRenderers}
+      />
+    {/if}
   </Layout>
 </Page>
 
@@ -137,4 +150,9 @@
       width: auto;
     }
   }
+
+  .secondaryButton {
+    display: inline-block;
+    margin-left: 6px;
+  }
 </style>
diff --git a/packages/builder/src/pages/builder/portal/users/users/[userId].svelte b/packages/builder/src/pages/builder/portal/users/users/[userId].svelte
index b14e3420cc..1c26273a8d 100644
--- a/packages/builder/src/pages/builder/portal/users/users/[userId].svelte
+++ b/packages/builder/src/pages/builder/portal/users/users/[userId].svelte
@@ -81,6 +81,7 @@
   let user
   let loaded = false
 
+  $: isSSO = !!user?.provider
   $: readonly = !$auth.isAdmin
   $: fullName = user?.firstName ? user?.firstName + " " + user?.lastName : ""
   $: privileged = user?.admin?.global || user?.builder?.global
@@ -246,9 +247,11 @@
             <span slot="control">
               <Icon hoverable name="More" />
             </span>
-            <MenuItem on:click={resetPasswordModal.show} icon="Refresh">
-              Force password reset
-            </MenuItem>
+            {#if !isSSO}
+              <MenuItem on:click={resetPasswordModal.show} icon="Refresh">
+                Force password reset
+              </MenuItem>
+            {/if}
             <MenuItem on:click={deleteModal.show} icon="Delete">
               Delete
             </MenuItem>
diff --git a/packages/builder/src/stores/portal/auth.js b/packages/builder/src/stores/portal/auth.js
index b10cd05e00..d039bb6eec 100644
--- a/packages/builder/src/stores/portal/auth.js
+++ b/packages/builder/src/stores/portal/auth.js
@@ -41,6 +41,7 @@ export function createAuthStore() {
       initials,
       isAdmin,
       isBuilder,
+      isSSO: !!$store.user?.provider,
     }
   })
 
diff --git a/packages/cli/package.json b/packages/cli/package.json
index adb3c09ec8..f2044f9c8b 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@budibase/cli",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "description": "Budibase CLI, for developers, self hosting and migrations.",
   "main": "src/index.js",
   "bin": {
@@ -26,9 +26,9 @@
     "outputPath": "build"
   },
   "dependencies": {
-    "@budibase/backend-core": "2.3.14-alpha.0",
-    "@budibase/string-templates": "2.3.14-alpha.0",
-    "@budibase/types": "2.3.14-alpha.0",
+    "@budibase/backend-core": "2.3.18-alpha.0",
+    "@budibase/string-templates": "2.3.18-alpha.0",
+    "@budibase/types": "2.3.18-alpha.0",
     "axios": "0.21.2",
     "chalk": "4.1.0",
     "cli-progress": "3.11.2",
diff --git a/packages/client/package.json b/packages/client/package.json
index 82e2f97f7f..a784cfa6bc 100644
--- a/packages/client/package.json
+++ b/packages/client/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@budibase/client",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "license": "MPL-2.0",
   "module": "dist/budibase-client.js",
   "main": "dist/budibase-client.js",
@@ -19,9 +19,9 @@
     "dev:builder": "rollup -cw"
   },
   "dependencies": {
-    "@budibase/bbui": "2.3.14-alpha.0",
-    "@budibase/frontend-core": "2.3.14-alpha.0",
-    "@budibase/string-templates": "2.3.14-alpha.0",
+    "@budibase/bbui": "2.3.18-alpha.0",
+    "@budibase/frontend-core": "2.3.18-alpha.0",
+    "@budibase/string-templates": "2.3.18-alpha.0",
     "@spectrum-css/button": "^3.0.3",
     "@spectrum-css/card": "^3.0.3",
     "@spectrum-css/divider": "^1.0.3",
diff --git a/packages/client/src/components/Component.svelte b/packages/client/src/components/Component.svelte
index f109449f38..a846a315bc 100644
--- a/packages/client/src/components/Component.svelte
+++ b/packages/client/src/components/Component.svelte
@@ -174,11 +174,11 @@
   // Determine whether we should render a skeleton loader for this component
   $: showSkeleton =
     $loading &&
-    definition.name !== "Screenslot" &&
+    definition?.name !== "Screenslot" &&
     children.length === 0 &&
     !instance._blockElementHasChildren &&
-    !definition.block &&
-    definition.skeleton !== false
+    !definition?.block &&
+    definition?.skeleton !== false
 
   // Update component context
   $: store.set({
diff --git a/packages/client/src/utils/buttonActions.js b/packages/client/src/utils/buttonActions.js
index 06bc6f356a..55bd4d987d 100644
--- a/packages/client/src/utils/buttonActions.js
+++ b/packages/client/src/utils/buttonActions.js
@@ -87,6 +87,20 @@ const duplicateRowHandler = async (action, context) => {
   }
 }
 
+const fetchRowHandler = async action => {
+  const { tableId, rowId } = action.parameters
+
+  if (tableId && rowId) {
+    try {
+      const row = await API.fetchRow({ tableId, rowId })
+
+      return { row }
+    } catch (error) {
+      return false
+    }
+  }
+}
+
 const deleteRowHandler = async action => {
   const { tableId, revId, rowId, notificationOverride } = action.parameters
   if (tableId && rowId) {
@@ -341,6 +355,7 @@ const CloseSidePanelHandler = () => {
 }
 
 const handlerMap = {
+  ["Fetch Row"]: fetchRowHandler,
   ["Save Row"]: saveRowHandler,
   ["Duplicate Row"]: duplicateRowHandler,
   ["Delete Row"]: deleteRowHandler,
diff --git a/packages/frontend-core/package.json b/packages/frontend-core/package.json
index 3259b718ee..b0d39ed450 100644
--- a/packages/frontend-core/package.json
+++ b/packages/frontend-core/package.json
@@ -1,12 +1,12 @@
 {
   "name": "@budibase/frontend-core",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "description": "Budibase frontend core libraries used in builder and client",
   "author": "Budibase",
   "license": "MPL-2.0",
   "svelte": "src/index.js",
   "dependencies": {
-    "@budibase/bbui": "2.3.14-alpha.0",
+    "@budibase/bbui": "2.3.18-alpha.0",
     "lodash": "^4.17.21",
     "svelte": "^3.46.2"
   }
diff --git a/packages/sdk/package.json b/packages/sdk/package.json
index b48ba7dbf1..597c3dff84 100644
--- a/packages/sdk/package.json
+++ b/packages/sdk/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@budibase/sdk",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "description": "Budibase Public API SDK",
   "author": "Budibase",
   "license": "MPL-2.0",
diff --git a/packages/server/jest.config.ts b/packages/server/jest.config.ts
index 41558d4c8e..331912aa19 100644
--- a/packages/server/jest.config.ts
+++ b/packages/server/jest.config.ts
@@ -11,22 +11,17 @@ const baseConfig: Config.InitialProjectOptions = {
   transform: {
     "^.+\\.ts?$": "@swc/jest",
   },
-}
-
-if (!process.env.CI) {
-  // use sources when not in CI
-  baseConfig.moduleNameMapper = {
+  moduleNameMapper: {
     "@budibase/backend-core/(.*)": "<rootDir>/../backend-core/$1",
     "@budibase/backend-core": "<rootDir>/../backend-core/src",
     "@budibase/types": "<rootDir>/../types/src",
-  }
-  // add pro sources if they exist
-  if (fs.existsSync("../../../budibase-pro")) {
-    baseConfig.moduleNameMapper["@budibase/pro"] =
-      "<rootDir>/../../../budibase-pro/packages/pro/src"
-  }
-} else {
-  console.log("Running tests with compiled dependency sources")
+  },
+}
+
+// add pro sources if they exist
+if (fs.existsSync("../../../budibase-pro")) {
+  baseConfig.moduleNameMapper["@budibase/pro"] =
+    "<rootDir>/../../../budibase-pro/packages/pro/src"
 }
 
 const config: Config.InitialOptions = {
diff --git a/packages/server/package.json b/packages/server/package.json
index 68ed73beed..3eb133e272 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@budibase/server",
   "email": "hi@budibase.com",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "description": "Budibase Web Server",
   "main": "src/index.ts",
   "repository": {
@@ -14,7 +14,7 @@
     "build:dev": "yarn prebuild && tsc --build --watch --preserveWatchOutput",
     "debug": "yarn build && node --expose-gc --inspect=9222 dist/index.js",
     "postbuild": "copyfiles -u 1 src/**/*.svelte dist/ && copyfiles -u 1 src/**/*.hbs dist/ && copyfiles -u 1 src/**/*.json dist/",
-    "test": "jest --coverage --maxWorkers=2",
+    "test": "jest --coverage --runInBand",
     "test:watch": "jest --watch",
     "predocker": "copyfiles -f ../client/dist/budibase-client.js ../client/manifest.json client",
     "build:docker": "yarn run predocker && docker build . -t app-service --label version=$BUDIBASE_RELEASE_VERSION",
@@ -43,11 +43,11 @@
   "license": "GPL-3.0",
   "dependencies": {
     "@apidevtools/swagger-parser": "10.0.3",
-    "@budibase/backend-core": "2.3.14-alpha.0",
-    "@budibase/client": "2.3.14-alpha.0",
-    "@budibase/pro": "2.3.14-alpha.0",
-    "@budibase/string-templates": "2.3.14-alpha.0",
-    "@budibase/types": "2.3.14-alpha.0",
+    "@budibase/backend-core": "2.3.18-alpha.0",
+    "@budibase/client": "2.3.18-alpha.0",
+    "@budibase/pro": "2.3.18-alpha.0",
+    "@budibase/string-templates": "2.3.18-alpha.0",
+    "@budibase/types": "2.3.18-alpha.0",
     "@bull-board/api": "3.7.0",
     "@bull-board/koa": "3.9.4",
     "@elastic/elasticsearch": "7.10.0",
@@ -64,6 +64,7 @@
     "chokidar": "3.5.3",
     "csvtojson": "2.0.10",
     "curlconverter": "3.21.0",
+    "dd-trace": "3.13.2",
     "dotenv": "8.2.0",
     "download": "8.0.0",
     "elastic-apm-node": "3.38.0",
@@ -141,7 +142,7 @@
     "@types/pouchdb": "6.4.0",
     "@types/redis": "4.0.11",
     "@types/server-destroy": "1.0.1",
-    "@types/supertest": "^2.0.12",
+    "@types/supertest": "2.0.12",
     "@types/tar": "6.1.3",
     "@typescript-eslint/parser": "5.45.0",
     "apidoc": "0.50.4",
@@ -160,7 +161,7 @@
     "path-to-regexp": "6.2.0",
     "prettier": "2.5.1",
     "rimraf": "3.0.2",
-    "supertest": "4.0.2",
+    "supertest": "6.2.2",
     "swagger-jsdoc": "6.1.0",
     "timekeeper": "2.2.0",
     "ts-jest": "28.0.4",
diff --git a/packages/server/specs/openapi.json b/packages/server/specs/openapi.json
index 9a0d69e352..cf4eef75a9 100644
--- a/packages/server/specs/openapi.json
+++ b/packages/server/specs/openapi.json
@@ -817,7 +817,6 @@
                       "type": "string",
                       "enum": [
                         "string",
-                        "barcodeqr",
                         "longform",
                         "options",
                         "number",
@@ -829,7 +828,8 @@
                         "formula",
                         "auto",
                         "json",
-                        "internal"
+                        "internal",
+                        "barcodeqr"
                       ],
                       "description": "Defines the type of the column, most explain themselves, a link column is a relationship."
                     },
@@ -1021,7 +1021,6 @@
                           "type": "string",
                           "enum": [
                             "string",
-                            "barcodeqr",
                             "longform",
                             "options",
                             "number",
@@ -1033,7 +1032,8 @@
                             "formula",
                             "auto",
                             "json",
-                            "internal"
+                            "internal",
+                            "barcodeqr"
                           ],
                           "description": "Defines the type of the column, most explain themselves, a link column is a relationship."
                         },
@@ -1236,7 +1236,6 @@
                             "type": "string",
                             "enum": [
                               "string",
-                              "barcodeqr",
                               "longform",
                               "options",
                               "number",
@@ -1248,7 +1247,8 @@
                               "formula",
                               "auto",
                               "json",
-                              "internal"
+                              "internal",
+                              "barcodeqr"
                             ],
                             "description": "Defines the type of the column, most explain themselves, a link column is a relationship."
                           },
diff --git a/packages/server/specs/openapi.yaml b/packages/server/specs/openapi.yaml
index 69e44d881c..414efe7adb 100644
--- a/packages/server/specs/openapi.yaml
+++ b/packages/server/specs/openapi.yaml
@@ -603,7 +603,6 @@ components:
                     type: string
                     enum:
                       - string
-                      - barcodeqr
                       - longform
                       - options
                       - number
@@ -616,6 +615,7 @@ components:
                       - auto
                       - json
                       - internal
+                      - barcodeqr
                     description: Defines the type of the column, most explain themselves, a link
                       column is a relationship.
                   constraints:
@@ -766,7 +766,6 @@ components:
                         type: string
                         enum:
                           - string
-                          - barcodeqr
                           - longform
                           - options
                           - number
@@ -779,6 +778,7 @@ components:
                           - auto
                           - json
                           - internal
+                          - barcodeqr
                         description: Defines the type of the column, most explain themselves, a link
                           column is a relationship.
                       constraints:
@@ -936,7 +936,6 @@ components:
                           type: string
                           enum:
                             - string
-                            - barcodeqr
                             - longform
                             - options
                             - number
@@ -949,6 +948,7 @@ components:
                             - auto
                             - json
                             - internal
+                            - barcodeqr
                           description: Defines the type of the column, most explain themselves, a link
                             column is a relationship.
                         constraints:
diff --git a/packages/server/specs/resources/query.js b/packages/server/specs/resources/query.js
index 10544ee7eb..1442e46a04 100644
--- a/packages/server/specs/resources/query.js
+++ b/packages/server/specs/resources/query.js
@@ -1,6 +1,6 @@
 const Resource = require("./utils/Resource")
 const { object } = require("./utils")
-const { BaseQueryVerbs } = require("../../dist/constants")
+const { BaseQueryVerbs } = require("../../src/constants")
 
 const query = {
   _id: "query_datasource_plus_4d8be0c506b9465daf4bf84d890fdab6_454854487c574d45bc4029b1e153219e",
diff --git a/packages/server/specs/resources/table.js b/packages/server/specs/resources/table.js
index 9bc57daf42..523a3a9dfd 100644
--- a/packages/server/specs/resources/table.js
+++ b/packages/server/specs/resources/table.js
@@ -2,7 +2,7 @@ const {
   FieldTypes,
   RelationshipTypes,
   FormulaTypes,
-} = require("../../dist/constants")
+} = require("../../src/constants")
 const { object } = require("./utils")
 const Resource = require("./utils/Resource")
 
diff --git a/packages/server/src/api/controllers/row/staticFormula.ts b/packages/server/src/api/controllers/row/staticFormula.ts
index 47a5af8f5a..6ba44dc23a 100644
--- a/packages/server/src/api/controllers/row/staticFormula.ts
+++ b/packages/server/src/api/controllers/row/staticFormula.ts
@@ -38,7 +38,13 @@ export async function updateRelatedFormula(
         if (!relatedRows[relatedTableId]) {
           relatedRows[relatedTableId] = []
         }
-        relatedRows[relatedTableId] = relatedRows[relatedTableId].concat(field)
+        // filter down to the rows which are not already included in related
+        const currentIds = relatedRows[relatedTableId].map(row => row._id)
+        const uniqueRelatedRows = field.filter(
+          (row: Row) => !currentIds.includes(row._id)
+        )
+        relatedRows[relatedTableId] =
+          relatedRows[relatedTableId].concat(uniqueRelatedRows)
       }
     }
     for (let tableId of table.relatedFormula) {
diff --git a/packages/server/src/api/index.ts b/packages/server/src/api/index.ts
index 3375161dd8..78a6056366 100644
--- a/packages/server/src/api/index.ts
+++ b/packages/server/src/api/index.ts
@@ -1,5 +1,5 @@
 import Router from "@koa/router"
-import { errors, auth } from "@budibase/backend-core"
+import { auth, middleware } from "@budibase/backend-core"
 import currentApp from "../middleware/currentapp"
 import zlib from "zlib"
 import { mainRoutes, staticRoutes, publicRoutes } from "./routes"
@@ -14,6 +14,8 @@ export const router: Router = new Router()
 router.get("/health", ctx => (ctx.status = 200))
 router.get("/version", ctx => (ctx.body = pkg.version))
 
+router.use(middleware.errorHandling)
+
 router
   .use(
     compress({
@@ -54,27 +56,6 @@ router
   .use(currentApp)
   .use(auth.auditLog)
 
-// error handling middleware
-router.use(async (ctx, next) => {
-  try {
-    await next()
-  } catch (err: any) {
-    ctx.status = err.status || err.statusCode || 500
-    const error = errors.getPublicError(err)
-    ctx.body = {
-      message: err.message,
-      status: ctx.status,
-      validationErrors: err.validation,
-      error,
-    }
-    ctx.log.error(err)
-    // unauthorised errors don't provide a useful trace
-    if (!env.isTest()) {
-      console.trace(err)
-    }
-  }
-})
-
 // authenticated routes
 for (let route of mainRoutes) {
   router.use(route.routes())
diff --git a/packages/server/src/api/routes/tests/backup.spec.ts b/packages/server/src/api/routes/tests/backup.spec.ts
index 7b325c080d..ef362ef403 100644
--- a/packages/server/src/api/routes/tests/backup.spec.ts
+++ b/packages/server/src/api/routes/tests/backup.spec.ts
@@ -19,7 +19,6 @@ describe("/backups", () => {
         .get(`/api/backups/export?appId=${config.getAppId()}&appname=test`)
         .set(config.defaultHeaders())
         .expect(200)
-      expect(res.text).toBeDefined()
       expect(res.headers["content-type"]).toEqual("application/gzip")
       expect(events.app.exported).toBeCalledTimes(1)
     })
diff --git a/packages/server/src/api/routes/tests/static.spec.js b/packages/server/src/api/routes/tests/static.spec.js
index a0532f12fb..13d963d057 100644
--- a/packages/server/src/api/routes/tests/static.spec.js
+++ b/packages/server/src/api/routes/tests/static.spec.js
@@ -13,18 +13,6 @@ describe("/static", () => {
     app = await config.init()
   })
 
-  describe("/builder", () => {
-    it("should serve the builder", async () => {
-      const res = await request
-        .get("/builder/portal")
-        .set(config.defaultHeaders())
-        .expect("Content-Type", /text\/html/)
-        .expect(200)
-
-      expect(res.text).toContain("<title>Budibase</title>")
-    })
-  })
-
   describe("/app", () => {
     beforeEach(() => {
       jest.clearAllMocks()
diff --git a/packages/server/src/api/routes/tests/user.spec.js b/packages/server/src/api/routes/tests/user.spec.js
index bae784cf3d..6b674a8479 100644
--- a/packages/server/src/api/routes/tests/user.spec.js
+++ b/packages/server/src/api/routes/tests/user.spec.js
@@ -1,4 +1,4 @@
-const { roles, utils } = require("@budibase/backend-core")
+const { roles } = require("@budibase/backend-core")
 const { checkPermissionsEndpoint } = require("./utilities/TestFunctions")
 const setup = require("./utilities")
 const { BUILTIN_ROLE_IDS } = roles
@@ -21,8 +21,7 @@ describe("/users", () => {
 
   afterAll(setup.afterAll)
 
-  // For some reason this cannot be a beforeAll or the test "should be able to update the user" fail
-  beforeEach(async () => {
+  beforeAll(async () => {
     await config.init()
   })
 
diff --git a/packages/server/src/app.ts b/packages/server/src/app.ts
index af67f9c3b3..6779b35457 100644
--- a/packages/server/src/app.ts
+++ b/packages/server/src/app.ts
@@ -1,3 +1,11 @@
+if (process.env.DD_APM_ENABLED) {
+  require("./ddApm")
+}
+
+if (process.env.ELASTIC_APM_ENABLED) {
+  require("./elasticApm")
+}
+
 // need to load environment first
 import env from "./environment"
 
diff --git a/packages/server/src/automations/steps/discord.ts b/packages/server/src/automations/steps/discord.ts
index ae484fa42e..5d7487ed3b 100644
--- a/packages/server/src/automations/steps/discord.ts
+++ b/packages/server/src/automations/steps/discord.ts
@@ -67,17 +67,33 @@ export async function run({ inputs }: AutomationStepInput) {
   if (!avatar_url) {
     avatar_url = DEFAULT_AVATAR_URL
   }
-  const response = await fetch(url, {
-    method: "post",
-    body: JSON.stringify({
-      username,
-      avatar_url,
-      content,
-    }),
-    headers: {
-      "Content-Type": "application/json",
-    },
-  })
+  if (!url?.trim()?.length) {
+    return {
+      httpStatus: 400,
+      response: "Missing Webhook URL",
+      success: false,
+    }
+  }
+  let response
+  try {
+    response = await fetch(url, {
+      method: "post",
+      body: JSON.stringify({
+        username,
+        avatar_url,
+        content,
+      }),
+      headers: {
+        "Content-Type": "application/json",
+      },
+    })
+  } catch (err: any) {
+    return {
+      httpStatus: 400,
+      response: err.message,
+      success: false,
+    }
+  }
 
   const { status, message } = await getFetchResponse(response)
   return {
diff --git a/packages/server/src/automations/steps/integromat.ts b/packages/server/src/automations/steps/integromat.ts
index dd897b5429..811c0a3d91 100644
--- a/packages/server/src/automations/steps/integromat.ts
+++ b/packages/server/src/automations/steps/integromat.ts
@@ -69,19 +69,35 @@ export const definition: AutomationStepSchema = {
 export async function run({ inputs }: AutomationStepInput) {
   const { url, value1, value2, value3, value4, value5 } = inputs
 
-  const response = await fetch(url, {
-    method: "post",
-    body: JSON.stringify({
-      value1,
-      value2,
-      value3,
-      value4,
-      value5,
-    }),
-    headers: {
-      "Content-Type": "application/json",
-    },
-  })
+  if (!url?.trim()?.length) {
+    return {
+      httpStatus: 400,
+      response: "Missing Webhook URL",
+      success: false,
+    }
+  }
+  let response
+  try {
+    response = await fetch(url, {
+      method: "post",
+      body: JSON.stringify({
+        value1,
+        value2,
+        value3,
+        value4,
+        value5,
+      }),
+      headers: {
+        "Content-Type": "application/json",
+      },
+    })
+  } catch (err: any) {
+    return {
+      httpStatus: 400,
+      response: err.message,
+      success: false,
+    }
+  }
 
   const { status, message } = await getFetchResponse(response)
   return {
diff --git a/packages/server/src/automations/steps/slack.ts b/packages/server/src/automations/steps/slack.ts
index 47c66bebf3..0c9320a699 100644
--- a/packages/server/src/automations/steps/slack.ts
+++ b/packages/server/src/automations/steps/slack.ts
@@ -50,15 +50,31 @@ export const definition: AutomationStepSchema = {
 
 export async function run({ inputs }: AutomationStepInput) {
   let { url, text } = inputs
-  const response = await fetch(url, {
-    method: "post",
-    body: JSON.stringify({
-      text,
-    }),
-    headers: {
-      "Content-Type": "application/json",
-    },
-  })
+  if (!url?.trim()?.length) {
+    return {
+      httpStatus: 400,
+      response: "Missing Webhook URL",
+      success: false,
+    }
+  }
+  let response
+  try {
+    response = await fetch(url, {
+      method: "post",
+      body: JSON.stringify({
+        text,
+      }),
+      headers: {
+        "Content-Type": "application/json",
+      },
+    })
+  } catch (err: any) {
+    return {
+      httpStatus: 400,
+      response: err.message,
+      success: false,
+    }
+  }
 
   const { status, message } = await getFetchResponse(response)
   return {
diff --git a/packages/server/src/automations/steps/zapier.ts b/packages/server/src/automations/steps/zapier.ts
index 1a48c1ec92..90068e685d 100644
--- a/packages/server/src/automations/steps/zapier.ts
+++ b/packages/server/src/automations/steps/zapier.ts
@@ -63,22 +63,38 @@ export const definition: AutomationStepSchema = {
 export async function run({ inputs }: AutomationStepInput) {
   const { url, value1, value2, value3, value4, value5 } = inputs
 
+  if (!url?.trim()?.length) {
+    return {
+      httpStatus: 400,
+      response: "Missing Webhook URL",
+      success: false,
+    }
+  }
   // send the platform to make sure zaps always work, even
   // if no values supplied
-  const response = await fetch(url, {
-    method: "post",
-    body: JSON.stringify({
-      platform: "budibase",
-      value1,
-      value2,
-      value3,
-      value4,
-      value5,
-    }),
-    headers: {
-      "Content-Type": "application/json",
-    },
-  })
+  let response
+  try {
+    response = await fetch(url, {
+      method: "post",
+      body: JSON.stringify({
+        platform: "budibase",
+        value1,
+        value2,
+        value3,
+        value4,
+        value5,
+      }),
+      headers: {
+        "Content-Type": "application/json",
+      },
+    })
+  } catch (err: any) {
+    return {
+      httpStatus: 400,
+      response: err.message,
+      success: false,
+    }
+  }
 
   const { status, message } = await getFetchResponse(response)
 
diff --git a/packages/server/src/ddApm.ts b/packages/server/src/ddApm.ts
new file mode 100644
index 0000000000..6c9b8aa289
--- /dev/null
+++ b/packages/server/src/ddApm.ts
@@ -0,0 +1,7 @@
+import apm from "dd-trace"
+
+// enable APM if configured
+if (process.env.DD_APM_ENABLED) {
+  console.log("Starting dd-trace")
+  apm.init()
+}
diff --git a/packages/server/src/elasticApm.ts b/packages/server/src/elasticApm.ts
new file mode 100644
index 0000000000..5581b9dd4b
--- /dev/null
+++ b/packages/server/src/elasticApm.ts
@@ -0,0 +1,10 @@
+import apm from "elastic-apm-node"
+
+// enable APM if configured
+if (process.env.ELASTIC_APM_ENABLED) {
+  console.log("Starting elastic-apm-node")
+  apm.start({
+    serviceName: process.env.SERVICE,
+    environment: process.env.BUDIBASE_ENVIRONMENT,
+  })
+}
diff --git a/packages/server/src/integration-test/postgres.spec.ts b/packages/server/src/integration-test/postgres.spec.ts
index ecfb532e7f..c688600e8d 100644
--- a/packages/server/src/integration-test/postgres.spec.ts
+++ b/packages/server/src/integration-test/postgres.spec.ts
@@ -419,14 +419,16 @@ describe("row api - postgres", () => {
 
     describe("given a row with relation data", () => {
       let row: Row
+      let foreignRow: Row
       beforeEach(async () => {
         let [createdRow] = await populatePrimaryRows(1, {
           createForeignRow: true,
         })
         row = createdRow.row
+        foreignRow = createdRow.foreignRow!
       })
 
-      it("foreign key fields are not retrieved", async () => {
+      it("only foreign keys are retrieved", async () => {
         const res = await getRow(primaryPostgresTable._id, row.id)
 
         expect(res.status).toBe(200)
@@ -436,7 +438,15 @@ describe("row api - postgres", () => {
           _id: expect.any(String),
           _rev: expect.any(String),
         })
+
         expect(res.body.foreignField).toBeUndefined()
+
+        expect(
+          res.body[`fk_${auxPostgresTable.name}_foreignField`]
+        ).toBeDefined()
+        expect(res.body[`fk_${auxPostgresTable.name}_foreignField`]).toBe(
+          foreignRow.id
+        )
       })
     })
   })
diff --git a/packages/server/src/integrations/base/sql.ts b/packages/server/src/integrations/base/sql.ts
index 557fbbedfd..8bebcbd2d6 100644
--- a/packages/server/src/integrations/base/sql.ts
+++ b/packages/server/src/integrations/base/sql.ts
@@ -248,6 +248,19 @@ class InternalBuilder {
     }
     if (filters.range) {
       iterate(filters.range, (key, value) => {
+        const isEmptyObject = (val: any) => {
+          return (
+            val &&
+            Object.keys(val).length === 0 &&
+            Object.getPrototypeOf(val) === Object.prototype
+          )
+        }
+        if (isEmptyObject(value.low)) {
+          value.low = ""
+        }
+        if (isEmptyObject(value.high)) {
+          value.high = ""
+        }
         if (value.low && value.high) {
           // Use a between operator if we have 2 valid range values
           const fnc = allOr ? "orWhereBetween" : "whereBetween"
diff --git a/packages/server/src/integrations/tests/couchdb.spec.ts b/packages/server/src/integrations/tests/couchdb.spec.ts
index 0d744cd343..66735d7b74 100644
--- a/packages/server/src/integrations/tests/couchdb.spec.ts
+++ b/packages/server/src/integrations/tests/couchdb.spec.ts
@@ -1,5 +1,3 @@
-import { DatabaseWithConnection } from "@budibase/backend-core/src/db"
-
 jest.mock("@budibase/backend-core", () => {
   const core = jest.requireActual("@budibase/backend-core")
   return {
diff --git a/packages/server/src/integrations/tests/sql.spec.ts b/packages/server/src/integrations/tests/sql.spec.ts
index b05a761b54..2b9a0f1f10 100644
--- a/packages/server/src/integrations/tests/sql.spec.ts
+++ b/packages/server/src/integrations/tests/sql.spec.ts
@@ -553,4 +553,42 @@ describe("SQL query builder", () => {
       sql: `select * from (select top (@p0) * from [${tableName}] where LOWER([${tableName}].[name]) LIKE @p1) as [${tableName}]`,
     })
   })
+
+  it("should ignore high range value if it is an empty object", () => {
+    const query = sql._query(
+      generateReadJson({
+        filters: {
+          range: {
+            dob: {
+              low: "2000-01-01 00:00:00",
+              high: {},
+            },
+          },
+        },
+      })
+    )
+    expect(query).toEqual({
+      bindings: ["2000-01-01 00:00:00", 500],
+      sql: `select * from (select * from \"${TABLE_NAME}\" where \"${TABLE_NAME}\".\"dob\" > $1 limit $2) as \"${TABLE_NAME}\"`,
+    })
+  })
+
+  it("should ignore low range value if it is an empty object", () => {
+    const query = sql._query(
+      generateReadJson({
+        filters: {
+          range: {
+            dob: {
+              low: {},
+              high: "2010-01-01 00:00:00",
+            },
+          },
+        },
+      })
+    )
+    expect(query).toEqual({
+      bindings: ["2010-01-01 00:00:00", 500],
+      sql: `select * from (select * from \"${TABLE_NAME}\" where \"${TABLE_NAME}\".\"dob\" < $1 limit $2) as \"${TABLE_NAME}\"`,
+    })
+  })
 })
diff --git a/packages/server/src/tests/jestEnv.ts b/packages/server/src/tests/jestEnv.ts
index 9707893bd9..c567b260b3 100644
--- a/packages/server/src/tests/jestEnv.ts
+++ b/packages/server/src/tests/jestEnv.ts
@@ -1,9 +1,10 @@
-import env from "../environment"
 import { tmpdir } from "os"
 
-env._set("SELF_HOSTED", "1")
-env._set("NODE_ENV", "jest")
-env._set("MULTI_TENANCY", "1")
+process.env.SELF_HOSTED = "1"
+process.env.NODE_ENV = "jest"
+process.env.MULTI_TENANCY = "1"
 // @ts-ignore
-env._set("BUDIBASE_DIR", tmpdir("budibase-unittests"))
-env._set("LOG_LEVEL", "silent")
+process.env.BUDIBASE_DIR = tmpdir("budibase-unittests")
+process.env.LOG_LEVEL = process.env.LOG_LEVEL || "error"
+process.env.ENABLE_4XX_HTTP_LOGGING = "0"
+process.env.MOCK_REDIS = "1"
diff --git a/packages/server/src/tests/jestSetup.ts b/packages/server/src/tests/jestSetup.ts
index d87ccbfe7c..b052d9941b 100644
--- a/packages/server/src/tests/jestSetup.ts
+++ b/packages/server/src/tests/jestSetup.ts
@@ -1,3 +1,4 @@
+import "./logging"
 import env from "../environment"
 import { env as coreEnv } from "@budibase/backend-core"
 import { testContainerUtils } from "@budibase/backend-core/tests"
diff --git a/packages/server/src/tests/logging.ts b/packages/server/src/tests/logging.ts
new file mode 100644
index 0000000000..271f4d62ff
--- /dev/null
+++ b/packages/server/src/tests/logging.ts
@@ -0,0 +1,34 @@
+export enum LogLevel {
+  TRACE = "trace",
+  DEBUG = "debug",
+  INFO = "info",
+  WARN = "warn",
+  ERROR = "error",
+}
+
+const LOG_INDEX: { [key in LogLevel]: number } = {
+  [LogLevel.TRACE]: 1,
+  [LogLevel.DEBUG]: 2,
+  [LogLevel.INFO]: 3,
+  [LogLevel.WARN]: 4,
+  [LogLevel.ERROR]: 5,
+}
+
+const setIndex = LOG_INDEX[process.env.LOG_LEVEL as LogLevel]
+
+if (setIndex > LOG_INDEX.trace) {
+  global.console.trace = jest.fn()
+}
+
+if (setIndex > LOG_INDEX.debug) {
+  global.console.debug = jest.fn()
+}
+
+if (setIndex > LOG_INDEX.info) {
+  global.console.info = jest.fn()
+  global.console.log = jest.fn()
+}
+
+if (setIndex > LOG_INDEX.warn) {
+  global.console.warn = jest.fn()
+}
diff --git a/packages/server/src/tests/utilities/TestConfiguration.ts b/packages/server/src/tests/utilities/TestConfiguration.ts
index aa149b092c..88545dbcbb 100644
--- a/packages/server/src/tests/utilities/TestConfiguration.ts
+++ b/packages/server/src/tests/utilities/TestConfiguration.ts
@@ -236,42 +236,41 @@ class TestConfiguration {
     email = this.defaultUserValues.email,
     roles,
   }: any = {}) {
-    return tenancy.doWithGlobalDB(this.getTenantId(), async (db: Database) => {
-      let existing
-      try {
-        existing = await db.get(id)
-      } catch (err) {
-        existing = { email }
-      }
-      const user = {
-        _id: id,
-        ...existing,
-        roles: roles || {},
-        tenantId: this.getTenantId(),
-        firstName,
-        lastName,
-      }
-      await sessions.createASession(id, {
-        sessionId: "sessionid",
-        tenantId: this.getTenantId(),
-        csrfToken: this.defaultUserValues.csrfToken,
-      })
-      if (builder) {
-        user.builder = { global: true }
-      } else {
-        user.builder = { global: false }
-      }
-      if (admin) {
-        user.admin = { global: true }
-      } else {
-        user.admin = { global: false }
-      }
-      const resp = await db.put(user)
-      return {
-        _rev: resp.rev,
-        ...user,
-      }
+    const db = tenancy.getTenantDB(this.getTenantId())
+    let existing
+    try {
+      existing = await db.get(id)
+    } catch (err) {
+      existing = { email }
+    }
+    const user = {
+      _id: id,
+      ...existing,
+      roles: roles || {},
+      tenantId: this.getTenantId(),
+      firstName,
+      lastName,
+    }
+    await sessions.createASession(id, {
+      sessionId: "sessionid",
+      tenantId: this.getTenantId(),
+      csrfToken: this.defaultUserValues.csrfToken,
     })
+    if (builder) {
+      user.builder = { global: true }
+    } else {
+      user.builder = { global: false }
+    }
+    if (admin) {
+      user.admin = { global: true }
+    } else {
+      user.admin = { global: false }
+    }
+    const resp = await db.put(user)
+    return {
+      _rev: resp.rev,
+      ...user,
+    }
   }
 
   async createUser(
@@ -417,20 +416,19 @@ class TestConfiguration {
   // API
 
   async generateApiKey(userId = this.defaultUserValues.globalUserId) {
-    return tenancy.doWithGlobalDB(this.getTenantId(), async (db: any) => {
-      const id = dbCore.generateDevInfoID(userId)
-      let devInfo
-      try {
-        devInfo = await db.get(id)
-      } catch (err) {
-        devInfo = { _id: id, userId }
-      }
-      devInfo.apiKey = encryption.encrypt(
-        `${this.getTenantId()}${dbCore.SEPARATOR}${newid()}`
-      )
-      await db.put(devInfo)
-      return devInfo.apiKey
-    })
+    const db = tenancy.getTenantDB(this.getTenantId())
+    const id = dbCore.generateDevInfoID(userId)
+    let devInfo
+    try {
+      devInfo = await db.get(id)
+    } catch (err) {
+      devInfo = { _id: id, userId }
+    }
+    devInfo.apiKey = encryption.encrypt(
+      `${this.getTenantId()}${dbCore.SEPARATOR}${newid()}`
+    )
+    await db.put(devInfo)
+    return devInfo.apiKey
   }
 
   // APP
diff --git a/packages/server/src/utilities/redis.ts b/packages/server/src/utilities/redis.ts
index 1b7a3ce64c..dc37baae58 100644
--- a/packages/server/src/utilities/redis.ts
+++ b/packages/server/src/utilities/redis.ts
@@ -21,6 +21,8 @@ export async function shutdown() {
   if (devAppClient) await devAppClient.finish()
   if (debounceClient) await debounceClient.finish()
   if (flagClient) await flagClient.finish()
+  // shutdown core clients
+  await redis.clients.shutdown()
   console.log("Redis shutdown")
 }
 
diff --git a/packages/server/tsconfig.build.json b/packages/server/tsconfig.build.json
index 212fc1479d..9289b6f9da 100644
--- a/packages/server/tsconfig.build.json
+++ b/packages/server/tsconfig.build.json
@@ -20,6 +20,7 @@
     "dist",
     "src/tests",
     "src/api/routes/tests/utilities",
+    "src/api/routes/public/tests/utils.ts",
     "src/automations/tests/utilities",
     "**/*.spec.ts",
     "**/*.spec.js"
diff --git a/packages/server/yarn.lock b/packages/server/yarn.lock
index f79b1d80fe..eb0a7c4def 100644
--- a/packages/server/yarn.lock
+++ b/packages/server/yarn.lock
@@ -1278,14 +1278,14 @@
   resolved "https://registry.yarnpkg.com/@bcoe/v8-coverage/-/v8-coverage-0.2.3.tgz#75a2e8b51cb758a7553d6804a5932d7aace75c39"
   integrity sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==
 
-"@budibase/backend-core@2.3.14-alpha.0":
-  version "2.3.14-alpha.0"
-  resolved "https://registry.yarnpkg.com/@budibase/backend-core/-/backend-core-2.3.14-alpha.0.tgz#8d60c93e9861301296907f61e770bdf1881b560c"
-  integrity sha512-lvRl6o9CCUx1VQ6ftu4FYuTp5mGgvbshNYoeaH0DbWFfhLNbibEHxx+pR+6M1ufhbu/EO6jKEr7DDeNiRBBMTw==
+"@budibase/backend-core@2.3.18-alpha.0":
+  version "2.3.18-alpha.0"
+  resolved "https://registry.yarnpkg.com/@budibase/backend-core/-/backend-core-2.3.18-alpha.0.tgz#c0a64a150c1fef9cc69f95f0aece4e857d64438d"
+  integrity sha512-ugD+WMoFwpXm+moSLHUgaBOu4XpX0+5UhmMWcNeRtH0Yd9GpDh2QzwtoN8BtXq8k5gkVEyoNSz+6oxKfNkNVdQ==
   dependencies:
     "@budibase/nano" "10.1.1"
     "@budibase/pouchdb-replication-stream" "1.2.10"
-    "@budibase/types" "2.3.14-alpha.0"
+    "@budibase/types" "2.3.18-alpha.0"
     "@shopify/jest-koa-mocks" "5.0.1"
     "@techpass/passport-openidconnect" "0.3.2"
     aws-cloudfront-sign "2.2.0"
@@ -1392,13 +1392,13 @@
     pouchdb-promise "^6.0.4"
     through2 "^2.0.0"
 
-"@budibase/pro@2.3.14-alpha.0":
-  version "2.3.14-alpha.0"
-  resolved "https://registry.yarnpkg.com/@budibase/pro/-/pro-2.3.14-alpha.0.tgz#db8ac1d0cacea21240c59458c4143e3e55663a4d"
-  integrity sha512-RJqXlvZmYrKCLxe7uVnc2KmDwE5OmoUZCA9M6b5Ne7ZHqrhtaNB/4Xlr1ESG79///epEWLv+Fde7mpHPzCvsZw==
+"@budibase/pro@2.3.18-alpha.0":
+  version "2.3.18-alpha.0"
+  resolved "https://registry.yarnpkg.com/@budibase/pro/-/pro-2.3.18-alpha.0.tgz#e87a2449d9e2453766c0ea77539af359bf5a81ff"
+  integrity sha512-nKLhCdLxmBX+VY7LF6daH0/AItcHoQTmBB3tc0SP7y4OLcJZfBEYidoWqWJKCgdz6LScWWogLgbDIAC8t+LNzg==
   dependencies:
-    "@budibase/backend-core" "2.3.14-alpha.0"
-    "@budibase/types" "2.3.14-alpha.0"
+    "@budibase/backend-core" "2.3.18-alpha.0"
+    "@budibase/types" "2.3.18-alpha.0"
     "@koa/router" "8.0.8"
     bull "4.10.1"
     joi "17.6.0"
@@ -1424,10 +1424,10 @@
     svelte-apexcharts "^1.0.2"
     svelte-flatpickr "^3.1.0"
 
-"@budibase/types@2.3.14-alpha.0":
-  version "2.3.14-alpha.0"
-  resolved "https://registry.yarnpkg.com/@budibase/types/-/types-2.3.14-alpha.0.tgz#03072a669c016c616278dc01c577119dd710e4fe"
-  integrity sha512-D5qOD7YJhHUrPy81C9OpTlVzsXBmZwbF9WdoxYo/M8JYmhTJfj7Fu5dGTyDpipPQVqknFpTsig5kQqG3r08ZZw==
+"@budibase/types@2.3.18-alpha.0":
+  version "2.3.18-alpha.0"
+  resolved "https://registry.yarnpkg.com/@budibase/types/-/types-2.3.18-alpha.0.tgz#14480e760c9e7931e884e9e0f8b1d5dd7e5d91c9"
+  integrity sha512-d+OcW2sNYw7VthMGrOBRY2Bz6iPQVWOnJ94XfYlBRJVIoYwBgudbYkOXPz/vQmHyjSUQFobrvs6UDeZ/3VJTaA==
 
 "@bull-board/api@3.7.0":
   version "3.7.0"
@@ -1511,6 +1511,53 @@
     enabled "2.0.x"
     kuler "^2.0.0"
 
+"@datadog/native-appsec@2.0.0":
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/@datadog/native-appsec/-/native-appsec-2.0.0.tgz#ad65ba19bfd68e6b6c6cf64bb8ef55d099af8edc"
+  integrity sha512-XHARZ6MVgbnfOUO6/F3ZoZ7poXHJCNYFlgcyS2Xetuk9ITA5bfcooX2B2F7tReVB+RLJ+j8bsm0t55SyF04KDw==
+  dependencies:
+    node-gyp-build "^3.9.0"
+
+"@datadog/native-iast-rewriter@1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@datadog/native-iast-rewriter/-/native-iast-rewriter-1.1.2.tgz#793cbf92d218ec80d645be0830023656b81018ea"
+  integrity sha512-pigRfRtAjZjMjqIXyXb98S4aDnuHz/EmqpoxAajFZsNjBLM87YonwSY5zoBdCsOyA46ddKOJRoCQd5ZalpOFMQ==
+  dependencies:
+    node-gyp-build "^4.5.0"
+
+"@datadog/native-iast-taint-tracking@1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@datadog/native-iast-taint-tracking/-/native-iast-taint-tracking-1.1.0.tgz#8f7d0016157b32dbf5c01b15b8afb1c4286b4a18"
+  integrity sha512-TOrngpt6Qh52zWFOz1CkFXw0g43rnuUziFBtIMUsOLGzSHr9wdnTnE6HAyuvKy3f3ecAoZESlMfilGRKP93hXQ==
+  dependencies:
+    node-gyp-build "^3.9.0"
+
+"@datadog/native-metrics@^1.5.0":
+  version "1.5.0"
+  resolved "https://registry.yarnpkg.com/@datadog/native-metrics/-/native-metrics-1.5.0.tgz#e71b6b6d65f4bd58dfdffab2737890e8eef34584"
+  integrity sha512-K63XMDx74RLhOpM8I9GGZR9ft0CNNB/RkjYPLHcVGvVnBR47zmWE2KFa7Yrtzjbk73+88PXI4nzqLyR3PJsaIQ==
+  dependencies:
+    node-gyp-build "^3.9.0"
+
+"@datadog/pprof@^1.1.1":
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/@datadog/pprof/-/pprof-1.1.1.tgz#17e86035140523ac3a96f3662e5dd29822042d61"
+  integrity sha512-5lYXUpikQhrJwzODtJ7aFM0oKmPccISnTCecuWhjxIj4/7UJv0DamkLak634bgEW+kiChgkKFDapHSesuXRDXQ==
+  dependencies:
+    delay "^5.0.0"
+    findit2 "^2.2.3"
+    node-gyp-build "^3.9.0"
+    p-limit "^3.1.0"
+    pify "^5.0.0"
+    protobufjs "^7.0.0"
+    source-map "^0.7.3"
+    split "^1.0.1"
+
+"@datadog/sketches-js@^2.1.0":
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/@datadog/sketches-js/-/sketches-js-2.1.0.tgz#8c7e8028a5fc22ad102fa542b0a446c956830455"
+  integrity sha512-smLocSfrt3s53H/XSVP3/1kP42oqvrkjUPtyaFd1F79ux24oE31BKt+q0c6lsa6hOYrFzsIwyc5GXAI5JmfOew==
+
 "@discoveryjs/json-ext@^0.5.0":
   version "0.5.7"
   resolved "https://registry.yarnpkg.com/@discoveryjs/json-ext/-/json-ext-0.5.7.tgz#1d572bfbbe14b7704e0ba0f39b74815b84870d70"
@@ -3563,7 +3610,7 @@
     "@types/cookiejar" "*"
     "@types/node" "*"
 
-"@types/supertest@^2.0.12":
+"@types/supertest@2.0.12":
   version "2.0.12"
   resolved "https://registry.yarnpkg.com/@types/supertest/-/supertest-2.0.12.tgz#ddb4a0568597c9aadff8dbec5b2e8fddbe8692fc"
   integrity sha512-X3HPWTwXRerBZS7Mo1k6vMVR1Z6zmJcDVn5O/31whe0tnjE4te6ZJSJGq1RiqHPjzPdMTfjCFogDJmwng9xHaQ==
@@ -4256,7 +4303,7 @@ arrify@^2.0.0:
   resolved "https://registry.yarnpkg.com/arrify/-/arrify-2.0.1.tgz#c9655e9331e0abcd588d2a7cad7e9956f66701fa"
   integrity sha512-3duEwti880xqi4eAMN8AyR4a0ByT90zoYdLlevfrvU43vb0YZwZVfxOgxWrLXXXpyugL0hNZc9G6BiB5B3nUug==
 
-asap@^2.0.3:
+asap@^2.0.0, asap@^2.0.3:
   version "2.0.6"
   resolved "https://registry.yarnpkg.com/asap/-/asap-2.0.6.tgz#e50347611d7e690943208bbdafebcbc2fb866d46"
   integrity sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==
@@ -5431,7 +5478,7 @@ commoner@^0.10.1:
     q "^1.1.2"
     recast "^0.11.17"
 
-component-emitter@^1.2.0, component-emitter@^1.2.1:
+component-emitter@^1.2.1, component-emitter@^1.3.0:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/component-emitter/-/component-emitter-1.3.0.tgz#16e4070fba8ae29b679f2215853ee181ab2eabc0"
   integrity sha512-Rd3se6QB+sO1TwqZjscQrurpEPIfO0/yYnSin6Q/rD3mOutHvUrCAhJub3r90uNb+SESBuE0QYoB90YdfatsRg==
@@ -5533,7 +5580,7 @@ cookie@^0.5.0:
   resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.5.0.tgz#d1f5d71adec6558c58f389987c366aa47e994f8b"
   integrity sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw==
 
-cookiejar@^2.1.0:
+cookiejar@^2.1.3:
   version "2.1.4"
   resolved "https://registry.yarnpkg.com/cookiejar/-/cookiejar-2.1.4.tgz#ee669c1fea2cf42dc31585469d193fef0d65771b"
   integrity sha512-LDx6oHrK+PhzLKJU9j5S7/Y3jM/mUHvD/DeI1WQmJn652iPC5Y4TBzC9l+5OMOXlyTTA+SmVUPm0HQUwpD5Jqw==
@@ -5662,6 +5709,11 @@ crypto-random-string@^2.0.0:
   resolved "https://registry.yarnpkg.com/crypto-random-string/-/crypto-random-string-2.0.0.tgz#ef2a7a966ec11083388369baa02ebead229b30d5"
   integrity sha512-v1plID3y9r/lPhviJ1wrXpLeyUIGAZ2SHNYTEapm7/8A9nLPoyvVp3RK/EPFqn5kEznyWgYZNsRtYYIWbuG8KA==
 
+crypto-randomuuid@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/crypto-randomuuid/-/crypto-randomuuid-1.0.0.tgz#acf583e5e085e867ae23e107ff70279024f9e9e7"
+  integrity sha512-/RC5F4l1SCqD/jazwUF6+t34Cd8zTSAGZ7rvvZu1whZUhD2a5MOGKjSGowoGcpj/cbVZk1ZODIooJEQQq3nNAA==
+
 cssom@0.3.x, "cssom@>= 0.3.2 < 0.4.0":
   version "0.3.8"
   resolved "https://registry.yarnpkg.com/cssom/-/cssom-0.3.8.tgz#9f1276f5b2b463f2114d3f2c75250af8c1a36f4a"
@@ -5735,6 +5787,39 @@ dayjs@^1.10.4, dayjs@^1.10.5:
   resolved "https://registry.yarnpkg.com/dayjs/-/dayjs-1.11.3.tgz#4754eb694a624057b9ad2224b67b15d552589258"
   integrity sha512-xxwlswWOlGhzgQ4TKzASQkUhqERI3egRNqgV4ScR8wlANA/A9tZ7miXa44vTTKEq5l7vWoL5G57bG3zA+Kow0A==
 
+dd-trace@3.13.2:
+  version "3.13.2"
+  resolved "https://registry.yarnpkg.com/dd-trace/-/dd-trace-3.13.2.tgz#95b1ec480ab9ac406e1da7591a8c6f678d3799fd"
+  integrity sha512-POO9nEcAufe5pgp2xV1X3PfWip6wh+6TpEcRSlSgZJCIIMvWVCkcIVL/J2a6KAZq6V3Yjbkl8Ktfe+MOzQf5kw==
+  dependencies:
+    "@datadog/native-appsec" "2.0.0"
+    "@datadog/native-iast-rewriter" "1.1.2"
+    "@datadog/native-iast-taint-tracking" "1.1.0"
+    "@datadog/native-metrics" "^1.5.0"
+    "@datadog/pprof" "^1.1.1"
+    "@datadog/sketches-js" "^2.1.0"
+    crypto-randomuuid "^1.0.0"
+    diagnostics_channel "^1.1.0"
+    ignore "^5.2.0"
+    import-in-the-middle "^1.3.4"
+    ipaddr.js "^2.0.1"
+    istanbul-lib-coverage "3.2.0"
+    koalas "^1.0.2"
+    limiter "^1.1.4"
+    lodash.kebabcase "^4.1.1"
+    lodash.pick "^4.4.0"
+    lodash.sortby "^4.7.0"
+    lodash.uniq "^4.5.0"
+    lru-cache "^7.14.0"
+    methods "^1.1.2"
+    module-details-from-path "^1.0.3"
+    node-abort-controller "^3.0.1"
+    opentracing ">=0.12.1"
+    path-to-regexp "^0.1.2"
+    protobufjs "^7.1.2"
+    retry "^0.10.1"
+    semver "^5.5.0"
+
 debug@4, debug@4.3.4, debug@^4, debug@^4.0.1, debug@^4.1.0, debug@^4.1.1, debug@^4.3.1, debug@^4.3.2, debug@^4.3.4, debug@~4.3.1, debug@~4.3.2:
   version "4.3.4"
   resolved "https://registry.yarnpkg.com/debug/-/debug-4.3.4.tgz#1319f6579357f2338d3337d2cdd4914bb5dcc865"
@@ -5914,6 +5999,11 @@ defined@^1.0.0:
   resolved "https://registry.yarnpkg.com/defined/-/defined-1.0.0.tgz#c98d9bcef75674188e110969151199e39b1fa693"
   integrity sha512-Y2caI5+ZwS5c3RiNDJ6u53VhQHv+hHKwhkI1iHvceKUHw9Df6EK2zRLfjejRgMuCuxK7PfSWIMwWecceVvThjQ==
 
+delay@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/delay/-/delay-5.0.0.tgz#137045ef1b96e5071060dd5be60bf9334436bd1d"
+  integrity sha512-ReEBKkIfe4ya47wlPYf/gu5ib6yUG0/Aez0JQZQz94kiWtRQvZIQbTiehsnwHvLSWJnQdhVeqYue7Id1dKr0qw==
+
 delayed-stream@~1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/delayed-stream/-/delayed-stream-1.0.0.tgz#df3ae199acadfb7d440aaae0b29e2272b24ec619"
@@ -5982,6 +6072,19 @@ detective@^4.3.1:
     acorn "^5.2.1"
     defined "^1.0.0"
 
+dezalgo@^1.0.4:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/dezalgo/-/dezalgo-1.0.4.tgz#751235260469084c132157dfa857f386d4c33d81"
+  integrity sha512-rXSP0bf+5n0Qonsb+SVVfNfIsimO4HEtmnIpPHY8Q1UCzKlQrDMfdobr8nJOOsRgWCyMRqeSBQzmWUMq7zvVig==
+  dependencies:
+    asap "^2.0.0"
+    wrappy "1"
+
+diagnostics_channel@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/diagnostics_channel/-/diagnostics_channel-1.1.0.tgz#bd66c49124ce3bac697dff57466464487f57cea5"
+  integrity sha512-OE1ngLDjSBPG6Tx0YATELzYzy3RKHC+7veQ8gLa8yS7AAgw65mFbVdcsu3501abqOZCEZqZyAIemB0zXlqDSuw==
+
 diff-match-patch@^1.0.5:
   version "1.0.5"
   resolved "https://registry.yarnpkg.com/diff-match-patch/-/diff-match-patch-1.0.5.tgz#abb584d5f10cd1196dfc55aa03701592ae3f7b37"
@@ -6903,7 +7006,7 @@ extend-shallow@^3.0.0, extend-shallow@^3.0.2:
     assign-symbols "^1.0.0"
     is-extendable "^1.0.1"
 
-extend@^3.0.0, extend@^3.0.2, extend@~3.0.2:
+extend@^3.0.2, extend@~3.0.2:
   version "3.0.2"
   resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.2.tgz#f8b1136b4071fbd8eb140aff858b1019ec2915fa"
   integrity sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==
@@ -6992,7 +7095,7 @@ fast-redact@^3.0.0:
   resolved "https://registry.yarnpkg.com/fast-redact/-/fast-redact-3.1.1.tgz#790fcff8f808c2e12fabbfb2be5cb2deda448fa0"
   integrity sha512-odVmjC8x8jNeMZ3C+rPMESzXVSEU8tSWSHv9HFxP2mm89G/1WwqhrerJDQm9Zus8X6aoRgQDThKqptdNA6bt+A==
 
-fast-safe-stringify@^2.0.7, fast-safe-stringify@^2.0.8:
+fast-safe-stringify@^2.0.7, fast-safe-stringify@^2.0.8, fast-safe-stringify@^2.1.1:
   version "2.1.1"
   resolved "https://registry.yarnpkg.com/fast-safe-stringify/-/fast-safe-stringify-2.1.1.tgz#c406a83b6e70d9e35ce3b30a81141df30aeba884"
   integrity sha512-W+KJc2dmILlPplD/H4K9l9LcAHAfPtP6BY84uVLXQ6Evcz9Lcg33Y2z1IVblT6xdY54PXYVHEv+0Wpq8Io6zkA==
@@ -7202,6 +7305,11 @@ find-up@^4.0.0, find-up@^4.1.0:
     locate-path "^5.0.0"
     path-exists "^4.0.0"
 
+findit2@^2.2.3:
+  version "2.2.3"
+  resolved "https://registry.yarnpkg.com/findit2/-/findit2-2.2.3.tgz#58a466697df8a6205cdfdbf395536b8bd777a5f6"
+  integrity sha512-lg/Moejf4qXovVutL0Lz4IsaPoNYMuxt4PA0nGqFxnJ1CTTGGlEO2wKgoDpwknhvZ8k4Q2F+eesgkLbG2Mxfog==
+
 fix-path@3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/fix-path/-/fix-path-3.0.0.tgz#c6b82fd5f5928e520b392a63565ebfef0ddf037e"
@@ -7279,7 +7387,7 @@ form-data@4.0.0, form-data@^4.0.0:
     combined-stream "^1.0.8"
     mime-types "^2.1.12"
 
-form-data@^2.3.1, form-data@^2.5.0:
+form-data@^2.5.0:
   version "2.5.1"
   resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.5.1.tgz#f2cbec57b5e59e23716e128fe44d4e5dd23895f4"
   integrity sha512-m21N3WOmEEURgk6B9GLOE4RuWOFf28Lhh9qGYeNlGq4VDXUlJy2th2slBNU8Gp8EzloYZOibZJ7t5ecIrFSjVA==
@@ -7306,11 +7414,21 @@ form-data@~2.3.2:
     combined-stream "^1.0.6"
     mime-types "^2.1.12"
 
-formidable@^1.1.1, formidable@^1.2.0:
+formidable@^1.1.1:
   version "1.2.6"
   resolved "https://registry.yarnpkg.com/formidable/-/formidable-1.2.6.tgz#d2a51d60162bbc9b4a055d8457a7c75315d1a168"
   integrity sha512-KcpbcpuLNOwrEjnbpMC0gS+X8ciDoZE1kkqzat4a8vrprf+s9pKNQ/QIwWfbfs4ltgmFl3MD177SNTkve3BwGQ==
 
+formidable@^2.0.1:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/formidable/-/formidable-2.1.1.tgz#81269cbea1a613240049f5f61a9d97731517414f"
+  integrity sha512-0EcS9wCFEzLvfiks7omJ+SiYJAiD+TzK4Pcw1UlUoGnhUxDcMKjt0P7x8wEb0u6OHu8Nb98WG3nxtlF5C7bvUQ==
+  dependencies:
+    dezalgo "^1.0.4"
+    hexoid "^1.0.0"
+    once "^1.4.0"
+    qs "^6.11.0"
+
 forwarded-parse@^2.1.0:
   version "2.1.2"
   resolved "https://registry.yarnpkg.com/forwarded-parse/-/forwarded-parse-2.1.2.tgz#08511eddaaa2ddfd56ba11138eee7df117a09325"
@@ -7962,6 +8080,11 @@ has@^1.0.3:
   dependencies:
     function-bind "^1.1.1"
 
+hexoid@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/hexoid/-/hexoid-1.0.0.tgz#ad10c6573fb907de23d9ec63a711267d9dc9bc18"
+  integrity sha512-QFLV0taWQOZtvIRIAdBChesmogZrtuXvVWsFHZTk2SU+anspqZ2vMnoLg7IE1+Uk16N19APic1BuF8bC8c2m5g==
+
 homedir-polyfill@^1.0.0, homedir-polyfill@^1.0.1:
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/homedir-polyfill/-/homedir-polyfill-1.0.3.tgz#743298cef4e5af3e194161fbadcc2151d3a058e8"
@@ -8155,6 +8278,13 @@ import-fresh@^3.0.0:
     parent-module "^1.0.0"
     resolve-from "^4.0.0"
 
+import-in-the-middle@^1.3.4:
+  version "1.3.4"
+  resolved "https://registry.yarnpkg.com/import-in-the-middle/-/import-in-the-middle-1.3.4.tgz#7074bbd4e84e8cdafd1eae400b04e6fe252a0768"
+  integrity sha512-TUXqqEFacJ2DWAeYOhHwGZTMJtFxFVw0C1pYA+AXmuWXZGnBqUhHdtVrSkSbW5D7k2yriBG45j23iH9TRtI+bQ==
+  dependencies:
+    module-details-from-path "^1.0.3"
+
 import-lazy@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/import-lazy/-/import-lazy-2.1.0.tgz#05698e3d45c88e8d7e9d92cb0584e77f096f3e43"
@@ -8321,6 +8451,11 @@ ip@^2.0.0:
   resolved "https://registry.yarnpkg.com/ip/-/ip-2.0.0.tgz#4cf4ab182fee2314c75ede1276f8c80b479936da"
   integrity sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ==
 
+ipaddr.js@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-2.0.1.tgz#eca256a7a877e917aeb368b0a7497ddf42ef81c0"
+  integrity sha512-1qTgH9NG+IIJ4yfKs2e6Pp1bZg8wbDbKHT21HrLIeYBTRLgMYKnMTPAuI3Lcs61nfx5h1xlXnbJtH1kX5/d/ng==
+
 is-accessor-descriptor@^0.1.6:
   version "0.1.6"
   resolved "https://registry.yarnpkg.com/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz#a9e12cb3ae8d876727eeef3843f8a0897b5c98d6"
@@ -8755,16 +8890,16 @@ isstream@~0.1.2:
   resolved "https://registry.yarnpkg.com/isstream/-/isstream-0.1.2.tgz#47e63f7af55afa6f92e1500e690eb8b8529c099a"
   integrity sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==
 
+istanbul-lib-coverage@3.2.0, istanbul-lib-coverage@^3.0.0, istanbul-lib-coverage@^3.2.0:
+  version "3.2.0"
+  resolved "https://registry.yarnpkg.com/istanbul-lib-coverage/-/istanbul-lib-coverage-3.2.0.tgz#189e7909d0a39fa5a3dfad5b03f71947770191d3"
+  integrity sha512-eOeJ5BHCmHYvQK7xt9GkdHuzuCGS1Y6g9Gvnx3Ym33fz/HpLRYxiS0wHNr+m/MBC8B647Xt608vCDEvhl9c6Mw==
+
 istanbul-lib-coverage@^2.0.5:
   version "2.0.5"
   resolved "https://registry.yarnpkg.com/istanbul-lib-coverage/-/istanbul-lib-coverage-2.0.5.tgz#675f0ab69503fad4b1d849f736baaca803344f49"
   integrity sha512-8aXznuEPCJvGnMSRft4udDRDtb1V3pkQkMMI5LI+6HuQz5oQ4J2UFn1H82raA3qJtyOLkkwVqICBQkjnGtn5mA==
 
-istanbul-lib-coverage@^3.0.0, istanbul-lib-coverage@^3.2.0:
-  version "3.2.0"
-  resolved "https://registry.yarnpkg.com/istanbul-lib-coverage/-/istanbul-lib-coverage-3.2.0.tgz#189e7909d0a39fa5a3dfad5b03f71947770191d3"
-  integrity sha512-eOeJ5BHCmHYvQK7xt9GkdHuzuCGS1Y6g9Gvnx3Ym33fz/HpLRYxiS0wHNr+m/MBC8B647Xt608vCDEvhl9c6Mw==
-
 istanbul-lib-instrument@^3.3.0:
   version "3.3.0"
   resolved "https://registry.yarnpkg.com/istanbul-lib-instrument/-/istanbul-lib-instrument-3.3.0.tgz#a5f63d91f0bbc0c3e479ef4c5de027335ec6d630"
@@ -10148,6 +10283,11 @@ koa@2.13.4, koa@^2.13.1, koa@^2.13.4:
     type-is "^1.6.16"
     vary "^1.1.2"
 
+koalas@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/koalas/-/koalas-1.0.2.tgz#318433f074235db78fae5661a02a8ca53ee295cd"
+  integrity sha512-RYhBbYaTTTHId3l6fnMZc3eGQNW6FVCqMG6AMwA5I1Mafr6AflaXeoi6x3xQuATRotGYRLk6+1ELZH4dstFNOA==
+
 kuler@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/kuler/-/kuler-2.0.0.tgz#e2c570a3800388fb44407e851531c1d670b061b3"
@@ -10296,6 +10436,11 @@ lie@3.1.1:
   dependencies:
     immediate "~3.0.5"
 
+limiter@^1.1.4:
+  version "1.1.5"
+  resolved "https://registry.yarnpkg.com/limiter/-/limiter-1.1.5.tgz#8f92a25b3b16c6131293a0cc834b4a838a2aa7c2"
+  integrity sha512-FWWMIEOxz3GwUI4Ts/IvgVy6LPvoMPgjMdQ185nN6psJyBJ4yOpzqm695/h5umdLJg2vW3GR5iG11MAkR2AzJA==
+
 lines-and-columns@^1.1.6:
   version "1.2.4"
   resolved "https://registry.yarnpkg.com/lines-and-columns/-/lines-and-columns-1.2.4.tgz#eca284f75d2965079309dc0ad9255abb2ebc1632"
@@ -10426,6 +10571,11 @@ lodash.isstring@^4.0.1:
   resolved "https://registry.yarnpkg.com/lodash.isstring/-/lodash.isstring-4.0.1.tgz#d527dfb5456eca7cc9bb95d5daeaf88ba54a5451"
   integrity sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==
 
+lodash.kebabcase@^4.1.1:
+  version "4.1.1"
+  resolved "https://registry.yarnpkg.com/lodash.kebabcase/-/lodash.kebabcase-4.1.1.tgz#8489b1cb0d29ff88195cceca448ff6d6cc295c36"
+  integrity sha512-N8XRTIMMqqDgSy4VLKPnJ/+hpGZN+PHQiJnSenYqPaVV/NCqEogTnAdZLQiGKhxX+JCs8waWq2t1XHWKOmlY8g==
+
 lodash.keys@^4.2.0:
   version "4.2.0"
   resolved "https://registry.yarnpkg.com/lodash.keys/-/lodash.keys-4.2.0.tgz#a08602ac12e4fb83f91fc1fb7a360a4d9ba35205"
@@ -10456,7 +10606,7 @@ lodash.once@^4.0.0:
   resolved "https://registry.yarnpkg.com/lodash.once/-/lodash.once-4.1.1.tgz#0dd3971213c7c56df880977d504c88fb471a97ac"
   integrity sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==
 
-lodash.pick@^4.0.0:
+lodash.pick@^4.0.0, lodash.pick@^4.4.0:
   version "4.4.0"
   resolved "https://registry.yarnpkg.com/lodash.pick/-/lodash.pick-4.4.0.tgz#52f05610fff9ded422611441ed1fc123a03001b3"
   integrity sha512-hXt6Ul/5yWjfklSGvLQl8vM//l3FtyHZeuelpzK6mm99pNvN9yTDruNZPEJZD1oWrqo+izBmB7oUfWgcCX7s4Q==
@@ -10466,6 +10616,11 @@ lodash.sortby@^4.7.0:
   resolved "https://registry.yarnpkg.com/lodash.sortby/-/lodash.sortby-4.7.0.tgz#edd14c824e2cc9c1e0b0a1b42bb5210516a42438"
   integrity sha512-HDWXG8isMntAyRF5vZ7xKuEvOhT4AhlRt/3czTSjvGUxjYCBVRQY48ViDHyfYz9VIoBkW4TMGQNapx+l3RUwdA==
 
+lodash.uniq@^4.5.0:
+  version "4.5.0"
+  resolved "https://registry.yarnpkg.com/lodash.uniq/-/lodash.uniq-4.5.0.tgz#d0225373aeb652adc1bc82e4945339a842754773"
+  integrity sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==
+
 lodash.without@^4.4.0:
   version "4.4.0"
   resolved "https://registry.yarnpkg.com/lodash.without/-/lodash.without-4.4.0.tgz#3cd4574a00b67bae373a94b748772640507b7aac"
@@ -10502,6 +10657,11 @@ long@^4.0.0:
   resolved "https://registry.yarnpkg.com/long/-/long-4.0.0.tgz#9a7b71cfb7d361a194ea555241c92f7468d5bf28"
   integrity sha512-XsP+KhQif4bjX1kbuSiySJFNAehNxgLb6hPRGJ9QsUr8ajHkuXGdrHmFUTUUXhDwVX2R5bY4JNZEwbUiMhV+MA==
 
+long@^5.0.0:
+  version "5.2.1"
+  resolved "https://registry.yarnpkg.com/long/-/long-5.2.1.tgz#e27595d0083d103d2fa2c20c7699f8e0c92b897f"
+  integrity sha512-GKSNGeNAtw8IryjjkhZxuKB3JzlcLTwjtiQCHKvqQet81I93kXslhDQruGI/QsddO83mcDToBVy7GqGS/zYf/A==
+
 loose-envify@^1.0.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/loose-envify/-/loose-envify-1.4.0.tgz#71ee51fa7be4caec1a63839f7e682d8132d30caf"
@@ -10539,6 +10699,11 @@ lru-cache@^6.0.0:
   dependencies:
     yallist "^4.0.0"
 
+lru-cache@^7.14.0:
+  version "7.16.1"
+  resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-7.16.1.tgz#7acea16fecd9ed11430e78443c2bb81a06d3dea9"
+  integrity sha512-9kkuMZHnLH/8qXARvYSjNvq8S1GYFFzynQTAfKeaJ0sIrR3PUPuu37Z+EiIANiZBvpfTf2B5y8ecDLSMWlLv+w==
+
 lru-cache@^7.14.1:
   version "7.14.1"
   resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-7.14.1.tgz#8da8d2f5f59827edb388e63e459ac23d6d408fea"
@@ -10718,7 +10883,7 @@ merge2@^1.3.0, merge2@^1.4.1:
   resolved "https://registry.yarnpkg.com/merge2/-/merge2-1.4.1.tgz#4368892f885e907455a6fd7dc55c0c9d404990ae"
   integrity sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==
 
-methods@^1.1.1, methods@^1.1.2:
+methods@^1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/methods/-/methods-1.1.2.tgz#5529a4d67654134edcc5266656835b0f851afcee"
   integrity sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==
@@ -10770,7 +10935,12 @@ mime-types@^2.1.12, mime-types@^2.1.18, mime-types@^2.1.24, mime-types@^2.1.27,
   dependencies:
     mime-db "1.52.0"
 
-mime@^1.3.4, mime@^1.4.1:
+mime@2.6.0:
+  version "2.6.0"
+  resolved "https://registry.yarnpkg.com/mime/-/mime-2.6.0.tgz#a2a682a95cd4d0cb1d6257e28f83da7e35800367"
+  integrity sha512-USPkMeET31rOMiarsBNIHZKLGgvKc/LrjofAnBlOttf5ajRvqiRA8QsenbcooctK6d6Ts6aqZXBA+XbkKthiQg==
+
+mime@^1.3.4:
   version "1.6.0"
   resolved "https://registry.yarnpkg.com/mime/-/mime-1.6.0.tgz#32cd9e5c64553bd58d19a568af452acff04981b1"
   integrity sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==
@@ -11125,6 +11295,16 @@ node-gyp-build-optional-packages@5.0.3:
   resolved "https://registry.yarnpkg.com/node-gyp-build-optional-packages/-/node-gyp-build-optional-packages-5.0.3.tgz#92a89d400352c44ad3975010368072b41ad66c17"
   integrity sha512-k75jcVzk5wnnc/FMxsf4udAoTEUv2jY3ycfdSd3yWu6Cnd1oee6/CfZJApyscA4FJOmdoixWwiwOyf16RzD5JA==
 
+node-gyp-build@^3.9.0:
+  version "3.9.0"
+  resolved "https://registry.yarnpkg.com/node-gyp-build/-/node-gyp-build-3.9.0.tgz#53a350187dd4d5276750da21605d1cb681d09e25"
+  integrity sha512-zLcTg6P4AbcHPq465ZMFNXx7XpKKJh+7kkN699NiQWisR2uWYOWNWqRHAmbnmKiL4e9aLSlmy5U7rEMUXV59+A==
+
+node-gyp-build@^4.5.0:
+  version "4.6.0"
+  resolved "https://registry.yarnpkg.com/node-gyp-build/-/node-gyp-build-4.6.0.tgz#0c52e4cbf54bbd28b709820ef7b6a3c2d6209055"
+  integrity sha512-NTZVKn9IylLwUzaKjkas1e4u2DLNcV4rdYagA4PWdPwW87Bi7z+BznyKSRwS/761tV/lzCGXplWsiaMjLqP2zQ==
+
 node-gyp-build@~4.1.0:
   version "4.1.1"
   resolved "https://registry.yarnpkg.com/node-gyp-build/-/node-gyp-build-4.1.1.tgz#d7270b5d86717068d114cc57fff352f96d745feb"
@@ -11494,6 +11674,11 @@ openapi-validator@^0.14.2:
     path-parser "^6.1.0"
     typeof "^1.0.0"
 
+opentracing@>=0.12.1:
+  version "0.14.7"
+  resolved "https://registry.yarnpkg.com/opentracing/-/opentracing-0.14.7.tgz#25d472bd0296dc0b64d7b94cbc995219031428f5"
+  integrity sha512-vz9iS7MJ5+Bp1URw8Khvdyw1H/hGvzHWlKQ7eRrQojSCDL1/SrWfrY9QebLw97n2deyRtzHRC3MkQfVNUCo91Q==
+
 optional-js@^2.0.0:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/optional-js/-/optional-js-2.3.0.tgz#81d54c4719afa8845b988143643a5148f9d89490"
@@ -11844,6 +12029,11 @@ path-to-regexp@6.2.0:
   resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-6.2.0.tgz#f7b3803336104c346889adece614669230645f38"
   integrity sha512-f66KywYG6+43afgE/8j/GoiNyygk/bnoCbps++3ErRKsIYkGGupyv07R2Ok5m9i67Iqc+T2g1eAUGUPzWhYTyg==
 
+path-to-regexp@^0.1.2:
+  version "0.1.7"
+  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.7.tgz#df604178005f522f15eb4490e7247a1bfaa67f8c"
+  integrity sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==
+
 path-to-regexp@^6.1.0, path-to-regexp@^6.2.0:
   version "6.2.1"
   resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-6.2.1.tgz#d54934d6798eb9e5ef14e7af7962c945906918e5"
@@ -11957,6 +12147,11 @@ pify@^4.0.1:
   resolved "https://registry.yarnpkg.com/pify/-/pify-4.0.1.tgz#4b2cd25c50d598735c50292224fd8c6df41e3231"
   integrity sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g==
 
+pify@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/pify/-/pify-5.0.0.tgz#1f5eca3f5e87ebec28cc6d54a0e4aaf00acc127f"
+  integrity sha512-eW/gHNMlxdSP6dmG6uJip6FXN0EQBwm2clYYd8Wul42Cwu/DK8HEftzsapcNdYe2MfLiIwZqsDk2RDEsTE79hA==
+
 pinkie-promise@^2.0.0:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/pinkie-promise/-/pinkie-promise-2.0.1.tgz#2135d6dfa7a358c069ac9b178776288228450ffa"
@@ -12450,6 +12645,24 @@ protobufjs@6.11.3, protobufjs@^6.11.2, protobufjs@^6.11.3, protobufjs@^6.8.6:
     "@types/node" ">=13.7.0"
     long "^4.0.0"
 
+protobufjs@^7.0.0, protobufjs@^7.1.2:
+  version "7.2.2"
+  resolved "https://registry.yarnpkg.com/protobufjs/-/protobufjs-7.2.2.tgz#2af401d8c547b9476fb37ffc65782cf302342ca3"
+  integrity sha512-++PrQIjrom+bFDPpfmqXfAGSQs40116JRrqqyf53dymUMvvb5d/LMRyicRoF1AUKoXVS1/IgJXlEgcpr4gTF3Q==
+  dependencies:
+    "@protobufjs/aspromise" "^1.1.2"
+    "@protobufjs/base64" "^1.1.2"
+    "@protobufjs/codegen" "^2.0.4"
+    "@protobufjs/eventemitter" "^1.1.0"
+    "@protobufjs/fetch" "^1.1.0"
+    "@protobufjs/float" "^1.0.2"
+    "@protobufjs/inquire" "^1.1.0"
+    "@protobufjs/path" "^1.1.2"
+    "@protobufjs/pool" "^1.1.0"
+    "@protobufjs/utf8" "^1.1.0"
+    "@types/node" ">=13.7.0"
+    long "^5.0.0"
+
 proxy-from-env@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz#e102f16ca355424865755d2c9e8ea4f24d58c3e2"
@@ -12517,14 +12730,14 @@ q@^1.1.2:
   resolved "https://registry.yarnpkg.com/q/-/q-1.5.1.tgz#7e32f75b41381291d04611f1bf14109ac00651d7"
   integrity sha512-kV/CThkXo6xyFEZUugw/+pIOywXcDbFYgSct5cT3gqlbkBE1SJdwy6UQoZvodiWF/ckQLZyDE/Bu1M6gVu5lVw==
 
-qs@^6.11.0:
+qs@^6.10.3, qs@^6.11.0:
   version "6.11.0"
   resolved "https://registry.yarnpkg.com/qs/-/qs-6.11.0.tgz#fd0d963446f7a65e1367e01abd85429453f0c37a"
   integrity sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==
   dependencies:
     side-channel "^1.0.4"
 
-qs@^6.4.0, qs@^6.5.1:
+qs@^6.4.0:
   version "6.10.5"
   resolved "https://registry.yarnpkg.com/qs/-/qs-6.10.5.tgz#974715920a80ff6a262264acd2c7e6c2a53282b4"
   integrity sha512-O5RlPh0VFtR78y79rgcgKK4wbAI0C5zGVLztOIdpWX6ep368q5Hv6XRxDvXuZ9q3C6v+e3n8UfZZJw7IIG27eQ==
@@ -13064,6 +13277,11 @@ retry-request@^4.0.0:
     debug "^4.1.1"
     extend "^3.0.2"
 
+retry@^0.10.1:
+  version "0.10.1"
+  resolved "https://registry.yarnpkg.com/retry/-/retry-0.10.1.tgz#e76388d217992c252750241d3d3956fed98d8ff4"
+  integrity sha512-ZXUSQYTHdl3uS7IuCehYfMzKyIDBNoAuUblvy5oGO5UJSUTmStUUVPXbA9Qxd173Bgre53yCQczQuHgRWAdvJQ==
+
 reusify@^1.0.4:
   version "1.0.4"
   resolved "https://registry.yarnpkg.com/reusify/-/reusify-1.0.4.tgz#90da382b1e126efc02146e90845a88db12925d76"
@@ -13624,6 +13842,11 @@ source-map@^0.6.0, source-map@^0.6.1, source-map@~0.6.1:
   resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.6.1.tgz#74722af32e9614e9c287a8d0bbde48b5e2f1a263"
   integrity sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==
 
+source-map@^0.7.3:
+  version "0.7.4"
+  resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.7.4.tgz#a9bbe705c9d8846f4e08ff6765acf0f1b0898656"
+  integrity sha512-l3BikUxvPOcn5E74dZiq5BGsTb5yEwhaTSzccU6t4sDOH8NWJCstKO5QT2CvtFoK6F0saL7p9xHAqHOlCPJygA==
+
 source-map@^0.8.0-beta.0:
   version "0.8.0-beta.0"
   resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.8.0-beta.0.tgz#d4c1bb42c3f7ee925f005927ba10709e0d1d1f11"
@@ -13710,6 +13933,13 @@ split2@^4.1.0:
   resolved "https://registry.yarnpkg.com/split2/-/split2-4.1.0.tgz#101907a24370f85bb782f08adaabe4e281ecf809"
   integrity sha512-VBiJxFkxiXRlUIeyMQi8s4hgvKCSjtknJv/LVYbrgALPwf5zSKmEwV9Lst25AkvMDnvxODugjdl6KZgwKM1WYQ==
 
+split@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/split/-/split-1.0.1.tgz#605bd9be303aa59fb35f9229fbea0ddec9ea07d9"
+  integrity sha512-mTyOoPbrivtXnwnIxZRFYRrPNtEFKlpB2fvjSnCQUiAA6qAZzqwna5envK4uk6OIeP17CsdF3rSBGYVBsU0Tkg==
+  dependencies:
+    through "2"
+
 sprintf-js@^1.1.1, sprintf-js@^1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.1.2.tgz#da1765262bf8c0f571749f2ad6c26300207ae673"
@@ -14005,29 +14235,30 @@ sublevel-pouchdb@7.2.2:
     ltgt "2.2.1"
     readable-stream "1.1.14"
 
-superagent@^3.8.3:
-  version "3.8.3"
-  resolved "https://registry.yarnpkg.com/superagent/-/superagent-3.8.3.tgz#460ea0dbdb7d5b11bc4f78deba565f86a178e128"
-  integrity sha512-GLQtLMCoEIK4eDv6OGtkOoSMt3D+oq0y3dsxMuYuDvaNUvuT8eFBuLmfR0iYYzHC1e8hpzC6ZsxbuP6DIalMFA==
+superagent@^7.1.0:
+  version "7.1.6"
+  resolved "https://registry.yarnpkg.com/superagent/-/superagent-7.1.6.tgz#64f303ed4e4aba1e9da319f134107a54cacdc9c6"
+  integrity sha512-gZkVCQR1gy/oUXr+kxJMLDjla434KmSOKbx5iGD30Ql+AkJQ/YlPKECJy2nhqOsHLjGHzoDTXNSjhnvWhzKk7g==
   dependencies:
-    component-emitter "^1.2.0"
-    cookiejar "^2.1.0"
-    debug "^3.1.0"
-    extend "^3.0.0"
-    form-data "^2.3.1"
-    formidable "^1.2.0"
-    methods "^1.1.1"
-    mime "^1.4.1"
-    qs "^6.5.1"
-    readable-stream "^2.3.5"
+    component-emitter "^1.3.0"
+    cookiejar "^2.1.3"
+    debug "^4.3.4"
+    fast-safe-stringify "^2.1.1"
+    form-data "^4.0.0"
+    formidable "^2.0.1"
+    methods "^1.1.2"
+    mime "2.6.0"
+    qs "^6.10.3"
+    readable-stream "^3.6.0"
+    semver "^7.3.7"
 
-supertest@4.0.2:
-  version "4.0.2"
-  resolved "https://registry.yarnpkg.com/supertest/-/supertest-4.0.2.tgz#c2234dbdd6dc79b6f15b99c8d6577b90e4ce3f36"
-  integrity sha512-1BAbvrOZsGA3YTCWqbmh14L0YEq0EGICX/nBnfkfVJn7SrxQV1I3pMYjSzG9y/7ZU2V9dWqyqk2POwxlb09duQ==
+supertest@6.2.2:
+  version "6.2.2"
+  resolved "https://registry.yarnpkg.com/supertest/-/supertest-6.2.2.tgz#04a5998fd3efaff187cb69f07a169755d655b001"
+  integrity sha512-wCw9WhAtKJsBvh07RaS+/By91NNE0Wh0DN19/hWPlBOU8tAfOtbZoVSV4xXeoKoxgPx0rx2y+y+8660XtE7jzg==
   dependencies:
     methods "^1.1.2"
-    superagent "^3.8.3"
+    superagent "^7.1.0"
 
 supports-color@^5.3.0, supports-color@^5.5.0:
   version "5.5.0"
@@ -14401,10 +14632,10 @@ through2@^2.0.0, through2@^2.0.1, through2@^2.0.2, through2@^2.0.3:
     readable-stream "~2.3.6"
     xtend "~4.0.1"
 
-through@^2.3.6, through@^2.3.8, through@~2.3.4:
+through@2, through@^2.3.6, through@^2.3.8, through@~2.3.4:
   version "2.3.8"
   resolved "https://registry.yarnpkg.com/through/-/through-2.3.8.tgz#0dd4c9ffaabc357960b1b724115d7e0e86a2e1f5"
-  integrity sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU=
+  integrity sha512-w89qg7PI8wAdvX60bMDP+bFoD5Dvhm9oLheFp5O4a2QF0cSBGsBX4qZmadPMvVqlLJBBci+WqGGOAPvcDeNSVg==
 
 tildify@2.0.0:
   version "2.0.0"
diff --git a/packages/string-templates/package.json b/packages/string-templates/package.json
index b04876e19b..edae9518ca 100644
--- a/packages/string-templates/package.json
+++ b/packages/string-templates/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@budibase/string-templates",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "description": "Handlebars wrapper for Budibase templating.",
   "main": "src/index.cjs",
   "module": "dist/bundle.mjs",
diff --git a/packages/types/package.json b/packages/types/package.json
index 26d6c53a3a..3153bad674 100644
--- a/packages/types/package.json
+++ b/packages/types/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@budibase/types",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "description": "Budibase types",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
diff --git a/packages/types/src/api/account/index.ts b/packages/types/src/api/account/index.ts
index 0cbc487bcc..4be610d1b3 100644
--- a/packages/types/src/api/account/index.ts
+++ b/packages/types/src/api/account/index.ts
@@ -1,2 +1,3 @@
 export * from "./user"
 export * from "./license"
+export * from "./status"
diff --git a/packages/types/src/api/account/status.ts b/packages/types/src/api/account/status.ts
new file mode 100644
index 0000000000..f6a0db7a5e
--- /dev/null
+++ b/packages/types/src/api/account/status.ts
@@ -0,0 +1,7 @@
+export interface HealthStatusResponse {
+  passing: boolean
+  checks: {
+    login: boolean
+    search: boolean
+  }
+}
diff --git a/packages/types/src/api/web/auth.ts b/packages/types/src/api/web/auth.ts
new file mode 100644
index 0000000000..e31a151c48
--- /dev/null
+++ b/packages/types/src/api/web/auth.ts
@@ -0,0 +1,25 @@
+export interface LoginRequest {
+  username: string
+  password: string
+}
+
+export interface PasswordResetRequest {
+  email: string
+}
+
+export interface PasswordResetUpdateRequest {
+  resetCode: string
+  password: string
+}
+
+export interface UpdateSelfRequest {
+  firstName?: string
+  lastName?: string
+  password?: string
+  forceResetPassword?: boolean
+}
+
+export interface UpdateSelfResponse {
+  _id: string
+  _rev: string
+}
diff --git a/packages/types/src/api/web/errors.ts b/packages/types/src/api/web/errors.ts
index 65870d6a29..996c0ba34c 100644
--- a/packages/types/src/api/web/errors.ts
+++ b/packages/types/src/api/web/errors.ts
@@ -2,4 +2,5 @@ export interface APIError {
   message: string
   status: number
   error?: any
+  validationErrors?: any
 }
diff --git a/packages/types/src/api/web/index.ts b/packages/types/src/api/web/index.ts
index 3d209f22bb..141119c837 100644
--- a/packages/types/src/api/web/index.ts
+++ b/packages/types/src/api/web/index.ts
@@ -1,4 +1,5 @@
 export * from "./analytics"
+export * from "./auth"
 export * from "./user"
 export * from "./errors"
 export * from "./schedule"
diff --git a/packages/types/src/api/web/user.ts b/packages/types/src/api/web/user.ts
index 6acaf6912d..a435808f7e 100644
--- a/packages/types/src/api/web/user.ts
+++ b/packages/types/src/api/web/user.ts
@@ -1,6 +1,6 @@
 import { User } from "../../documents"
 
-export interface CreateUserResponse {
+export interface SaveUserResponse {
   _id: string
   _rev: string
   email: string
@@ -58,6 +58,25 @@ export interface CreateAdminUserRequest {
   tenantId: string
 }
 
+export interface CreateAdminUserResponse {
+  _id: string
+  _rev: string
+  email: string
+}
+
+export interface AcceptUserInviteRequest {
+  inviteCode: string
+  password: string
+  firstName: string
+  lastName: string
+}
+
+export interface AcceptUserInviteResponse {
+  _id: string
+  _rev: string
+  email: string
+}
+
 export interface SyncUserRequest {
   previousUser?: User
 }
diff --git a/packages/types/src/documents/account/account.ts b/packages/types/src/documents/account/account.ts
index a8684f8427..cacdc4e9a2 100644
--- a/packages/types/src/documents/account/account.ts
+++ b/packages/types/src/documents/account/account.ts
@@ -79,14 +79,24 @@ export const isSelfHostAccount = (account: Account) =>
 export const isSSOAccount = (account: Account): account is SSOAccount =>
   account.authType === AuthType.SSO
 
-export interface SSOAccount extends Account {
-  pictureUrl?: string
-  provider?: string
-  providerType?: string
+export enum AccountSSOProviderType {
+  GOOGLE = "google",
+}
+
+export enum AccountSSOProvider {
+  GOOGLE = "google",
+}
+
+export interface AccountSSO {
+  provider: AccountSSOProvider
+  providerType: AccountSSOProviderType
   oauth2?: OAuthTokens
+  pictureUrl?: string
   thirdPartyProfile: any // TODO: define what the google profile looks like
 }
 
+export type SSOAccount = (Account | CloudAccount) & AccountSSO
+
 export enum AuthType {
   SSO = "sso",
   PASSWORD = "password",
diff --git a/packages/types/src/documents/global/config.ts b/packages/types/src/documents/global/config.ts
index 9b05069c9a..99dec534b6 100644
--- a/packages/types/src/documents/global/config.ts
+++ b/packages/types/src/documents/global/config.ts
@@ -27,15 +27,17 @@ export interface SettingsConfig extends Config {
   }
 }
 
-export interface GoogleConfig extends Config {
-  config: {
-    clientID: string
-    clientSecret: string
-    activated: boolean
-  }
+export interface GoogleInnerConfig {
+  clientID: string
+  clientSecret: string
+  activated: boolean
 }
 
-export interface OIDCConfiguration {
+export interface GoogleConfig extends Config {
+  config: GoogleInnerConfig
+}
+
+export interface OIDCStrategyConfiguration {
   issuer: string
   authorizationURL: string
   tokenURL: string
@@ -45,7 +47,7 @@ export interface OIDCConfiguration {
   callbackURL: string
 }
 
-export interface OIDCInnerCfg {
+export interface OIDCInnerConfig {
   configUrl: string
   clientID: string
   clientSecret: string
@@ -57,10 +59,17 @@ export interface OIDCInnerCfg {
 
 export interface OIDCConfig extends Config {
   config: {
-    configs: OIDCInnerCfg[]
+    configs: OIDCInnerConfig[]
   }
 }
 
+export interface OIDCWellKnownConfig {
+  issuer: string
+  authorization_endpoint: string
+  token_endpoint: string
+  userinfo_endpoint: string
+}
+
 export const isSettingsConfig = (config: Config): config is SettingsConfig =>
   config.type === ConfigType.SETTINGS
 
diff --git a/packages/types/src/documents/global/user.ts b/packages/types/src/documents/global/user.ts
index aef36c3469..2ef13a7412 100644
--- a/packages/types/src/documents/global/user.ts
+++ b/packages/types/src/documents/global/user.ts
@@ -1,37 +1,44 @@
 import { Document } from "../document"
 
-export interface SSOProfile {
-  id: string
-  name?: {
-    givenName?: string
-    familyName?: string
-  }
-  _json: {
-    email: string
-    picture: string
-  }
-  provider?: string
+// SSO
+
+export interface SSOProfileJson {
+  email?: string
+  picture?: string
 }
 
-export interface ThirdPartyUser extends Document {
-  thirdPartyProfile?: SSOProfile["_json"]
-  firstName?: string
-  lastName?: string
-  pictureUrl?: string
-  profile?: SSOProfile
-  oauth2?: any
-  provider?: string
-  providerType?: string
-  email: string
-  userId?: string
-  forceResetPassword?: boolean
-  userGroups?: string[]
+export interface OAuth2 {
+  accessToken: string
+  refreshToken?: string
 }
 
-export interface User extends ThirdPartyUser {
+export enum SSOProviderType {
+  OIDC = "oidc",
+  GOOGLE = "google",
+}
+
+export interface UserSSO {
+  provider: string // the individual provider e.g. Okta, Auth0, Google
+  providerType: SSOProviderType
+  oauth2?: OAuth2
+  thirdPartyProfile?: SSOProfileJson
+}
+
+export type SSOUser = User & UserSSO
+
+export function isSSOUser(user: User): user is SSOUser {
+  return !!(user as SSOUser).providerType
+}
+
+// USER
+
+export interface User extends Document {
   tenantId: string
   email: string
   userId?: string
+  firstName?: string
+  lastName?: string
+  pictureUrl?: string
   forceResetPassword?: boolean
   roles: UserRoles
   builder?: {
@@ -44,9 +51,7 @@ export interface User extends ThirdPartyUser {
   status?: string
   createdAt?: number // override the default createdAt behaviour - users sdk historically set this to Date.now()
   dayPassRecordedAt?: string
-  account?: {
-    authType: string
-  }
+  userGroups?: string[]
   onboardedAt?: string
 }
 
@@ -54,7 +59,7 @@ export interface UserRoles {
   [key: string]: string
 }
 
-// utility types
+// UTILITY TYPES
 
 export interface BuilderUser extends User {
   builder: {
diff --git a/packages/types/src/sdk/index.ts b/packages/types/src/sdk/index.ts
index 1b0fdb193b..ccd59bf720 100644
--- a/packages/types/src/sdk/index.ts
+++ b/packages/types/src/sdk/index.ts
@@ -13,3 +13,5 @@ export * from "./middleware"
 export * from "./featureFlag"
 export * from "./environmentVariables"
 export * from "./auditLogs"
+export * from "./sso"
+export * from "./user"
diff --git a/packages/types/src/sdk/locks.ts b/packages/types/src/sdk/locks.ts
index e6809319b1..d868691891 100644
--- a/packages/types/src/sdk/locks.ts
+++ b/packages/types/src/sdk/locks.ts
@@ -12,6 +12,7 @@ export enum LockName {
   MIGRATIONS = "migrations",
   TRIGGER_QUOTA = "trigger_quota",
   SYNC_ACCOUNT_LICENSE = "sync_account_license",
+  UPDATE_TENANTS_DOC = "update_tenants_doc",
 }
 
 export interface LockOptions {
diff --git a/packages/types/src/sdk/sso.ts b/packages/types/src/sdk/sso.ts
new file mode 100644
index 0000000000..2141204ccb
--- /dev/null
+++ b/packages/types/src/sdk/sso.ts
@@ -0,0 +1,37 @@
+import {
+  OAuth2,
+  SSOProfileJson,
+  SSOProviderType,
+  SSOUser,
+  User,
+} from "../documents"
+import { SaveUserOpts } from "./user"
+
+export interface JwtClaims {
+  preferred_username?: string
+  email?: string
+}
+
+export interface SSOAuthDetails {
+  oauth2: OAuth2
+  provider: string
+  providerType: SSOProviderType
+  userId: string
+  email?: string
+  profile?: SSOProfile
+}
+
+export interface SSOProfile {
+  id: string
+  name?: {
+    givenName?: string
+    familyName?: string
+  }
+  _json: SSOProfileJson
+  provider?: string
+}
+
+export type SaveSSOUserFunction = (
+  user: SSOUser,
+  opts: SaveUserOpts
+) => Promise<User>
diff --git a/packages/types/src/sdk/user.ts b/packages/types/src/sdk/user.ts
new file mode 100644
index 0000000000..1602eeb6c8
--- /dev/null
+++ b/packages/types/src/sdk/user.ts
@@ -0,0 +1,12 @@
+export interface UpdateSelf {
+  firstName?: string
+  lastName?: string
+  password?: string
+  forceResetPassword?: boolean
+}
+
+export interface SaveUserOpts {
+  hashPassword?: boolean
+  requirePassword?: boolean
+  currentUserId?: string
+}
diff --git a/packages/worker/jest.config.ts b/packages/worker/jest.config.ts
index 8b0514211b..cdacfa411a 100644
--- a/packages/worker/jest.config.ts
+++ b/packages/worker/jest.config.ts
@@ -12,24 +12,19 @@ const config: Config.InitialOptions = {
   transform: {
     "^.+\\.ts?$": "@swc/jest",
   },
-}
-
-if (!process.env.CI) {
-  // use sources when not in CI
-  config.moduleNameMapper = {
+  moduleNameMapper: {
     "@budibase/backend-core/(.*)": "<rootDir>/../backend-core/$1",
     "@budibase/backend-core": "<rootDir>/../backend-core/src",
     "@budibase/types": "<rootDir>/../types/src",
-  }
-  // add pro sources if they exist
-  if (fs.existsSync("../../../budibase-pro")) {
-    config.moduleNameMapper["@budibase/pro/(.*)"] =
-      "<rootDir>/../../../budibase-pro/packages/pro/$1"
-    config.moduleNameMapper["@budibase/pro"] =
-      "<rootDir>/../../../budibase-pro/packages/pro/src"
-  }
-} else {
-  console.log("Running tests with compiled dependency sources")
+  },
+}
+
+// add pro sources if they exist
+if (fs.existsSync("../../../budibase-pro")) {
+  config.moduleNameMapper["@budibase/pro/(.*)"] =
+    "<rootDir>/../../../budibase-pro/packages/pro/$1"
+  config.moduleNameMapper["@budibase/pro"] =
+    "<rootDir>/../../../budibase-pro/packages/pro/src"
 }
 
 export default config
diff --git a/packages/worker/package.json b/packages/worker/package.json
index d8b6919b4b..0fb3abe53b 100644
--- a/packages/worker/package.json
+++ b/packages/worker/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@budibase/worker",
   "email": "hi@budibase.com",
-  "version": "2.3.14-alpha.0",
+  "version": "2.3.18-alpha.0",
   "description": "Budibase background service",
   "main": "src/index.ts",
   "repository": {
@@ -22,7 +22,7 @@
     "build:docker": "docker build . -t worker-service --label version=$BUDIBASE_RELEASE_VERSION",
     "dev:stack:init": "node ./scripts/dev/manage.js init",
     "dev:builder": "npm run dev:stack:init && nodemon",
-    "test": "jest --coverage --maxWorkers=2",
+    "test": "jest --coverage --runInBand",
     "test:watch": "jest --watch",
     "env:multi:enable": "node scripts/multiTenancy.js enable",
     "env:multi:disable": "node scripts/multiTenancy.js disable",
@@ -36,16 +36,17 @@
   "author": "Budibase",
   "license": "GPL-3.0",
   "dependencies": {
-    "@budibase/backend-core": "2.3.14-alpha.0",
-    "@budibase/pro": "2.3.14-alpha.0",
-    "@budibase/string-templates": "2.3.14-alpha.0",
-    "@budibase/types": "2.3.14-alpha.0",
+    "@budibase/backend-core": "2.3.18-alpha.0",
+    "@budibase/pro": "2.3.18-alpha.0",
+    "@budibase/string-templates": "2.3.18-alpha.0",
+    "@budibase/types": "2.3.18-alpha.0",
     "@koa/router": "8.0.8",
     "@sentry/node": "6.17.7",
     "@techpass/passport-openidconnect": "0.3.2",
     "@types/global-agent": "2.1.1",
     "aws-sdk": "2.1030.0",
     "bcryptjs": "2.4.3",
+    "dd-trace": "3.13.2",
     "dotenv": "8.6.0",
     "elastic-apm-node": "3.38.0",
     "global-agent": "3.0.0",
@@ -73,7 +74,7 @@
     "@swc/core": "^1.3.25",
     "@swc/jest": "^0.2.24",
     "@trendyol/jest-testcontainers": "^2.1.1",
-    "@types/jest": "26.0.23",
+    "@types/jest": "28.1.1",
     "@types/jsonwebtoken": "8.5.1",
     "@types/koa": "2.13.4",
     "@types/koa__router": "8.0.8",
@@ -81,6 +82,7 @@
     "@types/node-fetch": "2.6.1",
     "@types/pouchdb": "6.4.0",
     "@types/server-destroy": "1.0.1",
+    "@types/supertest": "2.0.12",
     "@types/uuid": "8.3.4",
     "@typescript-eslint/parser": "5.45.0",
     "copyfiles": "2.4.1",
diff --git a/packages/worker/scripts/dev/manage.js b/packages/worker/scripts/dev/manage.js
index 01cdef08ff..21a9eab9c6 100644
--- a/packages/worker/scripts/dev/manage.js
+++ b/packages/worker/scripts/dev/manage.js
@@ -29,6 +29,7 @@ async function init() {
       SERVICE: "worker-service",
       DEPLOYMENT_ENVIRONMENT: "development",
       TENANT_FEATURE_FLAGS: "*:LICENSING,*:USER_GROUPS,*:ONBOARDING_TOUR",
+      ENABLE_EMAIL_TEST_MODE: 1,
     }
     let envFile = ""
     Object.keys(envFileJson).forEach(key => {
diff --git a/packages/worker/src/api/controllers/global/auth.ts b/packages/worker/src/api/controllers/global/auth.ts
index 7491a47bb3..1e55d4de0d 100644
--- a/packages/worker/src/api/controllers/global/auth.ts
+++ b/packages/worker/src/api/controllers/global/auth.ts
@@ -1,46 +1,55 @@
 import {
-  auth,
+  auth as authCore,
   constants,
   context,
   db as dbCore,
   events,
   tenancy,
-  users as usersCore,
-  utils,
+  utils as utilsCore,
 } from "@budibase/backend-core"
-import { EmailTemplatePurpose } from "../../../constants"
-import { isEmailConfigured, sendEmail } from "../../../utilities/email"
-import { checkResetPasswordCode } from "../../../utilities/redis"
+import {
+  ConfigType,
+  User,
+  Ctx,
+  LoginRequest,
+  SSOUser,
+  PasswordResetRequest,
+  PasswordResetUpdateRequest,
+} from "@budibase/types"
 import env from "../../../environment"
-import sdk from "../../../sdk"
-import { ConfigType, User } from "@budibase/types"
 
-const { setCookie, getCookie, clearCookie, hash, platformLogout } = utils
+import * as authSdk from "../../../sdk/auth"
+import * as userSdk from "../../../sdk/users"
+
 const { Cookie, Header } = constants
-const { passport, ssoCallbackUrl, google, oidc } = auth
+const { passport, ssoCallbackUrl, google, oidc } = authCore
+const { setCookie, getCookie, clearCookie } = utilsCore
 
-export async function googleCallbackUrl(config?: { callbackURL?: string }) {
-  return ssoCallbackUrl(tenancy.getGlobalDB(), config, ConfigType.GOOGLE)
-}
+// LOGIN / LOGOUT
 
-export async function oidcCallbackUrl(config?: { callbackURL?: string }) {
-  return ssoCallbackUrl(tenancy.getGlobalDB(), config, ConfigType.OIDC)
-}
-
-async function authInternal(ctx: any, user: any, err = null, info = null) {
+async function passportCallback(
+  ctx: Ctx,
+  user: User,
+  err: any = null,
+  info: { message: string } | null = null
+) {
   if (err) {
-    console.error("Authentication error", err)
+    console.error("Authentication error")
+    console.error(err)
+    console.trace(err)
+    return ctx.throw(403, info ? info : "Unauthorized")
+  }
+  if (!user) {
+    console.error("Authentication error - no user provided")
     return ctx.throw(403, info ? info : "Unauthorized")
   }
 
-  if (!user) {
-    return ctx.throw(403, info ? info : "Unauthorized")
-  }
+  const token = await authSdk.loginUser(user)
 
   // set a cookie for browser access
-  setCookie(ctx, user.token, Cookie.Auth, { sign: false })
+  setCookie(ctx, token, Cookie.Auth, { sign: false })
   // set the token in a header as well for APIs
-  ctx.set(Header.TOKEN, user.token)
+  ctx.set(Header.TOKEN, token)
   // get rid of any app cookies on login
   // have to check test because this breaks cypress
   if (!env.isTest()) {
@@ -48,11 +57,18 @@ async function authInternal(ctx: any, user: any, err = null, info = null) {
   }
 }
 
-export const authenticate = async (ctx: any, next: any) => {
+export const login = async (ctx: Ctx<LoginRequest>, next: any) => {
+  const email = ctx.request.body.username
+
+  const user = await userSdk.getUserByEmail(email)
+  if (user && (await userSdk.isPreventSSOPasswords(user))) {
+    ctx.throw(400, "SSO user cannot login using password")
+  }
+
   return passport.authenticate(
     "local",
     async (err: any, user: User, info: any) => {
-      await authInternal(ctx, user, err, info)
+      await passportCallback(ctx, user, err, info)
       await context.identity.doInUserContext(user, async () => {
         await events.auth.login("local", user.email)
       })
@@ -61,6 +77,15 @@ export const authenticate = async (ctx: any, next: any) => {
   )(ctx, next)
 }
 
+export const logout = async (ctx: any) => {
+  if (ctx.user && ctx.user._id) {
+    await authSdk.logout({ ctx, userId: ctx.user._id })
+  }
+  ctx.body = { message: "User logged out." }
+}
+
+// INIT
+
 export const setInitInfo = (ctx: any) => {
   const initInfo = ctx.request.body
   setCookie(ctx, initInfo, Cookie.Init)
@@ -76,32 +101,16 @@ export const getInitInfo = (ctx: any) => {
   }
 }
 
+// PASSWORD MANAGEMENT
+
 /**
  * Reset the user password, used as part of a forgotten password flow.
  */
-export const reset = async (ctx: any) => {
+export const reset = async (ctx: Ctx<PasswordResetRequest>) => {
   const { email } = ctx.request.body
-  const configured = await isEmailConfigured()
-  if (!configured) {
-    ctx.throw(
-      400,
-      "Please contact your platform administrator, SMTP is not configured."
-    )
-  }
-  try {
-    const user = (await usersCore.getGlobalUserByEmail(email)) as User
-    // only if user exists, don't error though if they don't
-    if (user) {
-      await sendEmail(email, EmailTemplatePurpose.PASSWORD_RECOVERY, {
-        user,
-        subject: "{{ company }} platform password reset",
-      })
-      await events.user.passwordResetRequested(user)
-    }
-  } catch (err) {
-    console.log(err)
-    // don't throw any kind of error to the user, this might give away something
-  }
+
+  await authSdk.reset(email)
+
   ctx.body = {
     message: "Please check your email for a reset link.",
   }
@@ -110,32 +119,21 @@ export const reset = async (ctx: any) => {
 /**
  * Perform the user password update if the provided reset code is valid.
  */
-export const resetUpdate = async (ctx: any) => {
+export const resetUpdate = async (ctx: Ctx<PasswordResetUpdateRequest>) => {
   const { resetCode, password } = ctx.request.body
   try {
-    const { userId } = await checkResetPasswordCode(resetCode)
-    const db = tenancy.getGlobalDB()
-    const user = await db.get(userId)
-    user.password = await hash(password)
-    await db.put(user)
+    await authSdk.resetUpdate(resetCode, password)
     ctx.body = {
       message: "password reset successfully.",
     }
-    // remove password from the user before sending events
-    delete user.password
-    await events.user.passwordReset(user)
   } catch (err) {
-    console.error(err)
+    console.warn(err)
+    // hide any details of the error for security
     ctx.throw(400, "Cannot reset password.")
   }
 }
 
-export const logout = async (ctx: any) => {
-  if (ctx.user && ctx.user._id) {
-    await platformLogout({ ctx, userId: ctx.user._id })
-  }
-  ctx.body = { message: "User logged out." }
-}
+// DATASOURCE
 
 export const datasourcePreAuth = async (ctx: any, next: any) => {
   const provider = ctx.params.provider
@@ -163,6 +161,12 @@ export const datasourceAuth = async (ctx: any, next: any) => {
   return handler.postAuth(passport, ctx, next)
 }
 
+// GOOGLE SSO
+
+export async function googleCallbackUrl(config?: { callbackURL?: string }) {
+  return ssoCallbackUrl(tenancy.getGlobalDB(), config, ConfigType.GOOGLE)
+}
+
 /**
  * The initial call that google authentication makes to take you to the google login screen.
  * On a successful login, you will be redirected to the googleAuth callback route.
@@ -178,7 +182,7 @@ export const googlePreAuth = async (ctx: any, next: any) => {
   const strategy = await google.strategyFactory(
     config,
     callbackUrl,
-    sdk.users.save
+    userSdk.save
   )
 
   return passport.authenticate(strategy, {
@@ -188,7 +192,7 @@ export const googlePreAuth = async (ctx: any, next: any) => {
   })(ctx, next)
 }
 
-export const googleAuth = async (ctx: any, next: any) => {
+export const googleCallback = async (ctx: any, next: any) => {
   const db = tenancy.getGlobalDB()
 
   const config = await dbCore.getScopedConfig(db, {
@@ -199,14 +203,14 @@ export const googleAuth = async (ctx: any, next: any) => {
   const strategy = await google.strategyFactory(
     config,
     callbackUrl,
-    sdk.users.save
+    userSdk.save
   )
 
   return passport.authenticate(
     strategy,
     { successRedirect: "/", failureRedirect: "/error" },
-    async (err: any, user: User, info: any) => {
-      await authInternal(ctx, user, err, info)
+    async (err: any, user: SSOUser, info: any) => {
+      await passportCallback(ctx, user, err, info)
       await context.identity.doInUserContext(user, async () => {
         await events.auth.login("google-internal", user.email)
       })
@@ -215,6 +219,12 @@ export const googleAuth = async (ctx: any, next: any) => {
   )(ctx, next)
 }
 
+// OIDC SSO
+
+export async function oidcCallbackUrl(config?: { callbackURL?: string }) {
+  return ssoCallbackUrl(tenancy.getGlobalDB(), config, ConfigType.OIDC)
+}
+
 export const oidcStrategyFactory = async (ctx: any, configId: any) => {
   const db = tenancy.getGlobalDB()
   const config = await dbCore.getScopedConfig(db, {
@@ -230,7 +240,7 @@ export const oidcStrategyFactory = async (ctx: any, configId: any) => {
     chosenConfig,
     callbackUrl
   )
-  return oidc.strategyFactory(enrichedConfig, sdk.users.save)
+  return oidc.strategyFactory(enrichedConfig, userSdk.save)
 }
 
 /**
@@ -262,15 +272,15 @@ export const oidcPreAuth = async (ctx: any, next: any) => {
   })(ctx, next)
 }
 
-export const oidcAuth = async (ctx: any, next: any) => {
+export const oidcCallback = async (ctx: any, next: any) => {
   const configId = getCookie(ctx, Cookie.OIDC_CONFIG)
   const strategy = await oidcStrategyFactory(ctx, configId)
 
   return passport.authenticate(
     strategy,
     { successRedirect: "/", failureRedirect: "/error" },
-    async (err: any, user: any, info: any) => {
-      await authInternal(ctx, user, err, info)
+    async (err: any, user: SSOUser, info: any) => {
+      await passportCallback(ctx, user, err, info)
       await context.identity.doInUserContext(user, async () => {
         await events.auth.login("oidc", user.email)
       })
diff --git a/packages/worker/src/api/controllers/global/self.ts b/packages/worker/src/api/controllers/global/self.ts
index 06906f1e8e..889a3e6a27 100644
--- a/packages/worker/src/api/controllers/global/self.ts
+++ b/packages/worker/src/api/controllers/global/self.ts
@@ -1,18 +1,22 @@
-import sdk from "../../../sdk"
+import * as userSdk from "../../../sdk/users"
 import {
-  events,
   featureFlags,
   tenancy,
   constants,
   db as dbCore,
   utils,
-  cache,
   encryption,
+  auth as authCore,
 } from "@budibase/backend-core"
 import env from "../../../environment"
 import { groups } from "@budibase/pro"
-const { hash, platformLogout, getCookie, clearCookie, newid } = utils
-const { user: userCache } = cache
+import {
+  UpdateSelfRequest,
+  UpdateSelfResponse,
+  UpdateSelf,
+  UserCtx,
+} from "@budibase/types"
+const { getCookie, clearCookie, newid } = utils
 
 function newTestApiKey() {
   return env.ENCRYPTED_TEST_PUBLIC_API_KEY
@@ -93,17 +97,6 @@ const addSessionAttributesToUser = (ctx: any) => {
   ctx.body.csrfToken = ctx.user.csrfToken
 }
 
-const sanitiseUserUpdate = (ctx: any) => {
-  const allowed = ["firstName", "lastName", "password", "forceResetPassword"]
-  const resp: { [key: string]: any } = {}
-  for (let [key, value] of Object.entries(ctx.request.body)) {
-    if (allowed.includes(key)) {
-      resp[key] = value
-    }
-  }
-  return resp
-}
-
 export async function getSelf(ctx: any) {
   if (!ctx.user) {
     ctx.throw(403, "User not logged in")
@@ -116,7 +109,7 @@ export async function getSelf(ctx: any) {
   checkCurrentApp(ctx)
 
   // get the main body of the user
-  const user = await sdk.users.getUser(userId)
+  const user = await userSdk.getUser(userId)
   ctx.body = await groups.enrichUserRolesFromGroups(user)
 
   // add the feature flags for this tenant
@@ -126,39 +119,30 @@ export async function getSelf(ctx: any) {
   addSessionAttributesToUser(ctx)
 }
 
-export async function updateSelf(ctx: any) {
-  const db = tenancy.getGlobalDB()
-  const user = await db.get(ctx.user._id)
-  let passwordChange = false
+export async function updateSelf(
+  ctx: UserCtx<UpdateSelfRequest, UpdateSelfResponse>
+) {
+  const body = ctx.request.body
+  const update: UpdateSelf = {
+    firstName: body.firstName,
+    lastName: body.lastName,
+    password: body.password,
+    forceResetPassword: body.forceResetPassword,
+  }
 
-  const userUpdateObj = sanitiseUserUpdate(ctx)
-  if (userUpdateObj.password) {
-    // changing password
-    passwordChange = true
-    userUpdateObj.password = await hash(userUpdateObj.password)
+  const user = await userSdk.updateSelf(ctx.user._id!, update)
+
+  if (update.password) {
     // Log all other sessions out apart from the current one
-    await platformLogout({
+    await authCore.platformLogout({
       ctx,
-      userId: ctx.user._id,
+      userId: ctx.user._id!,
       keepActiveSession: true,
     })
   }
 
-  const response = await db.put({
-    ...user,
-    ...userUpdateObj,
-  })
-  await userCache.invalidateUser(user._id)
   ctx.body = {
-    _id: response.id,
-    _rev: response.rev,
-  }
-
-  // remove the old password from the user before sending events
-  user._rev = response.rev
-  delete user.password
-  await events.user.updated(user)
-  if (passwordChange) {
-    await events.user.passwordUpdated(user)
+    _id: user._id!,
+    _rev: user._rev!,
   }
 }
diff --git a/packages/worker/src/api/controllers/global/users.ts b/packages/worker/src/api/controllers/global/users.ts
index 817480151d..c722d27faa 100644
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@@ -1,31 +1,48 @@
 import { checkInviteCode } from "../../../utilities/redis"
-import sdk from "../../../sdk"
+import * as userSdk from "../../../sdk/users"
 import env from "../../../environment"
 import {
+  AcceptUserInviteRequest,
+  AcceptUserInviteResponse,
   BulkUserRequest,
   BulkUserResponse,
   CloudAccount,
   CreateAdminUserRequest,
+  CreateAdminUserResponse,
+  Ctx,
   InviteUserRequest,
   InviteUsersRequest,
+  MigrationType,
+  SaveUserResponse,
   SearchUsersRequest,
   User,
+  UserCtx,
 } from "@budibase/types"
 import {
   accounts,
   cache,
   errors,
   events,
+  migrations,
   tenancy,
+  platform,
 } from "@budibase/backend-core"
 import { checkAnyUserExists } from "../../../utilities/users"
 
 const MAX_USERS_UPLOAD_LIMIT = 1000
 
-export const save = async (ctx: any) => {
+export const save = async (ctx: UserCtx<User, SaveUserResponse>) => {
   try {
     const currentUserId = ctx.user._id
-    ctx.body = await sdk.users.save(ctx.request.body, { currentUserId })
+    const requestUser = ctx.request.body
+
+    const user = await userSdk.save(requestUser, { currentUserId })
+
+    ctx.body = {
+      _id: user._id!,
+      _rev: user._rev!,
+      email: user.email,
+    }
   } catch (err: any) {
     ctx.throw(err.status || 400, err)
   }
@@ -35,7 +52,7 @@ const bulkDelete = async (userIds: string[], currentUserId: string) => {
   if (userIds?.indexOf(currentUserId) !== -1) {
     throw new Error("Unable to delete self.")
   }
-  return await sdk.users.bulkDelete(userIds)
+  return await userSdk.bulkDelete(userIds)
 }
 
 const bulkCreate = async (users: User[], groupIds: string[]) => {
@@ -44,7 +61,7 @@ const bulkCreate = async (users: User[], groupIds: string[]) => {
       "Max limit for upload is 1000 users. Please reduce file size and try again."
     )
   }
-  return await sdk.users.bulkCreate(users, groupIds)
+  return await userSdk.bulkCreate(users, groupIds)
 }
 
 export const bulkUpdate = async (ctx: any) => {
@@ -68,19 +85,30 @@ const parseBooleanParam = (param: any) => {
   return !(param && param === "false")
 }
 
-export const adminUser = async (ctx: any) => {
-  const { email, password, tenantId } = ctx.request
-    .body as CreateAdminUserRequest
+export const adminUser = async (
+  ctx: Ctx<CreateAdminUserRequest, CreateAdminUserResponse>
+) => {
+  const { email, password, tenantId } = ctx.request.body
+
+  if (await platform.tenants.exists(tenantId)) {
+    ctx.throw(403, "Organisation already exists.")
+  }
+
+  if (env.MULTI_TENANCY) {
+    // store the new tenant record in the platform db
+    await platform.tenants.addTenant(tenantId)
+    await migrations.backPopulateMigrations({
+      type: MigrationType.GLOBAL,
+      tenantId,
+    })
+  }
+
   await tenancy.doInTenant(tenantId, async () => {
     // account portal sends a pre-hashed password - honour param to prevent double hashing
     const hashPassword = parseBooleanParam(ctx.request.query.hashPassword)
     // account portal sends no password for SSO users
     const requirePassword = parseBooleanParam(ctx.request.query.requirePassword)
 
-    if (await tenancy.doesTenantExist(tenantId)) {
-      ctx.throw(403, "Organisation already exists.")
-    }
-
     const userExists = await checkAnyUserExists()
     if (userExists) {
       ctx.throw(
@@ -106,7 +134,7 @@ export const adminUser = async (ctx: any) => {
       // always bust checklist beforehand, if an error occurs but can proceed, don't get
       // stuck in a cycle
       await cache.bustCache(cache.CacheKey.CHECKLIST)
-      const finalUser = await sdk.users.save(user, {
+      const finalUser = await userSdk.save(user, {
         hashPassword,
         requirePassword,
       })
@@ -118,7 +146,11 @@ export const adminUser = async (ctx: any) => {
       }
       await events.identification.identifyTenantGroup(tenantId, account)
 
-      ctx.body = finalUser
+      ctx.body = {
+        _id: finalUser._id!,
+        _rev: finalUser._rev!,
+        email: finalUser.email,
+      }
     } catch (err: any) {
       ctx.throw(err.status || 400, err)
     }
@@ -128,7 +160,7 @@ export const adminUser = async (ctx: any) => {
 export const countByApp = async (ctx: any) => {
   const appId = ctx.params.appId
   try {
-    ctx.body = await sdk.users.countUsersByApp(appId)
+    ctx.body = await userSdk.countUsersByApp(appId)
   } catch (err: any) {
     ctx.throw(err.status || 400, err)
   }
@@ -140,7 +172,7 @@ export const destroy = async (ctx: any) => {
     ctx.throw(400, "Unable to delete self.")
   }
 
-  await sdk.users.destroy(id, ctx.user)
+  await userSdk.destroy(id, ctx.user)
 
   ctx.body = {
     message: `User ${id} deleted.`,
@@ -149,7 +181,7 @@ export const destroy = async (ctx: any) => {
 
 export const search = async (ctx: any) => {
   const body = ctx.request.body as SearchUsersRequest
-  const paginated = await sdk.users.paginatedUsers(body)
+  const paginated = await userSdk.paginatedUsers(body)
   // user hashed password shouldn't ever be returned
   for (let user of paginated.data) {
     if (user) {
@@ -161,7 +193,7 @@ export const search = async (ctx: any) => {
 
 // called internally by app server user fetch
 export const fetch = async (ctx: any) => {
-  const all = await sdk.users.allUsers()
+  const all = await userSdk.allUsers()
   // user hashed password shouldn't ever be returned
   for (let user of all) {
     if (user) {
@@ -173,12 +205,12 @@ export const fetch = async (ctx: any) => {
 
 // called internally by app server user find
 export const find = async (ctx: any) => {
-  ctx.body = await sdk.users.getUser(ctx.params.id)
+  ctx.body = await userSdk.getUser(ctx.params.id)
 }
 
 export const tenantUserLookup = async (ctx: any) => {
   const id = ctx.params.id
-  const user = await sdk.users.getPlatformUser(id)
+  const user = await userSdk.getPlatformUser(id)
   if (user) {
     ctx.body = user
   } else {
@@ -188,7 +220,7 @@ export const tenantUserLookup = async (ctx: any) => {
 
 export const invite = async (ctx: any) => {
   const request = ctx.request.body as InviteUserRequest
-  const response = await sdk.users.invite([request])
+  const response = await userSdk.invite([request])
 
   // explicitly throw for single user invite
   if (response.unsuccessful.length) {
@@ -207,7 +239,7 @@ export const invite = async (ctx: any) => {
 
 export const inviteMultiple = async (ctx: any) => {
   const request = ctx.request.body as InviteUsersRequest
-  ctx.body = await sdk.users.invite(request)
+  ctx.body = await userSdk.invite(request)
 }
 
 export const checkInvite = async (ctx: any) => {
@@ -223,13 +255,15 @@ export const checkInvite = async (ctx: any) => {
   }
 }
 
-export const inviteAccept = async (ctx: any) => {
+export const inviteAccept = async (
+  ctx: Ctx<AcceptUserInviteRequest, AcceptUserInviteResponse>
+) => {
   const { inviteCode, password, firstName, lastName } = ctx.request.body
   try {
     // info is an extension of the user object that was stored by global
     const { email, info }: any = await checkInviteCode(inviteCode)
-    ctx.body = await tenancy.doInTenant(info.tenantId, async () => {
-      const saved = await sdk.users.save({
+    const user = await tenancy.doInTenant(info.tenantId, async () => {
+      const saved = await userSdk.save({
         firstName,
         lastName,
         password,
@@ -241,6 +275,12 @@ export const inviteAccept = async (ctx: any) => {
       await events.user.inviteAccepted(user)
       return saved
     })
+
+    ctx.body = {
+      _id: user._id,
+      _rev: user._rev,
+      email: user.email,
+    }
   } catch (err: any) {
     if (err.code === errors.codes.USAGE_LIMIT_EXCEEDED) {
       // explicitly re-throw limit exceeded errors
diff --git a/packages/worker/src/api/controllers/system/accounts.ts b/packages/worker/src/api/controllers/system/accounts.ts
index 0aa5f25785..10b809c0b5 100644
--- a/packages/worker/src/api/controllers/system/accounts.ts
+++ b/packages/worker/src/api/controllers/system/accounts.ts
@@ -1,21 +1,23 @@
 import { Account, AccountMetadata } from "@budibase/types"
-import sdk from "../../../sdk"
+import * as accounts from "../../../sdk/accounts"
 
 export const save = async (ctx: any) => {
   const account = ctx.request.body as Account
   let metadata: AccountMetadata = {
-    _id: sdk.accounts.formatAccountMetadataId(account.accountId),
+    _id: accounts.metadata.formatAccountMetadataId(account.accountId),
     email: account.email,
   }
 
-  metadata = await sdk.accounts.saveMetadata(metadata)
+  metadata = await accounts.metadata.saveMetadata(metadata)
 
   ctx.body = metadata
   ctx.status = 200
 }
 
 export const destroy = async (ctx: any) => {
-  const accountId = sdk.accounts.formatAccountMetadataId(ctx.params.accountId)
-  await sdk.accounts.destroyMetadata(accountId)
+  const accountId = accounts.metadata.formatAccountMetadataId(
+    ctx.params.accountId
+  )
+  await accounts.metadata.destroyMetadata(accountId)
   ctx.status = 204
 }
diff --git a/packages/worker/src/api/controllers/system/tenants.ts b/packages/worker/src/api/controllers/system/tenants.ts
index 6916049534..151507358f 100644
--- a/packages/worker/src/api/controllers/system/tenants.ts
+++ b/packages/worker/src/api/controllers/system/tenants.ts
@@ -1,8 +1,7 @@
-import { BBContext } from "@budibase/types"
-import { deprovisioning } from "@budibase/backend-core"
-import { quotas } from "@budibase/pro"
+import { UserCtx } from "@budibase/types"
+import * as tenantSdk from "../../../sdk/tenants"
 
-const _delete = async (ctx: BBContext) => {
+export async function destroy(ctx: UserCtx) {
   const user = ctx.user!
   const tenantId = ctx.params.tenantId
 
@@ -11,13 +10,10 @@ const _delete = async (ctx: BBContext) => {
   }
 
   try {
-    await quotas.bustCache()
-    await deprovisioning.deleteTenant(tenantId)
+    await tenantSdk.deleteTenant(tenantId)
     ctx.status = 204
   } catch (err) {
     ctx.log.error(err)
     throw err
   }
 }
-
-export { _delete as delete }
diff --git a/packages/worker/src/api/index.ts b/packages/worker/src/api/index.ts
index d8df62f532..b390d36bb8 100644
--- a/packages/worker/src/api/index.ts
+++ b/packages/worker/src/api/index.ts
@@ -3,8 +3,7 @@ const compress = require("koa-compress")
 const zlib = require("zlib")
 import { routes } from "./routes"
 import { middleware as pro } from "@budibase/pro"
-import { errors, auth, middleware } from "@budibase/backend-core"
-import { APIError } from "@budibase/types"
+import { auth, middleware } from "@budibase/backend-core"
 
 const PUBLIC_ENDPOINTS = [
   // deprecated single tenant sso callback
@@ -109,7 +108,9 @@ const NO_TENANCY_ENDPOINTS = [
 const NO_CSRF_ENDPOINTS = [...PUBLIC_ENDPOINTS]
 
 const router: Router = new Router()
+
 router
+  .use(middleware.errorHandling)
   .use(
     compress({
       threshold: 2048,
@@ -136,29 +137,12 @@ router
       (!ctx.isAuthenticated || (ctx.user && !ctx.user.budibaseAccess)) &&
       !ctx.internal
     ) {
-      ctx.throw(403, "Unauthorized - no public worker access")
+      ctx.throw(403, "Unauthorized")
     }
     return next()
   })
   .use(middleware.auditLog)
 
-// error handling middleware - TODO: This could be moved to backend-core
-router.use(async (ctx, next) => {
-  try {
-    await next()
-  } catch (err: any) {
-    ctx.log.error(err)
-    ctx.status = err.status || err.statusCode || 500
-    const error = errors.getPublicError(err)
-    const body: APIError = {
-      message: err.message,
-      status: ctx.status,
-      error,
-    }
-    ctx.body = body
-  }
-})
-
 router.get("/health", ctx => (ctx.status = 200))
 
 // authenticated routes
diff --git a/packages/worker/src/api/routes/global/auth.ts b/packages/worker/src/api/routes/global/auth.ts
index b13cef2fc6..503182a418 100644
--- a/packages/worker/src/api/routes/global/auth.ts
+++ b/packages/worker/src/api/routes/global/auth.ts
@@ -33,7 +33,7 @@ router
   .post(
     "/api/global/auth/:tenantId/login",
     buildAuthValidation(),
-    authController.authenticate
+    authController.login
   )
   .post("/api/global/auth/logout", authController.logout)
   .post(
@@ -68,21 +68,24 @@ router
 
   // GOOGLE - MULTI TENANT
   .get("/api/global/auth/:tenantId/google", authController.googlePreAuth)
-  .get("/api/global/auth/:tenantId/google/callback", authController.googleAuth)
+  .get(
+    "/api/global/auth/:tenantId/google/callback",
+    authController.googleCallback
+  )
 
   // GOOGLE - SINGLE TENANT - DEPRECATED
-  .get("/api/global/auth/google/callback", authController.googleAuth)
-  .get("/api/admin/auth/google/callback", authController.googleAuth)
+  .get("/api/global/auth/google/callback", authController.googleCallback)
+  .get("/api/admin/auth/google/callback", authController.googleCallback)
 
   // OIDC - MULTI TENANT
   .get(
     "/api/global/auth/:tenantId/oidc/configs/:configId",
     authController.oidcPreAuth
   )
-  .get("/api/global/auth/:tenantId/oidc/callback", authController.oidcAuth)
+  .get("/api/global/auth/:tenantId/oidc/callback", authController.oidcCallback)
 
   // OIDC - SINGLE TENANT - DEPRECATED
-  .get("/api/global/auth/oidc/callback", authController.oidcAuth)
-  .get("/api/admin/auth/oidc/callback", authController.oidcAuth)
+  .get("/api/global/auth/oidc/callback", authController.oidcCallback)
+  .get("/api/admin/auth/oidc/callback", authController.oidcCallback)
 
 export default router
diff --git a/packages/worker/src/api/routes/global/tests/auth.spec.ts b/packages/worker/src/api/routes/global/tests/auth.spec.ts
index ee753d49dc..84f8ce1b0a 100644
--- a/packages/worker/src/api/routes/global/tests/auth.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/auth.spec.ts
@@ -1,13 +1,27 @@
-jest.mock("nodemailer")
-import { TestConfiguration, mocks } from "../../../../tests"
-const sendMailMock = mocks.email.mock()
-import { events, tenancy } from "@budibase/backend-core"
-import { structures } from "@budibase/backend-core/tests"
+import { CloudAccount, SSOUser, User } from "@budibase/types"
 
-const expectSetAuthCookie = (res: any) => {
-  expect(
-    res.get("Set-Cookie").find((c: string) => c.startsWith("budibase:auth"))
-  ).toBeDefined()
+jest.mock("nodemailer")
+import {
+  TestConfiguration,
+  mocks,
+  structures,
+  generator,
+} from "../../../../tests"
+const sendMailMock = mocks.email.mock()
+import { events, constants } from "@budibase/backend-core"
+import { Response } from "superagent"
+
+import * as userSdk from "../../../../sdk/users"
+
+function getAuthCookie(response: Response) {
+  return response.headers["set-cookie"]
+    .find((s: string) => s.startsWith(`${constants.Cookie.Auth}=`))
+    .split("=")[1]
+    .split(";")[0]
+}
+
+const expectSetAuthCookie = (response: Response) => {
+  expect(getAuthCookie(response).length > 1).toBe(true)
 }
 
 describe("/api/global/auth", () => {
@@ -25,60 +39,247 @@ describe("/api/global/auth", () => {
     jest.clearAllMocks()
   })
 
+  async function createSSOUser() {
+    return config.doInTenant(async () => {
+      return userSdk.save(structures.users.ssoUser(), {
+        requirePassword: false,
+      })
+    })
+  }
+
   describe("password", () => {
     describe("POST /api/global/auth/:tenantId/login", () => {
-      it("should login", () => {})
+      it("logs in with correct credentials", async () => {
+        const tenantId = config.tenantId!
+        const email = config.user?.email!
+        const password = config.userPassword
+
+        const response = await config.api.auth.login(tenantId, email, password)
+
+        expectSetAuthCookie(response)
+        expect(events.auth.login).toBeCalledTimes(1)
+      })
+
+      it("should return 403 with incorrect credentials", async () => {
+        const tenantId = config.tenantId!
+        const email = config.user?.email!
+        const password = "incorrect"
+
+        const response = await config.api.auth.login(
+          tenantId,
+          email,
+          password,
+          { status: 403 }
+        )
+        expect(response.body).toEqual({
+          message: "Invalid credentials",
+          status: 403,
+        })
+      })
+
+      it("should return 403 when user doesn't exist", async () => {
+        const tenantId = config.tenantId!
+        const email = "invaliduser@test.com"
+        const password = "password"
+
+        const response = await config.api.auth.login(
+          tenantId,
+          email,
+          password,
+          { status: 403 }
+        )
+        expect(response.body).toEqual({
+          message: "Invalid credentials",
+          status: 403,
+        })
+      })
+
+      describe("sso user", () => {
+        let user: User
+
+        async function testSSOUser() {
+          const tenantId = user.tenantId!
+          const email = user.email
+          const password = "test"
+
+          const response = await config.api.auth.login(
+            tenantId,
+            email,
+            password,
+            { status: 400 }
+          )
+
+          expect(response.body).toEqual({
+            message: "SSO user cannot login using password",
+            status: 400,
+          })
+        }
+
+        describe("budibase sso user", () => {
+          it("should prevent user from logging in", async () => {
+            user = await createSSOUser()
+            await testSSOUser()
+          })
+        })
+
+        describe("root account sso user", () => {
+          it("should prevent user from logging in", async () => {
+            user = await config.createUser()
+            const account = structures.accounts.ssoAccount() as CloudAccount
+            mocks.accounts.getAccount.mockReturnValueOnce(
+              Promise.resolve(account)
+            )
+
+            await testSSOUser()
+          })
+        })
+      })
     })
 
     describe("POST /api/global/auth/logout", () => {
       it("should logout", async () => {
-        await config.api.auth.logout()
+        const response = await config.api.auth.logout()
         expect(events.auth.logout).toBeCalledTimes(1)
 
-        // TODO: Verify sessions deleted
+        const authCookie = getAuthCookie(response)
+        expect(authCookie).toBe("")
       })
     })
 
     describe("POST /api/global/auth/:tenantId/reset", () => {
       it("should generate password reset email", async () => {
-        await tenancy.doInTenant(config.tenant1User!.tenantId, async () => {
-          const userEmail = structures.email()
-          const { res, code } = await config.api.auth.requestPasswordReset(
+        const user = await config.createUser()
+
+        const { res, code } = await config.api.auth.requestPasswordReset(
+          sendMailMock,
+          user.email
+        )
+
+        expect(res.body).toEqual({
+          message: "Please check your email for a reset link.",
+        })
+        expect(sendMailMock).toHaveBeenCalled()
+        expect(code).toBeDefined()
+        expect(events.user.passwordResetRequested).toBeCalledTimes(1)
+        expect(events.user.passwordResetRequested).toBeCalledWith(user)
+      })
+
+      describe("sso user", () => {
+        let user: User
+
+        async function testSSOUser() {
+          const { res } = await config.api.auth.requestPasswordReset(
             sendMailMock,
-            userEmail
+            user.email,
+            { status: 400 }
           )
-          const user = await config.getUser(userEmail)
 
           expect(res.body).toEqual({
-            message: "Please check your email for a reset link.",
+            message: "SSO user cannot reset password",
+            status: 400,
+            error: {
+              code: "http",
+              type: "generic",
+            },
           })
-          expect(sendMailMock).toHaveBeenCalled()
+          expect(sendMailMock).not.toHaveBeenCalled()
+        }
 
-          expect(code).toBeDefined()
-          expect(events.user.passwordResetRequested).toBeCalledTimes(1)
-          expect(events.user.passwordResetRequested).toBeCalledWith(user)
+        describe("budibase sso user", () => {
+          it("should prevent user from generating password reset email", async () => {
+            user = await createSSOUser()
+            await testSSOUser()
+          })
+        })
+
+        describe("root account sso user", () => {
+          it("should prevent user from generating password reset email", async () => {
+            user = await config.createUser(structures.users.user())
+            const account = structures.accounts.ssoAccount() as CloudAccount
+            mocks.accounts.getAccount.mockReturnValueOnce(
+              Promise.resolve(account)
+            )
+
+            await testSSOUser()
+          })
         })
       })
     })
 
     describe("POST /api/global/auth/:tenantId/reset/update", () => {
       it("should reset password", async () => {
-        await tenancy.doInTenant(config.tenant1User!.tenantId, async () => {
-          const userEmail = structures.email()
-          const { code } = await config.api.auth.requestPasswordReset(
-            sendMailMock,
-            userEmail
+        let user = await config.createUser()
+        const { code } = await config.api.auth.requestPasswordReset(
+          sendMailMock,
+          user.email
+        )
+        delete user.password
+
+        const newPassword = "newpassword"
+        const res = await config.api.auth.updatePassword(code!, newPassword)
+
+        user = await config.getUser(user.email)
+        delete user.password
+
+        expect(res.body).toEqual({ message: "password reset successfully." })
+        expect(events.user.passwordReset).toBeCalledTimes(1)
+        expect(events.user.passwordReset).toBeCalledWith(user)
+
+        // login using new password
+        await config.api.auth.login(user.tenantId, user.email, newPassword)
+      })
+
+      describe("sso user", () => {
+        let user: User | SSOUser
+
+        async function testSSOUser(code: string) {
+          const res = await config.api.auth.updatePassword(
+            code!,
+            generator.string(),
+            { status: 400 }
           )
-          const user = await config.getUser(userEmail)
-          delete user.password
 
-          const res = await config.api.auth.updatePassword(code)
+          expect(res.body).toEqual({
+            message: "Cannot reset password.",
+            status: 400,
+          })
+        }
 
-          expect(res.body).toEqual({ message: "password reset successfully." })
-          expect(events.user.passwordReset).toBeCalledTimes(1)
-          expect(events.user.passwordReset).toBeCalledWith(user)
+        describe("budibase sso user", () => {
+          it("should prevent user from generating password reset email", async () => {
+            user = await config.createUser()
+            const { code } = await config.api.auth.requestPasswordReset(
+              sendMailMock,
+              user.email
+            )
+
+            // convert to sso now that password reset has been requested
+            const ssoUser = user as SSOUser
+            ssoUser.providerType = structures.sso.providerType()
+            delete ssoUser.password
+            await config.doInTenant(() => userSdk.save(ssoUser))
+
+            await testSSOUser(code!)
+          })
+        })
+
+        describe("root account sso user", () => {
+          it("should prevent user from generating password reset email", async () => {
+            user = await config.createUser()
+            const { code } = await config.api.auth.requestPasswordReset(
+              sendMailMock,
+              user.email
+            )
+
+            // convert to account owner now that password has been requested
+            const account = structures.accounts.ssoAccount() as CloudAccount
+            mocks.accounts.getAccount.mockReturnValueOnce(
+              Promise.resolve(account)
+            )
+
+            await testSSOUser(code!)
+          })
         })
-        // TODO: Login using new password
       })
     })
   })
@@ -153,7 +354,7 @@ describe("/api/global/auth", () => {
         const location: string = res.get("location")
         expect(
           location.startsWith(
-            "http://localhost/auth?response_type=code&client_id=clientId&redirect_uri=http%3A%2F%2Flocalhost%3A10000%2Fapi%2Fglobal%2Fauth%2Fdefault%2Foidc%2Fcallback&scope=openid%20profile%20email%20offline_access"
+            `http://localhost/auth?response_type=code&client_id=clientId&redirect_uri=http%3A%2F%2Flocalhost%3A10000%2Fapi%2Fglobal%2Fauth%2F${config.tenantId}%2Foidc%2Fcallback&scope=openid%20profile%20email%20offline_access`
           )
         ).toBe(true)
       })
diff --git a/packages/worker/src/api/routes/global/tests/configs.spec.ts b/packages/worker/src/api/routes/global/tests/configs.spec.ts
index ee27c4d451..39ad74d295 100644
--- a/packages/worker/src/api/routes/global/tests/configs.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/configs.spec.ts
@@ -2,7 +2,7 @@
 jest.mock("nodemailer")
 import { TestConfiguration, structures, mocks } from "../../../../tests"
 mocks.email.mock()
-import { Config, context, events } from "@budibase/backend-core"
+import { Config, events } from "@budibase/backend-core"
 
 describe("configs", () => {
   const config = new TestConfiguration()
@@ -113,64 +113,56 @@ describe("configs", () => {
 
       describe("create", () => {
         it("should create activated OIDC config", async () => {
-          await context.doInTenant(config.tenant1User!.tenantId, async () => {
-            await saveOIDCConfig()
-            expect(events.auth.SSOCreated).toBeCalledTimes(1)
-            expect(events.auth.SSOCreated).toBeCalledWith(Config.OIDC)
-            expect(events.auth.SSODeactivated).not.toBeCalled()
-            expect(events.auth.SSOActivated).toBeCalledTimes(1)
-            expect(events.auth.SSOActivated).toBeCalledWith(Config.OIDC)
-            await config.deleteConfig(Config.OIDC)
-          })
+          await saveOIDCConfig()
+          expect(events.auth.SSOCreated).toBeCalledTimes(1)
+          expect(events.auth.SSOCreated).toBeCalledWith(Config.OIDC)
+          expect(events.auth.SSODeactivated).not.toBeCalled()
+          expect(events.auth.SSOActivated).toBeCalledTimes(1)
+          expect(events.auth.SSOActivated).toBeCalledWith(Config.OIDC)
+          await config.deleteConfig(Config.OIDC)
         })
 
         it("should create deactivated OIDC config", async () => {
-          await context.doInTenant(config.tenant1User!.tenantId, async () => {
-            await saveOIDCConfig({ activated: false })
-            expect(events.auth.SSOCreated).toBeCalledTimes(1)
-            expect(events.auth.SSOCreated).toBeCalledWith(Config.OIDC)
-            expect(events.auth.SSOActivated).not.toBeCalled()
-            expect(events.auth.SSODeactivated).not.toBeCalled()
-            await config.deleteConfig(Config.OIDC)
-          })
+          await saveOIDCConfig({ activated: false })
+          expect(events.auth.SSOCreated).toBeCalledTimes(1)
+          expect(events.auth.SSOCreated).toBeCalledWith(Config.OIDC)
+          expect(events.auth.SSOActivated).not.toBeCalled()
+          expect(events.auth.SSODeactivated).not.toBeCalled()
+          await config.deleteConfig(Config.OIDC)
         })
       })
 
       describe("update", () => {
         it("should update OIDC config to deactivated", async () => {
-          await context.doInTenant(config.tenant1User!.tenantId, async () => {
-            const oidcConf = await saveOIDCConfig()
-            jest.clearAllMocks()
-            await saveOIDCConfig(
-              { ...oidcConf.config.configs[0], activated: false },
-              oidcConf._id,
-              oidcConf._rev
-            )
-            expect(events.auth.SSOUpdated).toBeCalledTimes(1)
-            expect(events.auth.SSOUpdated).toBeCalledWith(Config.OIDC)
-            expect(events.auth.SSOActivated).not.toBeCalled()
-            expect(events.auth.SSODeactivated).toBeCalledTimes(1)
-            expect(events.auth.SSODeactivated).toBeCalledWith(Config.OIDC)
-            await config.deleteConfig(Config.OIDC)
-          })
+          const oidcConf = await saveOIDCConfig()
+          jest.clearAllMocks()
+          await saveOIDCConfig(
+            { ...oidcConf.config.configs[0], activated: false },
+            oidcConf._id,
+            oidcConf._rev
+          )
+          expect(events.auth.SSOUpdated).toBeCalledTimes(1)
+          expect(events.auth.SSOUpdated).toBeCalledWith(Config.OIDC)
+          expect(events.auth.SSOActivated).not.toBeCalled()
+          expect(events.auth.SSODeactivated).toBeCalledTimes(1)
+          expect(events.auth.SSODeactivated).toBeCalledWith(Config.OIDC)
+          await config.deleteConfig(Config.OIDC)
         })
 
         it("should update OIDC config to activated", async () => {
-          await context.doInTenant(config.tenant1User!.tenantId, async () => {
-            const oidcConf = await saveOIDCConfig({ activated: false })
-            jest.clearAllMocks()
-            await saveOIDCConfig(
-              { ...oidcConf.config.configs[0], activated: true },
-              oidcConf._id,
-              oidcConf._rev
-            )
-            expect(events.auth.SSOUpdated).toBeCalledTimes(1)
-            expect(events.auth.SSOUpdated).toBeCalledWith(Config.OIDC)
-            expect(events.auth.SSODeactivated).not.toBeCalled()
-            expect(events.auth.SSOActivated).toBeCalledTimes(1)
-            expect(events.auth.SSOActivated).toBeCalledWith(Config.OIDC)
-            await config.deleteConfig(Config.OIDC)
-          })
+          const oidcConf = await saveOIDCConfig({ activated: false })
+          jest.clearAllMocks()
+          await saveOIDCConfig(
+            { ...oidcConf.config.configs[0], activated: true },
+            oidcConf._id,
+            oidcConf._rev
+          )
+          expect(events.auth.SSOUpdated).toBeCalledTimes(1)
+          expect(events.auth.SSOUpdated).toBeCalledWith(Config.OIDC)
+          expect(events.auth.SSODeactivated).not.toBeCalled()
+          expect(events.auth.SSOActivated).toBeCalledTimes(1)
+          expect(events.auth.SSOActivated).toBeCalledWith(Config.OIDC)
+          await config.deleteConfig(Config.OIDC)
         })
       })
     })
@@ -187,26 +179,22 @@ describe("configs", () => {
 
       describe("create", () => {
         it("should create SMTP config", async () => {
-          await context.doInTenant(config.tenant1User!.tenantId, async () => {
-            await config.deleteConfig(Config.SMTP)
-            await saveSMTPConfig()
-            expect(events.email.SMTPUpdated).not.toBeCalled()
-            expect(events.email.SMTPCreated).toBeCalledTimes(1)
-            await config.deleteConfig(Config.SMTP)
-          })
+          await config.deleteConfig(Config.SMTP)
+          await saveSMTPConfig()
+          expect(events.email.SMTPUpdated).not.toBeCalled()
+          expect(events.email.SMTPCreated).toBeCalledTimes(1)
+          await config.deleteConfig(Config.SMTP)
         })
       })
 
       describe("update", () => {
         it("should update SMTP config", async () => {
-          await context.doInTenant(config.tenant1User!.tenantId, async () => {
-            const smtpConf = await saveSMTPConfig()
-            jest.clearAllMocks()
-            await saveSMTPConfig(smtpConf.config, smtpConf._id, smtpConf._rev)
-            expect(events.email.SMTPCreated).not.toBeCalled()
-            expect(events.email.SMTPUpdated).toBeCalledTimes(1)
-            await config.deleteConfig(Config.SMTP)
-          })
+          const smtpConf = await saveSMTPConfig()
+          jest.clearAllMocks()
+          await saveSMTPConfig(smtpConf.config, smtpConf._id, smtpConf._rev)
+          expect(events.email.SMTPCreated).not.toBeCalled()
+          expect(events.email.SMTPUpdated).toBeCalledTimes(1)
+          await config.deleteConfig(Config.SMTP)
         })
       })
     })
@@ -223,73 +211,65 @@ describe("configs", () => {
 
       describe("create", () => {
         it("should create settings config with default settings", async () => {
-          await context.doInTenant(config.tenant1User!.tenantId, async () => {
-            await config.deleteConfig(Config.SETTINGS)
+          await config.deleteConfig(Config.SETTINGS)
 
-            await saveSettingsConfig()
+          await saveSettingsConfig()
 
-            expect(events.org.nameUpdated).not.toBeCalled()
-            expect(events.org.logoUpdated).not.toBeCalled()
-            expect(events.org.platformURLUpdated).not.toBeCalled()
-          })
+          expect(events.org.nameUpdated).not.toBeCalled()
+          expect(events.org.logoUpdated).not.toBeCalled()
+          expect(events.org.platformURLUpdated).not.toBeCalled()
         })
 
         it("should create settings config with non-default settings", async () => {
-          await context.doInTenant(config.tenant1User!.tenantId, async () => {
-            config.modeSelf()
-            await config.deleteConfig(Config.SETTINGS)
-            const conf = {
-              company: "acme",
-              logoUrl: "http://example.com",
-              platformUrl: "http://example.com",
-            }
+          config.selfHosted()
+          await config.deleteConfig(Config.SETTINGS)
+          const conf = {
+            company: "acme",
+            logoUrl: "http://example.com",
+            platformUrl: "http://example.com",
+          }
 
-            await saveSettingsConfig(conf)
+          await saveSettingsConfig(conf)
 
-            expect(events.org.nameUpdated).toBeCalledTimes(1)
-            expect(events.org.logoUpdated).toBeCalledTimes(1)
-            expect(events.org.platformURLUpdated).toBeCalledTimes(1)
-            config.modeCloud()
-          })
+          expect(events.org.nameUpdated).toBeCalledTimes(1)
+          expect(events.org.logoUpdated).toBeCalledTimes(1)
+          expect(events.org.platformURLUpdated).toBeCalledTimes(1)
+          config.cloudHosted()
         })
       })
 
       describe("update", () => {
         it("should update settings config", async () => {
-          await context.doInTenant(config.tenant1User!.tenantId, async () => {
-            config.modeSelf()
-            await config.deleteConfig(Config.SETTINGS)
-            const settingsConfig = await saveSettingsConfig()
-            settingsConfig.config.company = "acme"
-            settingsConfig.config.logoUrl = "http://example.com"
-            settingsConfig.config.platformUrl = "http://example.com"
+          config.selfHosted()
+          await config.deleteConfig(Config.SETTINGS)
+          const settingsConfig = await saveSettingsConfig()
+          settingsConfig.config.company = "acme"
+          settingsConfig.config.logoUrl = "http://example.com"
+          settingsConfig.config.platformUrl = "http://example.com"
 
-            await saveSettingsConfig(
-              settingsConfig.config,
-              settingsConfig._id,
-              settingsConfig._rev
-            )
+          await saveSettingsConfig(
+            settingsConfig.config,
+            settingsConfig._id,
+            settingsConfig._rev
+          )
 
-            expect(events.org.nameUpdated).toBeCalledTimes(1)
-            expect(events.org.logoUpdated).toBeCalledTimes(1)
-            expect(events.org.platformURLUpdated).toBeCalledTimes(1)
-            config.modeCloud()
-          })
+          expect(events.org.nameUpdated).toBeCalledTimes(1)
+          expect(events.org.logoUpdated).toBeCalledTimes(1)
+          expect(events.org.platformURLUpdated).toBeCalledTimes(1)
+          config.cloudHosted()
         })
       })
     })
   })
 
   it("should return the correct checklist status based on the state of the budibase installation", async () => {
-    await context.doInTenant(config.tenant1User!.tenantId, async () => {
-      await config.saveSmtpConfig()
+    await config.saveSmtpConfig()
 
-      const res = await config.api.configs.getConfigChecklist()
-      const checklist = res.body
+    const res = await config.api.configs.getConfigChecklist()
+    const checklist = res.body
 
-      expect(checklist.apps.checked).toBeFalsy()
-      expect(checklist.smtp.checked).toBeTruthy()
-      expect(checklist.adminUser.checked).toBeTruthy()
-    })
+    expect(checklist.apps.checked).toBeFalsy()
+    expect(checklist.smtp.checked).toBeTruthy()
+    expect(checklist.adminUser.checked).toBeTruthy()
   })
 })
diff --git a/packages/worker/src/api/routes/global/tests/roles.spec.ts b/packages/worker/src/api/routes/global/tests/roles.spec.ts
index 622a643f25..477ccaf94c 100644
--- a/packages/worker/src/api/routes/global/tests/roles.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/roles.spec.ts
@@ -32,6 +32,7 @@ async function addAppMetadata() {
 
 describe("/api/global/roles", () => {
   const config = new TestConfiguration()
+
   const role = new roles.Role(
     db.generateRoleID("newRole"),
     roles.BUILTIN_ROLE_IDS.BASIC,
@@ -43,13 +44,13 @@ describe("/api/global/roles", () => {
   })
 
   beforeEach(async () => {
-    appId = db.generateAppID()
+    appId = db.generateAppID(config.tenantId)
     appDb = db.getDB(appId)
     const mockAppDB = context.getAppDB as Mock
     mockAppDB.mockReturnValue(appDb)
 
     await addAppMetadata()
-    appDb.put(role)
+    await appDb.put(role)
   })
 
   afterAll(async () => {
diff --git a/packages/worker/src/api/routes/global/tests/self.spec.ts b/packages/worker/src/api/routes/global/tests/self.spec.ts
index d253a7f24e..74d24c7c31 100644
--- a/packages/worker/src/api/routes/global/tests/self.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/self.spec.ts
@@ -30,7 +30,7 @@ describe("/api/global/self", () => {
       user.dayPassRecordedAt = mocks.date.MOCK_DATE.toISOString()
       expect(res.body._id).toBe(user._id)
       expect(events.user.updated).toBeCalledTimes(1)
-      expect(events.user.updated).toBeCalledWith(user)
+      expect(events.user.updated).toBeCalledWith(dbUser)
       expect(events.user.passwordUpdated).not.toBeCalled()
     })
 
@@ -44,12 +44,11 @@ describe("/api/global/self", () => {
       const dbUser = await config.getUser(user.email)
       user._rev = dbUser._rev
       user.dayPassRecordedAt = mocks.date.MOCK_DATE.toISOString()
-      delete user.password
       expect(res.body._id).toBe(user._id)
       expect(events.user.updated).toBeCalledTimes(1)
-      expect(events.user.updated).toBeCalledWith(user)
+      expect(events.user.updated).toBeCalledWith(dbUser)
       expect(events.user.passwordUpdated).toBeCalledTimes(1)
-      expect(events.user.passwordUpdated).toBeCalledWith(user)
+      expect(events.user.passwordUpdated).toBeCalledWith(dbUser)
     })
   })
 })
diff --git a/packages/worker/src/api/routes/global/tests/users.spec.ts b/packages/worker/src/api/routes/global/tests/users.spec.ts
index a8b07ec815..31ef1d9b0c 100644
--- a/packages/worker/src/api/routes/global/tests/users.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/users.spec.ts
@@ -3,7 +3,9 @@ import { InviteUsersResponse, User } from "@budibase/types"
 jest.mock("nodemailer")
 import { TestConfiguration, mocks, structures } from "../../../../tests"
 const sendMailMock = mocks.email.mock()
-import { context, events, tenancy } from "@budibase/backend-core"
+import { events, tenancy, accounts as _accounts } from "@budibase/backend-core"
+
+const accounts = jest.mocked(_accounts)
 
 describe("/api/global/users", () => {
   const config = new TestConfiguration()
@@ -20,26 +22,24 @@ describe("/api/global/users", () => {
     jest.clearAllMocks()
   })
 
-  describe("invite", () => {
+  describe("POST /api/global/users/invite", () => {
     it("should be able to generate an invitation", async () => {
-      await context.doInTenant(config.tenant1User!.tenantId, async () => {
-        const email = structures.users.newEmail()
-        const { code, res } = await config.api.users.sendUserInvite(
-          sendMailMock,
-          email
-        )
+      const email = structures.users.newEmail()
+      const { code, res } = await config.api.users.sendUserInvite(
+        sendMailMock,
+        email
+      )
 
-        expect(res.body).toEqual({ message: "Invitation has been sent." })
-        expect(sendMailMock).toHaveBeenCalled()
-        expect(code).toBeDefined()
-        expect(events.user.invited).toBeCalledTimes(1)
-      })
+      expect(res.body).toEqual({ message: "Invitation has been sent." })
+      expect(sendMailMock).toHaveBeenCalled()
+      expect(code).toBeDefined()
+      expect(events.user.invited).toBeCalledTimes(1)
     })
 
     it("should not be able to generate an invitation for existing user", async () => {
       const { code, res } = await config.api.users.sendUserInvite(
         sendMailMock,
-        config.defaultUser!.email,
+        config.user!.email,
         400
       )
 
@@ -50,26 +50,24 @@ describe("/api/global/users", () => {
     })
 
     it("should be able to create new user from invite", async () => {
-      await context.doInTenant(config.tenant1User!.tenantId, async () => {
-        const email = structures.users.newEmail()
-        const { code } = await config.api.users.sendUserInvite(
-          sendMailMock,
-          email
-        )
+      const email = structures.users.newEmail()
+      const { code } = await config.api.users.sendUserInvite(
+        sendMailMock,
+        email
+      )
 
-        const res = await config.api.users.acceptInvite(code)
+      const res = await config.api.users.acceptInvite(code)
 
-        expect(res.body._id).toBeDefined()
-        const user = await config.getUser(email)
-        expect(user).toBeDefined()
-        expect(user._id).toEqual(res.body._id)
-        expect(events.user.inviteAccepted).toBeCalledTimes(1)
-        expect(events.user.inviteAccepted).toBeCalledWith(user)
-      })
+      expect(res.body._id).toBeDefined()
+      const user = await config.getUser(email)
+      expect(user).toBeDefined()
+      expect(user._id).toEqual(res.body._id)
+      expect(events.user.inviteAccepted).toBeCalledTimes(1)
+      expect(events.user.inviteAccepted).toBeCalledWith(user)
     })
   })
 
-  describe("inviteMultiple", () => {
+  describe("POST /api/global/users/multi/invite", () => {
     it("should be able to generate an invitation", async () => {
       const newUserInvite = () => ({
         email: structures.users.newEmail(),
@@ -87,7 +85,7 @@ describe("/api/global/users", () => {
     })
 
     it("should not be able to generate an invitation for existing user", async () => {
-      const request = [{ email: config.defaultUser!.email, userInfo: {} }]
+      const request = [{ email: config.user!.email, userInfo: {} }]
 
       const res = await config.api.users.sendMultiUserInvite(request)
 
@@ -100,7 +98,7 @@ describe("/api/global/users", () => {
     })
   })
 
-  describe("bulk (create)", () => {
+  describe("POST /api/global/users/bulk", () => {
     it("should ignore users existing in the same tenant", async () => {
       const user = await config.createUser()
       jest.clearAllMocks()
@@ -163,7 +161,7 @@ describe("/api/global/users", () => {
     })
   })
 
-  describe("create", () => {
+  describe("POST /api/global/users", () => {
     it("should be able to create a basic user", async () => {
       const user = structures.users.user()
 
@@ -242,7 +240,7 @@ describe("/api/global/users", () => {
     it("should not be able to create user with the same email as an account", async () => {
       const user = structures.users.user()
       const account = structures.accounts.cloudAccount()
-      mocks.accounts.getAccount.mockReturnValueOnce(account)
+      accounts.getAccount.mockReturnValueOnce(Promise.resolve(account))
 
       const response = await config.api.users.saveUser(user, 400)
 
@@ -283,7 +281,7 @@ describe("/api/global/users", () => {
     })
   })
 
-  describe("update", () => {
+  describe("POST /api/global/users (update)", () => {
     it("should be able to update a basic user", async () => {
       const user = await config.createUser()
       jest.clearAllMocks()
@@ -298,7 +296,7 @@ describe("/api/global/users", () => {
     })
 
     it("should not allow a user to update their own admin/builder status", async () => {
-      const user = (await config.api.users.getUser(config.defaultUser?._id!))
+      const user = (await config.api.users.getUser(config.user?._id!))
         .body as User
       await config.api.users.saveUser({
         ...user,
@@ -468,9 +466,9 @@ describe("/api/global/users", () => {
     })
   })
 
-  describe("bulk (delete)", () => {
+  describe("POST /api/global/users/bulk (delete)", () => {
     it("should not be able to bulk delete current user", async () => {
-      const user = await config.defaultUser!
+      const user = await config.user!
 
       const response = await config.api.users.bulkDeleteUsers([user._id!], 400)
 
@@ -482,7 +480,7 @@ describe("/api/global/users", () => {
       const user = await config.createUser()
       const account = structures.accounts.cloudAccount()
       account.budibaseUserId = user._id!
-      mocks.accounts.getAccountByTenantId.mockReturnValue(account)
+      accounts.getAccountByTenantId.mockReturnValue(Promise.resolve(account))
 
       const response = await config.api.users.bulkDeleteUsers([user._id!])
 
@@ -497,7 +495,7 @@ describe("/api/global/users", () => {
 
     it("should be able to bulk delete users", async () => {
       const account = structures.accounts.cloudAccount()
-      mocks.accounts.getAccountByTenantId.mockReturnValue(account)
+      accounts.getAccountByTenantId.mockReturnValue(Promise.resolve(account))
 
       const builder = structures.users.builderUser()
       const admin = structures.users.adminUser()
@@ -521,7 +519,7 @@ describe("/api/global/users", () => {
     })
   })
 
-  describe("destroy", () => {
+  describe("DELETE /api/global/users/:userId", () => {
     it("should be able to destroy a basic user", async () => {
       const user = await config.createUser()
       jest.clearAllMocks()
@@ -558,7 +556,7 @@ describe("/api/global/users", () => {
     it("should not be able to destroy account owner", async () => {
       const user = await config.createUser()
       const account = structures.accounts.cloudAccount()
-      mocks.accounts.getAccount.mockReturnValueOnce(account)
+      accounts.getAccount.mockReturnValueOnce(Promise.resolve(account))
 
       const response = await config.api.users.deleteUser(user._id!, 400)
 
@@ -566,10 +564,10 @@ describe("/api/global/users", () => {
     })
 
     it("should not be able to destroy account owner as account owner", async () => {
-      const user = await config.defaultUser!
+      const user = await config.user!
       const account = structures.accounts.cloudAccount()
       account.email = user.email
-      mocks.accounts.getAccount.mockReturnValueOnce(account)
+      accounts.getAccount.mockReturnValueOnce(Promise.resolve(account))
 
       const response = await config.api.users.deleteUser(user._id!, 400)
 
diff --git a/packages/worker/src/api/routes/system/tenants.ts b/packages/worker/src/api/routes/system/tenants.ts
index 111cfc5819..234459cfdc 100644
--- a/packages/worker/src/api/routes/system/tenants.ts
+++ b/packages/worker/src/api/routes/system/tenants.ts
@@ -7,7 +7,7 @@ const router: Router = new Router()
 router.delete(
   "/api/system/tenants/:tenantId",
   middleware.adminOnly,
-  controller.delete
+  controller.destroy
 )
 
 export default router
diff --git a/packages/worker/src/api/routes/system/tests/accounts.spec.ts b/packages/worker/src/api/routes/system/tests/accounts.spec.ts
index fd54dd2b0a..7df2950212 100644
--- a/packages/worker/src/api/routes/system/tests/accounts.spec.ts
+++ b/packages/worker/src/api/routes/system/tests/accounts.spec.ts
@@ -1,4 +1,4 @@
-import sdk from "../../../../sdk"
+import * as accounts from "../../../../sdk/accounts"
 import { TestConfiguration, structures } from "../../../../tests"
 import { v4 as uuid } from "uuid"
 
@@ -24,8 +24,8 @@ describe("accounts", () => {
 
         const response = await config.api.accounts.saveMetadata(account)
 
-        const id = sdk.accounts.formatAccountMetadataId(account.accountId)
-        const metadata = await sdk.accounts.getMetadata(id)
+        const id = accounts.metadata.formatAccountMetadataId(account.accountId)
+        const metadata = await accounts.metadata.getMetadata(id)
         expect(response).toStrictEqual(metadata)
       })
     })
@@ -37,7 +37,7 @@ describe("accounts", () => {
 
         await config.api.accounts.destroyMetadata(account.accountId)
 
-        const deleted = await sdk.accounts.getMetadata(account.accountId)
+        const deleted = await accounts.metadata.getMetadata(account.accountId)
         expect(deleted).toBe(undefined)
       })
 
diff --git a/packages/worker/src/api/routes/system/tests/migrations.spec.ts b/packages/worker/src/api/routes/system/tests/migrations.spec.ts
index 304a64761e..950f5c2153 100644
--- a/packages/worker/src/api/routes/system/tests/migrations.spec.ts
+++ b/packages/worker/src/api/routes/system/tests/migrations.spec.ts
@@ -30,7 +30,7 @@ describe("/api/system/migrations", () => {
         headers: {},
         status: 403,
       })
-      expect(res.text).toBe("Unauthorized - no public worker access")
+      expect(res.body).toEqual({ message: "Unauthorized", status: 403 })
       expect(migrateFn).toBeCalledTimes(0)
     })
 
@@ -47,7 +47,7 @@ describe("/api/system/migrations", () => {
         headers: {},
         status: 403,
       })
-      expect(res.text).toBe("Unauthorized - no public worker access")
+      expect(res.body).toEqual({ message: "Unauthorized", status: 403 })
     })
 
     it("returns definitions", async () => {
diff --git a/packages/worker/src/api/routes/system/tests/restore.spec.ts b/packages/worker/src/api/routes/system/tests/restore.spec.ts
index 4dd973270f..2130fd8dde 100644
--- a/packages/worker/src/api/routes/system/tests/restore.spec.ts
+++ b/packages/worker/src/api/routes/system/tests/restore.spec.ts
@@ -25,12 +25,12 @@ describe("/api/system/restore", () => {
     })
 
     it("restores in self host", async () => {
-      config.modeSelf()
+      config.selfHosted()
       const res = await config.api.restore.restored()
       expect(res.body).toEqual({
         message: "System prepared after restore.",
       })
-      config.modeCloud()
+      config.cloudHosted()
     })
   })
 })
diff --git a/packages/worker/src/api/routes/system/tests/status.spec.ts b/packages/worker/src/api/routes/system/tests/status.spec.ts
index afd3f8ac46..fe0ff13551 100644
--- a/packages/worker/src/api/routes/system/tests/status.spec.ts
+++ b/packages/worker/src/api/routes/system/tests/status.spec.ts
@@ -1,6 +1,6 @@
 import { TestConfiguration } from "../../../../tests"
-import { accounts } from "@budibase/backend-core"
-import { mocks } from "@budibase/backend-core/tests"
+import { accounts as _accounts } from "@budibase/backend-core"
+const accounts = jest.mocked(_accounts)
 
 describe("/api/system/status", () => {
   const config = new TestConfiguration()
@@ -19,7 +19,7 @@ describe("/api/system/status", () => {
 
   describe("GET /api/system/status", () => {
     it("returns status in self host", async () => {
-      config.modeSelf()
+      config.selfHosted()
       const res = await config.api.status.getStatus()
       expect(res.body).toEqual({
         health: {
@@ -27,7 +27,7 @@ describe("/api/system/status", () => {
         },
       })
       expect(accounts.getStatus).toBeCalledTimes(0)
-      config.modeCloud()
+      config.cloudHosted()
     })
 
     it("returns status in cloud", async () => {
@@ -37,7 +37,7 @@ describe("/api/system/status", () => {
         },
       }
 
-      mocks.accounts.getStatus.mockReturnValueOnce(value)
+      accounts.getStatus.mockReturnValueOnce(Promise.resolve(value))
 
       const res = await config.api.status.getStatus()
 
diff --git a/packages/worker/src/ddApm.ts b/packages/worker/src/ddApm.ts
new file mode 100644
index 0000000000..6c9b8aa289
--- /dev/null
+++ b/packages/worker/src/ddApm.ts
@@ -0,0 +1,7 @@
+import apm from "dd-trace"
+
+// enable APM if configured
+if (process.env.DD_APM_ENABLED) {
+  console.log("Starting dd-trace")
+  apm.init()
+}
diff --git a/packages/worker/src/elasticApm.ts b/packages/worker/src/elasticApm.ts
new file mode 100644
index 0000000000..5581b9dd4b
--- /dev/null
+++ b/packages/worker/src/elasticApm.ts
@@ -0,0 +1,10 @@
+import apm from "elastic-apm-node"
+
+// enable APM if configured
+if (process.env.ELASTIC_APM_ENABLED) {
+  console.log("Starting elastic-apm-node")
+  apm.start({
+    serviceName: process.env.SERVICE,
+    environment: process.env.BUDIBASE_ENVIRONMENT,
+  })
+}
diff --git a/packages/worker/src/environment.ts b/packages/worker/src/environment.ts
index 52fec210bc..71fd89f276 100644
--- a/packages/worker/src/environment.ts
+++ b/packages/worker/src/environment.ts
@@ -26,6 +26,8 @@ function parseIntSafe(number: any) {
   }
 }
 
+const selfHosted = !!parseInt(process.env.SELF_HOSTED || "")
+
 const environment = {
   // auth
   MINIO_ACCESS_KEY: process.env.MINIO_ACCESS_KEY,
@@ -49,7 +51,7 @@ const environment = {
   CLUSTER_PORT: process.env.CLUSTER_PORT,
   // flags
   NODE_ENV: process.env.NODE_ENV,
-  SELF_HOSTED: !!parseInt(process.env.SELF_HOSTED || ""),
+  SELF_HOSTED: selfHosted,
   LOG_LEVEL: process.env.LOG_LEVEL,
   MULTI_TENANCY: process.env.MULTI_TENANCY,
   DISABLE_ACCOUNT_PORTAL: process.env.DISABLE_ACCOUNT_PORTAL,
@@ -65,6 +67,18 @@ const environment = {
   CHECKLIST_CACHE_TTL: parseIntSafe(process.env.CHECKLIST_CACHE_TTL) || 3600,
   SESSION_UPDATE_PERIOD: process.env.SESSION_UPDATE_PERIOD,
   ENCRYPTED_TEST_PUBLIC_API_KEY: process.env.ENCRYPTED_TEST_PUBLIC_API_KEY,
+  /**
+   * Mock the email service in use - links to ethereal hosted emails are logged instead.
+   */
+  ENABLE_EMAIL_TEST_MODE: process.env.ENABLE_EMAIL_TEST_MODE,
+  /**
+   * Enable to allow an admin user to login using a password.
+   * This can be useful to prevent lockout when configuring SSO.
+   * However, this should be turned OFF by default for security purposes.
+   */
+  ENABLE_SSO_MAINTENANCE_MODE: selfHosted
+    ? process.env.ENABLE_SSO_MAINTENANCE_MODE
+    : false,
   _set(key: any, value: any) {
     process.env[key] = value
     // @ts-ignore
diff --git a/packages/worker/src/index.ts b/packages/worker/src/index.ts
index 48cbd74c4c..69cd900637 100644
--- a/packages/worker/src/index.ts
+++ b/packages/worker/src/index.ts
@@ -1,14 +1,13 @@
-// need to load environment first
-import env from "./environment"
-
-// enable APM if configured
-if (process.env.ELASTIC_APM_ENABLED) {
-  const apm = require("elastic-apm-node").start({
-    serviceName: process.env.SERVICE,
-    environment: process.env.BUDIBASE_ENVIRONMENT,
-  })
+if (process.env.DD_APM_ENABLED) {
+  require("./ddApm")
 }
 
+if (process.env.ELASTIC_APM_ENABLED) {
+  require("./elasticApm")
+}
+
+// need to load environment first
+import env from "./environment"
 import { Scope } from "@sentry/node"
 import { Event } from "@sentry/types/dist/event"
 import Application from "koa"
@@ -31,6 +30,12 @@ import destroyable from "server-destroy"
 // can't integrate directly into backend-core due to cyclic issues
 events.configure(sdk.auditLogs.write)
 
+if (env.ENABLE_SSO_MAINTENANCE_MODE) {
+  console.warn(
+    "Warning: ENABLE_SSO_MAINTENANCE_MODE is set. It is recommended this flag is disabled if maintenance is not in progress"
+  )
+}
+
 // this will setup http and https proxies form env variables
 bootstrap()
 
diff --git a/packages/worker/src/middleware/tests/tenancy.spec.ts b/packages/worker/src/middleware/tests/tenancy.spec.ts
index a8b7a50e55..8853291634 100644
--- a/packages/worker/src/middleware/tests/tenancy.spec.ts
+++ b/packages/worker/src/middleware/tests/tenancy.spec.ts
@@ -24,7 +24,7 @@ describe("tenancy middleware", () => {
   })
 
   it("should get tenant id from header", async () => {
-    const tenantId = structures.uuid()
+    const tenantId = structures.tenant.id()
     const headers = {
       [constants.Header.TENANT_ID]: tenantId,
     }
@@ -35,7 +35,7 @@ describe("tenancy middleware", () => {
   })
 
   it("should get tenant id from query param", async () => {
-    const tenantId = structures.uuid()
+    const tenantId = structures.tenant.id()
     const res = await config.request.get(
       `/api/global/configs/checklist?tenantId=${tenantId}`
     )
@@ -43,7 +43,7 @@ describe("tenancy middleware", () => {
   })
 
   it("should get tenant id from subdomain", async () => {
-    const tenantId = structures.uuid()
+    const tenantId = structures.tenant.id()
     const headers = {
       host: `${tenantId}.localhost:10000`,
     }
@@ -67,7 +67,7 @@ describe("tenancy middleware", () => {
   it("should throw when no tenant id is found", async () => {
     const res = await config.request.get(`/api/global/configs/checklist`)
     expect(res.status).toBe(403)
-    expect(res.text).toBe("Tenant id not set")
+    expect(res.body).toEqual({ message: "Tenant id not set", status: 403 })
     expect(res.headers[constants.Header.TENANT_ID]).toBe(undefined)
   })
 })
diff --git a/packages/worker/src/migrations/functions/globalInfoSyncUsers.ts b/packages/worker/src/migrations/functions/globalInfoSyncUsers.ts
index 941791fe93..1ffcc762c4 100644
--- a/packages/worker/src/migrations/functions/globalInfoSyncUsers.ts
+++ b/packages/worker/src/migrations/functions/globalInfoSyncUsers.ts
@@ -1,5 +1,6 @@
 import { User } from "@budibase/types"
-import sdk from "../../sdk"
+import * as usersSdk from "../../sdk/users"
+import { platform } from "@budibase/backend-core"
 
 /**
  * Date:
@@ -9,11 +10,11 @@ import sdk from "../../sdk"
  * Re-sync the global-db users to the global-info db users
  */
 export const run = async (globalDb: any) => {
-  const users = (await sdk.users.allUsers()) as User[]
+  const users = (await usersSdk.allUsers()) as User[]
   const promises = []
   for (let user of users) {
     promises.push(
-      sdk.users.addTenant(user.tenantId, user._id as string, user.email)
+      platform.users.addUser(user.tenantId, user._id as string, user.email)
     )
   }
   await Promise.all(promises)
diff --git a/packages/worker/src/sdk/accounts/index.ts b/packages/worker/src/sdk/accounts/index.ts
index f2ae03040e..72db8c3d85 100644
--- a/packages/worker/src/sdk/accounts/index.ts
+++ b/packages/worker/src/sdk/accounts/index.ts
@@ -1 +1,2 @@
-export * from "./accounts"
+export * as metadata from "./metadata"
+export { accounts as api } from "@budibase/backend-core"
diff --git a/packages/worker/src/sdk/accounts/accounts.ts b/packages/worker/src/sdk/accounts/metadata.ts
similarity index 99%
rename from packages/worker/src/sdk/accounts/accounts.ts
rename to packages/worker/src/sdk/accounts/metadata.ts
index e43285087b..64065e8b78 100644
--- a/packages/worker/src/sdk/accounts/accounts.ts
+++ b/packages/worker/src/sdk/accounts/metadata.ts
@@ -2,7 +2,6 @@ import { AccountMetadata } from "@budibase/types"
 import {
   db,
   StaticDatabases,
-  HTTPError,
   DocumentType,
   SEPARATOR,
 } from "@budibase/backend-core"
diff --git a/packages/worker/src/sdk/auth/auth.ts b/packages/worker/src/sdk/auth/auth.ts
new file mode 100644
index 0000000000..15a4f3c7e7
--- /dev/null
+++ b/packages/worker/src/sdk/auth/auth.ts
@@ -0,0 +1,86 @@
+import {
+  auth as authCore,
+  tenancy,
+  utils as coreUtils,
+  sessions,
+  events,
+  HTTPError,
+} from "@budibase/backend-core"
+import { PlatformLogoutOpts, User } from "@budibase/types"
+import jwt from "jsonwebtoken"
+import env from "../../environment"
+import * as userSdk from "../users"
+import * as emails from "../../utilities/email"
+import * as redis from "../../utilities/redis"
+import { EmailTemplatePurpose } from "../../constants"
+
+// LOGIN / LOGOUT
+
+export async function loginUser(user: User) {
+  const sessionId = coreUtils.newid()
+  const tenantId = tenancy.getTenantId()
+  await sessions.createASession(user._id!, { sessionId, tenantId })
+  const token = jwt.sign(
+    {
+      userId: user._id,
+      sessionId,
+      tenantId,
+    },
+    env.JWT_SECRET!
+  )
+  return token
+}
+
+export async function logout(opts: PlatformLogoutOpts) {
+  // TODO: This should be moved out of core and into worker only
+  // account-portal can call worker endpoint
+  return authCore.platformLogout(opts)
+}
+
+// PASSWORD MANAGEMENT
+
+/**
+ * Reset the user password, used as part of a forgotten password flow.
+ */
+export const reset = async (email: string) => {
+  const configured = await emails.isEmailConfigured()
+  if (!configured) {
+    throw new HTTPError(
+      "Please contact your platform administrator, SMTP is not configured.",
+      400
+    )
+  }
+
+  const user = await userSdk.core.getGlobalUserByEmail(email)
+  // exit if user doesn't exist
+  if (!user) {
+    return
+  }
+
+  // exit if user has sso
+  if (await userSdk.isPreventSSOPasswords(user)) {
+    throw new HTTPError("SSO user cannot reset password", 400)
+  }
+
+  // send password reset
+  await emails.sendEmail(email, EmailTemplatePurpose.PASSWORD_RECOVERY, {
+    user,
+    subject: "{{ company }} platform password reset",
+  })
+  await events.user.passwordResetRequested(user)
+}
+
+/**
+ * Perform the user password update if the provided reset code is valid.
+ */
+export const resetUpdate = async (resetCode: string, password: string) => {
+  const { userId } = await redis.checkResetPasswordCode(resetCode)
+
+  let user = await userSdk.getUser(userId)
+  user.password = password
+  user = await userSdk.save(user)
+
+  // remove password from the user before sending events
+  delete user.password
+  await events.user.passwordReset(user)
+}
diff --git a/packages/worker/src/sdk/auth/index.ts b/packages/worker/src/sdk/auth/index.ts
new file mode 100644
index 0000000000..306751af96
--- /dev/null
+++ b/packages/worker/src/sdk/auth/index.ts
@@ -0,0 +1 @@
+export * from "./auth"
diff --git a/packages/worker/src/sdk/tenants/index.ts b/packages/worker/src/sdk/tenants/index.ts
new file mode 100644
index 0000000000..19b7ea6615
--- /dev/null
+++ b/packages/worker/src/sdk/tenants/index.ts
@@ -0,0 +1 @@
+export * from "./tenants"
diff --git a/packages/worker/src/sdk/tenants/tenants.ts b/packages/worker/src/sdk/tenants/tenants.ts
new file mode 100644
index 0000000000..829b144c75
--- /dev/null
+++ b/packages/worker/src/sdk/tenants/tenants.ts
@@ -0,0 +1,76 @@
+import { App } from "@budibase/types"
+import { tenancy, db as dbCore, platform } from "@budibase/backend-core"
+import { quotas } from "@budibase/pro"
+
+export async function deleteTenant(tenantId: string) {
+  await quotas.bustCache()
+  await platform.tenants.removeTenant(tenantId)
+  await removeTenantUsers(tenantId)
+  await removeTenantApps(tenantId)
+  await removeGlobalDB(tenantId)
+}
+
+async function removeGlobalDB(tenantId: string) {
+  try {
+    const db = tenancy.getTenantDB(tenantId)
+    await db.destroy()
+  } catch (err) {
+    console.error(`Error removing tenant ${tenantId} users from info db`, err)
+    throw err
+  }
+}
+
+async function removeTenantApps(tenantId: string) {
+  try {
+    const apps = (await dbCore.getAllApps({ all: true })) as App[]
+    const destroyPromises = apps.map(app => {
+      const db = dbCore.getDB(app.appId)
+      return db.destroy()
+    })
+    await Promise.allSettled(destroyPromises)
+  } catch (err) {
+    console.error(`Error removing tenant ${tenantId} apps`, err)
+    throw err
+  }
+}
+
+function getTenantUsers(tenantId: string) {
+  const db = tenancy.getTenantDB(tenantId)
+
+  return db.allDocs(
+    dbCore.getGlobalUserParams(null, {
+      include_docs: true,
+    })
+  )
+}
+
+async function removeTenantUsers(tenantId: string) {
+  try {
+    const allUsers = await getTenantUsers(tenantId)
+    const allEmails = allUsers.rows.map((row: any) => row.doc.email)
+
+    // get the id and email doc ids
+    let keys = allUsers.rows.map((row: any) => row.id)
+    keys = keys.concat(allEmails)
+
+    const platformDb = platform.getPlatformDB()
+
+    // retrieve the docs
+    const userDocs = await platformDb.allDocs({
+      keys,
+      include_docs: true,
+    })
+
+    // delete the docs
+    const toDelete = userDocs.rows.map((row: any) => {
+      return {
+        ...row.doc,
+        _deleted: true,
+      }
+    })
+    await platformDb.bulkDocs(toDelete)
+  } catch (err) {
+    console.error(`Error removing tenant ${tenantId} users from info db`, err)
+    throw err
+  }
+}
diff --git a/packages/worker/src/sdk/users/events.ts b/packages/worker/src/sdk/users/events.ts
index 17c4748dff..7d86182a3c 100644
--- a/packages/worker/src/sdk/users/events.ts
+++ b/packages/worker/src/sdk/users/events.ts
@@ -84,6 +84,10 @@ export const handleSaveEvents = async (
     ) {
       await events.user.passwordForceReset(user)
     }
+
+    if (user.password !== existingUser.password) {
+      await events.user.passwordUpdated(user)
+    }
   } else {
     await events.user.created(user)
   }
diff --git a/packages/worker/src/sdk/users/index.ts b/packages/worker/src/sdk/users/index.ts
index 056d6e5675..2eaa0e68a2 100644
--- a/packages/worker/src/sdk/users/index.ts
+++ b/packages/worker/src/sdk/users/index.ts
@@ -1 +1,2 @@
 export * from "./users"
+export { users as core } from "@budibase/backend-core"
diff --git a/packages/worker/src/sdk/users/tests/users.spec.ts b/packages/worker/src/sdk/users/tests/users.spec.ts
new file mode 100644
index 0000000000..41d9298997
--- /dev/null
+++ b/packages/worker/src/sdk/users/tests/users.spec.ts
@@ -0,0 +1,52 @@
+import { structures } from "../../../tests"
+import * as users from "../users"
+import env from "../../../environment"
+import { mocks } from "@budibase/backend-core/tests"
+import { CloudAccount } from "@budibase/types"
+
+describe("users", () => {
+  describe("isPreventSSOPasswords", () => {
+    it("returns true for sso account user", async () => {
+      const user = structures.users.user()
+      mocks.accounts.getAccount.mockReturnValue(
+        Promise.resolve(structures.accounts.ssoAccount() as CloudAccount)
+      )
+      const result = await users.isPreventSSOPasswords(user)
+      expect(result).toBe(true)
+    })
+
+    it("returns true for sso user", async () => {
+      const user = structures.users.ssoUser()
+      const result = await users.isPreventSSOPasswords(user)
+      expect(result).toBe(true)
+    })
+
+    describe("sso maintenance mode", () => {
+      beforeEach(() => {
+        env._set("ENABLE_SSO_MAINTENANCE_MODE", true)
+      })
+
+      afterEach(() => {
+        env._set("ENABLE_SSO_MAINTENANCE_MODE", false)
+      })
+
+      describe("non-admin user", () => {
+        it("returns true", async () => {
+          const user = structures.users.ssoUser()
+          const result = await users.isPreventSSOPasswords(user)
+          expect(result).toBe(true)
+        })
+      })
+
+      describe("admin user", () => {
+        it("returns false", async () => {
+          const user = structures.users.ssoUser({
+            user: structures.users.adminUser(),
+          })
+          const result = await users.isPreventSSOPasswords(user)
+          expect(result).toBe(false)
+        })
+      })
+    })
+  })
+})
diff --git a/packages/worker/src/sdk/users/users.ts b/packages/worker/src/sdk/users/users.ts
index 617f07d404..db04f9a7e9 100644
--- a/packages/worker/src/sdk/users/users.ts
+++ b/packages/worker/src/sdk/users/users.ts
@@ -6,12 +6,11 @@ import {
   cache,
   constants,
   db as dbUtils,
-  deprovisioning,
   events,
   HTTPError,
-  migrations,
   sessions,
   tenancy,
+  platform,
   users as usersCore,
   utils,
   ViewName,
@@ -21,21 +20,22 @@ import {
   AllDocsResponse,
   BulkUserResponse,
   CloudAccount,
-  CreateUserResponse,
   InviteUsersRequest,
   InviteUsersResponse,
-  MigrationType,
+  isSSOAccount,
+  isSSOUser,
   PlatformUser,
   PlatformUserByEmail,
   RowResponse,
   SearchUsersRequest,
+  UpdateSelf,
   User,
-  ThirdPartyUser,
-  isUser,
+  SaveUserOpts,
 } from "@budibase/types"
 import { sendEmail } from "../../utilities/email"
 import { EmailTemplatePurpose } from "../../constants"
 import { groups as groupsSdk } from "@budibase/pro"
+import * as accountSdk from "../accounts"
 
 const PAGE_LIMIT = 8
 
@@ -94,26 +94,23 @@ export const paginatedUsers = async ({
   })
 }
 
+export async function getUserByEmail(email: string) {
+  return usersCore.getGlobalUserByEmail(email)
+}
+
 /**
  * Gets a user by ID from the global database, based on the current tenancy.
  */
 export const getUser = async (userId: string) => {
-  const db = tenancy.getGlobalDB()
-  let user = await db.get(userId)
+  const user = await usersCore.getById(userId)
   if (user) {
     delete user.password
   }
   return user
 }
 
-export interface SaveUserOpts {
-  hashPassword?: boolean
-  requirePassword?: boolean
-  currentUserId?: string
-}
-
 const buildUser = async (
-  user: User | ThirdPartyUser,
+  user: User,
   opts: SaveUserOpts = {
     hashPassword: true,
     requirePassword: true,
@@ -121,11 +118,13 @@ const buildUser = async (
   tenantId: string,
   dbUser?: any
 ): Promise<User> => {
-  let fullUser = user as User
-  let { password, _id } = fullUser
+  let { password, _id } = user
 
   let hashedPassword
   if (password) {
+    if (await isPreventSSOPasswords(user)) {
+      throw new HTTPError("SSO user cannot set password", 400)
+    }
     hashedPassword = opts.hashPassword ? await utils.hash(password) : password
   } else if (dbUser) {
     hashedPassword = dbUser.password
@@ -135,10 +134,10 @@ const buildUser = async (
 
   _id = _id || dbUtils.generateGlobalUserID()
 
-  fullUser = {
+  const fullUser = {
     createdAt: Date.now(),
     ...dbUser,
-    ...fullUser,
+    ...user,
     _id,
     password: hashedPassword,
     tenantId,
@@ -189,10 +188,36 @@ const validateUniqueUser = async (email: string, tenantId: string) => {
   }
 }
 
+export async function isPreventSSOPasswords(user: User) {
+  // when in maintenance mode we allow sso users with the admin role
+  // to perform any password action - this prevents lockout
+  if (env.ENABLE_SSO_MAINTENANCE_MODE && user.admin?.global) {
+    return false
+  }
+
+  // Check local sso
+  if (isSSOUser(user)) {
+    return true
+  }
+
+  // Check account sso
+  const account = await accountSdk.api.getAccount(user.email)
+  return !!(account && isSSOAccount(account))
+}
+
+export async function updateSelf(id: string, data: UpdateSelf) {
+  let user = await getUser(id)
+  user = {
+    ...user,
+    ...data,
+  }
+  return save(user)
+}
+
 export const save = async (
-  user: User | ThirdPartyUser,
+  user: User,
   opts: SaveUserOpts = {}
-): Promise<CreateUserResponse> => {
+): Promise<User> => {
   // default booleans to true
   if (opts.hashPassword == null) {
     opts.hashPassword = true
@@ -264,6 +289,7 @@ export const save = async (
     builtUser._rev = response.rev
 
     await eventHelpers.handleSaveEvents(builtUser, dbUser)
+    await platform.users.addUser(tenantId, builtUser._id!, builtUser.email)
     await cache.user.invalidateUser(response.id)
 
     // let server know to sync user
@@ -271,11 +297,8 @@ export const save = async (
 
     await Promise.all(groupPromises)
 
-    return {
-      _id: response.id,
-      _rev: response.rev,
-      email,
-    }
+    // finally returned the saved user from the db
+    return db.get(builtUser._id!)
   } catch (err: any) {
     if (err.status === 409) {
       throw "User exists already"
@@ -285,21 +308,6 @@ export const save = async (
   }
 }
 
-export const addTenant = async (
-  tenantId: string,
-  _id: string,
-  email: string
-) => {
-  if (env.MULTI_TENANCY) {
-    const afterCreateTenant = () =>
-      migrations.backPopulateMigrations({
-        type: MigrationType.GLOBAL,
-        tenantId,
-      })
-    await tenancy.tryAddTenant(tenantId, _id, email, afterCreateTenant)
-  }
-}
-
 const getExistingTenantUsers = async (emails: string[]): Promise<User[]> => {
   const lcEmails = emails.map(email => email.toLowerCase())
   const params = {
@@ -431,7 +439,7 @@ export const bulkCreate = async (
   for (const user of usersToBulkSave) {
     // TODO: Refactor to bulk insert users into the info db
     // instead of relying on looping tenant creation
-    await addTenant(tenantId, user._id, user.email)
+    await platform.users.addUser(tenantId, user._id, user.email)
     await eventHelpers.handleSaveEvents(user, undefined)
     await apps.syncUserInApps(user._id)
   }
@@ -549,7 +557,7 @@ export const bulkDelete = async (
 
 export const destroy = async (id: string, currentUser: any) => {
   const db = tenancy.getGlobalDB()
-  const dbUser = await db.get(id)
+  const dbUser = (await db.get(id)) as User
   const userId = dbUser._id as string
 
   if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
@@ -565,7 +573,7 @@ export const destroy = async (id: string, currentUser: any) => {
     }
   }
 
-  await deprovisioning.removeUserFromInfoDB(dbUser)
+  await platform.users.removeUser(dbUser)
 
   await db.remove(userId, dbUser._rev)
 
@@ -578,7 +586,7 @@ export const destroy = async (id: string, currentUser: any) => {
 
 const bulkDeleteProcessing = async (dbUser: User) => {
   const userId = dbUser._id as string
-  await deprovisioning.removeUserFromInfoDB(dbUser)
+  await platform.users.removeUser(dbUser)
   await eventHelpers.handleDeleteEvents(dbUser)
   await cache.user.invalidateUser(userId)
   await sessions.invalidateSessions(userId, { reason: "bulk-deletion" })
diff --git a/packages/worker/src/tests/TestConfiguration.ts b/packages/worker/src/tests/TestConfiguration.ts
index 0cc1e61e65..3004d0aed4 100644
--- a/packages/worker/src/tests/TestConfiguration.ts
+++ b/packages/worker/src/tests/TestConfiguration.ts
@@ -15,61 +15,29 @@ const supertest = require("supertest")
 import { Config } from "../constants"
 import {
   users,
-  tenancy,
+  context,
   sessions,
   auth,
   constants,
   env as coreEnv,
-  DEFAULT_TENANT_ID,
 } from "@budibase/backend-core"
-import structures, { TENANT_ID, CSRF_TOKEN } from "./structures"
-import { CreateUserResponse, User, AuthToken } from "@budibase/types"
+import structures, { CSRF_TOKEN } from "./structures"
+import { SaveUserResponse, User, AuthToken } from "@budibase/types"
 import API from "./api"
-import sdk from "../sdk"
-
-enum Mode {
-  CLOUD = "cloud",
-  SELF = "self",
-}
-
-async function retry<T extends (...arg0: any[]) => any>(
-  fn: T,
-  maxTry: number = 5,
-  retryCount = 1
-): Promise<Awaited<ReturnType<T>>> {
-  const currRetry = typeof retryCount === "number" ? retryCount : 1
-  try {
-    const result = await fn()
-    return result
-  } catch (e) {
-    console.log(`Retry ${currRetry} failed.`)
-    if (currRetry > maxTry) {
-      console.log(`All ${maxTry} retry attempts exhausted`)
-      throw e
-    }
-    return retry(fn, maxTry, currRetry + 1)
-  }
-}
 
 class TestConfiguration {
   server: any
   request: any
   api: API
-  defaultUser?: User
-  tenant1User?: User
-  #tenantId?: string
+  tenantId: string
+  user?: User
+  userPassword = "test"
 
-  constructor(
-    opts: { openServer: boolean; mode: Mode } = {
-      openServer: true,
-      mode: Mode.CLOUD,
-    }
-  ) {
-    if (opts.mode === Mode.CLOUD) {
-      this.modeCloud()
-    } else if (opts.mode === Mode.SELF) {
-      this.modeSelf()
-    }
+  constructor(opts: { openServer: boolean } = { openServer: true }) {
+    // default to cloud hosting
+    this.cloudHosted()
+
+    this.tenantId = structures.tenant.id()
 
     if (opts.openServer) {
       env.PORT = "0" // random port
@@ -85,26 +53,19 @@ class TestConfiguration {
     return this.request
   }
 
-  // MODES
-
-  setMultiTenancy = (value: boolean) => {
-    env._set("MULTI_TENANCY", value)
-    coreEnv._set("MULTI_TENANCY", value)
-  }
+  // HOSTING
 
   setSelfHosted = (value: boolean) => {
     env._set("SELF_HOSTED", value)
     coreEnv._set("SELF_HOSTED", value)
   }
 
-  modeCloud = () => {
+  cloudHosted = () => {
     this.setSelfHosted(false)
-    this.setMultiTenancy(true)
   }
 
-  modeSelf = () => {
+  selfHosted = () => {
     this.setSelfHosted(true)
-    this.setMultiTenancy(false)
   }
 
   // UTILS
@@ -125,7 +86,7 @@ class TestConfiguration {
     if (params) {
       request.params = params
     }
-    await tenancy.doInTenant(this.getTenantId(), () => {
+    await context.doInTenant(this.getTenantId(), () => {
       return controlFunc(request)
     })
     return request.body
@@ -135,18 +96,10 @@ class TestConfiguration {
 
   async beforeAll() {
     try {
-      this.#tenantId = structures.tenant.id()
-
-      // Running tests in parallel causes issues creating the globaldb twice. This ensures the db is properly created before starting
-      await retry(async () => await this.createDefaultUser())
-      await this.createSession(this.defaultUser!)
-
-      await tenancy.doInTenant(this.#tenantId, async () => {
-        await this.createTenant1User()
-        await this.createSession(this.tenant1User!)
-      })
+      await this.createDefaultUser()
+      await this.createSession(this.user!)
     } catch (e: any) {
-      console.log(e)
+      console.error(e)
       throw new Error(e.message)
     }
   }
@@ -159,12 +112,16 @@ class TestConfiguration {
 
   // TENANCY
 
+  doInTenant(task: any) {
+    return context.doInTenant(this.tenantId, () => {
+      return task()
+    })
+  }
+
   createTenant = async (): Promise<User> => {
     // create user / new tenant
     const res = await this.api.users.createAdminUser()
 
-    await sdk.users.addTenant(res.tenantId, res.userId, res.email)
-
     // return the created user
     const userRes = await this.api.users.getUser(res.userId, {
       headers: {
@@ -182,9 +139,9 @@ class TestConfiguration {
 
   getTenantId() {
     try {
-      return tenancy.getTenantId()
-    } catch (e: any) {
-      return DEFAULT_TENANT_ID
+      return context.getTenantId()
+    } catch (e) {
+      return this.tenantId!
     }
   }
 
@@ -232,14 +189,11 @@ class TestConfiguration {
   }
 
   defaultHeaders() {
-    const tenantId = this.getTenantId()
-    if (tenantId === TENANT_ID) {
-      return this.authHeaders(this.defaultUser!)
-    } else if (tenantId === this.getTenantId()) {
-      return this.authHeaders(this.tenant1User!)
-    } else {
-      throw new Error("could not determine auth headers to use")
-    }
+    return this.authHeaders(this.user!)
+  }
+
+  tenantIdHeaders() {
+    return { [constants.Header.TENANT_ID]: this.tenantId }
   }
 
   internalAPIHeaders() {
@@ -254,20 +208,15 @@ class TestConfiguration {
 
   async createDefaultUser() {
     const user = structures.users.adminUser({
-      password: "test",
+      password: this.userPassword,
     })
-    this.defaultUser = await this.createUser(user)
-  }
-
-  async createTenant1User() {
-    const user = structures.users.adminUser({
-      password: "test",
+    await context.doInTenant(this.tenantId!, async () => {
+      this.user = await this.createUser(user)
     })
-    this.tenant1User = await this.createUser(user)
   }
 
   async getUser(email: string): Promise<User> {
-    return tenancy.doInTenant(this.getTenantId(), () => {
+    return context.doInTenant(this.getTenantId(), () => {
       return users.getGlobalUserByEmail(email)
     })
   }
@@ -277,7 +226,7 @@ class TestConfiguration {
       user = structures.users.user()
     }
     const response = await this._req(user, null, controllers.users.save)
-    const body = response as CreateUserResponse
+    const body = response as SaveUserResponse
     return this.getUser(body.email)
   }
 
diff --git a/packages/worker/src/tests/api/auth.ts b/packages/worker/src/tests/api/auth.ts
index ccbf747273..bd0471ca74 100644
--- a/packages/worker/src/tests/api/auth.ts
+++ b/packages/worker/src/tests/api/auth.ts
@@ -1,21 +1,39 @@
-import structures from "../structures"
 import TestConfiguration from "../TestConfiguration"
-import { TestAPI } from "./base"
+import { TestAPI, TestAPIOpts } from "./base"
 
 export class AuthAPI extends TestAPI {
   constructor(config: TestConfiguration) {
     super(config)
   }
 
-  updatePassword = (code: string) => {
+  updatePassword = (
+    resetCode: string,
+    password: string,
+    opts?: TestAPIOpts
+  ) => {
     return this.request
       .post(`/api/global/auth/${this.config.getTenantId()}/reset/update`)
       .send({
-        password: "newpassword",
-        resetCode: code,
+        password,
+        resetCode,
       })
       .expect("Content-Type", /json/)
-      .expect(200)
+      .expect(opts?.status ? opts.status : 200)
+  }
+
+  login = (
+    tenantId: string,
+    email: string,
+    password: string,
+    opts?: TestAPIOpts
+  ) => {
+    return this.request
+      .post(`/api/global/auth/${tenantId}/login`)
+      .send({
+        username: email,
+        password: password,
+      })
+      .expect(opts?.status ? opts.status : 200)
   }
 
   logout = () => {
@@ -25,25 +43,31 @@ export class AuthAPI extends TestAPI {
       .expect(200)
   }
 
-  requestPasswordReset = async (sendMailMock: any, userEmail: string) => {
+  requestPasswordReset = async (
+    sendMailMock: any,
+    email: string,
+    opts?: TestAPIOpts
+  ) => {
     await this.config.saveSmtpConfig()
     await this.config.saveSettingsConfig()
-    await this.config.createUser({
-      ...structures.users.user(),
-      email: userEmail,
-    })
+
     const res = await this.request
       .post(`/api/global/auth/${this.config.getTenantId()}/reset`)
       .send({
-        email: userEmail,
+        email: email,
       })
       .expect("Content-Type", /json/)
-      .expect(200)
-    const emailCall = sendMailMock.mock.calls[0][0]
-    const parts = emailCall.html.split(
-      `http://localhost:10000/builder/auth/reset?code=`
-    )
-    const code = parts[1].split('"')[0].split("&")[0]
+      .expect(opts?.status ? opts.status : 200)
+
+    let code: string | undefined
+    if (res.status === 200) {
+      const emailCall = sendMailMock.mock.calls[0][0]
+      const parts = emailCall.html.split(
+        `http://localhost:10000/builder/auth/reset?code=`
+      )
+      code = parts[1].split('"')[0].split("&")[0]
+    }
+
     return { code, res }
   }
 }
diff --git a/packages/worker/src/tests/api/base.ts b/packages/worker/src/tests/api/base.ts
index c1263ed5cb..460d61e70a 100644
--- a/packages/worker/src/tests/api/base.ts
+++ b/packages/worker/src/tests/api/base.ts
@@ -1,4 +1,5 @@
 import TestConfiguration from "../TestConfiguration"
+import { SuperTest, Test } from "supertest"
 
 export interface TestAPIOpts {
   headers?: any
@@ -7,7 +8,7 @@ export interface TestAPIOpts {
 
 export abstract class TestAPI {
   config: TestConfiguration
-  request: any
+  request: SuperTest<Test>
 
   protected constructor(config: TestConfiguration) {
     this.config = config
diff --git a/packages/worker/src/tests/api/restore.ts b/packages/worker/src/tests/api/restore.ts
index 6069c20185..c6a646317d 100644
--- a/packages/worker/src/tests/api/restore.ts
+++ b/packages/worker/src/tests/api/restore.ts
@@ -9,6 +9,7 @@ export class RestoreAPI extends TestAPI {
   restored = (opts?: TestAPIOpts) => {
     return this.request
       .post(`/api/system/restored`)
+      .set(this.config.tenantIdHeaders())
       .expect(opts?.status ? opts.status : 200)
   }
 }
diff --git a/packages/worker/src/tests/jestEnv.ts b/packages/worker/src/tests/jestEnv.ts
index 0b27cf52aa..061897451e 100644
--- a/packages/worker/src/tests/jestEnv.ts
+++ b/packages/worker/src/tests/jestEnv.ts
@@ -1,7 +1,8 @@
 process.env.SELF_HOSTED = "0"
 process.env.NODE_ENV = "jest"
 process.env.JWT_SECRET = "test-jwtsecret"
-process.env.LOG_LEVEL = "silent"
+process.env.LOG_LEVEL = process.env.LOG_LEVEL || "error"
+process.env.ENABLE_4XX_HTTP_LOGGING = "0"
 process.env.MULTI_TENANCY = "1"
 process.env.MINIO_URL = "http://localhost"
 process.env.MINIO_ACCESS_KEY = "test"
diff --git a/packages/worker/src/tests/jestSetup.ts b/packages/worker/src/tests/jestSetup.ts
index 2deef96176..31d36f00ae 100644
--- a/packages/worker/src/tests/jestSetup.ts
+++ b/packages/worker/src/tests/jestSetup.ts
@@ -1,5 +1,6 @@
-import { mocks, testContainerUtils } from "@budibase/backend-core/tests"
+import "./logging"
 
+import { mocks, testContainerUtils } from "@budibase/backend-core/tests"
 import env from "../environment"
 import { env as coreEnv } from "@budibase/backend-core"
 
@@ -11,10 +12,6 @@ mocks.fetch.enable()
 const tk = require("timekeeper")
 tk.freeze(mocks.date.MOCK_DATE)
 
-if (!process.env.DEBUG) {
-  global.console.log = jest.fn() // console.log are ignored in tests
-}
-
 if (!process.env.CI) {
   // set a longer timeout in dev for debugging
   // 100 seconds
diff --git a/packages/worker/src/tests/logging.ts b/packages/worker/src/tests/logging.ts
new file mode 100644
index 0000000000..271f4d62ff
--- /dev/null
+++ b/packages/worker/src/tests/logging.ts
@@ -0,0 +1,34 @@
+export enum LogLevel {
+  TRACE = "trace",
+  DEBUG = "debug",
+  INFO = "info",
+  WARN = "warn",
+  ERROR = "error",
+}
+
+const LOG_INDEX: { [key in LogLevel]: number } = {
+  [LogLevel.TRACE]: 1,
+  [LogLevel.DEBUG]: 2,
+  [LogLevel.INFO]: 3,
+  [LogLevel.WARN]: 4,
+  [LogLevel.ERROR]: 5,
+}
+
+const setIndex = LOG_INDEX[process.env.LOG_LEVEL as LogLevel]
+
+if (setIndex > LOG_INDEX.trace) {
+  global.console.trace = jest.fn()
+}
+
+if (setIndex > LOG_INDEX.debug) {
+  global.console.debug = jest.fn()
+}
+
+if (setIndex > LOG_INDEX.info) {
+  global.console.info = jest.fn()
+  global.console.log = jest.fn()
+}
+
+if (setIndex > LOG_INDEX.warn) {
+  global.console.warn = jest.fn()
+}
diff --git a/packages/worker/src/tests/structures/index.ts b/packages/worker/src/tests/structures/index.ts
index dad055f7a7..bec15df6dd 100644
--- a/packages/worker/src/tests/structures/index.ts
+++ b/packages/worker/src/tests/structures/index.ts
@@ -1,6 +1,5 @@
 import { structures } from "@budibase/backend-core/tests"
 import * as configs from "./configs"
-import * as users from "./users"
 import * as groups from "./groups"
 import { v4 as uuid } from "uuid"
 
@@ -11,7 +10,6 @@ const pkg = {
   ...structures,
   uuid,
   configs,
-  users,
   TENANT_ID,
   CSRF_TOKEN,
   groups,
diff --git a/packages/worker/src/tests/structures/users.ts b/packages/worker/src/tests/structures/users.ts
deleted file mode 100644
index 3348670b7d..0000000000
--- a/packages/worker/src/tests/structures/users.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-export const email = "test@test.com"
-import { AdminUser, BuilderUser, User } from "@budibase/types"
-import { v4 as uuid } from "uuid"
-
-export const newEmail = () => {
-  return `${uuid()}@test.com`
-}
-
-export const user = (userProps?: any): User => {
-  return {
-    email: newEmail(),
-    password: "test",
-    roles: { app_test: "admin" },
-    ...userProps,
-  }
-}
-
-export const adminUser = (userProps?: any): AdminUser => {
-  return {
-    ...user(userProps),
-    admin: {
-      global: true,
-    },
-    builder: {
-      global: true,
-    },
-  }
-}
-
-export const builderUser = (userProps?: any): BuilderUser => {
-  return {
-    ...user(userProps),
-    builder: {
-      global: true,
-    },
-  }
-}
diff --git a/packages/worker/src/utilities/email.ts b/packages/worker/src/utilities/email.ts
index 7ec3447707..66e860edcb 100644
--- a/packages/worker/src/utilities/email.ts
+++ b/packages/worker/src/utilities/email.ts
@@ -26,7 +26,7 @@ type SendEmailOpts = {
   automation?: boolean
 }
 
-const TEST_MODE = false
+const TEST_MODE = env.ENABLE_EMAIL_TEST_MODE && env.isDev()
 const TYPE = TemplateType.EMAIL
 
 const FULL_EMAIL_PURPOSES = [
@@ -62,8 +62,8 @@ function createSMTPTransport(config: any) {
       host: "smtp.ethereal.email",
       secure: false,
       auth: {
-        user: "don.bahringer@ethereal.email",
-        pass: "yCKSH8rWyUPbnhGYk9",
+        user: "wyatt.zulauf29@ethereal.email",
+        pass: "tEwDtHBWWxusVWAPfa",
       },
     }
   }
diff --git a/packages/worker/src/utilities/redis.ts b/packages/worker/src/utilities/redis.ts
index 893ec9f0a8..9171fe97ee 100644
--- a/packages/worker/src/utilities/redis.ts
+++ b/packages/worker/src/utilities/redis.ts
@@ -54,6 +54,8 @@ export async function init() {
 export async function shutdown() {
   if (pwResetClient) await pwResetClient.finish()
   if (invitationClient) await invitationClient.finish()
+  // shutdown core clients
+  await redis.clients.shutdown()
   console.log("Redis shutdown")
 }
 
diff --git a/packages/worker/yarn.lock b/packages/worker/yarn.lock
index cdff3b0a12..83417a2e84 100644
--- a/packages/worker/yarn.lock
+++ b/packages/worker/yarn.lock
@@ -475,14 +475,14 @@
   resolved "https://registry.yarnpkg.com/@bcoe/v8-coverage/-/v8-coverage-0.2.3.tgz#75a2e8b51cb758a7553d6804a5932d7aace75c39"
   integrity sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==
 
-"@budibase/backend-core@2.3.14-alpha.0":
-  version "2.3.14-alpha.0"
-  resolved "https://registry.yarnpkg.com/@budibase/backend-core/-/backend-core-2.3.14-alpha.0.tgz#8d60c93e9861301296907f61e770bdf1881b560c"
-  integrity sha512-lvRl6o9CCUx1VQ6ftu4FYuTp5mGgvbshNYoeaH0DbWFfhLNbibEHxx+pR+6M1ufhbu/EO6jKEr7DDeNiRBBMTw==
+"@budibase/backend-core@2.3.18-alpha.0":
+  version "2.3.18-alpha.0"
+  resolved "https://registry.yarnpkg.com/@budibase/backend-core/-/backend-core-2.3.18-alpha.0.tgz#c0a64a150c1fef9cc69f95f0aece4e857d64438d"
+  integrity sha512-ugD+WMoFwpXm+moSLHUgaBOu4XpX0+5UhmMWcNeRtH0Yd9GpDh2QzwtoN8BtXq8k5gkVEyoNSz+6oxKfNkNVdQ==
   dependencies:
     "@budibase/nano" "10.1.1"
     "@budibase/pouchdb-replication-stream" "1.2.10"
-    "@budibase/types" "2.3.14-alpha.0"
+    "@budibase/types" "2.3.18-alpha.0"
     "@shopify/jest-koa-mocks" "5.0.1"
     "@techpass/passport-openidconnect" "0.3.2"
     aws-cloudfront-sign "2.2.0"
@@ -539,13 +539,13 @@
     pouchdb-promise "^6.0.4"
     through2 "^2.0.0"
 
-"@budibase/pro@2.3.14-alpha.0":
-  version "2.3.14-alpha.0"
-  resolved "https://registry.yarnpkg.com/@budibase/pro/-/pro-2.3.14-alpha.0.tgz#db8ac1d0cacea21240c59458c4143e3e55663a4d"
-  integrity sha512-RJqXlvZmYrKCLxe7uVnc2KmDwE5OmoUZCA9M6b5Ne7ZHqrhtaNB/4Xlr1ESG79///epEWLv+Fde7mpHPzCvsZw==
+"@budibase/pro@2.3.18-alpha.0":
+  version "2.3.18-alpha.0"
+  resolved "https://registry.yarnpkg.com/@budibase/pro/-/pro-2.3.18-alpha.0.tgz#e87a2449d9e2453766c0ea77539af359bf5a81ff"
+  integrity sha512-nKLhCdLxmBX+VY7LF6daH0/AItcHoQTmBB3tc0SP7y4OLcJZfBEYidoWqWJKCgdz6LScWWogLgbDIAC8t+LNzg==
   dependencies:
-    "@budibase/backend-core" "2.3.14-alpha.0"
-    "@budibase/types" "2.3.14-alpha.0"
+    "@budibase/backend-core" "2.3.18-alpha.0"
+    "@budibase/types" "2.3.18-alpha.0"
     "@koa/router" "8.0.8"
     bull "4.10.1"
     joi "17.6.0"
@@ -553,10 +553,10 @@
     lru-cache "^7.14.1"
     node-fetch "^2.6.1"
 
-"@budibase/types@2.3.14-alpha.0":
-  version "2.3.14-alpha.0"
-  resolved "https://registry.yarnpkg.com/@budibase/types/-/types-2.3.14-alpha.0.tgz#03072a669c016c616278dc01c577119dd710e4fe"
-  integrity sha512-D5qOD7YJhHUrPy81C9OpTlVzsXBmZwbF9WdoxYo/M8JYmhTJfj7Fu5dGTyDpipPQVqknFpTsig5kQqG3r08ZZw==
+"@budibase/types@2.3.18-alpha.0":
+  version "2.3.18-alpha.0"
+  resolved "https://registry.yarnpkg.com/@budibase/types/-/types-2.3.18-alpha.0.tgz#14480e760c9e7931e884e9e0f8b1d5dd7e5d91c9"
+  integrity sha512-d+OcW2sNYw7VthMGrOBRY2Bz6iPQVWOnJ94XfYlBRJVIoYwBgudbYkOXPz/vQmHyjSUQFobrvs6UDeZ/3VJTaA==
 
 "@cspotcode/source-map-support@^0.8.0":
   version "0.8.1"
@@ -565,6 +565,53 @@
   dependencies:
     "@jridgewell/trace-mapping" "0.3.9"
 
+"@datadog/native-appsec@2.0.0":
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/@datadog/native-appsec/-/native-appsec-2.0.0.tgz#ad65ba19bfd68e6b6c6cf64bb8ef55d099af8edc"
+  integrity sha512-XHARZ6MVgbnfOUO6/F3ZoZ7poXHJCNYFlgcyS2Xetuk9ITA5bfcooX2B2F7tReVB+RLJ+j8bsm0t55SyF04KDw==
+  dependencies:
+    node-gyp-build "^3.9.0"
+
+"@datadog/native-iast-rewriter@1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@datadog/native-iast-rewriter/-/native-iast-rewriter-1.1.2.tgz#793cbf92d218ec80d645be0830023656b81018ea"
+  integrity sha512-pigRfRtAjZjMjqIXyXb98S4aDnuHz/EmqpoxAajFZsNjBLM87YonwSY5zoBdCsOyA46ddKOJRoCQd5ZalpOFMQ==
+  dependencies:
+    node-gyp-build "^4.5.0"
+
+"@datadog/native-iast-taint-tracking@1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@datadog/native-iast-taint-tracking/-/native-iast-taint-tracking-1.1.0.tgz#8f7d0016157b32dbf5c01b15b8afb1c4286b4a18"
+  integrity sha512-TOrngpt6Qh52zWFOz1CkFXw0g43rnuUziFBtIMUsOLGzSHr9wdnTnE6HAyuvKy3f3ecAoZESlMfilGRKP93hXQ==
+  dependencies:
+    node-gyp-build "^3.9.0"
+
+"@datadog/native-metrics@^1.5.0":
+  version "1.5.0"
+  resolved "https://registry.yarnpkg.com/@datadog/native-metrics/-/native-metrics-1.5.0.tgz#e71b6b6d65f4bd58dfdffab2737890e8eef34584"
+  integrity sha512-K63XMDx74RLhOpM8I9GGZR9ft0CNNB/RkjYPLHcVGvVnBR47zmWE2KFa7Yrtzjbk73+88PXI4nzqLyR3PJsaIQ==
+  dependencies:
+    node-gyp-build "^3.9.0"
+
+"@datadog/pprof@^1.1.1":
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/@datadog/pprof/-/pprof-1.1.1.tgz#17e86035140523ac3a96f3662e5dd29822042d61"
+  integrity sha512-5lYXUpikQhrJwzODtJ7aFM0oKmPccISnTCecuWhjxIj4/7UJv0DamkLak634bgEW+kiChgkKFDapHSesuXRDXQ==
+  dependencies:
+    delay "^5.0.0"
+    findit2 "^2.2.3"
+    node-gyp-build "^3.9.0"
+    p-limit "^3.1.0"
+    pify "^5.0.0"
+    protobufjs "^7.0.0"
+    source-map "^0.7.3"
+    split "^1.0.1"
+
+"@datadog/sketches-js@^2.1.0":
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/@datadog/sketches-js/-/sketches-js-2.1.0.tgz#8c7e8028a5fc22ad102fa542b0a446c956830455"
+  integrity sha512-smLocSfrt3s53H/XSVP3/1kP42oqvrkjUPtyaFd1F79ux24oE31BKt+q0c6lsa6hOYrFzsIwyc5GXAI5JmfOew==
+
 "@elastic/ecs-helpers@^1.1.0":
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/@elastic/ecs-helpers/-/ecs-helpers-1.1.0.tgz#ee7e6f870f75a2222c5d7179b36a628f1db4779e"
@@ -800,17 +847,6 @@
     slash "^3.0.0"
     write-file-atomic "^4.0.1"
 
-"@jest/types@^26.6.2":
-  version "26.6.2"
-  resolved "https://registry.yarnpkg.com/@jest/types/-/types-26.6.2.tgz#bef5a532030e1d88a2f5a6d933f84e97226ed48e"
-  integrity sha512-fC6QCp7Sc5sX6g8Tvbmj4XUTbyrik0akgRy03yjXbQaBWWNWGE7SGtJk98m0N8nzegD/7SggrUlivxo5ax4KWQ==
-  dependencies:
-    "@types/istanbul-lib-coverage" "^2.0.0"
-    "@types/istanbul-reports" "^3.0.0"
-    "@types/node" "*"
-    "@types/yargs" "^15.0.0"
-    chalk "^4.0.0"
-
 "@jest/types@^27.5.1":
   version "27.5.1"
   resolved "https://registry.yarnpkg.com/@jest/types/-/types-27.5.1.tgz#3c79ec4a8ba61c170bf937bcf9e98a9df175ec80"
@@ -997,6 +1033,59 @@
   resolved "https://registry.yarnpkg.com/@opentelemetry/api/-/api-1.1.0.tgz#563539048255bbe1a5f4f586a4a10a1bb737f44a"
   integrity sha512-hf+3bwuBwtXsugA2ULBc95qxrOqP2pOekLz34BJhcAKawt94vfeNyUKpYc0lZQ/3sCP6LqRa7UAdHA7i5UODzQ==
 
+"@protobufjs/aspromise@^1.1.1", "@protobufjs/aspromise@^1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@protobufjs/aspromise/-/aspromise-1.1.2.tgz#9b8b0cc663d669a7d8f6f5d0893a14d348f30fbf"
+  integrity sha512-j+gKExEuLmKwvz3OgROXtrJ2UG2x8Ch2YZUxahh+s1F2HZ+wAceUNLkvy6zKCPVRkU++ZWQrdxsUeQXmcg4uoQ==
+
+"@protobufjs/base64@^1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@protobufjs/base64/-/base64-1.1.2.tgz#4c85730e59b9a1f1f349047dbf24296034bb2735"
+  integrity sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg==
+
+"@protobufjs/codegen@^2.0.4":
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/@protobufjs/codegen/-/codegen-2.0.4.tgz#7ef37f0d010fb028ad1ad59722e506d9262815cb"
+  integrity sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==
+
+"@protobufjs/eventemitter@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz#355cbc98bafad5978f9ed095f397621f1d066b70"
+  integrity sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==
+
+"@protobufjs/fetch@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@protobufjs/fetch/-/fetch-1.1.0.tgz#ba99fb598614af65700c1619ff06d454b0d84c45"
+  integrity sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==
+  dependencies:
+    "@protobufjs/aspromise" "^1.1.1"
+    "@protobufjs/inquire" "^1.1.0"
+
+"@protobufjs/float@^1.0.2":
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/@protobufjs/float/-/float-1.0.2.tgz#5e9e1abdcb73fc0a7cb8b291df78c8cbd97b87d1"
+  integrity sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==
+
+"@protobufjs/inquire@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@protobufjs/inquire/-/inquire-1.1.0.tgz#ff200e3e7cf2429e2dcafc1140828e8cc638f089"
+  integrity sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==
+
+"@protobufjs/path@^1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@protobufjs/path/-/path-1.1.2.tgz#6cc2b20c5c9ad6ad0dccfd21ca7673d8d7fbf68d"
+  integrity sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==
+
+"@protobufjs/pool@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@protobufjs/pool/-/pool-1.1.0.tgz#09fd15f2d6d3abfa9b65bc366506d6ad7846ff54"
+  integrity sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==
+
+"@protobufjs/utf8@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@protobufjs/utf8/-/utf8-1.1.0.tgz#a777360b5b39a1a2e5106f8e858f2fd2d060c570"
+  integrity sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==
+
 "@sentry/core@6.17.7":
   version "6.17.7"
   resolved "https://registry.yarnpkg.com/@sentry/core/-/core-6.17.7.tgz#f591235c06b1a4e75d748b15c539e071bd3f5cf5"
@@ -1317,6 +1406,11 @@
   resolved "https://registry.yarnpkg.com/@types/content-disposition/-/content-disposition-0.5.5.tgz#650820e95de346e1f84e30667d168c8fd25aa6e3"
   integrity sha512-v6LCdKfK6BwcqMo+wYW05rLS12S0ZO0Fl4w1h4aaZMD7bqT3gVUns6FvLJKGZHQmYn3SX55JWGpziwJRwVgutA==
 
+"@types/cookiejar@*":
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/@types/cookiejar/-/cookiejar-2.1.2.tgz#66ad9331f63fe8a3d3d9d8c6e3906dd10f6446e8"
+  integrity sha512-t73xJJrvdTjXrn4jLS9VSGRbz0nUY3cl2DMGDU48lKl+HR9dbbjW2A9r3g40VA++mQpy6uuHg33gy7du2BKpog==
+
 "@types/cookies@*":
   version "0.7.7"
   resolved "https://registry.yarnpkg.com/@types/cookies/-/cookies-0.7.7.tgz#7a92453d1d16389c05a5301eef566f34946cfd81"
@@ -1413,13 +1507,13 @@
   dependencies:
     "@types/istanbul-lib-report" "*"
 
-"@types/jest@26.0.23":
-  version "26.0.23"
-  resolved "https://registry.yarnpkg.com/@types/jest/-/jest-26.0.23.tgz#a1b7eab3c503b80451d019efb588ec63522ee4e7"
-  integrity sha512-ZHLmWMJ9jJ9PTiT58juykZpL7KjwJywFN3Rr2pTSkyQfydf/rk22yS7W8p5DaVUMQ2BQC7oYiU3FjbTM/mYrOA==
+"@types/jest@28.1.1":
+  version "28.1.1"
+  resolved "https://registry.yarnpkg.com/@types/jest/-/jest-28.1.1.tgz#8c9ba63702a11f8c386ee211280e8b68cb093cd1"
+  integrity sha512-C2p7yqleUKtCkVjlOur9BWVA4HgUQmEj/HWCt5WzZ5mLXrWnyIfl0wGuArc+kBXsy0ZZfLp+7dywB4HtSVYGVA==
   dependencies:
-    jest-diff "^26.0.0"
-    pretty-format "^26.0.0"
+    jest-matcher-utils "^27.0.0"
+    pretty-format "^27.0.0"
 
 "@types/json-buffer@~3.0.0":
   version "3.0.0"
@@ -1501,6 +1595,11 @@
   resolved "https://registry.yarnpkg.com/@types/node/-/node-14.18.20.tgz#268f028b36eaf51181c3300252f605488c4f0650"
   integrity sha512-Q8KKwm9YqEmUBRsqJ2GWJDtXltBDxTdC4m5vTdXBolu2PeQh8LX+f6BTwU+OuXPu37fLxoN6gidqBmnky36FXA==
 
+"@types/node@>=13.7.0":
+  version "18.13.0"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-18.13.0.tgz#0400d1e6ce87e9d3032c19eb6c58205b0d3f7850"
+  integrity sha512-gC3TazRzGoOnoKAhUx+Q0t8S9Tzs74z7m0ipwGpSqQrleP14hKxP4/JUeEQcD3W1/aIpnWl8pHowI7WokuZpXg==
+
 "@types/pouchdb-adapter-cordova-sqlite@*":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@types/pouchdb-adapter-cordova-sqlite/-/pouchdb-adapter-cordova-sqlite-1.0.1.tgz#49e5ee6df7cc0c23196fcb340f43a560e74eb1d6"
@@ -1689,6 +1788,21 @@
   resolved "https://registry.yarnpkg.com/@types/stack-utils/-/stack-utils-2.0.1.tgz#20f18294f797f2209b5f65c8e3b5c8e8261d127c"
   integrity sha512-Hl219/BT5fLAaz6NDkSuhzasy49dwQS/DSdu4MdggFB8zcXv7vflBI3xp7FEmkmdDkBUI2bPUNeMttp2knYdxw==
 
+"@types/superagent@*":
+  version "4.1.16"
+  resolved "https://registry.yarnpkg.com/@types/superagent/-/superagent-4.1.16.tgz#12c9c16f232f9d89beab91d69368f96ce8e2d881"
+  integrity sha512-tLfnlJf6A5mB6ddqF159GqcDizfzbMUB1/DeT59/wBNqzRTNNKsaw79A/1TZ84X+f/EwWH8FeuSkjlCLyqS/zQ==
+  dependencies:
+    "@types/cookiejar" "*"
+    "@types/node" "*"
+
+"@types/supertest@2.0.12":
+  version "2.0.12"
+  resolved "https://registry.yarnpkg.com/@types/supertest/-/supertest-2.0.12.tgz#ddb4a0568597c9aadff8dbec5b2e8fddbe8692fc"
+  integrity sha512-X3HPWTwXRerBZS7Mo1k6vMVR1Z6zmJcDVn5O/31whe0tnjE4te6ZJSJGq1RiqHPjzPdMTfjCFogDJmwng9xHaQ==
+  dependencies:
+    "@types/superagent" "*"
+
 "@types/tough-cookie@^4.0.2":
   version "4.0.2"
   resolved "https://registry.yarnpkg.com/@types/tough-cookie/-/tough-cookie-4.0.2.tgz#6286b4c7228d58ab7866d19716f3696e03a09397"
@@ -1704,13 +1818,6 @@
   resolved "https://registry.yarnpkg.com/@types/yargs-parser/-/yargs-parser-21.0.0.tgz#0c60e537fa790f5f9472ed2776c2b71ec117351b"
   integrity sha512-iO9ZQHkZxHn4mSakYV0vFHAVDyEOIJQrV2uZ06HxEPcx+mt8swXoZHIbaaJ2crJYFfErySgktuTZ3BeLz+XmFA==
 
-"@types/yargs@^15.0.0":
-  version "15.0.14"
-  resolved "https://registry.yarnpkg.com/@types/yargs/-/yargs-15.0.14.tgz#26d821ddb89e70492160b66d10a0eb6df8f6fb06"
-  integrity sha512-yEJzHoxf6SyQGhBhIYGXQDSCkJjB6HohDShto7m8vaKg9Yp0Yn8+71J9eakh2bnPg6BfsH9PRMhiRTZnd4eXGQ==
-  dependencies:
-    "@types/yargs-parser" "*"
-
 "@types/yargs@^16.0.0":
   version "16.0.5"
   resolved "https://registry.yarnpkg.com/@types/yargs/-/yargs-16.0.5.tgz#12cc86393985735a283e387936398c2f9e5f88e3"
@@ -1898,7 +2005,7 @@ ansi-regex@^4.1.0:
   resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-4.1.1.tgz#164daac87ab2d6f6db3a29875e2d1766582dabed"
   integrity sha512-ILlv4k/3f6vfQ4OoP2AGvirOktlQ98ZEL1k9FaQjxa3L1abBgbuTDAdPOpvbGncC0BTVQrl+OM8xZGK6tWXt7g==
 
-ansi-regex@^5.0.0, ansi-regex@^5.0.1:
+ansi-regex@^5.0.1:
   version "5.0.1"
   resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-5.0.1.tgz#082cb2c89c9fe8659a311a53bd6a4dc5301db304"
   integrity sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==
@@ -2829,6 +2936,11 @@ crypto-random-string@^2.0.0:
   resolved "https://registry.yarnpkg.com/crypto-random-string/-/crypto-random-string-2.0.0.tgz#ef2a7a966ec11083388369baa02ebead229b30d5"
   integrity sha512-v1plID3y9r/lPhviJ1wrXpLeyUIGAZ2SHNYTEapm7/8A9nLPoyvVp3RK/EPFqn5kEznyWgYZNsRtYYIWbuG8KA==
 
+crypto-randomuuid@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/crypto-randomuuid/-/crypto-randomuuid-1.0.0.tgz#acf583e5e085e867ae23e107ff70279024f9e9e7"
+  integrity sha512-/RC5F4l1SCqD/jazwUF6+t34Cd8zTSAGZ7rvvZu1whZUhD2a5MOGKjSGowoGcpj/cbVZk1ZODIooJEQQq3nNAA==
+
 cwd@^0.10.0:
   version "0.10.0"
   resolved "https://registry.yarnpkg.com/cwd/-/cwd-0.10.0.tgz#172400694057c22a13b0cf16162c7e4b7a7fe567"
@@ -2849,6 +2961,39 @@ dateformat@^4.5.1:
   resolved "https://registry.yarnpkg.com/dateformat/-/dateformat-4.6.3.tgz#556fa6497e5217fedb78821424f8a1c22fa3f4b5"
   integrity sha512-2P0p0pFGzHS5EMnhdxQi7aJN+iMheud0UhG4dlE1DLAlvL8JHjJJTX/CSm4JXwV0Ka5nGk3zC5mcb5bUQUxxMA==
 
+dd-trace@3.13.2:
+  version "3.13.2"
+  resolved "https://registry.yarnpkg.com/dd-trace/-/dd-trace-3.13.2.tgz#95b1ec480ab9ac406e1da7591a8c6f678d3799fd"
+  integrity sha512-POO9nEcAufe5pgp2xV1X3PfWip6wh+6TpEcRSlSgZJCIIMvWVCkcIVL/J2a6KAZq6V3Yjbkl8Ktfe+MOzQf5kw==
+  dependencies:
+    "@datadog/native-appsec" "2.0.0"
+    "@datadog/native-iast-rewriter" "1.1.2"
+    "@datadog/native-iast-taint-tracking" "1.1.0"
+    "@datadog/native-metrics" "^1.5.0"
+    "@datadog/pprof" "^1.1.1"
+    "@datadog/sketches-js" "^2.1.0"
+    crypto-randomuuid "^1.0.0"
+    diagnostics_channel "^1.1.0"
+    ignore "^5.2.0"
+    import-in-the-middle "^1.3.4"
+    ipaddr.js "^2.0.1"
+    istanbul-lib-coverage "3.2.0"
+    koalas "^1.0.2"
+    limiter "^1.1.4"
+    lodash.kebabcase "^4.1.1"
+    lodash.pick "^4.4.0"
+    lodash.sortby "^4.7.0"
+    lodash.uniq "^4.5.0"
+    lru-cache "^7.14.0"
+    methods "^1.1.2"
+    module-details-from-path "^1.0.3"
+    node-abort-controller "^3.0.1"
+    opentracing ">=0.12.1"
+    path-to-regexp "^0.1.2"
+    protobufjs "^7.1.2"
+    retry "^0.10.1"
+    semver "^5.5.0"
+
 debug@4, debug@^4.0.1, debug@^4.1.0, debug@^4.1.1, debug@^4.3.1, debug@^4.3.2, debug@^4.3.4:
   version "4.3.4"
   resolved "https://registry.yarnpkg.com/debug/-/debug-4.3.4.tgz#1319f6579357f2338d3337d2cdd4914bb5dcc865"
@@ -2938,6 +3083,11 @@ defined@^1.0.0:
   resolved "https://registry.yarnpkg.com/defined/-/defined-1.0.0.tgz#c98d9bcef75674188e110969151199e39b1fa693"
   integrity sha512-Y2caI5+ZwS5c3RiNDJ6u53VhQHv+hHKwhkI1iHvceKUHw9Df6EK2zRLfjejRgMuCuxK7PfSWIMwWecceVvThjQ==
 
+delay@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/delay/-/delay-5.0.0.tgz#137045ef1b96e5071060dd5be60bf9334436bd1d"
+  integrity sha512-ReEBKkIfe4ya47wlPYf/gu5ib6yUG0/Aez0JQZQz94kiWtRQvZIQbTiehsnwHvLSWJnQdhVeqYue7Id1dKr0qw==
+
 delayed-stream@~1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/delayed-stream/-/delayed-stream-1.0.0.tgz#df3ae199acadfb7d440aaae0b29e2272b24ec619"
@@ -2999,10 +3149,15 @@ dezalgo@1.0.3:
     asap "^2.0.0"
     wrappy "1"
 
-diff-sequences@^26.6.2:
-  version "26.6.2"
-  resolved "https://registry.yarnpkg.com/diff-sequences/-/diff-sequences-26.6.2.tgz#48ba99157de1923412eed41db6b6d4aa9ca7c0b1"
-  integrity sha512-Mv/TDa3nZ9sbc5soK+OoA74BsS3mL37yixCvUAQkiuA4Wz6YtwP/K47n2rv2ovzHZvoiQeA5FTQOschKkEwB0Q==
+diagnostics_channel@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/diagnostics_channel/-/diagnostics_channel-1.1.0.tgz#bd66c49124ce3bac697dff57466464487f57cea5"
+  integrity sha512-OE1ngLDjSBPG6Tx0YATELzYzy3RKHC+7veQ8gLa8yS7AAgw65mFbVdcsu3501abqOZCEZqZyAIemB0zXlqDSuw==
+
+diff-sequences@^27.5.1:
+  version "27.5.1"
+  resolved "https://registry.yarnpkg.com/diff-sequences/-/diff-sequences-27.5.1.tgz#eaecc0d327fd68c8d9672a1e64ab8dccb2ef5327"
+  integrity sha512-k1gCAXAsNgLwEL+Y8Wvl+M6oEFj5bgazfZULpS5CneoPPXRaCCW7dm+q21Ky2VEE5X+VeRDBVg1Pcvvsr4TtNQ==
 
 diff-sequences@^28.1.1:
   version "28.1.1"
@@ -3022,9 +3177,9 @@ dir-glob@^3.0.1:
     path-type "^4.0.0"
 
 docker-compose@^0.23.5:
-  version "0.23.17"
-  resolved "https://registry.yarnpkg.com/docker-compose/-/docker-compose-0.23.17.tgz#8816bef82562d9417dc8c790aa4871350f93a2ba"
-  integrity sha512-YJV18YoYIcxOdJKeFcCFihE6F4M2NExWM/d4S1ITcS9samHKnNUihz9kjggr0dNtsrbpFNc7/Yzd19DWs+m1xg==
+  version "0.23.19"
+  resolved "https://registry.yarnpkg.com/docker-compose/-/docker-compose-0.23.19.tgz#9947726e2fe67bdfa9e8efe1ff15aa0de2e10eb8"
+  integrity sha512-v5vNLIdUqwj4my80wxFDkNH+4S85zsRuH29SO7dCWVWPCMt/ohZBsGN6g6KXWifT0pzQ7uOxqEKCYCDPJ8Vz4g==
   dependencies:
     yaml "^1.10.2"
 
@@ -3654,6 +3809,11 @@ find-up@^4.0.0, find-up@^4.1.0:
     locate-path "^5.0.0"
     path-exists "^4.0.0"
 
+findit2@^2.2.3:
+  version "2.2.3"
+  resolved "https://registry.yarnpkg.com/findit2/-/findit2-2.2.3.tgz#58a466697df8a6205cdfdbf395536b8bd777a5f6"
+  integrity sha512-lg/Moejf4qXovVutL0Lz4IsaPoNYMuxt4PA0nGqFxnJ1CTTGGlEO2wKgoDpwknhvZ8k4Q2F+eesgkLbG2Mxfog==
+
 flat-cache@^2.0.1:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/flat-cache/-/flat-cache-2.0.1.tgz#5d296d6f04bda44a4630a301413bdbc2ec085ec0"
@@ -4234,6 +4394,13 @@ import-fresh@^3.0.0:
     parent-module "^1.0.0"
     resolve-from "^4.0.0"
 
+import-in-the-middle@^1.3.4:
+  version "1.3.4"
+  resolved "https://registry.yarnpkg.com/import-in-the-middle/-/import-in-the-middle-1.3.4.tgz#7074bbd4e84e8cdafd1eae400b04e6fe252a0768"
+  integrity sha512-TUXqqEFacJ2DWAeYOhHwGZTMJtFxFVw0C1pYA+AXmuWXZGnBqUhHdtVrSkSbW5D7k2yriBG45j23iH9TRtI+bQ==
+  dependencies:
+    module-details-from-path "^1.0.3"
+
 import-lazy@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/import-lazy/-/import-lazy-2.1.0.tgz#05698e3d45c88e8d7e9d92cb0584e77f096f3e43"
@@ -4347,6 +4514,11 @@ ioredis@^4.28.5:
     redis-parser "^3.0.0"
     standard-as-callback "^2.1.0"
 
+ipaddr.js@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-2.0.1.tgz#eca256a7a877e917aeb368b0a7497ddf42ef81c0"
+  integrity sha512-1qTgH9NG+IIJ4yfKs2e6Pp1bZg8wbDbKHT21HrLIeYBTRLgMYKnMTPAuI3Lcs61nfx5h1xlXnbJtH1kX5/d/ng==
+
 is-arrayish@^0.2.1:
   version "0.2.1"
   resolved "https://registry.yarnpkg.com/is-arrayish/-/is-arrayish-0.2.1.tgz#77c99840527aa8ecb1a8ba697b80645a7a926a9d"
@@ -4606,7 +4778,7 @@ isstream@~0.1.2:
   resolved "https://registry.yarnpkg.com/isstream/-/isstream-0.1.2.tgz#47e63f7af55afa6f92e1500e690eb8b8529c099a"
   integrity sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==
 
-istanbul-lib-coverage@^3.0.0, istanbul-lib-coverage@^3.2.0:
+istanbul-lib-coverage@3.2.0, istanbul-lib-coverage@^3.0.0, istanbul-lib-coverage@^3.2.0:
   version "3.2.0"
   resolved "https://registry.yarnpkg.com/istanbul-lib-coverage/-/istanbul-lib-coverage-3.2.0.tgz#189e7909d0a39fa5a3dfad5b03f71947770191d3"
   integrity sha512-eOeJ5BHCmHYvQK7xt9GkdHuzuCGS1Y6g9Gvnx3Ym33fz/HpLRYxiS0wHNr+m/MBC8B647Xt608vCDEvhl9c6Mw==
@@ -4727,15 +4899,15 @@ jest-config@^28.1.3:
     slash "^3.0.0"
     strip-json-comments "^3.1.1"
 
-jest-diff@^26.0.0:
-  version "26.6.2"
-  resolved "https://registry.yarnpkg.com/jest-diff/-/jest-diff-26.6.2.tgz#1aa7468b52c3a68d7d5c5fdcdfcd5e49bd164394"
-  integrity sha512-6m+9Z3Gv9wN0WFVasqjCL/06+EFCMTqDEUl/b87HYK2rAPTyfz4ZIuSlPhY51PIQRWx5TaxeF1qmXKe9gfN3sA==
+jest-diff@^27.5.1:
+  version "27.5.1"
+  resolved "https://registry.yarnpkg.com/jest-diff/-/jest-diff-27.5.1.tgz#a07f5011ac9e6643cf8a95a462b7b1ecf6680def"
+  integrity sha512-m0NvkX55LDt9T4mctTEgnZk3fmEg3NRYutvMPWM/0iPnkFj2wIeF45O1718cMSOFO1vINkqmxqD8vE37uTEbqw==
   dependencies:
     chalk "^4.0.0"
-    diff-sequences "^26.6.2"
-    jest-get-type "^26.3.0"
-    pretty-format "^26.6.2"
+    diff-sequences "^27.5.1"
+    jest-get-type "^27.5.1"
+    pretty-format "^27.5.1"
 
 jest-diff@^28.1.3:
   version "28.1.3"
@@ -4777,10 +4949,10 @@ jest-environment-node@^28.1.3:
     jest-mock "^28.1.3"
     jest-util "^28.1.3"
 
-jest-get-type@^26.3.0:
-  version "26.3.0"
-  resolved "https://registry.yarnpkg.com/jest-get-type/-/jest-get-type-26.3.0.tgz#e97dc3c3f53c2b406ca7afaed4493b1d099199e0"
-  integrity sha512-TpfaviN1R2pQWkIihlfEanwOXK0zcxrKEE4MlU6Tn7keoXdN6/3gK/xl0yEh8DOunn5pOVGKf8hB4R9gVh04ig==
+jest-get-type@^27.5.1:
+  version "27.5.1"
+  resolved "https://registry.yarnpkg.com/jest-get-type/-/jest-get-type-27.5.1.tgz#3cd613c507b0f7ace013df407a1c1cd578bcb4f1"
+  integrity sha512-2KY95ksYSaK7DMBWQn6dQz3kqAf3BB64y2udeG+hv4KfSOb9qwcYQstTJc1KCbsix+wLZWZYN8t7nwX3GOBLRw==
 
 jest-get-type@^28.0.2:
   version "28.0.2"
@@ -4814,6 +4986,16 @@ jest-leak-detector@^28.1.3:
     jest-get-type "^28.0.2"
     pretty-format "^28.1.3"
 
+jest-matcher-utils@^27.0.0:
+  version "27.5.1"
+  resolved "https://registry.yarnpkg.com/jest-matcher-utils/-/jest-matcher-utils-27.5.1.tgz#9c0cdbda8245bc22d2331729d1091308b40cf8ab"
+  integrity sha512-z2uTx/T6LBaCoNWNFWwChLBKYxTMcGBRjAt+2SbP929/Fflb9aa5LGma654Rz8z9HLxsrUaYzxE9T/EFIL/PAw==
+  dependencies:
+    chalk "^4.0.0"
+    jest-diff "^27.5.1"
+    jest-get-type "^27.5.1"
+    pretty-format "^27.5.1"
+
 jest-matcher-utils@^28.1.3:
   version "28.1.3"
   resolved "https://registry.yarnpkg.com/jest-matcher-utils/-/jest-matcher-utils-28.1.3.tgz#5a77f1c129dd5ba3b4d7fc20728806c78893146e"
@@ -5314,6 +5496,11 @@ koa@2.13.4, koa@^2.13.4:
     type-is "^1.6.16"
     vary "^1.1.2"
 
+koalas@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/koalas/-/koalas-1.0.2.tgz#318433f074235db78fae5661a02a8ca53ee295cd"
+  integrity sha512-RYhBbYaTTTHId3l6fnMZc3eGQNW6FVCqMG6AMwA5I1Mafr6AflaXeoi6x3xQuATRotGYRLk6+1ELZH4dstFNOA==
+
 latest-version@^5.1.0:
   version "5.1.0"
   resolved "https://registry.yarnpkg.com/latest-version/-/latest-version-5.1.0.tgz#119dfe908fe38d15dfa43ecd13fa12ec8832face"
@@ -5435,6 +5622,11 @@ lie@3.1.1:
   dependencies:
     immediate "~3.0.5"
 
+limiter@^1.1.4:
+  version "1.1.5"
+  resolved "https://registry.yarnpkg.com/limiter/-/limiter-1.1.5.tgz#8f92a25b3b16c6131293a0cc834b4a838a2aa7c2"
+  integrity sha512-FWWMIEOxz3GwUI4Ts/IvgVy6LPvoMPgjMdQ185nN6psJyBJ4yOpzqm695/h5umdLJg2vW3GR5iG11MAkR2AzJA==
+
 lines-and-columns@^1.1.6:
   version "1.2.4"
   resolved "https://registry.yarnpkg.com/lines-and-columns/-/lines-and-columns-1.2.4.tgz#eca284f75d2965079309dc0ad9255abb2ebc1632"
@@ -5492,6 +5684,11 @@ lodash.isstring@^4.0.1:
   resolved "https://registry.yarnpkg.com/lodash.isstring/-/lodash.isstring-4.0.1.tgz#d527dfb5456eca7cc9bb95d5daeaf88ba54a5451"
   integrity sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==
 
+lodash.kebabcase@^4.1.1:
+  version "4.1.1"
+  resolved "https://registry.yarnpkg.com/lodash.kebabcase/-/lodash.kebabcase-4.1.1.tgz#8489b1cb0d29ff88195cceca448ff6d6cc295c36"
+  integrity sha512-N8XRTIMMqqDgSy4VLKPnJ/+hpGZN+PHQiJnSenYqPaVV/NCqEogTnAdZLQiGKhxX+JCs8waWq2t1XHWKOmlY8g==
+
 lodash.memoize@4.x:
   version "4.1.2"
   resolved "https://registry.yarnpkg.com/lodash.memoize/-/lodash.memoize-4.1.2.tgz#bcc6c49a42a2840ed997f323eada5ecd182e0bfe"
@@ -5502,7 +5699,7 @@ lodash.once@^4.0.0:
   resolved "https://registry.yarnpkg.com/lodash.once/-/lodash.once-4.1.1.tgz#0dd3971213c7c56df880977d504c88fb471a97ac"
   integrity sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==
 
-lodash.pick@^4.0.0:
+lodash.pick@^4.0.0, lodash.pick@^4.4.0:
   version "4.4.0"
   resolved "https://registry.yarnpkg.com/lodash.pick/-/lodash.pick-4.4.0.tgz#52f05610fff9ded422611441ed1fc123a03001b3"
   integrity sha512-hXt6Ul/5yWjfklSGvLQl8vM//l3FtyHZeuelpzK6mm99pNvN9yTDruNZPEJZD1oWrqo+izBmB7oUfWgcCX7s4Q==
@@ -5512,6 +5709,11 @@ lodash.sortby@^4.7.0:
   resolved "https://registry.yarnpkg.com/lodash.sortby/-/lodash.sortby-4.7.0.tgz#edd14c824e2cc9c1e0b0a1b42bb5210516a42438"
   integrity sha512-HDWXG8isMntAyRF5vZ7xKuEvOhT4AhlRt/3czTSjvGUxjYCBVRQY48ViDHyfYz9VIoBkW4TMGQNapx+l3RUwdA==
 
+lodash.uniq@^4.5.0:
+  version "4.5.0"
+  resolved "https://registry.yarnpkg.com/lodash.uniq/-/lodash.uniq-4.5.0.tgz#d0225373aeb652adc1bc82e4945339a842754773"
+  integrity sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==
+
 lodash@4.17.21, lodash@^4.17.14, lodash@^4.17.19, lodash@^4.17.21:
   version "4.17.21"
   resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
@@ -5522,6 +5724,11 @@ lodash@^3.6.0:
   resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.10.1.tgz#5bf45e8e49ba4189e17d482789dfd15bd140b7b6"
   integrity sha512-9mDDwqVIma6OZX79ZlDACZl8sBm0TEnkf99zV3iMA4GzkIT/9hiqP5mY0HoT1iNLCrKc/R1HByV+yJfRWVJryQ==
 
+long@^5.0.0:
+  version "5.2.1"
+  resolved "https://registry.yarnpkg.com/long/-/long-5.2.1.tgz#e27595d0083d103d2fa2c20c7699f8e0c92b897f"
+  integrity sha512-GKSNGeNAtw8IryjjkhZxuKB3JzlcLTwjtiQCHKvqQet81I93kXslhDQruGI/QsddO83mcDToBVy7GqGS/zYf/A==
+
 lowercase-keys@^1.0.0, lowercase-keys@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/lowercase-keys/-/lowercase-keys-1.0.1.tgz#6f9e30b47084d971a7c820ff15a6c5167b74c26f"
@@ -5547,7 +5754,7 @@ lru-cache@^6.0.0:
   dependencies:
     yallist "^4.0.0"
 
-lru-cache@^7.14.1:
+lru-cache@^7.14.0, lru-cache@^7.14.1:
   version "7.14.1"
   resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-7.14.1.tgz#8da8d2f5f59827edb388e63e459ac23d6d408fea"
   integrity sha512-ysxwsnTKdAx96aTRdhDOCQfDgbHnt8SK0KY8SEjO0wHinhWOFTESbjVCMPbU1uGXg/ch4lifqx0wfjOawU2+WA==
@@ -5874,6 +6081,16 @@ node-gyp-build-optional-packages@5.0.3:
   resolved "https://registry.yarnpkg.com/node-gyp-build-optional-packages/-/node-gyp-build-optional-packages-5.0.3.tgz#92a89d400352c44ad3975010368072b41ad66c17"
   integrity sha512-k75jcVzk5wnnc/FMxsf4udAoTEUv2jY3ycfdSd3yWu6Cnd1oee6/CfZJApyscA4FJOmdoixWwiwOyf16RzD5JA==
 
+node-gyp-build@^3.9.0:
+  version "3.9.0"
+  resolved "https://registry.yarnpkg.com/node-gyp-build/-/node-gyp-build-3.9.0.tgz#53a350187dd4d5276750da21605d1cb681d09e25"
+  integrity sha512-zLcTg6P4AbcHPq465ZMFNXx7XpKKJh+7kkN699NiQWisR2uWYOWNWqRHAmbnmKiL4e9aLSlmy5U7rEMUXV59+A==
+
+node-gyp-build@^4.5.0:
+  version "4.6.0"
+  resolved "https://registry.yarnpkg.com/node-gyp-build/-/node-gyp-build-4.6.0.tgz#0c52e4cbf54bbd28b709820ef7b6a3c2d6209055"
+  integrity sha512-NTZVKn9IylLwUzaKjkas1e4u2DLNcV4rdYagA4PWdPwW87Bi7z+BznyKSRwS/761tV/lzCGXplWsiaMjLqP2zQ==
+
 node-gyp-build@~4.1.0:
   version "4.1.1"
   resolved "https://registry.yarnpkg.com/node-gyp-build/-/node-gyp-build-4.1.1.tgz#d7270b5d86717068d114cc57fff352f96d745feb"
@@ -6072,6 +6289,11 @@ only@~0.0.2:
   resolved "https://registry.yarnpkg.com/only/-/only-0.0.2.tgz#2afde84d03e50b9a8edc444e30610a70295edfb4"
   integrity sha512-Fvw+Jemq5fjjyWz6CpKx6w9s7xxqo3+JCyM0WXWeCSOboZ8ABkyvP8ID4CZuChA/wxSx+XSJmdOm8rGVyJ1hdQ==
 
+opentracing@>=0.12.1:
+  version "0.14.7"
+  resolved "https://registry.yarnpkg.com/opentracing/-/opentracing-0.14.7.tgz#25d472bd0296dc0b64d7b94cbc995219031428f5"
+  integrity sha512-vz9iS7MJ5+Bp1URw8Khvdyw1H/hGvzHWlKQ7eRrQojSCDL1/SrWfrY9QebLw97n2deyRtzHRC3MkQfVNUCo91Q==
+
 optional-js@^2.0.0:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/optional-js/-/optional-js-2.3.0.tgz#81d54c4719afa8845b988143643a5148f9d89490"
@@ -6303,6 +6525,11 @@ path-to-regexp@1.x:
   dependencies:
     isarray "0.0.1"
 
+path-to-regexp@^0.1.2:
+  version "0.1.7"
+  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.7.tgz#df604178005f522f15eb4490e7247a1bfaa67f8c"
+  integrity sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==
+
 path-type@^4.0.0:
   version "4.0.0"
   resolved "https://registry.yarnpkg.com/path-type/-/path-type-4.0.0.tgz#84ed01c0a7ba380afe09d90a8c180dcd9d03043b"
@@ -6328,6 +6555,11 @@ picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.2.3, picomatch@^2.3.1:
   resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.1.tgz#3ba3833733646d9d3e4995946c1365a67fb07a42"
   integrity sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==
 
+pify@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/pify/-/pify-5.0.0.tgz#1f5eca3f5e87ebec28cc6d54a0e4aaf00acc127f"
+  integrity sha512-eW/gHNMlxdSP6dmG6uJip6FXN0EQBwm2clYYd8Wul42Cwu/DK8HEftzsapcNdYe2MfLiIwZqsDk2RDEsTE79hA==
+
 pino-http@^5.0.1:
   version "5.8.0"
   resolved "https://registry.yarnpkg.com/pino-http/-/pino-http-5.8.0.tgz#6e688fd5f965c5b6991f340eb660ea2927be9aa7"
@@ -6624,14 +6856,13 @@ prettier@2.3.1:
   resolved "https://registry.yarnpkg.com/prettier/-/prettier-2.3.1.tgz#76903c3f8c4449bc9ac597acefa24dc5ad4cbea6"
   integrity sha512-p+vNbgpLjif/+D+DwAZAbndtRrR0md0MwfmOVN9N+2RgyACMT+7tfaRnT+WDPkqnuVwleyuBIG2XBxKDme3hPA==
 
-pretty-format@^26.0.0, pretty-format@^26.6.2:
-  version "26.6.2"
-  resolved "https://registry.yarnpkg.com/pretty-format/-/pretty-format-26.6.2.tgz#e35c2705f14cb7fe2fe94fa078345b444120fc93"
-  integrity sha512-7AeGuCYNGmycyQbCqd/3PWH4eOoX/OiCa0uphp57NVTeAGdJGaAliecxwBDHYQCIvrW7aDBZCYeNTP/WX69mkg==
+pretty-format@^27.0.0, pretty-format@^27.5.1:
+  version "27.5.1"
+  resolved "https://registry.yarnpkg.com/pretty-format/-/pretty-format-27.5.1.tgz#2181879fdea51a7a5851fb39d920faa63f01d88e"
+  integrity sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==
   dependencies:
-    "@jest/types" "^26.6.2"
-    ansi-regex "^5.0.0"
-    ansi-styles "^4.0.0"
+    ansi-regex "^5.0.1"
+    ansi-styles "^5.0.0"
     react-is "^17.0.1"
 
 pretty-format@^28.1.3:
@@ -6672,6 +6903,24 @@ prompts@^2.0.1:
     kleur "^3.0.3"
     sisteransi "^1.0.5"
 
+protobufjs@^7.0.0, protobufjs@^7.1.2:
+  version "7.2.2"
+  resolved "https://registry.yarnpkg.com/protobufjs/-/protobufjs-7.2.2.tgz#2af401d8c547b9476fb37ffc65782cf302342ca3"
+  integrity sha512-++PrQIjrom+bFDPpfmqXfAGSQs40116JRrqqyf53dymUMvvb5d/LMRyicRoF1AUKoXVS1/IgJXlEgcpr4gTF3Q==
+  dependencies:
+    "@protobufjs/aspromise" "^1.1.2"
+    "@protobufjs/base64" "^1.1.2"
+    "@protobufjs/codegen" "^2.0.4"
+    "@protobufjs/eventemitter" "^1.1.0"
+    "@protobufjs/fetch" "^1.1.0"
+    "@protobufjs/float" "^1.0.2"
+    "@protobufjs/inquire" "^1.1.0"
+    "@protobufjs/path" "^1.1.2"
+    "@protobufjs/pool" "^1.1.0"
+    "@protobufjs/utf8" "^1.1.0"
+    "@types/node" ">=13.7.0"
+    long "^5.0.0"
+
 proxy-from-env@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz#e102f16ca355424865755d2c9e8ea4f24d58c3e2"
@@ -7075,6 +7324,11 @@ restore-cursor@^3.1.0:
     onetime "^5.1.0"
     signal-exit "^3.0.2"
 
+retry@^0.10.1:
+  version "0.10.1"
+  resolved "https://registry.yarnpkg.com/retry/-/retry-0.10.1.tgz#e76388d217992c252750241d3d3956fed98d8ff4"
+  integrity sha512-ZXUSQYTHdl3uS7IuCehYfMzKyIDBNoAuUblvy5oGO5UJSUTmStUUVPXbA9Qxd173Bgre53yCQczQuHgRWAdvJQ==
+
 reusify@^1.0.4:
   version "1.0.4"
   resolved "https://registry.yarnpkg.com/reusify/-/reusify-1.0.4.tgz#90da382b1e126efc02146e90845a88db12925d76"
@@ -7323,6 +7577,11 @@ source-map@^0.6.0, source-map@^0.6.1:
   resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.6.1.tgz#74722af32e9614e9c287a8d0bbde48b5e2f1a263"
   integrity sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==
 
+source-map@^0.7.3:
+  version "0.7.4"
+  resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.7.4.tgz#a9bbe705c9d8846f4e08ff6765acf0f1b0898656"
+  integrity sha512-l3BikUxvPOcn5E74dZiq5BGsTb5yEwhaTSzccU6t4sDOH8NWJCstKO5QT2CvtFoK6F0saL7p9xHAqHOlCPJygA==
+
 source-map@^0.8.0-beta.0:
   version "0.8.0-beta.0"
   resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.8.0-beta.0.tgz#d4c1bb42c3f7ee925f005927ba10709e0d1d1f11"
@@ -7364,6 +7623,13 @@ split2@^3.1.1:
   dependencies:
     readable-stream "^3.0.0"
 
+split@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/split/-/split-1.0.1.tgz#605bd9be303aa59fb35f9229fbea0ddec9ea07d9"
+  integrity sha512-mTyOoPbrivtXnwnIxZRFYRrPNtEFKlpB2fvjSnCQUiAA6qAZzqwna5envK4uk6OIeP17CsdF3rSBGYVBsU0Tkg==
+  dependencies:
+    through "2"
+
 sprintf-js@^1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.1.2.tgz#da1765262bf8c0f571749f2ad6c26300207ae673"
@@ -7735,10 +8001,10 @@ through2@^2.0.0, through2@^2.0.1, through2@^2.0.2, through2@^2.0.3:
     readable-stream "~2.3.6"
     xtend "~4.0.1"
 
-through@^2.3.6, through@~2.3.4:
+through@2, through@^2.3.6, through@~2.3.4:
   version "2.3.8"
   resolved "https://registry.yarnpkg.com/through/-/through-2.3.8.tgz#0dd4c9ffaabc357960b1b724115d7e0e86a2e1f5"
-  integrity sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU=
+  integrity sha512-w89qg7PI8wAdvX60bMDP+bFoD5Dvhm9oLheFp5O4a2QF0cSBGsBX4qZmadPMvVqlLJBBci+WqGGOAPvcDeNSVg==
 
 timekeeper@2.2.0:
   version "2.2.0"
diff --git a/qa-core/.gitignore b/qa-core/.gitignore
index e82880bc81..08660a00a8 100644
--- a/qa-core/.gitignore
+++ b/qa-core/.gitignore
@@ -1,4 +1,5 @@
 node_modules/
 .env
 watchtower-hook.json
-dist/
\ No newline at end of file
+dist/
+.testReport.json
diff --git a/qa-core/package.json b/qa-core/package.json
index 8508361566..7733e95d46 100644
--- a/qa-core/package.json
+++ b/qa-core/package.json
@@ -12,6 +12,8 @@
     "test": "env-cmd jest --runInBand",
     "test:watch": "env-cmd jest --watch",
     "test:debug": "DEBUG=1 jest",
+    "test:notify": "node scripts/testResultsWebhook",
+    "test:ci": "jest --runInBand --json --outputFile=testResults.json",
     "docker:up": "docker-compose up -d",
     "docker:down": "docker-compose down",
     "api:server:setup": "npm run docker:up && env-cmd ts-node ../packages/builder/ts/setup.ts",
diff --git a/packages/builder/scripts/cypressResultsWebhook.js b/qa-core/scripts/testResultsWebhook.js
similarity index 70%
rename from packages/builder/scripts/cypressResultsWebhook.js
rename to qa-core/scripts/testResultsWebhook.js
index 4de4c01cc7..fc00bf34ad 100644
--- a/packages/builder/scripts/cypressResultsWebhook.js
+++ b/qa-core/scripts/testResultsWebhook.js
@@ -4,37 +4,30 @@ const fetch = require("node-fetch")
 const path = require("path")
 const fs = require("fs")
 
-const WEBHOOK_URL = process.env.CYPRESS_WEBHOOK_URL
-const DASHBOARD_URL = process.env.CYPRESS_DASHBOARD_URL
+const WEBHOOK_URL = process.env.WEBHOOK_URL
 const GIT_SHA = process.env.GITHUB_SHA
 const GITHUB_ACTIONS_RUN_URL = process.env.GITHUB_ACTIONS_RUN_URL
 
 async function generateReport() {
   // read the report file
-  const REPORT_PATH = path.resolve(
-    __dirname,
-    "..",
-    "cypress",
-    "reports",
-    "testReport.json"
-  )
+  const REPORT_PATH = path.resolve(__dirname, "..", "testReport.json")
   const report = fs.readFileSync(REPORT_PATH, "utf-8")
   return JSON.parse(report)
 }
 
-async function discordCypressResultsNotification(report) {
+async function discordResultsNotification(report) {
   const {
-    suites,
-    tests,
-    passes,
-    pending,
-    failures,
-    duration,
-    passPercent,
-    skipped,
-  } = report.stats
+    numTotalTestSuites,
+    numTotalTests,
+    numPassedTests,
+    numPendingTests,
+    numFailedTests,
+    success,
+    startTime,
+    endTime,
+  } = report
 
-  const OUTCOME = failures > 0 ? "failure" : "success"
+  const OUTCOME = success ? "success" : "failure"
 
   const options = {
     method: "POST",
@@ -68,51 +61,51 @@ async function discordCypressResultsNotification(report) {
               name: "Commit",
               value: `https://github.com/Budibase/budibase/commit/${GIT_SHA}`,
             },
-            {
-              name: "Cypress Dashboard URL",
-              value: DASHBOARD_URL || "None Supplied",
-            },
             {
               name: "Github Actions Run URL",
               value: GITHUB_ACTIONS_RUN_URL || "None Supplied",
             },
             {
               name: "Test Suites",
-              value: suites,
+              value: numTotalTestSuites,
             },
             {
               name: "Tests",
-              value: tests,
+              value: numTotalTests,
             },
             {
               name: "Passed",
-              value: passes,
+              value: numPassedTests,
             },
             {
               name: "Pending",
-              value: pending,
-            },
-            {
-              name: "Skipped",
-              value: skipped,
+              value: numPendingTests,
             },
             {
               name: "Failures",
-              value: failures,
+              value: numFailedTests,
             },
             {
               name: "Duration",
-              value: `${duration / 1000} Seconds`,
+              value: endTime
+                ? `${(endTime - startTime) / 1000} Seconds`
+                : "DNF",
             },
             {
               name: "Pass Percentage",
-              value: Math.floor(passPercent),
+              value: Math.floor((numPassedTests / numTotalTests) * 100),
             },
           ],
         },
       ],
     }),
   }
+
+  // Only post in discord when tests fail
+  if (success) {
+    return
+  }
+
   const response = await fetch(WEBHOOK_URL, options)
 
   if (response.status >= 201) {
@@ -125,7 +118,7 @@ async function discordCypressResultsNotification(report) {
 
 async function run() {
   const report = await generateReport()
-  await discordCypressResultsNotification(report)
+  await discordResultsNotification(report)
 }
 
 run()
diff --git a/scripts/pro/release.sh b/scripts/pro/release.sh
index 7fbb3c0fd6..e57d8deeb8 100755
--- a/scripts/pro/release.sh
+++ b/scripts/pro/release.sh
@@ -53,7 +53,7 @@ yarn clean -y && yarn bootstrap
 
 # Commit and push
 git add packages/pro/yarn.lock
-git commit -m "Update dependency versions to $VERSION"
+git commit -m "Update dependency versions to $VERSION" -n
 git push
 
 #############################################
@@ -91,5 +91,5 @@ git add packages/server/package.json
 git add packages/server/yarn.lock
 git add packages/worker/package.json
 git add packages/worker/yarn.lock
-git commit -m "Update pro version to $VERSION"
+git commit -m "Update pro version to $VERSION" -n
 git push