Skip to content

Auto re-login drops --domain and ignores INFISICAL_API_URL for EU Cloud — expired EU sessions open the US login page and silently flip LoggedInUserDomain to US #312

Description

@TsunamiAI

Summary

When a logged-in user's session JWT expires, the CLI's automatic re-login flow cannot be pinned to EU Cloud: it drops the parent command's --domain flag, deliberately ignores INFISICAL_API_URL when it points at a default cloud URL, defaults its region prompt to the US, and opens a browser at https://app.infisical.com/login. If that US login is completed, the config file's LoggedInUserDomain is silently rewritten to US, breaking every subsequent command for an EU-hosted org.

For EU Cloud customers running unattended scripts (hooks, cron/launchd jobs), this manifests as recurring, apparently random US-login browser pop-ups that no amount of domain configuration prevents.

Version / platform

  • CLI 0.43.89 (Homebrew, macOS). Code paths verified identical in the v0.43.105 tag.
  • Account/org on Infisical Cloud EU (https://eu.infisical.com).

Steps to reproduce

  1. Log in to EU Cloud: infisical login --domain https://eu.infisical.com (browser flow). ~/.infisical/infisical-config.json correctly records LoggedInUserDomain: https://eu.infisical.com/api.
  2. Let the session JWT expire.
  3. Run any user-auth command with the domain explicitly pinned, e.g.
    infisical secrets get FOO --projectId <id> --env=dev --plain --silent --domain https://eu.infisical.com
    (or with INFISICAL_API_URL=https://eu.infisical.com exported).

Actual behaviour

  • util.GetAllEnvironmentVariables detects the expired token and calls EstablishUserLoginSession() (packages/util/secrets.go:307-309).
  • EstablishUserLoginSession() re-execs the CLI as exec.Command(exePath, "login", "--silent") (packages/util/auth.go:74) — only --silent is forwarded; the parent's --domain is dropped.
  • In the child, usePresetDomain() returns false even though INFISICAL_API_URL is inherited, because default cloud URLs are explicitly excluded unless --domain was set on that invocation (packages/cmd/login.go:465):
    shouldUsePresetDomain := preconfiguredUrl != "" && (domainFlagExplicitlySet ||
        (preconfiguredUrl != util.INFISICAL_DEFAULT_US_URL && preconfiguredUrl != util.INFISICAL_DEFAULT_EU_URL))
  • Control falls to askForDomain() (packages/cmd/login.go:503), whose default-highlighted option is "Infisical Cloud (US Region)".
  • browserCliLogin() opens the browser at config.INFISICAL_LOGIN_URLhttps://app.infisical.com/login?... (packages/cmd/login.go:873-896). Note browser.OpenURL runs before the TTY check, so semi-interactive contexts (editor-spawned hooks etc.) still get the browser window.
  • If the user completes the US login, WriteInitalConfig persists LoggedInUserDomain: config.INFISICAL_URL (packages/util/config.go:55) — the stored EU domain is silently replaced with US.

Expected behaviour

  • The automatic re-login should reuse the domain of the session that expired (configFile.LoggedInUserDomain), or at minimum honor the parent command's --domain / INFISICAL_DOMAIN / INFISICAL_API_URL.
  • An EU Cloud value in INFISICAL_API_URL should not be discarded by usePresetDomain().
  • A completed re-login should not silently change the stored account domain.

Suggested fixes

  1. In EstablishUserLoginSession(), forward the domain: exec.Command(exePath, "login", "--silent", "--domain", <current config.INFISICAL_URL or LoggedInUserDomain>).
  2. In usePresetDomain(), accept a preconfigured EU/US cloud URL when it matches the stored LoggedInUserDomain.
  3. Guard askForDomain()/browserCliLogin() behind a TTY check so unattended runs fail loudly instead of opening a browser.

Related

Workarounds found

  • Re-login manually with the explicit flag: infisical login --domain https://eu.infisical.com.
  • For unattended scripts: use machine identity / --token (universal auth), which never reaches the interactive login path.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions