Summary
When a logged-in user's session JWT expires, the CLI's automatic re-login flow cannot be pinned to EU Cloud: it drops the parent command's --domain flag, deliberately ignores INFISICAL_API_URL when it points at a default cloud URL, defaults its region prompt to the US, and opens a browser at https://app.infisical.com/login. If that US login is completed, the config file's LoggedInUserDomain is silently rewritten to US, breaking every subsequent command for an EU-hosted org.
For EU Cloud customers running unattended scripts (hooks, cron/launchd jobs), this manifests as recurring, apparently random US-login browser pop-ups that no amount of domain configuration prevents.
Version / platform
- CLI 0.43.89 (Homebrew, macOS). Code paths verified identical in the
v0.43.105 tag.
- Account/org on Infisical Cloud EU (
https://eu.infisical.com).
Steps to reproduce
- Log in to EU Cloud:
infisical login --domain https://eu.infisical.com (browser flow). ~/.infisical/infisical-config.json correctly records LoggedInUserDomain: https://eu.infisical.com/api.
- Let the session JWT expire.
- Run any user-auth command with the domain explicitly pinned, e.g.
infisical secrets get FOO --projectId <id> --env=dev --plain --silent --domain https://eu.infisical.com
(or with INFISICAL_API_URL=https://eu.infisical.com exported).
Actual behaviour
util.GetAllEnvironmentVariables detects the expired token and calls EstablishUserLoginSession() (packages/util/secrets.go:307-309).
EstablishUserLoginSession() re-execs the CLI as exec.Command(exePath, "login", "--silent") (packages/util/auth.go:74) — only --silent is forwarded; the parent's --domain is dropped.
- In the child,
usePresetDomain() returns false even though INFISICAL_API_URL is inherited, because default cloud URLs are explicitly excluded unless --domain was set on that invocation (packages/cmd/login.go:465):
shouldUsePresetDomain := preconfiguredUrl != "" && (domainFlagExplicitlySet ||
(preconfiguredUrl != util.INFISICAL_DEFAULT_US_URL && preconfiguredUrl != util.INFISICAL_DEFAULT_EU_URL))
- Control falls to
askForDomain() (packages/cmd/login.go:503), whose default-highlighted option is "Infisical Cloud (US Region)".
browserCliLogin() opens the browser at config.INFISICAL_LOGIN_URL → https://app.infisical.com/login?... (packages/cmd/login.go:873-896). Note browser.OpenURL runs before the TTY check, so semi-interactive contexts (editor-spawned hooks etc.) still get the browser window.
- If the user completes the US login,
WriteInitalConfig persists LoggedInUserDomain: config.INFISICAL_URL (packages/util/config.go:55) — the stored EU domain is silently replaced with US.
Expected behaviour
- The automatic re-login should reuse the domain of the session that expired (
configFile.LoggedInUserDomain), or at minimum honor the parent command's --domain / INFISICAL_DOMAIN / INFISICAL_API_URL.
- An EU Cloud value in
INFISICAL_API_URL should not be discarded by usePresetDomain().
- A completed re-login should not silently change the stored account domain.
Suggested fixes
- In
EstablishUserLoginSession(), forward the domain: exec.Command(exePath, "login", "--silent", "--domain", <current config.INFISICAL_URL or LoggedInUserDomain>).
- In
usePresetDomain(), accept a preconfigured EU/US cloud URL when it matches the stored LoggedInUserDomain.
- Guard
askForDomain()/browserCliLogin() behind a TTY check so unattended runs fail loudly instead of opening a browser.
Related
Workarounds found
- Re-login manually with the explicit flag:
infisical login --domain https://eu.infisical.com.
- For unattended scripts: use machine identity /
--token (universal auth), which never reaches the interactive login path.
Summary
When a logged-in user's session JWT expires, the CLI's automatic re-login flow cannot be pinned to EU Cloud: it drops the parent command's
--domainflag, deliberately ignoresINFISICAL_API_URLwhen it points at a default cloud URL, defaults its region prompt to the US, and opens a browser athttps://app.infisical.com/login. If that US login is completed, the config file'sLoggedInUserDomainis silently rewritten to US, breaking every subsequent command for an EU-hosted org.For EU Cloud customers running unattended scripts (hooks, cron/launchd jobs), this manifests as recurring, apparently random US-login browser pop-ups that no amount of domain configuration prevents.
Version / platform
v0.43.105tag.https://eu.infisical.com).Steps to reproduce
infisical login --domain https://eu.infisical.com(browser flow).~/.infisical/infisical-config.jsoncorrectly recordsLoggedInUserDomain: https://eu.infisical.com/api.infisical secrets get FOO --projectId <id> --env=dev --plain --silent --domain https://eu.infisical.com(or with
INFISICAL_API_URL=https://eu.infisical.comexported).Actual behaviour
util.GetAllEnvironmentVariablesdetects the expired token and callsEstablishUserLoginSession()(packages/util/secrets.go:307-309).EstablishUserLoginSession()re-execs the CLI asexec.Command(exePath, "login", "--silent")(packages/util/auth.go:74) — only--silentis forwarded; the parent's--domainis dropped.usePresetDomain()returns false even thoughINFISICAL_API_URLis inherited, because default cloud URLs are explicitly excluded unless--domainwas set on that invocation (packages/cmd/login.go:465):askForDomain()(packages/cmd/login.go:503), whose default-highlighted option is "Infisical Cloud (US Region)".browserCliLogin()opens the browser atconfig.INFISICAL_LOGIN_URL→https://app.infisical.com/login?...(packages/cmd/login.go:873-896). Notebrowser.OpenURLruns before the TTY check, so semi-interactive contexts (editor-spawned hooks etc.) still get the browser window.WriteInitalConfigpersistsLoggedInUserDomain: config.INFISICAL_URL(packages/util/config.go:55) — the stored EU domain is silently replaced with US.Expected behaviour
configFile.LoggedInUserDomain), or at minimum honor the parent command's--domain/INFISICAL_DOMAIN/INFISICAL_API_URL.INFISICAL_API_URLshould not be discarded byusePresetDomain().Suggested fixes
EstablishUserLoginSession(), forward the domain:exec.Command(exePath, "login", "--silent", "--domain", <current config.INFISICAL_URL or LoggedInUserDomain>).usePresetDomain(), accept a preconfigured EU/US cloud URL when it matches the storedLoggedInUserDomain.askForDomain()/browserCliLogin()behind a TTY check so unattended runs fail loudly instead of opening a browser.Related
--domain/INFISICAL_API_URLfor explicitinfisical logininvocations, but not this auto-re-login child process, and the EU-cloud exclusion inusePresetDomainremains.Workarounds found
infisical login --domain https://eu.infisical.com.--token(universal auth), which never reaches the interactive login path.