fix: auto-authenticate with Universal Auth client credentials in GetInfisicalToken #201
devin-ai-integration[bot] wants to merge 3 commits into main
…nfisicalToken

When INFISICAL_UNIVERSAL_AUTH_CLIENT_ID and INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET environment variables are set, GetInfisicalToken() now automatically exchanges them for an access token using the existing UniversalAuthLogin() function.

Previously, GetInfisicalToken() only checked for pre-existing access tokens (--token flag, INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN, INFISICAL_TOKEN env vars). If none were found, it returned nil, causing commands like 'infisical run' to fall back to the interactive login flow — which fails in non-interactive environments like Claude Code, CI runners, and other automated tooling.

This fixes 'run', 'export', 'secrets', and all other commands that use GetInfisicalToken.

Co-Authored-By: jake <jake@infisical.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9592fb9063
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
- Split GetInfisicalToken into local-only DetectInfisicalToken (for PersistentPreRun warning) and network-capable GetInfisicalToken, so the root command no longer performs a network call or double-mints tokens on every CLI invocation.
- Skip auto-UA-login when --auth-method flag or INFISICAL_AUTH_METHOD env var is set, so gateway/relay flows using AWS/GCP/K8s auth are not short-circuited by stale UA credentials in the environment.
- Reduce UniversalAuthLogin retry count from 10000 (≈55h worst-case) to 3 retries with 2-5s wait, so CLI commands fail fast on transport errors instead of blocking indefinitely.

Co-Authored-By: jake <jake@infisical.com>
Addressed all three Codex review comments in 4a991c2:
@codex re-review this PR
@claude re-review this PR
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4a991c203e
Only check INFISICAL_AUTH_METHOD env var when the command actually has the --auth-method flag registered (e.g. gateway, relay). Commands like run, export, and secrets do not define this flag, so a globally-set INFISICAL_AUTH_METHOD should not prevent auto-login for those commands.

Co-Authored-By: jake <jake@infisical.com>
@claude re-review this and be super cautious
@codex re-review this and be super cautious
Codex Review: Didn't find any major issues. Hooray!
Description 📣

When INFISICAL_UNIVERSAL_AUTH_CLIENT_ID and INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET environment variables are set, commands like infisical run, infisical export, and infisical secrets fail with "No valid login session found, triggering login flow" instead of automatically authenticating.

Root cause: GetInfisicalToken() only checks for pre-existing access tokens (--token flag, INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN, INFISICAL_TOKEN env vars). The client ID and client secret are credentials that need to be exchanged for an access token, but GetInfisicalToken() never performs that exchange — so it returns nil, and downstream code falls back to the interactive login flow.

Fix: In GetInfisicalToken(), right before returning nil when no explicit token is found, check if both INFISICAL_UNIVERSAL_AUTH_CLIENT_ID and INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET are set. If so, call the existing UniversalAuthLogin() function to exchange them for an access token. This fixes every command that uses GetInfisicalToken — run, export, secrets, etc. — in one shot.

This is critical for non-interactive environments like Claude Code, CI runners, and other automated tooling where the interactive login flow is not possible.

Codex Review Feedback (addressed in follow-up commit)

- Respect --auth-method over auto UA login — GetInfisicalToken now checks for --auth-method flag or INFISICAL_AUTH_METHOD env var before attempting auto-login. If either is set, it returns nil so the caller's auth-method flow (AWS, GCP, K8s, etc.) takes over. This prevents stale UA env vars from short-circuiting gateway/relay flows using other auth strategies.
- Fail-fast retries — Reduced UniversalAuthLogin from 10,000 retries / 20s max-wait (≈55h worst-case) to 3 retries with 2-5s wait, appropriate for one-shot CLI commands in CI/automation.
- No network call in PersistentPreRun — Split into DetectInfisicalToken (local-only, for the "session overwritten" warning) and GetInfisicalToken (with network exchange). The root command's PersistentPreRun now uses DetectInfisicalToken, eliminating the double token-minting and network dependency on every CLI invocation.

Type ✨

Tests 🛠️

go build ./...

To verify manually:
Link to Devin session: https://app.devin.ai/sessions/28035c0473714f72a18187edc405bf38
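
The token resolution order this pull request describes, modelled as an added Go example that is not the Infisical CLI's own code. `Inputs`, `Detect`, `Resolve`, the `login` callback and the source labels are hypothetical names; the order of the two access-token variables is assumed to follow the order the description lists them, and the wait between attempts is left out.

```go
package main

import "fmt"

// Inputs is a hypothetical snapshot of what one command invocation sees.
type Inputs struct {
	TokenFlag, AuthMethodFlag string            // values of --token and --auth-method
	HasAuthMethodFlag         bool              // command registers --auth-method (gateway, relay)
	Env                       map[string]string // environment variables
}

// Detect is local-only: no network call, so a pre-run hook can use it on every invocation.
func Detect(in Inputs) (token, source string) {
	if in.TokenFlag != "" {
		return in.TokenFlag, "--token"
	}
	for _, k := range []string{"INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN", "INFISICAL_TOKEN"} {
		if v := in.Env[k]; v != "" {
			return v, k
		}
	}
	return "", ""
}

// Resolve adds the client-credential exchange as a last resort, bounded by maxAttempts.
func Resolve(in Inputs, login func(id, secret string) (string, error), maxAttempts int) (string, string, error) {
	if tok, src := Detect(in); tok != "" {
		return tok, src, nil
	}
	// INFISICAL_AUTH_METHOD only counts for commands that register --auth-method.
	otherMethod := in.HasAuthMethodFlag && (in.AuthMethodFlag != "" || in.Env["INFISICAL_AUTH_METHOD"] != "")
	id, secret := in.Env["INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"], in.Env["INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"]
	if otherMethod || id == "" || secret == "" {
		return "", "", nil // no token: the caller's own auth flow takes over
	}
	err := fmt.Errorf("no login attempt made")
	for i := 0; i < maxAttempts; i++ {
		var tok string
		if tok, err = login(id, secret); err == nil {
			return tok, "universal-auth-exchange", nil
		}
	}
	return "", "", fmt.Errorf("universal auth login failed after %d attempts: %w", maxAttempts, err)
}

func main() {
	env := map[string]string{"INFISICAL_UNIVERSAL_AUTH_CLIENT_ID": "example-id", "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET": "example-secret"} // constructed values
	login := func(id, secret string) (string, error) { return "minted-token", nil } // stand-in for the network exchange
	fmt.Println(Resolve(Inputs{Env: env}, login, 3))
}
```

Returning the source alongside the token lets a caller log which credential path was taken without logging the token itself.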