Login command in CLI does not respect --domain flag and INFISICAL_API_URL env var for self-hosted instances
Describe the bug
The Infisical CLI should respect the --domain flag/INFISICAL_API_URL environment variable, bypassing the manual domain entry for self-hosted instances during login. Currently, even when specifying these parameters, users are prompted to input the domain manually.
This would make the CLI more user & script-friendly, particularly in scenarios where shell scripts use the CLI, and the user's session expires.
I currently use this expect script in my shell scripts to automate the domain input.
A way to bypass the prompt (or a flag like --self-hosted) would eliminate the need for these workarounds.
To Reproduce
Steps to reproduce the behavior:
- Set INFISICAL_API_URL or --domain to a self-hosted instance
- run infisical login
Expected behavior
When using the CLI for a self-hosted instance, the flow should be entirely non-interactive after providing the necessary environment variables or flags (other than the user passing in the token).
For example:
$ export INFISICAL_API_URL="https://infisical.example.com/"
$ infisical login
✔ Self Hosting
Domain: https://infisical.example.com
To complete your login, open this address in your browser: https://infisical.example.com/login?callback_port=1234
...
Token:
Screenshots
Platform you are having the issue on:
Linux
Can I take this issue?
same here
infisical version 0.31.0
Hey @Dani4kor, @Rishabhg71, and @Badbird5907! This has now been rolled out in the latest CLI update. Please update to version 0.31.9 in order to see these changes. You can now use the --domain flag when using the infisical login command, or alternatively simply set the INFISICAL_API_URL environment variable. Both options are now respected by the login command.
Thank you for reporting this!
This issue is still present in 0.41.2. Please let me know if I should create a new issue. See below for my testing:
➜ infisical -v
infisical version 0.41.2
My script is as follows (obfuscated FQDN):
#!/usr/bin/env bash
set -euo pipefail
# Ensure required environment variables are set
: "${INFISICAL_CLIENT_ID:?Missing INFISICAL_CLIENT_ID}"
: "${INFISICAL_CLIENT_SECRET:?Missing INFISICAL_CLIENT_SECRET}"
# Log in with universal auth; assign before exporting so that a failed
# login aborts the script under `set -e` instead of being masked by `export`
INFISICAL_TOKEN=$(
  infisical login \
    --domain="https://my-fqdn.com/api" \
    --method=universal-auth \
    --client-id="${INFISICAL_CLIENT_ID}" \
    --client-secret="${INFISICAL_CLIENT_SECRET}" \
    --silent \
    --plain
)
export INFISICAL_TOKEN
# Fetch secrets for the given project and environment
infisical secrets \
  --projectId=17f37396-0b2e-4324-bb45-9aa22672394f \
  --env=prod \
  --recursive
This is what it returns:
➜ ./fetch_infisical_secrets.sh
error: CallGetRawSecretsV3: Unsuccessful response [GET https://app.infisical.com/api/v3/secrets/raw?environment=prod&expandSecretReferences=true&include_imports=true&recursive=true&secretPath=%2F&workspaceId=17f37396-0b2e-4324-bb45-9aa22672394f] [status-code=403] [response={"reqId":"req-1JCNlgLHC3OeqE","statusCode":403,"message":"invalid signature","error":"TokenError"}]
However, if I do export INFISICAL_API_URL="https://my-fqdn.com/api" and omit the --domain option from the script, it successfully retrieves secrets, as shown below:
➜ ./fetch_infisical_secrets.sh
┌─────────────┬──────────────┬─────────────┐
│ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
├─────────────┼──────────────┼─────────────┤
│ test_secret │ test_value   │ shared      │
└─────────────┴──────────────┴─────────────┘
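As an added example (not part of the comment above and not Infisical's own code), a guard that a script like this one could run over CLI error output: it pulls the request URL out of an error line and flags when its host differs from the configured self-hosted instance, which is the situation the 403 above shows. The function names are hypothetical, and the sample line is constructed by shortening the error quoted on this page.

```shell
#!/bin/sh
# Added example: detect when the CLI contacted a host other than the
# configured self-hosted instance. All function names are hypothetical.

# Print the lowercase host[:port] part of a URL.
url_host() {
    rest=${1#*://}        # drop the scheme
    rest=${rest%%/*}      # drop the path
    rest=${rest%%\?*}     # drop a query string that follows the host directly
    rest=${rest##*@}      # drop any userinfo
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# Extract the request URL from an error line of the form
#   ... [GET https://host/path?query] [status-code=403] ...
# Prints nothing when the line contains no such bracketed request.
error_request_url() {
    printf '%s\n' "$1" |
        sed -n 's|.*\[[A-Z][A-Z]* \(https\{0,1\}://[^] ]*\)\].*|\1|p'
}

# check_request_host EXPECTED_URL ERROR_LINE
# Returns 0 when the request host matches the expected instance,
# 1 on a mismatch, 2 when no request URL is present in the line.
check_request_host() {
    expected=$(url_host "$1")
    url=$(error_request_url "$2")
    [ -n "$url" ] || return 2
    actual=$(url_host "$url")
    if [ "$actual" != "$expected" ]; then
        echo "host mismatch: expected $expected, CLI contacted $actual" >&2
        return 1
    fi
}

# Constructed sample, shortened from the error shown in the comment above.
sample='error: CallGetRawSecretsV3: Unsuccessful response [GET https://app.infisical.com/api/v3/secrets/raw?environment=prod] [status-code=403]'
check_request_host "https://my-fqdn.com/api" "$sample" || echo "check exited with $?"
```

A mismatch here means a token issued by the self-hosted instance was presented to a different host, so treat it as a reason to rotate that token as well as a configuration error.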