feat: add login status command #240
Conversation
💬 Discussion in Slack: #pr-review-cli-240-feat-add-login-status-command Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.
LGTM, self-contained additive command that follows existing CLI patterns.
Extended reasoning...
Overview
This PR adds a single new file, packages/cmd/login_status.go, registering an infisical login status subcommand under the existing loginCmd. It reads the persisted credentials via the existing util.GetCurrentLoggedInUserDetails, optionally decodes the JWT payload to display org/expiry info, and supports a --json flag.
Security risks
The JWT payload is decoded without signature verification, which is fine here because it is only being used to display claims about the user's own locally-stored session (no auth decisions are made from it). The token is sent via SetAuthToken only to the configured Infisical domain to resolve org names, matching the patterns already used elsewhere in the CLI. No new credential storage, no new network endpoints, no permission-affecting logic.
Level of scrutiny
Low. This is an additive, read-only diagnostic command — analogous to gh auth status. It does not touch existing code paths, does not modify auth/crypto, and failures degrade to debug logs without exposing data.
Other factors
The bug-hunting system found nothing; the API calls (CallGetAllOrganizationsWithSubOrgs, CallGetAllOrganizations) and util helpers (PrintfStdout, GetRestyClientWithCustomHeaders, HandleError) are all pre-existing and used consistently. Exit codes correctly distinguish authenticated, expired, and not-authenticated states.
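The review above rests on two points: the JWT payload is decoded without signature verification purely for display, and the command's result is a three-way authenticated/expired/not-authenticated state. The following is an added, self-contained example of that logic and is not code from the PR or from the Infisical CLI; the claim field names (`sub`, `organizationId`, `exp`), the exit-code mapping in `exitCode`, and the helper names are assumptions made for illustration, and the tokens it feeds itself are constructed with a junk signature segment so it runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Status is the three-way outcome a status command reports.
type Status int

const (
	StatusNotAuthenticated Status = iota
	StatusAuthenticated
	StatusExpired
)

// Claims is the subset of payload fields worth displaying. The JSON names are
// assumed for illustration; they are not Infisical's actual claim schema.
type Claims struct {
	Sub   string `json:"sub"`
	OrgID string `json:"organizationId"`
	Exp   int64  `json:"exp"`
}

// decodeUnverifiedClaims returns the payload of a compact JWS without checking
// its signature. That is acceptable only because the caller displays claims
// about the user's own locally stored session; nothing returned here may drive
// an authorisation decision, since any field can be forged by editing the token.
func decodeUnverifiedClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("not a compact JWS: expected 3 dot-separated segments")
	}
	// JWS segments are unpadded base64url; tolerate stray padding anyway.
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return Claims{}, fmt.Errorf("payload segment is not base64url: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, fmt.Errorf("payload segment is not JSON: %w", err)
	}
	return c, nil
}

// classify maps a stored credential to a Status. Service tokens ("st." prefix)
// are opaque, so their expiry cannot be judged locally and they are reported as
// authenticated; an undecodable value degrades to not-authenticated instead of
// crashing the command.
func classify(token string, now time.Time) (Status, Claims) {
	if token == "" {
		return StatusNotAuthenticated, Claims{}
	}
	if strings.HasPrefix(token, "st.") {
		return StatusAuthenticated, Claims{}
	}
	c, err := decodeUnverifiedClaims(token)
	if err != nil {
		return StatusNotAuthenticated, Claims{}
	}
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)) {
		return StatusExpired, c
	}
	return StatusAuthenticated, c
}

// exitCode: 0 authenticated, 1 not authenticated, 2 expired (assumed mapping).
func exitCode(s Status) int {
	switch s {
	case StatusAuthenticated:
		return 0
	case StatusExpired:
		return 2
	default:
		return 1
	}
}

// redact is what a status printer should show instead of the credential:
// its type prefix, a mask and its length, never the token itself.
func redact(token string) string {
	if len(token) <= 6 {
		return strings.Repeat("*", len(token))
	}
	return fmt.Sprintf("%s**** (%d chars)", token[:3], len(token))
}

// makeTestToken builds a constructed JWT whose signature segment is junk; it
// exists only so the example runs offline against realistic-looking input.
func makeTestToken(c Claims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".not-a-real-signature"
}

func main() {
	now := time.Now()
	for _, tok := range []string{
		makeTestToken(Claims{Sub: "user-1", OrgID: "org-1", Exp: now.Add(time.Hour).Unix()}),
		makeTestToken(Claims{Sub: "user-1", OrgID: "org-1", Exp: now.Add(-time.Minute).Unix()}),
		"st.fake-id.fake-key",
		"",
	} {
		s, c := classify(tok, now)
		fmt.Printf("token=%-22s status=%d exit=%d org=%q\n", redact(tok), s, exitCode(s), c.OrgID)
	}
}
```

The point the example makes beyond the review text: the decode path never touches the signature segment, so every displayed claim is untrusted data and the only thing the command may safely conclude from it is "this token will be rejected because its `exp` has passed"; anything else (org membership, identity) should come from the server call the PR already makes.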
```go
func buildMachineIdentityContext(token, source, domain string) loginStatusContext {
	// Service tokens (`st.<id>.<key>` format) are opaque — no JWT to decode.
	if strings.HasPrefix(token, "st.") {
		return loginStatusContext{
			kind:        principalKindServiceToken,
			domain:      domain,
			rawToken:    token,
			tokenSource: source,
		}
	}
```
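Review bot: the first branch of `buildMachineIdentityContext` returns a `principalKindServiceToken` context, so the name promises one principal kind and the function delivers two; either rename it (something like `buildTokenContext`) or move the `strings.HasPrefix(token, "st.")` branch into its own constructor so each function builds what its name says. Separately, `rawToken: token` keeps the full credential on the context struct: please confirm that every printer fed from it, the `--json` path included, emits only a redacted form (prefix and length) and never `rawToken` itself.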
The function name here is a bit misleading; machine identities are not the same as service tokens.
```go
// detectMachineIdentityEnvToken returns the machine-identity / service-token
// credential exported in the environment, mirroring the precedence used by
// util.GetInfisicalToken. The legacy `TOKEN` gateway variable is intentionally
// omitted here because its name collides with too many unrelated tools.
func detectMachineIdentityEnvToken() (token, source string, ok bool) {
```
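Review bot: the comment says this mirrors the precedence of `util.GetInfisicalToken` and then deliberately drops the legacy `TOKEN` variable, so the two lookups no longer agree: a user whose other commands authenticate through `TOKEN` will be told by `login status` that no credential is present (`ok == false`). Either name the variables that are checked in the not-authenticated hint so the discrepancy is visible to the user, or read `TOKEN` as well and label its `source` as legacy in the output; a status command should not report "not authenticated" for a credential the rest of the CLI accepts.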
```go
	case principalKindMachineIdentity:
		util.PrintlnStdout(" - Run `infisical login` to re-authenticate and re-export your token.")
```
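Review bot: in the `principalKindMachineIdentity` case this hint tells the user to run `infisical login` and re-export the token, but per `detectMachineIdentityEnvToken` the credential may have come from the environment, where the problem is as likely to be the target instance as the token; as the discussion below notes, the message should say what is actually needed, namely a fresh token for the identity and a `--domain` / `INFISICAL_API_URL` pointing at the right instance, rather than implying re-export is always the fix.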
As the public docs state, all operations using a machine/service token will use either INFISICAL_API_URL or the --domain flag. I kept the same behavior as other commands. For me this is confusing in the entire CLI, not only here.
The behavior is fine. I think we just need to update the message on the last bullet point to make it clear that they may not need to export the token, just pass the domain. (if that's the issue)
The CLI is too broad haha, already found a way to tell them apart, working in the fix
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 33062794 | Triggered | Generic CLI Secret | 4917f68 | packages/cmd/login_status_test.go |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.