fix: extend offline secret caching to token-based auth and fix connection check #272
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -374,6 +374,33 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo | |
| errorToReturn = err | ||
| secretsToReturn = res.Secrets | ||
| } | ||
|
|
||
| // cache secrets on success, fallback to cached secrets on connection/server failure | ||
| if errorToReturn == nil && params.WorkspaceId != "" { | ||
| if backupEncryptionKey, err := GetBackupEncryptionKey(); err == nil { | ||
| WriteBackupSecrets(params.WorkspaceId, params.Environment, params.SecretsPath, backupEncryptionKey, secretsToReturn) | ||
| } | ||
| } else if errorToReturn != nil && params.WorkspaceId != "" { | ||
| // Only fall back to cache for connection errors or server errors (5xx). | ||
| // Do not mask client errors (4xx) like 401/403 which indicate auth issues. | ||
| shouldFallback := true | ||
| var apiErr *api.APIError | ||
| if errors.As(errorToReturn, &apiErr) && apiErr.StatusCode >= 400 && apiErr.StatusCode < 500 { | ||
| shouldFallback = false | ||
| } | ||
|
|
||
| if shouldFallback { | ||
| backupEncryptionKey, _ := GetBackupEncryptionKey() | ||
| if backupEncryptionKey != nil { | ||
| backedUpSecrets, err := ReadBackupSecrets(params.WorkspaceId, params.Environment, params.SecretsPath, backupEncryptionKey) | ||
| if len(backedUpSecrets) > 0 { | ||
| PrintWarning("Unable to fetch the latest secret(s) due to connection error, serving secrets from last successful fetch. For more info, run with --debug") | ||
| secretsToReturn = backedUpSecrets | ||
| errorToReturn = err | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
Comment on lines
+383
to
+403
Contributor
There was a problem hiding this comment.
The user-auth path (line 349) only reads from cache when
Contributor
Author
There was a problem hiding this comment. Good catch β fixed. The fallback now only triggers on connection errors or server errors (5xx). Client errors (4xx) like 401/403 are no longer masked β they propagate as-is so the user sees an actionable auth failure message instead of stale cached secrets. shouldFallback := true
var apiErr *api.APIError
if errors.As(errorToReturn, &apiErr) && apiErr.StatusCode >= 400 && apiErr.StatusCode < 500 {
shouldFallback = false
} |
||
| } | ||
|
|
||
| return secretsToReturn, errorToReturn | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
INFISICAL_URLconfig.INFISICAL_URLis user-supplied and passed directly tohttp.Get. An attacker who can influence this value (e.g., via a misconfigured environment variable) could use it to probe internal network endpoints β making the CLI an SSRF oracle. Consider validating that the URL is a known-safe external host, or at minimum ensuring the scheme ishttpsand the host is not a private/loopback address. This vector existed before this PR but the change makes it more prominent as the health-check path is now load-bearing for the offline fallback decision.Context Used: Flag SSRF risks (source)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Acknowledged β this is a pre-existing pattern (the URL was already used in
http.Getbefore this PR). HardeningINFISICAL_URLvalidation is a good idea but out of scope for this bugfix PR.