improvement: used fix length mask for secrets when unfocused to prevent inference attacks

fix outdated cli instructions
Merge pull request #4424 from Infisical/fix-daily-invite-users
2025-08-28 18:55:53 +00:00 · 2025-08-27 18:20:01 -07:00 · 2025-08-27 17:02:52 -04:00 · 2025-08-27 15:10:37 -04:00 · 2025-08-27 09:38:06 -07:00 · 2025-08-27 17:51:14 +05:30
28 changed files with 330 additions and 148 deletions
--- a/backend/src/db/migrations/20250808174003_add-user-alias-is-email-verified.ts
+++ b/backend/src/db/migrations/20250808174003_add-user-alias-is-email-verified.ts
@@ -0,0 +1,49 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const BATCH_SIZE = 1000;
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.UserAliases, "isEmailVerified"))) {
+    // Add the column
+    await knex.schema.alterTable(TableName.UserAliases, (t) => {
+      t.boolean("isEmailVerified").defaultTo(false);
+    });
+
+    const aliasesToUpdate: { aliasId: string; isEmailVerified: boolean }[] = await knex(TableName.UserAliases)
+      .join(TableName.Users, `${TableName.UserAliases}.userId`, `${TableName.Users}.id`)
+      .select([`${TableName.UserAliases}.id as aliasId`, `${TableName.Users}.isEmailVerified`]);
+
+    for (let i = 0; i < aliasesToUpdate.length; i += BATCH_SIZE) {
+      const batch = aliasesToUpdate.slice(i, i + BATCH_SIZE);
+
+      const trueIds = batch.filter((row) => row.isEmailVerified).map((row) => row.aliasId);
+
+      if (trueIds.length > 0) {
+        // eslint-disable-next-line no-await-in-loop
+        await knex(TableName.UserAliases).whereIn("id", trueIds).update({ isEmailVerified: true });
+      }
+    }
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.AuthTokens, "aliasId"))) {
+    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
+      t.string("aliasId").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.UserAliases, "isEmailVerified")) {
+    await knex.schema.alterTable(TableName.UserAliases, (t) => {
+      t.dropColumn("isEmailVerified");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.AuthTokens, "aliasId")) {
+    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
+      t.dropColumn("aliasId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250824173438_add-approval-secret-read-compat.ts
+++ b/backend/src/db/migrations/20250824173438_add-approval-secret-read-compat.ts
@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "shouldCheckSecretPermission"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.boolean("shouldCheckSecretPermission").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "shouldCheckSecretPermission")) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.dropColumn("shouldCheckSecretPermission");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250824192801_backfill-secret-read-compat-flag.ts
+++ b/backend/src/db/migrations/20250824192801_backfill-secret-read-compat-flag.ts
@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { selectAllTableCols } from "@app/lib/knex";
+
+import { TableName } from "../schemas";
+
+const BATCH_SIZE = 100;
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "shouldCheckSecretPermission")) {
+    // find all existing SecretApprovalPolicy rows to backfill shouldCheckSecretPermission flag
+    const rows = await knex(TableName.SecretApprovalPolicy).select(selectAllTableCols(TableName.SecretApprovalPolicy));
+
+    if (rows.length > 0) {
+      for (let i = 0; i < rows.length; i += BATCH_SIZE) {
+        const batch = rows.slice(i, i + BATCH_SIZE);
+        // eslint-disable-next-line no-await-in-loop
+        await knex(TableName.SecretApprovalPolicy)
+          .whereIn(
+            "id",
+            batch.map((row) => row.id)
+          )
+          .update({ shouldCheckSecretPermission: true });
+      }
+    }
+  }
+}
+
+export async function down(): Promise<void> {}
--- a/backend/src/db/schemas/auth-tokens.ts
+++ b/backend/src/db/schemas/auth-tokens.ts
@@ -17,7 +17,8 @@ export const AuthTokensSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  userId: z.string().uuid().nullable().optional(),
-  orgId: z.string().uuid().nullable().optional()
+  orgId: z.string().uuid().nullable().optional(),
+  aliasId: z.string().nullable().optional()
 });

 export type TAuthTokens = z.infer<typeof AuthTokensSchema>;
--- a/backend/src/db/schemas/secret-approval-policies.ts
+++ b/backend/src/db/schemas/secret-approval-policies.ts
@@ -17,7 +17,8 @@ export const SecretApprovalPoliciesSchema = z.object({
  updatedAt: z.date(),
  enforcementLevel: z.string().default("hard"),
  deletedAt: z.date().nullable().optional(),
-  allowedSelfApprovals: z.boolean().default(true)
+  allowedSelfApprovals: z.boolean().default(true),
+  shouldCheckSecretPermission: z.boolean().nullable().optional()
 });

 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/user-aliases.ts
+++ b/backend/src/db/schemas/user-aliases.ts
@@ -16,7 +16,8 @@ export const UserAliasesSchema = z.object({
  emails: z.string().array().nullable().optional(),
  orgId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  isEmailVerified: z.boolean().default(false).nullable().optional()
 });

 export type TUserAliases = z.infer<typeof UserAliasesSchema>;
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@@ -305,7 +305,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                secretPath: z.string().optional().nullable(),
                enforcementLevel: z.string(),
                deletedAt: z.date().nullish(),
-                allowedSelfApprovals: z.boolean()
+                allowedSelfApprovals: z.boolean(),
+                shouldCheckSecretPermission: z.boolean().nullable().optional()
              }),
              environment: z.string(),
              statusChangedByUser: approvalRequestUser.optional(),
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -400,15 +400,13 @@ export const ldapConfigServiceFactory = ({

      userAlias = await userDAL.transaction(async (tx) => {
        let newUser: TUsers | undefined;
-        if (serverCfg.trustLdapEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email: email.toLowerCase(),
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
+        newUser = await userDAL.findOne(
+          {
+            email: email.toLowerCase(),
+            isEmailVerified: true
+          },
+          tx
+        );

        if (!newUser) {
          const uniqueUsername = await normalizeUsername(username, userDAL);
@@ -433,7 +431,8 @@ export const ldapConfigServiceFactory = ({
            aliasType: UserAliasType.LDAP,
            externalId,
            emails: [email],
-            orgId
+            orgId,
+            isEmailVerified: serverCfg.trustLdapEmails
          },
          tx
        );
@@ -556,15 +555,14 @@ export const ldapConfigServiceFactory = ({
      return newUser;
    });

-    const isUserCompleted = Boolean(user.isAccepted);
-
+    const isUserCompleted = Boolean(user.isAccepted) && userAlias.isEmailVerified;
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
        hasExchangedPrivateKey: true,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        ...(user.email && { email: user.email, isEmailVerified: userAlias.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
@@ -572,6 +570,7 @@ export const ldapConfigServiceFactory = ({
        organizationSlug: organization.slug,
        authMethod: AuthMethod.LDAP,
        authType: UserAliasType.LDAP,
+        aliasId: userAlias.id,
        isUserCompleted,
        ...(relayState
          ? {
@@ -585,10 +584,11 @@ export const ldapConfigServiceFactory = ({
      }
    );

-    if (user.email && !user.isEmailVerified) {
+    if (user.email && !userAlias.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
+        userId: user.id,
+        aliasId: userAlias.id
      });

      await smtpService.sendMail({
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -180,7 +180,7 @@ export const oidcConfigServiceFactory = ({
    }

    const appCfg = getConfig();
-    const userAlias = await userAliasDAL.findOne({
+    let userAlias = await userAliasDAL.findOne({
      externalId,
      orgId,
      aliasType: UserAliasType.OIDC
@@ -231,32 +231,29 @@ export const oidcConfigServiceFactory = ({
    } else {
      user = await userDAL.transaction(async (tx) => {
        let newUser: TUsers | undefined;
+        // we prioritize getting the most complete user to create the new alias under
+        newUser = await userDAL.findOne(
+          {
+            email,
+            isEmailVerified: true
+          },
+          tx
+        );

-        if (serverCfg.trustOidcEmails) {
-          // we prioritize getting the most complete user to create the new alias under
+        if (!newUser) {
+          // this fetches user entries created via invites
          newUser = await userDAL.findOne(
            {
-              email,
-              isEmailVerified: true
+              username: email
            },
            tx
          );

-          if (!newUser) {
-            // this fetches user entries created via invites
-            newUser = await userDAL.findOne(
-              {
-                username: email
-              },
-              tx
-            );
-
-            if (newUser && !newUser.isEmailVerified) {
-              // we automatically mark it as email-verified because we've configured trust for OIDC emails
-              newUser = await userDAL.updateById(newUser.id, {
-                isEmailVerified: true
-              });
-            }
+          if (newUser && !newUser.isEmailVerified) {
+            // we automatically mark it as email-verified because we've configured trust for OIDC emails
+            newUser = await userDAL.updateById(newUser.id, {
+              isEmailVerified: serverCfg.trustOidcEmails
+            });
          }
        }

@@ -276,13 +273,14 @@ export const oidcConfigServiceFactory = ({
          );
        }

-        await userAliasDAL.create(
+        userAlias = await userAliasDAL.create(
          {
            userId: newUser.id,
            aliasType: UserAliasType.OIDC,
            externalId,
            emails: email ? [email] : [],
-            orgId
+            orgId,
+            isEmailVerified: serverCfg.trustOidcEmails
          },
          tx
        );
@@ -404,19 +402,20 @@ export const oidcConfigServiceFactory = ({

    await licenseService.updateSubscriptionOrgMemberCount(organization.id);

-    const isUserCompleted = Boolean(user.isAccepted);
+    const isUserCompleted = Boolean(user.isAccepted) && userAlias.isEmailVerified;
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        ...(user.email && { email: user.email, isEmailVerified: userAlias.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
        organizationId: organization.id,
        organizationSlug: organization.slug,
        hasExchangedPrivateKey: true,
+        aliasId: userAlias.id,
        authMethod: AuthMethod.OIDC,
        authType: UserAliasType.OIDC,
        isUserCompleted,
@@ -430,10 +429,11 @@ export const oidcConfigServiceFactory = ({

    await oidcConfigDAL.update({ orgId }, { lastUsed: new Date() });

-    if (user.email && !user.isEmailVerified) {
+    if (user.email && !userAlias.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
+        userId: user.id,
+        aliasId: userAlias.id
      });

      await smtpService
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -246,7 +246,7 @@ export const samlConfigServiceFactory = ({
      });
    }

-    const userAlias = await userAliasDAL.findOne({
+    let userAlias = await userAliasDAL.findOne({
      externalId,
      orgId,
      aliasType: UserAliasType.SAML
@@ -320,15 +320,13 @@ export const samlConfigServiceFactory = ({

      user = await userDAL.transaction(async (tx) => {
        let newUser: TUsers | undefined;
-        if (serverCfg.trustSamlEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email,
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
+        newUser = await userDAL.findOne(
+          {
+            email,
+            isEmailVerified: true
+          },
+          tx
+        );

        if (!newUser) {
          const uniqueUsername = await normalizeUsername(`${firstName ?? ""}-${lastName ?? ""}`, userDAL);
@@ -346,13 +344,14 @@ export const samlConfigServiceFactory = ({
          );
        }

-        await userAliasDAL.create(
+        userAlias = await userAliasDAL.create(
          {
            userId: newUser.id,
            aliasType: UserAliasType.SAML,
            externalId,
            emails: email ? [email] : [],
-            orgId
+            orgId,
+            isEmailVerified: serverCfg.trustSamlEmails
          },
          tx
        );
@@ -410,13 +409,13 @@ export const samlConfigServiceFactory = ({
    }
    await licenseService.updateSubscriptionOrgMemberCount(organization.id);

-    const isUserCompleted = Boolean(user.isAccepted && user.isEmailVerified);
+    const isUserCompleted = Boolean(user.isAccepted && user.isEmailVerified && userAlias.isEmailVerified);
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        ...(user.email && { email: user.email, isEmailVerified: userAlias.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
@@ -424,6 +423,7 @@ export const samlConfigServiceFactory = ({
        organizationSlug: organization.slug,
        authMethod: authProvider,
        hasExchangedPrivateKey: true,
+        aliasId: userAlias.id,
        authType: UserAliasType.SAML,
        isUserCompleted,
        ...(relayState
@@ -440,10 +440,11 @@ export const samlConfigServiceFactory = ({

    await samlConfigDAL.update({ orgId }, { lastUsed: new Date() });

-    if (user.email && !user.isEmailVerified) {
+    if (user.email && !userAlias.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
+        userId: user.id,
+        aliasId: userAlias.id
      });

      await smtpService.sendMail({
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@@ -180,7 +180,11 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
        tx.ref("allowedSelfApprovals").withSchema(TableName.SecretApprovalPolicy).as("policyAllowedSelfApprovals"),
        tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
-        tx.ref("deletedAt").withSchema(TableName.SecretApprovalPolicy).as("policyDeletedAt")
+        tx.ref("deletedAt").withSchema(TableName.SecretApprovalPolicy).as("policyDeletedAt"),
+        tx
+          .ref("shouldCheckSecretPermission")
+          .withSchema(TableName.SecretApprovalPolicy)
+          .as("policySecretReadAccessCompat")
      );

  const findById = async (id: string, tx?: Knex) => {
@@ -220,7 +224,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            enforcementLevel: el.policyEnforcementLevel,
            envId: el.policyEnvId,
            deletedAt: el.policyDeletedAt,
-            allowedSelfApprovals: el.policyAllowedSelfApprovals
+            allowedSelfApprovals: el.policyAllowedSelfApprovals,
+            shouldCheckSecretPermission: el.policySecretReadAccessCompat
          }
        }),
        childrenMapper: [
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -281,13 +281,22 @@ export const secretApprovalRequestServiceFactory = ({
    ) {
      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
-    const getHasSecretReadAccess = (environment: string, tags: { slug: string }[], secretPath?: string) => {
-      const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
-        environment,
-        secretPath: secretPath || "/",
-        secretTags: tags.map((i) => i.slug)
-      });
-      return canRead;
+    const getHasSecretReadAccess = (
+      shouldCheckSecretPermission: boolean | null | undefined,
+      environment: string,
+      tags: { slug: string }[],
+      secretPath?: string
+    ) => {
+      if (shouldCheckSecretPermission) {
+        const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
+          environment,
+          secretPath: secretPath || "/",
+          secretTags: tags.map((i) => i.slug)
+        });
+        return canRead;
+      }
+
+      return true;
    };

    let secrets;
@@ -309,8 +318,18 @@ export const secretApprovalRequestServiceFactory = ({
        version: el.version,
        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
        isRotatedSecret: el.secret?.isRotatedSecret ?? false,
-        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
-        secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+        secretValueHidden: !getHasSecretReadAccess(
+          secretApprovalRequest.policy.shouldCheckSecretPermission,
+          secretApprovalRequest.environment,
+          el.tags,
+          secretPath?.[0]?.path
+        ),
+        secretValue: !getHasSecretReadAccess(
+          secretApprovalRequest.policy.shouldCheckSecretPermission,
+          secretApprovalRequest.environment,
+          el.tags,
+          secretPath?.[0]?.path
+        )
          ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
          : el.secret && el.secret.isRotatedSecret
            ? undefined
@@ -326,11 +345,17 @@ export const secretApprovalRequestServiceFactory = ({
              id: el.secret.id,
              version: el.secret.version,
              secretValueHidden: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
                secretApprovalRequest.environment,
                el.tags,
                secretPath?.[0]?.path
              ),
-              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+              secretValue: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
+                secretApprovalRequest.environment,
+                el.tags,
+                secretPath?.[0]?.path
+              )
                ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                : el.secret.encryptedValue
                  ? secretManagerDecryptor({ cipherTextBlob: el.secret.encryptedValue }).toString()
@@ -346,11 +371,17 @@ export const secretApprovalRequestServiceFactory = ({
              id: el.secretVersion.id,
              version: el.secretVersion.version,
              secretValueHidden: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
                secretApprovalRequest.environment,
                el.tags,
                secretPath?.[0]?.path
              ),
-              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+              secretValue: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
+                secretApprovalRequest.environment,
+                el.tags,
+                secretPath?.[0]?.path
+              )
                ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                : el.secretVersion.encryptedValue
                  ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedValue }).toString()
@@ -368,7 +399,12 @@ export const secretApprovalRequestServiceFactory = ({
      const encryptedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
      secrets = encryptedSecrets.map((el) => ({
        ...el,
-        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
+        secretValueHidden: !getHasSecretReadAccess(
+          secretApprovalRequest.policy.shouldCheckSecretPermission,
+          secretApprovalRequest.environment,
+          el.tags,
+          secretPath?.[0]?.path
+        ),
        ...decryptSecretWithBot(el, botKey),
        secret: el.secret
          ? {
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -726,7 +726,8 @@ export const registerRoutes = async (
    permissionService,
    groupProjectDAL,
    smtpService,
-    projectMembershipDAL
+    projectMembershipDAL,
+    userAliasDAL
  });

  const totpService = totpServiceFactory({
--- a/backend/src/server/routes/v2/user-router.ts
+++ b/backend/src/server/routes/v2/user-router.ts
@@ -18,14 +18,14 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        username: z.string().trim()
+        token: z.string().trim()
      }),
      response: {
        200: z.object({})
      }
    },
    handler: async (req) => {
-      await server.services.user.sendEmailVerificationCode(req.body.username);
+      await server.services.user.sendEmailVerificationCode(req.body.token);
      return {};
    }
  });
--- a/backend/src/services/auth-token/auth-token-service.ts
+++ b/backend/src/services/auth-token/auth-token-service.ts
@@ -75,7 +75,7 @@ export const getTokenConfig = (tokenType: TokenType) => {
 };

 export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAuthTokenServiceFactoryDep) => {
-  const createTokenForUser = async ({ type, userId, orgId }: TCreateTokenForUserDTO) => {
+  const createTokenForUser = async ({ type, userId, orgId, aliasId }: TCreateTokenForUserDTO) => {
    const { token, ...tkCfg } = getTokenConfig(type);
    const appCfg = getConfig();
    const tokenHash = await crypto.hashing().createHash(token, appCfg.SALT_ROUNDS);
@@ -88,7 +88,8 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
          type,
          userId,
          orgId,
-          triesLeft: tkCfg?.triesLeft
+          triesLeft: tkCfg?.triesLeft,
+          aliasId
        },
        tx
      );
--- a/backend/src/services/auth-token/auth-token-types.ts
+++ b/backend/src/services/auth-token/auth-token-types.ts
@@ -14,6 +14,7 @@ export type TCreateTokenForUserDTO = {
  type: TokenType;
  userId: string;
  orgId?: string;
+  aliasId?: string;
 };

 export type TCreateOrgInviteTokenDTO = {
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -453,6 +453,13 @@ export const authLoginServiceFactory = ({

    const selectedOrg = await orgDAL.findById(organizationId);

+    // Check if authEnforced is true, if that's the case, throw an error
+    if (selectedOrg.authEnforced) {
+      throw new BadRequestError({
+        message: "Authentication is required by your organization before you can log in."
+      });
+    }
+
    if (!selectedOrgMembership) {
      throw new ForbiddenRequestError({
        message: `User does not have access to the organization named ${selectedOrg?.name}`
--- a/backend/src/services/org-membership/org-membership-dal.ts
+++ b/backend/src/services/org-membership/org-membership-dal.ts
@@ -124,12 +124,12 @@ export const orgMembershipDALFactory = (db: TDbClient) => {
          void qb
            .whereNull(`${TableName.OrgMembership}.lastInvitedAt`)
            .whereBetween(`${TableName.OrgMembership}.createdAt`, [twelveMonthsAgo, oneWeekAgo]);
-        })
-        .orWhere((qb) => {
          // lastInvitedAt is older than 1 week ago AND createdAt is younger than 1 month ago
-          void qb
-            .where(`${TableName.OrgMembership}.lastInvitedAt`, "<", oneWeekAgo)
-            .where(`${TableName.OrgMembership}.createdAt`, ">", oneMonthAgo);
+          void qb.orWhere((qbInner) => {
+            void qbInner
+              .where(`${TableName.OrgMembership}.lastInvitedAt`, "<", oneWeekAgo)
+              .where(`${TableName.OrgMembership}.createdAt`, ">", oneMonthAgo);
+          });
        });

      return memberships;
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
@@ -1074,12 +1074,22 @@ export const secretV2BridgeServiceFactory = ({
        currentPath: path
      });

-      if (!deepPaths) return { secrets: [], imports: [] };
+      if (!deepPaths?.length) {
+        throw new NotFoundError({
+          message: `Folder with path '${path}' in environment '${environment}' was not found. Please ensure the environment slug and secret path is correct.`,
+          name: "SecretPathNotFound"
+        });
+      }

      paths = deepPaths.map(({ folderId, path: p }) => ({ folderId, path: p }));
    } else {
      const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-      if (!folder) return { secrets: [], imports: [] };
+      if (!folder) {
+        throw new NotFoundError({
+          message: `Folder with path '${path}' in environment '${environment}' was not found. Please ensure the environment slug and secret path is correct.`,
+          name: "SecretPathNotFound"
+        });
+      }

      paths = [{ folderId: folder.id, path }];
    }
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@@ -637,7 +637,12 @@ export const secretServiceFactory = ({
        }
      });

-      if (!deepPaths) return { secrets: [], imports: [] };
+      if (!deepPaths?.length) {
+        throw new NotFoundError({
+          message: `Folder with path '${path}' in environment '${environment}' was not found. Please ensure the environment slug and secret path is correct.`,
+          name: "SecretPathNotFound"
+        });
+      }

      paths = deepPaths.map(({ folderId, path: p }) => ({ folderId, path: p }));
    } else {
@@ -647,7 +652,12 @@ export const secretServiceFactory = ({
      });

      const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-      if (!folder) return { secrets: [], imports: [] };
+      if (!folder) {
+        throw new NotFoundError({
+          message: `Folder with path '${path}' in environment '${environment}' was not found. Please ensure the environment slug and secret path is correct.`,
+          name: "SecretPathNotFound"
+        });
+      }

      paths = [{ folderId: folder.id, path }];
    }
--- a/backend/src/services/user/user-service.ts
+++ b/backend/src/services/user/user-service.ts
@@ -2,6 +2,7 @@ import { ForbiddenError } from "@casl/ability";

 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
@@ -9,9 +10,10 @@ import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";

-import { AuthMethod } from "../auth/auth-type";
+import { AuthMethod, AuthTokenType } from "../auth/auth-type";
 import { TGroupProjectDALFactory } from "../group-project/group-project-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
+import { TUserAliasDALFactory } from "../user-alias/user-alias-dal";
 import { TUserDALFactory } from "./user-dal";
 import { TListUserGroupsDTO, TUpdateUserMfaDTO } from "./user-types";

@@ -37,6 +39,7 @@ type TUserServiceFactoryDep = {
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
  smtpService: Pick<TSmtpService, "sendMail">;
  permissionService: TPermissionServiceFactory;
+  userAliasDAL: Pick<TUserAliasDALFactory, "findOne" | "find" | "updateById">;
 };

 export type TUserServiceFactory = ReturnType<typeof userServiceFactory>;
@@ -48,22 +51,38 @@ export const userServiceFactory = ({
  groupProjectDAL,
  tokenService,
  smtpService,
-  permissionService
+  permissionService,
+  userAliasDAL
 }: TUserServiceFactoryDep) => {
-  const sendEmailVerificationCode = async (username: string) => {
+  const sendEmailVerificationCode = async (token: string) => {
+    const { authType, aliasId, username, authTokenType } = crypto.jwt().decode(token) as {
+      authType: string;
+      aliasId?: string;
+      username: string;
+      authTokenType: AuthTokenType;
+    };
+    if (authTokenType !== AuthTokenType.PROVIDER_TOKEN) throw new BadRequestError({ name: "Invalid auth token type" });
+
    // akhilmhdh: case sensitive email resolution
    const users = await userDAL.findUserByUsername(username);
    const user = users?.length > 1 ? users.find((el) => el.username === username) : users?.[0];
    if (!user) throw new NotFoundError({ name: `User with username '${username}' not found` });
+    let { isEmailVerified } = user;
+    if (aliasId) {
+      const userAlias = await userAliasDAL.findOne({ userId: user.id, aliasType: authType, id: aliasId });
+      if (!userAlias) throw new NotFoundError({ name: `User alias with ID '${aliasId}' not found` });
+      isEmailVerified = userAlias.isEmailVerified;
+    }

    if (!user.email)
      throw new BadRequestError({ name: "Failed to send email verification code due to no email on user" });
-    if (user.isEmailVerified)
+    if (isEmailVerified)
      throw new BadRequestError({ name: "Failed to send email verification code due to email already verified" });

-    const token = await tokenService.createTokenForUser({
+    const userToken = await tokenService.createTokenForUser({
      type: TokenType.TOKEN_EMAIL_VERIFICATION,
-      userId: user.id
+      userId: user.id,
+      aliasId
    });

    await smtpService.sendMail({
@@ -71,7 +90,7 @@ export const userServiceFactory = ({
      subjectLine: "Infisical confirmation code",
      recipients: [user.email],
      substitutions: {
-        code: token
+        code: userToken
      }
    });
  };
@@ -95,15 +114,21 @@ export const userServiceFactory = ({
    if (!user) throw new NotFoundError({ name: `User with username '${username}' not found` });
    if (!user.email)
      throw new BadRequestError({ name: "Failed to verify email verification code due to no email on user" });
-    if (user.isEmailVerified)
-      throw new BadRequestError({ name: "Failed to verify email verification code due to email already verified" });

-    await tokenService.validateTokenForUser({
+    const token = await tokenService.validateTokenForUser({
      type: TokenType.TOKEN_EMAIL_VERIFICATION,
      userId: user.id,
      code
    });

+    if (token?.aliasId) {
+      const userAlias = await userAliasDAL.findOne({ userId: user.id, id: token.aliasId });
+      if (!userAlias) throw new NotFoundError({ name: `User alias with ID '${token.aliasId}' not found` });
+      if (userAlias?.isEmailVerified)
+        throw new BadRequestError({ name: "Failed to verify email verification code due to email already verified" });
+
+      await userAliasDAL.updateById(token.aliasId, { isEmailVerified: true });
+    }
    const userEmails = user?.email ? await userDAL.find({ email: user.email }) : [];

    await userDAL.updateById(user.id, {
--- a/docs/integrations/platforms/docker.mdx
+++ b/docs/integrations/platforms/docker.mdx
@@ -6,32 +6,10 @@ description: "Learn how to use Infisical to inject environment variables into a
 This approach allows you to inject secrets from Infisical directly into your application.
 This is achieved by installing the Infisical CLI into your docker image and modifying your start command to execute with Infisical.

-## Add the Infisical CLI to your Dockerfile
+## Install the Infisical CLI to your Dockerfile

-<Tabs>
-	 <Tab title="Alpine">
-		```dockerfile
-    	RUN apk add --no-cache bash curl && curl -1sLf \
-      'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-      && apk add infisical
-    	```
+To install the CLI, follow the instructions for your chosen distribution [here](/cli/overview).

-   </Tab>
-	 <Tab title="RedHat/CentOs/Amazon-linux">
-		```dockerfile
-    RUN curl -1sLf \
-    'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.rpm.sh' | sh \ 
-    && yum install -y infisical
-		```
-   </Tab>
-	 <Tab title="Debian/Ubuntu">
-		```dockerfile
-    RUN apt-get update && apt-get install -y bash curl && curl -1sLf \
-      'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
-      && apt-get update && apt-get install -y infisical
-		```
-   </Tab>
-</Tabs>
 ####
 <Tip>
  We recommend you to set the version of the CLI to a specific version. This will help keep your CLI version consistent across reinstalls. [View versions](https://cloudsmith.io/~infisical/repos/infisical-cli/packages/)
--- a/frontend/src/components/v2/DatePicker/DatePicker.tsx
+++ b/frontend/src/components/v2/DatePicker/DatePicker.tsx
@@ -98,7 +98,7 @@ export const DatePicker = ({
        >
          {value
            ? formatDateTime({ timestamp: value, timezone, dateFormat })
-            : "Pick a date and time"}
+            : `Select Date${hideTime ? "" : " and Time"}`}
        </Button>
      </PopoverTrigger>
      <PopoverContent
@@ -122,7 +122,8 @@ export const DatePicker = ({
              root: `text-mineshaft-300  ${defaultClassNames}`,
              [UI.DayButton]: "p-3 rounded hover:text-mineshaft-100",
              [UI.Weekday]: "px-3 pt-3",
-              [UI.Chevron]: "fill-mineshaft-300"
+              [UI.Chevron]: "fill-mineshaft-300/70 hover:fill-mineshaft-300",
+              disabled: "text-mineshaft-400 pointer-events-none"
            }}
          />
        </div>
--- a/frontend/src/components/v2/SecretInput/SecretInput.tsx
+++ b/frontend/src/components/v2/SecretInput/SecretInput.tsx
@@ -6,20 +6,12 @@ import { useToggle } from "@app/hooks";
 import { HIDDEN_SECRET_VALUE } from "@app/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretItem";

 const REGEX = /(\${([a-zA-Z0-9-_.]+)})/g;
-const replaceContentWithDot = (str: string) => {
-  let finalStr = "";
-  for (let i = 0; i < str.length; i += 1) {
-    const char = str.at(i);
-    finalStr += char === "\n" ? "\n" : "*";
-  }
-  return finalStr;
-};

 const syntaxHighlight = (content?: string | null, isVisible?: boolean, isImport?: boolean) => {
  if (isImport && !content) return "IMPORTED";
  if (content === "") return "EMPTY";
  if (!content) return "EMPTY";
-  if (!isVisible) return replaceContentWithDot(content);
+  if (!isVisible) return HIDDEN_SECRET_VALUE;

  let skipNext = false;
  const formattedContent = content.split(REGEX).flatMap((el, i) => {
--- a/frontend/src/hooks/api/users/mutation.tsx
+++ b/frontend/src/hooks/api/users/mutation.tsx
@@ -26,16 +26,16 @@ export const useAddUserToWsNonE2EE = () => {
  });
 };

-export const sendEmailVerificationCode = async (username: string) => {
+export const sendEmailVerificationCode = async (token: string) => {
  return apiRequest.post("/api/v2/users/me/emails/code", {
-    username
+    token
  });
 };

 export const useSendEmailVerificationCode = () => {
  return useMutation({
-    mutationFn: async (username: string) => {
-      await sendEmailVerificationCode(username);
+    mutationFn: async (token: string) => {
+      await sendEmailVerificationCode(token);
      return {};
    }
  });
--- a/frontend/src/pages/auth/SignUpSsoPage/components/EmailConfirmationStep/EmailConfirmationStep.tsx
+++ b/frontend/src/pages/auth/SignUpSsoPage/components/EmailConfirmationStep/EmailConfirmationStep.tsx
@@ -114,7 +114,16 @@ export const EmailConfirmationStep = ({

  const resendCode = async () => {
    try {
-      await sendEmailVerificationCode(username);
+      const queryParams = new URLSearchParams(window.location.search);
+      const token = queryParams.get("token");
+      if (!token) {
+        createNotification({
+          text: "Failed to resend code, no token found",
+          type: "error"
+        });
+        return;
+      }
+      await sendEmailVerificationCode(token);
      createNotification({
        text: "Successfully resent code",
        type: "success"
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/CreateReminderForm.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/CreateReminderForm.tsx
@@ -396,9 +396,11 @@ export const CreateReminderForm = ({
                        open: isDatePickerOpen,
                        onOpenChange: setIsDatePickerOpen
                      }}
-                      popUpContentProps={{}}
+                      popUpContentProps={{
+                        align: "end"
+                      }}
                      hideTime
-                      hidden={{ before: new Date(Date.now() + ONE_DAY_IN_MILLIS) }}
+                      disabled={{ before: new Date(Date.now() + ONE_DAY_IN_MILLIS) }}
                    />
                  </FormControl>
                )}
@@ -426,9 +428,11 @@ export const CreateReminderForm = ({
                        open: isDatePickerOpen,
                        onOpenChange: setIsDatePickerOpen
                      }}
-                      popUpContentProps={{}}
+                      popUpContentProps={{
+                        align: "start"
+                      }}
                      hideTime
-                      hidden={{ before: new Date(Date.now() + ONE_DAY_IN_MILLIS) }}
+                      disabled={{ before: new Date(Date.now() + ONE_DAY_IN_MILLIS) }}
                    />
                  </FormControl>
                </div>
@@ -479,15 +483,15 @@ export const CreateReminderForm = ({
          />

          {/* Action Buttons */}
-          <div className="flex items-center space-x-4 pt-4">
+          <div className="flex items-center space-x-4">
            <Button
              isDisabled={isSubmitting}
              isLoading={isSubmitting}
-              className=""
+              variant="outline_bg"
              leftIcon={<FontAwesomeIcon icon={faClock} />}
              type="submit"
            >
-              {isEditMode ? "Update" : "Create"} reminder
+              {isEditMode ? "Update" : "Create"} Reminder
            </Button>

            {isEditMode && (
@@ -499,7 +503,7 @@ export const CreateReminderForm = ({
                type="button"
                isDisabled={isSubmitting}
              >
-                Delete reminder
+                Delete Reminder
              </Button>
            )}

--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretItem.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretItem.tsx
@@ -56,7 +56,7 @@ import {
 import { CollapsibleSecretImports } from "./CollapsibleSecretImports";
 import { useBatchModeActions } from "../../SecretMainPage.store";

-export const HIDDEN_SECRET_VALUE = "******";
+export const HIDDEN_SECRET_VALUE = "*****************************";
 export const HIDDEN_SECRET_VALUE_API_MASK = "<hidden-by-infisical>";

 type Props = {
Author	SHA1	Message	Date
Scott Wilson	43dd45de29	improvement: used fix length mask for secrets when unfocused to prevent inference attacks	2025-08-27 18:20:01 -07:00
Maidul Islam	fc6778dd89	fix outdated cli instructions	2025-08-27 17:02:52 -04:00
x032205	2f68ff1629	Merge pull request #4424 from Infisical/fix-daily-invite-users Fix daily re-invite users job logic	2025-08-27 15:10:37 -04:00
Scott Wilson	8884c0e6bd	Merge pull request #4413 from Infisical/improve-secret-reminder-modal improvement(frontend): give secret reminder form some love	2025-08-27 09:38:06 -07:00
Sid	af2f21fe93	feat: allow secret approval reviewers to read secrets (#4411 ) * feat: allow secret approval reviewers to read secrets * feat: allow secret approval reviewers to read secrets * fix: backfill migrations * lint: fix * revert: license file * Update backend/src/db/migrations/20250824192801_backfill-secret-read-compat-flag.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * fix: rename to `shouldCheckSecretPermission` * lint: fix --------- Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-08-27 17:51:14 +05:30
x032205	dcd588007c	Fix daily re-invite users job logic	2025-08-27 05:54:31 -04:00
Daniel Hougaard	bceaac844f	Merge pull request #4419 from Infisical/daniel/throw-on-invalid-env fix(secrets-service): throw on invalid env / path	2025-08-26 20:53:16 +02:00
Daniel Hougaard	2f375d6b65	requested changes	2025-08-26 20:25:41 +02:00
Daniel Hougaard	8f00bab61c	fix(secrets-service): throw on invalid env / path	2025-08-26 19:55:52 +02:00
carlosmonastyrski	ec12acfcdf	Merge pull request #4344 from Infisical/fix/samlDuplicateAccounts Fix SAML duplicate accounts when signing in the first time on an existing account	2025-08-26 23:18:33 +08:00
Carlos Monastyrski	34a8301617	Merge remote-tracking branch 'origin/main' into fix/samlDuplicateAccounts	2025-08-26 09:11:00 -03:00
x032205	8ffff7e779	Merge pull request #4416 from Infisical/fix-github-app-auth Swap away from octokit for GitHub app auth and use gateway	2025-08-26 06:36:06 +08:00
Scott Wilson	2fda307b67	improvement: give secret reminder form some love	2025-08-25 09:13:52 -07:00
Carlos Monastyrski	52bbe25fc5	Add userAlias check	2025-08-19 14:27:26 +08:00
Carlos Monastyrski	bb14231d71	Throw an error when org authEnforced is enabled and user is trying to select org	2025-08-18 11:06:11 +08:00
Carlos Monastyrski	8a72023e80	Improve verification and resend code logic, added oidc and ldap	2025-08-12 18:58:23 -07:00
Carlos Monastyrski	60b3f5c7c6	Improve user alias check logic and header usage on resend code	2025-08-11 13:24:31 -07:00
Carlos Monastyrski	c2cea8cffc	Fix SAML duplicate accounts when signing in the first time on an existing account	2025-08-08 18:20:47 -03:00