fix typo

Update login.mdx
Update tls-cert-auth.mdx
2025-07-22 13:29:55 +00:00 · 2025-07-17 00:20:02 +04:00 · 2025-07-17 00:09:56 +04:00 · 2025-07-17 00:08:34 +04:00
9 changed files with 23 additions and 65 deletions
--- a/backend/src/server/routes/v1/identity-oci-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-oci-auth-router.ts
@ -28,17 +28,7 @@ export const registerIdentityOciAuthRouter = async (server: FastifyZodProvider)
          .object({
            authorization: z.string(),
            host: z.string(),
-            "x-date": z.string().optional(),
-            date: z.string().optional()
-          })
-          .superRefine((val, ctx) => {
-            if (!val.date && !val["x-date"]) {
-              ctx.addIssue({
-                code: z.ZodIssueCode.custom,
-                message: "Either date or x-date must be provided",
-                path: ["headers", "date"]
-              });
-            }
+            "x-date": z.string()
          })
          .describe(OCI_AUTH.LOGIN.headers)
      }),
--- a/backend/src/services/identity-oci-auth/identity-oci-auth-types.ts
+++ b/backend/src/services/identity-oci-auth/identity-oci-auth-types.ts
@ -6,8 +6,7 @@ export type TLoginOciAuthDTO = {
  headers: {
    authorization: string;
    host: string;
-    "x-date"?: string;
-    date?: string;
+    "x-date": string;
  };
 };

--- a/backend/src/services/secret-import/secret-import-fns.ts
+++ b/backend/src/services/secret-import/secret-import-fns.ts
@ -174,7 +174,6 @@ export const fnSecretsV2FromImports = async ({
    skipMultilineEncoding?: boolean | null;
    secretPath: string;
    environment: string;
-    secretKey: string;
  }) => Promise<string | undefined>;
  hasSecretAccess: (environment: string, secretPath: string, secretName: string, secretTagSlugs: string[]) => boolean;
 }) => {
@ -294,8 +293,7 @@ export const fnSecretsV2FromImports = async ({
              value: decryptedSecret.secretValue,
              secretPath: processedImport.secretPath,
              environment: processedImport.environment,
-              skipMultilineEncoding: decryptedSecret.skipMultilineEncoding,
-              secretKey: decryptedSecret.secretKey
+              skipMultilineEncoding: decryptedSecret.skipMultilineEncoding
            });
            // eslint-disable-next-line no-param-reassign
            processedImport.secrets[index].secretValue = expandedSecretValue || "";
--- a/backend/src/services/secret-sync/secret-sync-queue.ts
+++ b/backend/src/services/secret-sync/secret-sync-queue.ts
@ -231,8 +231,7 @@ export const secretSyncQueueFactory = ({
          environment: environment.slug,
          secretPath: folder.path,
          skipMultilineEncoding: secret.skipMultilineEncoding,
-          value: secretValue,
-          secretKey
+          value: secretValue
        });
        secretMap[secretKey] = { value: expandedSecretValue || "" };

--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
@ -614,7 +614,6 @@ export const expandSecretReferencesFactory = ({
    secretPath: string;
    environment: string;
    shouldStackTrace?: boolean;
-    secretKey: string;
  }) => {
    const stackTrace = { ...dto, key: "root", children: [] } as TSecretReferenceTraceNode;

@ -657,7 +656,7 @@ export const expandSecretReferencesFactory = ({
            const referredValue = await fetchSecret(environment, secretPath, secretKey);
            if (!canExpandValue(environment, secretPath, secretKey, referredValue.tags))
              throw new ForbiddenRequestError({
-                message: `You do not have permission to read secret '${secretKey}' in environment '${environment}' at path '${secretPath}', which is referenced by secret '${dto.secretKey}' in environment '${dto.environment}' at path '${dto.secretPath}'.`
+                message: `You are attempting to reference secret named ${secretKey} from environment ${environment} in path ${secretPath} which you do not have access to read value on.`
              });

            const cacheKey = getCacheUniqueKey(environment, secretPath);
@ -676,7 +675,7 @@ export const expandSecretReferencesFactory = ({
            const referedValue = await fetchSecret(secretReferenceEnvironment, secretReferencePath, secretReferenceKey);
            if (!canExpandValue(secretReferenceEnvironment, secretReferencePath, secretReferenceKey, referedValue.tags))
              throw new ForbiddenRequestError({
-                message: `You do not have permission to read secret '${secretReferenceKey}' in environment '${secretReferenceEnvironment}' at path '${secretReferencePath}', which is referenced by secret '${dto.secretKey}' in environment '${dto.environment}' at path '${dto.secretPath}'.`
+                message: `You are attempting to reference secret named ${secretReferenceKey} from environment ${secretReferenceEnvironment} in path ${secretReferencePath} which you do not have access to read value on.`
              });

            const cacheKey = getCacheUniqueKey(secretReferenceEnvironment, secretReferencePath);
@ -693,7 +692,6 @@ export const expandSecretReferencesFactory = ({
            secretPath: referencedSecretPath,
            environment: referencedSecretEnvironmentSlug,
            depth: depth + 1,
-            secretKey: referencedSecretKey,
            trace
          };

@ -728,7 +726,6 @@ export const expandSecretReferencesFactory = ({
    skipMultilineEncoding?: boolean | null;
    secretPath: string;
    environment: string;
-    secretKey: string;
  }) => {
    if (!inputSecret.value) return inputSecret.value;

@ -744,7 +741,6 @@ export const expandSecretReferencesFactory = ({
    value?: string;
    secretPath: string;
    environment: string;
-    secretKey: string;
  }) => {
    const { stackTrace, expandedValue } = await recursivelyExpandSecret({ ...inputSecret, shouldStackTrace: true });
    return { stackTrace, expandedValue };
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
@ -1105,7 +1105,7 @@ export const secretV2BridgeServiceFactory = ({

    if (shouldExpandSecretReferences) {
      const secretsGroupByPath = groupBy(decryptedSecrets, (i) => i.secretPath);
-      const settledPromises = await Promise.allSettled(
+      await Promise.allSettled(
        Object.keys(secretsGroupByPath).map((groupedPath) =>
          Promise.allSettled(
            secretsGroupByPath[groupedPath].map(async (decryptedSecret, index) => {
@ -1113,8 +1113,7 @@ export const secretV2BridgeServiceFactory = ({
                value: decryptedSecret.secretValue,
                secretPath: groupedPath,
                environment,
-                skipMultilineEncoding: decryptedSecret.skipMultilineEncoding,
-                secretKey: decryptedSecret.secretKey
+                skipMultilineEncoding: decryptedSecret.skipMultilineEncoding
              });
              // eslint-disable-next-line no-param-reassign
              secretsGroupByPath[groupedPath][index].secretValue = expandedSecretValue || "";
@ -1122,35 +1121,6 @@ export const secretV2BridgeServiceFactory = ({
          )
        )
      );
-      const errors: { path: string; error: string }[] = [];
-
-      settledPromises.forEach((outerResult: PromiseSettledResult<PromiseSettledResult<void>[]>, outerIndex) => {
-        const groupedPath = Object.keys(secretsGroupByPath)[outerIndex];
-
-        if (outerResult.status === "rejected") {
-          errors.push({
-            path: groupedPath,
-            error: `Failed to process secret group: ${outerResult.reason}`
-          });
-        } else {
-          // Check inner promise results
-          outerResult.value.forEach((innerResult: PromiseSettledResult<void>) => {
-            if (innerResult.status === "rejected") {
-              const reason = innerResult.reason as ForbiddenRequestError;
-              errors.push({
-                path: groupedPath,
-                error: reason.message
-              });
-            }
-          });
-        }
-      });
-      if (errors.length > 0) {
-        throw new ForbiddenRequestError({
-          message: "Failed to expand one or more secret references",
-          details: errors.map((err) => err.error)
-        });
-      }
    }

    if (!includeImports) {
@ -1454,8 +1424,7 @@ export const secretV2BridgeServiceFactory = ({
        environment,
        secretPath: path,
        value: secretValue,
-        skipMultilineEncoding: secret.skipMultilineEncoding,
-        secretKey: secret.key
+        skipMultilineEncoding: secret.skipMultilineEncoding
      });

      secretValue = expandedSecretValue || "";
@ -2753,8 +2722,7 @@ export const secretV2BridgeServiceFactory = ({
    const { expandedValue, stackTrace } = await getExpandedSecretStackTrace({
      environment,
      secretPath,
-      value: decryptedSecretValue,
-      secretKey: secretName
+      value: decryptedSecretValue
    });

    return { tree: stackTrace, value: expandedValue };
--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@ -426,8 +426,7 @@ export const secretQueueFactory = ({
          environment: dto.environment,
          secretPath: dto.secretPath,
          skipMultilineEncoding: secret.skipMultilineEncoding,
-          value: secretValue,
-          secretKey
+          value: secretValue
        });
        content[secretKey] = { value: expandedSecretValue || "" };

--- a/docs/api-reference/endpoints/tls-cert-auth/login.mdx
+++ b/docs/api-reference/endpoints/tls-cert-auth/login.mdx
@ -2,3 +2,8 @@
 title: "Login"
 openapi: "POST /api/v1/auth/tls-cert-auth/login"
 ---
+
+<Warning>
+  Infisical US/EU and dedicated instances are deployed with AWS ALB. TLS Certificate Auth must flow through our ALB mTLS pass-through in order to authenticate.
+  When you are authenticating with TLS Certificate Auth, you must use the port `8443` instead of the default `443`. Example: `https://app.infisical.com:8443/api/v1/auth/tls-cert-auth/login`
+</Warning>
--- a/docs/documentation/platform/identities/tls-cert-auth.mdx
+++ b/docs/documentation/platform/identities/tls-cert-auth.mdx
@ -42,10 +42,14 @@ To be more specific:
  Most of the time, the Infisical server will be behind a load balancer or
  proxy. To propagate the TLS certificate from the load balancer to the
  instance, you can configure the TLS to send the client certificate as a header
-  that is set as an [environment
-  variable](/self-hosting/configuration/envars#param-identity-tls-cert-auth-client-certificate-header-key).
+  that is set as an [environment variable](/self-hosting/configuration/envars#param-identity-tls-cert-auth-client-certificate-header-key).
 </Accordion>

+<Note>
+  Infisical US/EU and dedicated instances are deployed with AWS ALB. TLS Certificate Auth must flow through our ALB mTLS pass-through in order to authenticate.
+  When you are authenticating with TLS Certificate Auth, you must use the port `8443` instead of the default `443`. Example: `https://app.infisical.com:8443/api/v1/auth/tls-cert-auth/login`
+</Note>
+
 ## Guide

 In the following steps, we explore how to create and use identities for your workloads and applications on TLS Certificate to
@ -123,7 +127,7 @@ try {
  const clientCertificate = fs.readFileSync("client-cert.pem", "utf8");
  const clientKeyCertificate = fs.readFileSync("client-key.pem", "utf8");

-  const infisicalUrl = "https://app.infisical.com"; // or your self-hosted Infisical URL
+  const infisicalUrl = "https://app.infisical.com:8443"; // or your self-hosted Infisical URL
  const identityId = "<your-identity-id>";

  // Create HTTPS agent with client certificate and key
Author	SHA1	Message	Date
Daniel Hougaard	32b2f7b0fe	fix typo	2025-07-17 00:20:02 +04:00
Daniel Hougaard	4c2823c480	Update login.mdx	2025-07-17 00:09:56 +04:00
Daniel Hougaard	60438694e4	Update tls-cert-auth.mdx	2025-07-17 00:08:34 +04:00