feat(audit-logs): shared secrets audit logs

misc: add support for array values in OIDC aud field

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -100,10 +100,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
 
       // Filter by date range
       if (startDate) {
-        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
       }
       if (endDate) {
-        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
       }
 
       // we timeout long running queries to prevent DB resource issues (2 minutes)

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -31,7 +31,7 @@ export type TListProjectAuditLogDTO = {
 
 export type TCreateAuditLogDTO = {
   event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
   orgId?: string;
   projectId?: string;
 } & BaseAuthData;
@@ -229,7 +229,10 @@ export enum EventType {
   GET_APP_CONNECTION = "get-app-connection",
   CREATE_APP_CONNECTION = "create-app-connection",
   UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection"
+  DELETE_APP_CONNECTION = "delete-app-connection",
+  CREATE_SHARED_SECRET = "create-shared-secret",
+  DELETE_SHARED_SECRET = "delete-shared-secret",
+  READ_SHARED_SECRET = "read-shared-secret"
 }
 
 interface UserActorMetadata {
@@ -252,6 +255,8 @@ interface ScimClientActorMetadata {}
 
 interface PlatformActorMetadata {}
 
+interface UnknownUserActorMetadata {}
+
 export interface UserActor {
   type: ActorType.USER;
   metadata: UserActorMetadata;
@@ -267,6 +272,11 @@ export interface PlatformActor {
   metadata: PlatformActorMetadata;
 }
 
+export interface UnknownUserActor {
+  type: ActorType.UNKNOWN_USER;
+  metadata: UnknownUserActorMetadata;
+}
+
 export interface IdentityActor {
   type: ActorType.IDENTITY;
   metadata: IdentityActorMetadata;
@@ -1907,6 +1917,35 @@ interface DeleteAppConnectionEvent {
   };
 }
 
+interface CreateSharedSecretEvent {
+  type: EventType.CREATE_SHARED_SECRET;
+  metadata: {
+    id: string;
+    accessType: string;
+    name?: string;
+    expiresAfterViews?: number;
+    usingPassword: boolean;
+    expiresAt: string;
+  };
+}
+
+interface DeleteSharedSecretEvent {
+  type: EventType.DELETE_SHARED_SECRET;
+  metadata: {
+    id: string;
+    name?: string;
+  };
+}
+
+interface ReadSharedSecretEvent {
+  type: EventType.READ_SHARED_SECRET;
+  metadata: {
+    id: string;
+    name?: string;
+    accessType: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2083,4 +2122,7 @@ export type Event =
   | GetAppConnectionEvent
   | CreateAppConnectionEvent
   | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent;
+  | DeleteAppConnectionEvent
+  | CreateSharedSecretEvent
+  | DeleteSharedSecretEvent
+  | ReadSharedSecretEvent;

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -34,6 +34,8 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
     const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
+    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
+
     const db = knex({
       client: providerInputs.client,
       connection: {
@@ -43,7 +45,16 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
         user: providerInputs.username,
         password: providerInputs.password,
         ssl,
-        pool: { min: 0, max: 1 }
+        pool: { min: 0, max: 1 },
+        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
+        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
+        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
+        options: isMsSQLClient
+          ? {
+              trustServerCertificate: !providerInputs.ca,
+              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
+            }
+          : undefined
       },
       acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
     });

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -180,6 +180,8 @@ export const secretRotationQueueFactory = ({
           provider.template.client === TDbProviderClients.MsSqlServer
             ? ({
                 encrypt: appCfg.ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT,
+                // when ca is provided use that
+                trustServerCertificate: !ca,
                 cryptoCredentialsDetails: ca ? { ca } : {}
               } as Record<string, unknown>)
             : undefined;

backend/src/server/plugins/audit-log.ts

@@ -32,13 +32,21 @@ export const getUserAgentType = (userAgent: string | undefined) => {
 export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
   server.decorateRequest("auditLogInfo", null);
   server.addHook("onRequest", async (req) => {
-    if (!req.auth) return;
     const userAgent = req.headers["user-agent"] ?? "";
     const payload = {
       ipAddress: req.realIp,
       userAgent,
       userAgentType: getUserAgentType(userAgent)
     } as typeof req.auditLogInfo;
+
+    if (!req.auth) {
+      payload.actor = {
+        type: ActorType.UNKNOWN_USER,
+        metadata: {}
+      };
+      req.auditLogInfo = payload;
+      return;
+    }
     if (req.auth.actor === ActorType.USER) {
       payload.actor = {
         type: ActorType.USER,

backend/src/server/routes/v1/integration-router.ts

@@ -131,7 +131,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
         appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
-        isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
+        isActive: z.boolean().optional().describe(INTEGRATION.UPDATE.isActive),
         secretPath: z
           .string()
           .trim()

backend/src/server/routes/v1/secret-sharing-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { SecretSharingSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SecretSharingAccessType } from "@app/lib/types";
 import {
   publicEndpointLimit,
@@ -88,6 +89,21 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         orgId: req.permission?.orgId
       });
 
+      if (sharedSecret.secret?.orgId) {
+        await server.services.auditLog.createAuditLog({
+          orgId: sharedSecret.secret.orgId,
+          ...req.auditLogInfo,
+          event: {
+            type: EventType.READ_SHARED_SECRET,
+            metadata: {
+              id: req.params.id,
+              name: sharedSecret.secret.name || undefined,
+              accessType: sharedSecret.secret.accessType
+            }
+          }
+        });
+      }
+
       return sharedSecret;
     }
   });
@@ -151,6 +167,23 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         actorOrgId: req.permission.orgId,
         ...req.body
       });
+
+      await server.services.auditLog.createAuditLog({
+        orgId: req.permission.orgId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.CREATE_SHARED_SECRET,
+          metadata: {
+            accessType: req.body.accessType,
+            expiresAt: req.body.expiresAt,
+            expiresAfterViews: req.body.expiresAfterViews,
+            name: req.body.name,
+            id: sharedSecret.id,
+            usingPassword: !!req.body.password
+          }
+        }
+      });
+
       return { id: sharedSecret.id };
     }
   });
@@ -181,6 +214,18 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         sharedSecretId
       });
 
+      await server.services.auditLog.createAuditLog({
+        orgId: req.permission.orgId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.DELETE_SHARED_SECRET,
+          metadata: {
+            id: sharedSecretId,
+            name: deletedSharedSecret.name || undefined
+          }
+        }
+      });
+
       return { ...deletedSharedSecret };
     }
   });

backend/src/services/auth/auth-type.ts

@@ -39,7 +39,8 @@ export enum ActorType { // would extend to AWS, Azure, ...
   SERVICE = "service",
   IDENTITY = "identity",
   Machine = "machine",
-  SCIM_CLIENT = "scimClient"
+  SCIM_CLIENT = "scimClient",
+  UNKNOWN_USER = "unknownUser"
 }
 
 // This will be null unless the token-type is JWT

backend/src/services/identity-oidc-auth/identity-oidc-auth-fns.ts

@@ -2,3 +2,11 @@ import picomatch from "picomatch";
 
 export const doesFieldValueMatchOidcPolicy = (fieldValue: string, policyValue: string) =>
   policyValue === fieldValue || picomatch.isMatch(fieldValue, policyValue);
+
+export const doesAudValueMatchOidcPolicy = (fieldValue: string | string[], policyValue: string) => {
+  if (Array.isArray(fieldValue)) {
+    return fieldValue.some((entry) => entry === policyValue || picomatch.isMatch(entry, policyValue));
+  }
+
+  return policyValue === fieldValue || picomatch.isMatch(fieldValue, policyValue);
+};

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -27,7 +27,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TOrgBotDALFactory } from "../org/org-bot-dal";
 import { TIdentityOidcAuthDALFactory } from "./identity-oidc-auth-dal";
-import { doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
+import { doesAudValueMatchOidcPolicy, doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
 import {
   TAttachOidcAuthDTO,
   TGetOidcAuthDTO,
@@ -148,7 +148,7 @@ export const identityOidcAuthServiceFactory = ({
       if (
         !identityOidcAuth.boundAudiences
           .split(", ")
-          .some((policyValue) => doesFieldValueMatchOidcPolicy(tokenData.aud, policyValue))
+          .some((policyValue) => doesAudValueMatchOidcPolicy(tokenData.aud, policyValue))
       ) {
         throw new UnauthorizedError({
           message: "Access denied: OIDC audience not allowed."

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -1289,7 +1289,10 @@ const syncSecretsAWSSecretManager = async ({
 
   if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
     for await (const [key, value] of Object.entries(secrets)) {
-      await processAwsSecret(key, value.value, value.secretMetadata);
+      await processAwsSecret(key, value.value, value.secretMetadata).catch((error) => {
+        error.secretKey = key;
+        throw error;
+      });
     }
   } else {
     await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));

backend/src/services/secret-sharing/secret-sharing-service.ts

@@ -206,8 +206,13 @@ export const secretSharingServiceFactory = ({
 
     const orgName = sharedSecret.orgId ? (await orgDAL.findOrgById(sharedSecret.orgId))?.name : "";
 
-    if (accessType === SecretSharingAccessType.Organization && orgId !== sharedSecret.orgId)
+    if (accessType === SecretSharingAccessType.Organization && orgId === undefined) {
+      throw new UnauthorizedError();
+    }
+
+    if (accessType === SecretSharingAccessType.Organization && orgId !== sharedSecret.orgId) {
       throw new ForbiddenRequestError();
+    }
 
     // all secrets pass through here, meaning we check if its expired first and then check if it needs verification
     // or can be safely sent to the client.

backend/src/services/secret/secret-queue.ts

@@ -971,6 +971,8 @@ export const secretQueueFactory = ({
               });
             }
 
+            const { secretKey } = (err as { secretKey: string }) || {};
+
             const message =
               // eslint-disable-next-line no-nested-ternary
               (err instanceof AxiosError
@@ -979,6 +981,8 @@ export const secretQueueFactory = ({
                   : err?.message
                 : (err as Error)?.message) || "Unknown error occurred.";
 
+            const errorLog = `${secretKey ? `[Secret Key: ${secretKey}] ` : ""}${message}`;
+
             await auditLogService.createAuditLog({
               projectId,
               actor: await $generateActor(actorId, isManual),
@@ -989,7 +993,7 @@ export const secretQueueFactory = ({
                   isSynced: false,
                   lastSyncJobId: job?.id ?? "",
                   lastUsed: new Date(),
-                  syncMessage: message
+                  syncMessage: errorLog
                 }
               }
             });
@@ -1001,13 +1005,13 @@ export const secretQueueFactory = ({
 
             await integrationDAL.updateById(integration.id, {
               lastSyncJobId: job.id,
-              syncMessage: message,
+              syncMessage: errorLog,
               isSynced: false
             });
 
             integrationsFailedToSync.push({
               integrationId: integration.id,
-              syncMessage: message
+              syncMessage: errorLog
             });
           }
         }

docs/integrations/platforms/kubernetes/infisical-dynamic-secret-crd.mdx

@@ -11,7 +11,7 @@ This means any Pod, Deployment, or other Kubernetes resource can make use of dyn
 This CRD offers the following features:
 - **Generate a dynamic secret lease** in Infisical and track its lifecycle.
 - **Write** the dynamic secret from Infisical to your cluster as native Kubernetes secret.
-- **Automatically rotate** the dyanmic secret value before it expires to make sure your cluster always has valid credentials.
+- **Automatically rotate** the dynamic secret value before it expires to make sure your cluster always has valid credentials.
 - **Optionally trigger redeployments** of any workloads that consume the secret if you enable auto-reload.
 
 ### Prerequisites

frontend/src/const.ts

@@ -58,7 +58,8 @@ export const leaveConfirmDefaultMessage =
   "Your changes will be lost if you leave the page. Are you sure you want to continue?";
 
 export enum SessionStorageKeys {
-  CLI_TERMINAL_TOKEN = "CLI_TERMINAL_TOKEN"
+  CLI_TERMINAL_TOKEN = "CLI_TERMINAL_TOKEN",
+  ORG_LOGIN_SUCCESS_REDIRECT_URL = "ORG_LOGIN_SUCCESS_REDIRECT_URL"
 }
 
 export const secretTagsColors = [

frontend/src/hooks/api/auditLogs/constants.tsx

@@ -3,6 +3,7 @@ import { EventType, UserAgentType } from "./enums";
 export const eventToNameMap: { [K in EventType]: string } = {
   [EventType.GET_SECRETS]: "List secrets",
   [EventType.GET_SECRET]: "Read secret",
+  [EventType.DELETE_SECRETS]: "Delete secrets",
   [EventType.CREATE_SECRET]: "Create secret",
   [EventType.UPDATE_SECRET]: "Update secret",
   [EventType.DELETE_SECRET]: "Delete secret",
@@ -81,7 +82,10 @@ export const eventToNameMap: { [K in EventType]: string } = {
     "Update certificate template EST configuration",
   [EventType.UPDATE_PROJECT_SLACK_CONFIG]: "Update project slack configuration",
   [EventType.GET_PROJECT_SLACK_CONFIG]: "Get project slack configuration",
-  [EventType.INTEGRATION_SYNCED]: "Integration sync"
+  [EventType.INTEGRATION_SYNCED]: "Integration sync",
+  [EventType.CREATE_SHARED_SECRET]: "Create shared secret",
+  [EventType.DELETE_SHARED_SECRET]: "Delete shared secret",
+  [EventType.READ_SHARED_SECRET]: "Read shared secret"
 };
 
 export const userAgentTTypeoNameMap: { [K in UserAgentType]: string } = {

frontend/src/hooks/api/auditLogs/enums.tsx

@@ -2,7 +2,8 @@ export enum ActorType {
   PLATFORM = "platform",
   USER = "user",
   SERVICE = "service",
-  IDENTITY = "identity"
+  IDENTITY = "identity",
+  UNKNOWN_USER = "unknownUser"
 }
 
 export enum UserAgentType {
@@ -17,6 +18,7 @@ export enum UserAgentType {
 
 export enum EventType {
   GET_SECRETS = "get-secrets",
+  DELETE_SECRETS = "delete-secrets",
   GET_SECRET = "get-secret",
   CREATE_SECRET = "create-secret",
   UPDATE_SECRET = "update-secret",
@@ -94,5 +96,8 @@ export enum EventType {
   GET_CERTIFICATE_TEMPLATE_EST_CONFIG = "get-certificate-template-est-config",
   UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config",
   GET_PROJECT_SLACK_CONFIG = "get-project-slack-config",
-  INTEGRATION_SYNCED = "integration-synced"
+  INTEGRATION_SYNCED = "integration-synced",
+  CREATE_SHARED_SECRET = "create-shared-secret",
+  DELETE_SHARED_SECRET = "delete-shared-secret",
+  READ_SHARED_SECRET = "read-shared-secret"
 }

frontend/src/hooks/api/auditLogs/types.tsx

@@ -50,7 +50,11 @@ export interface PlatformActor {
   metadata: object;
 }
 
-export type Actor = UserActor | ServiceActor | IdentityActor | PlatformActor;
+export interface UnknownUserActor {
+  type: ActorType.UNKNOWN_USER;
+}
+
+export type Actor = UserActor | ServiceActor | IdentityActor | PlatformActor | UnknownUserActor;
 
 interface GetSecretsEvent {
   type: EventType.GET_SECRETS;

frontend/src/hooks/api/auth/queries.tsx

@@ -2,6 +2,7 @@ import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 
 import SecurityClient from "@app/components/utilities/SecurityClient";
 import { apiRequest } from "@app/config/request";
+import { SessionStorageKeys } from "@app/const";
 
 import { organizationKeys } from "../organization/queries";
 import { setAuthToken } from "../reactQuery";
@@ -86,6 +87,21 @@ export const useSelectOrganization = () => {
         SecurityClient.setProviderAuthToken("");
       }
 
+      if (data.token && !data.isMfaEnabled) {
+        // We check if there is a pending callback after organization login success and redirect to it if valid
+        const loginRedirectInfo = sessionStorage.getItem(
+          SessionStorageKeys.ORG_LOGIN_SUCCESS_REDIRECT_URL
+        );
+        sessionStorage.removeItem(SessionStorageKeys.ORG_LOGIN_SUCCESS_REDIRECT_URL);
+
+        if (loginRedirectInfo) {
+          const { expiry, data: redirectUrl } = JSON.parse(loginRedirectInfo);
+          if (new Date() < new Date(expiry)) {
+            window.location.assign(redirectUrl);
+          }
+        }
+      }
+
       return data;
     },
     onSuccess: () => {

frontend/src/pages/organization/AuditLogsPage/components/LogsFilter.tsx

@@ -1,5 +1,5 @@
 /* eslint-disable no-nested-ternary */
-import { useEffect, useState } from "react";
+import { useState } from "react";
 import { Control, Controller, UseFormReset, UseFormSetValue, UseFormWatch } from "react-hook-form";
 import { faCaretDown, faCheckCircle, faFilterCircleXmark } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
@@ -49,7 +49,6 @@ export const LogsFilter = ({
   isOrgAuditLogs,
   className,
   control,
-  setValue,
   reset,
   watch
 }: Props) => {
@@ -63,12 +62,6 @@ export const LogsFilter = ({
 
   const { data, isPending } = useGetAuditLogActorFilterOpts(workspaces?.[0]?.id ?? "");
 
-  useEffect(() => {
-    if (workspacesInOrg.length) {
-      setValue("project", workspacesInOrg[0]);
-    }
-  }, [workspaces]);
-
   const renderActorSelectItem = (actor: Actor) => {
     switch (actor.type) {
       case ActorType.USER:
@@ -129,6 +122,7 @@ export const LogsFilter = ({
             >
               <FilterableSelect
                 value={value}
+                isClearable
                 onChange={onChange}
                 placeholder="Select a project..."
                 options={workspacesInOrg.map(({ name, id }) => ({ name, id }))}

frontend/src/pages/organization/AuditLogsPage/components/LogsTableRow.tsx

@@ -1,4 +1,7 @@
-import { Td, Tr } from "@app/components/v2";
+import { faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { Td, Tooltip, Tr } from "@app/components/v2";
 import { eventToNameMap, userAgentTTypeoNameMap } from "@app/hooks/api/auditLogs/constants";
 import { ActorType, EventType } from "@app/hooks/api/auditLogs/enums";
 import { Actor, AuditLog } from "@app/hooks/api/auditLogs/types";
@@ -37,6 +40,17 @@ export const LogsTableRow = ({ auditLog, isOrgAuditLogs, showActorColumn }: Prop
             <p>Machine Identity</p>
           </Td>
         );
+      case ActorType.UNKNOWN_USER:
+        return (
+          <Td>
+            <div className="flex items-center gap-2">
+              <p>Unknown User</p>
+              <Tooltip content="This action was performed by a user who was not authenticated at the time.">
+                <FontAwesomeIcon className="text-mineshaft-400" icon={faQuestionCircle} />
+              </Tooltip>
+            </div>
+          </Td>
+        );
       default:
         return <Td />;
     }

frontend/src/pages/public/ViewSharedSecretByIDPage/ViewSharedSecretByIDPage.tsx

@@ -1,10 +1,13 @@
-import { useState } from "react";
+import { useEffect, useState } from "react";
 import { Helmet } from "react-helmet";
 import { faArrowRight } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-import { useParams, useSearch } from "@tanstack/react-router";
+import { useNavigate, useParams, useSearch } from "@tanstack/react-router";
 import { AxiosError } from "axios";
+import { addSeconds, formatISO } from "date-fns";
 
+import { createNotification } from "@app/components/notifications";
+import { SessionStorageKeys } from "@app/const";
 import { ROUTE_PATHS } from "@app/const/routes";
 import { useGetActiveSharedSecretById } from "@app/hooks/api/secretSharing";
 
@@ -36,7 +39,6 @@ export const ViewSharedSecretByIDPage = () => {
     select: (el) => el.key
   });
   const [password, setPassword] = useState<string>();
-
   const { hashedHex, key } = extractDetailsFromUrl(urlEncodedKey);
 
   const {
@@ -50,10 +52,47 @@ export const ViewSharedSecretByIDPage = () => {
     password
   });
 
+  const navigate = useNavigate();
+
+  const isUnauthorized =
+    ((error as AxiosError)?.response?.data as { statusCode: number })?.statusCode === 401;
+
+  const isForbidden =
+    ((error as AxiosError)?.response?.data as { statusCode: number })?.statusCode === 403;
+
   const isInvalidCredential =
     ((error as AxiosError)?.response?.data as { message: string })?.message ===
     "Invalid credentials";
 
+  useEffect(() => {
+    if (isUnauthorized && !isInvalidCredential) {
+      // persist current URL in session storage so that we can come back to this after successful login
+      sessionStorage.setItem(
+        SessionStorageKeys.ORG_LOGIN_SUCCESS_REDIRECT_URL,
+        JSON.stringify({
+          expiry: formatISO(addSeconds(new Date(), 60)),
+          data: window.location.href
+        })
+      );
+
+      createNotification({
+        type: "info",
+        text: "Login is required in order to access the shared secret."
+      });
+
+      navigate({
+        to: "/login"
+      });
+    }
+
+    if (isForbidden) {
+      createNotification({
+        type: "error",
+        text: "You do not have access to this shared secret."
+      });
+    }
+  }, [error]);
+
   const shouldShowPasswordPrompt =
     isInvalidCredential || (fetchSecret?.isPasswordProtected && !fetchSecret.secret);
   const isValidatingPassword = Boolean(password) && isFetching;
@@ -111,7 +150,7 @@ export const ViewSharedSecretByIDPage = () => {
               {!error && fetchSecret?.secret && (
                 <SecretContainer secret={fetchSecret.secret} secretKey={key} />
               )}
-              {error && !isInvalidCredential && <SecretErrorContainer />}
+              {error && !isInvalidCredential && !isUnauthorized && <SecretErrorContainer />}
             </>
           )}
           <div className="m-auto my-8 flex w-full">

frontend/src/pages/public/ViewSharedSecretByIDPage/route.tsx

@@ -2,6 +2,8 @@ import { createFileRoute, stripSearchParams } from "@tanstack/react-router";
 import { zodValidator } from "@tanstack/zod-adapter";
 import { z } from "zod";
 
+import { authKeys, fetchAuthToken } from "@app/hooks/api/auth/queries";
+
 import { ViewSharedSecretByIDPage } from "./ViewSharedSecretByIDPage";
 
 const SharedSecretByIDPageQuerySchema = z.object({
@@ -9,9 +11,18 @@ const SharedSecretByIDPageQuerySchema = z.object({
 });
 
 export const Route = createFileRoute("/shared/secret/$secretId")({
-  component: ViewSharedSecretByIDPage,
   validateSearch: zodValidator(SharedSecretByIDPageQuerySchema),
+  component: ViewSharedSecretByIDPage,
   search: {
     middlewares: [stripSearchParams({ key: "" })]
+  },
+  beforeLoad: async ({ context }) => {
+    // we load the auth token because the view shared secret screen serves both public and authenticated users
+    await context.queryClient
+      .ensureQueryData({
+        queryKey: authKeys.getAuthToken,
+        queryFn: fetchAuthToken
+      })
+      .catch(() => undefined);
   }
 });