
fix: added organization id flag and prompt for non-browser login #43

Merged: victorvhs017 merged 2 commits into main from fix/organization-id-on-non-browser-login on Oct 23, 2025

@victorvhs017
Contributor

Description 📣

  • Added support for organization ID in the login command, allowing users to specify their organization during login.
  • Updated the cliDefaultLogin function to handle organization ID and modified related functions to accommodate this change.
  • Improved error handling and user prompts for multi-factor authentication (MFA) during the login process.
  • Introduced a new flag for organization ID in the command line interface.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

Tests 🛠️

  • Run the login command using the email, password, and organization-id flags and test the token.
  • Run the login command using the -i flag.

- Added support for organization ID in the login command, allowing users to specify their organization during login.
- Updated the `cliDefaultLogin` function to handle organization ID and modified related functions to accommodate this change.
- Improved error handling and user prompts for multi-factor authentication (MFA) during the login process.
- Introduced a new flag for organization ID in the command line interface.
@victorvhs017 victorvhs017 requested a review from varonix0 October 23, 2025 13:47
Contributor

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

This PR adds support for specifying organization ID during non-browser login via the --organization-id flag or INFISICAL_ORGANIZATION_ID environment variable.

Key changes:

  • Refactored cliDefaultLogin to accept and use organization ID parameter
  • Modified GetJwtTokenWithOrganizationId to skip interactive org selection when org ID is provided
  • Added new flag and environment variable for organization ID
  • Restructured authentication flow to support both V3 and SRP login paths

Critical issues found:

  • Users authenticating with SRP (fallback auth) without MFA will experience broken org selection due to missing token assignment
  • The validation logic incorrectly requires organization ID alongside email/password, breaking existing workflows where users select org interactively

Confidence Score: 2/5

  • This PR has critical logical errors that will break authentication for some users
  • Two critical bugs prevent successful authentication: (1) SRP auth without MFA fails to assign access token, causing empty token to be passed downstream, and (2) org ID is incorrectly required for direct login, breaking backward compatibility
  • packages/cmd/login.go requires immediate attention for token assignment and validation logic fixes

Important Files Changed

File Analysis

| Filename | Score | Overview |
|---|---|---|
| packages/cmd/login.go | 2/5 | Added organization ID support for non-browser login, but has critical bugs: missing token assignment for non-MFA SRP auth users, and incorrectly requires org ID flag for direct login validation |
| packages/util/constants.go | 5/5 | Added INFISICAL_ORGANIZATION_ID constant with proper formatting - safe change |

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant CLI
    participant LoginV3
    participant SRP
    participant MFA
    participant OrgAPI

    User->>CLI: login with email, password, org-id flags
    CLI->>LoginV3: getFreshUserCredentials()

    alt V3 Login Success
        LoginV3-->>CLI: Returns access token
        Note over CLI: Token stored in variable
    else V3 Login Fails
        CLI->>SRP: getFreshUserCredentialsWithSrp()
        SRP-->>CLI: loginTwoResponse with auth token
        Note over CLI: BUG: Token not assigned if MFA disabled

        alt MFA Enabled
            loop Up to 5 attempts
                CLI->>User: askForMFACode()
                User-->>CLI: MFA Code
                CLI->>MFA: CallVerifyMfaToken()
                alt MFA Valid
                    MFA-->>CLI: Returns verified token
                    Note over CLI: Token properly assigned
                else MFA Invalid/Expired
                    MFA-->>CLI: Error response
                end
            end
        else MFA Not Enabled
            Note over CLI: CRITICAL: Token variable remains empty!
        end
    end

    CLI->>OrgAPI: GetJwtTokenWithOrganizationId(token, email, orgId)

    alt Organization ID Provided
        OrgAPI->>OrgAPI: CallSelectOrganization(orgId)
    else No Organization ID
        OrgAPI->>OrgAPI: CallGetAllOrganizations()
        OrgAPI->>User: Prompt to select org
        User-->>OrgAPI: Selected org
        OrgAPI->>OrgAPI: CallSelectOrganization(selectedOrgId)
    end

    OrgAPI-->>CLI: Returns final JWT
    CLI->>CLI: Store credentials in keyring
```

2 files reviewed, 2 comments


- Updated the `cliDefaultLogin` function to ensure the organization ID access token is correctly assigned from the MFA response.
- This change improves the handling of tokens during the login process, enhancing overall functionality.
@victorvhs017
Contributor Author

@greptileai

Contributor

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

Added support for organization ID in non-browser login flow, allowing users to specify their organization via --organization-id flag or INFISICAL_ORGANIZATION_ID environment variable. The cliDefaultLogin and GetJwtTokenWithOrganizationId functions were updated to handle organization ID parameter, with interactive prompts shown only when organization ID is not provided.

Key changes:

  • Added --organization-id flag for user login method
  • Updated cliDefaultLogin to accept and pass organization ID parameter
  • Modified GetJwtTokenWithOrganizationId to skip organization selection prompt when ID is provided
  • Fixed token assignment issue where getOrganizationIdAccessToken is now properly set after SRP auth

Issues found:

  • organization-id still incorrectly treated as required in validateDirectUserLoginFlagsAndEnvsSet, blocking users who want to provide only email/password and select org interactively

Confidence Score: 2/5

  • PR has one critical logic issue that breaks the intended user experience
  • While the implementation correctly adds organization ID support and fixes the token assignment bug from previous comments, the validation logic still incorrectly treats organization-id as a required flag. This prevents the primary use case of users providing only email/password and selecting organization interactively, defeating the purpose of making organization ID optional
  • packages/cmd/login.go lines 981-985 require attention to fix the validation logic

Important Files Changed

File Analysis

| Filename | Score | Overview |
|---|---|---|
| packages/cmd/login.go | 2/5 | Added organization ID support for non-browser login, but previous issue about organization-id being required for direct login remains unaddressed |

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant CLI as Login Command
    participant Auth as Authentication
    participant Org as Organization Service

    User->>CLI: Invoke login with flags
    CLI->>CLI: Validate flags present

    alt All required flags set
        CLI->>CLI: Enable direct mode
    else Flags incomplete
        CLI->>User: Show error and exit
    end

    CLI->>Auth: Perform authentication

    alt V3 auth works
        Auth-->>CLI: Return JWT
    else V3 fails, use SRP
        Auth-->>CLI: Fallback to SRP

        alt User has MFA
            loop Up to 5 tries
                CLI->>User: Ask for MFA code
                User-->>CLI: Enter code
                CLI->>Auth: Verify code
                Auth-->>CLI: Return result
            end
        end
    end

    CLI->>Org: Get organization JWT

    alt Org ID provided
        Org->>Org: Skip selection
    else No Org ID
        Org->>Org: List organizations
        Org->>User: Show selection prompt
        User-->>Org: Choose organization
    end

    Org->>Org: Call select API

    alt Org has MFA
        loop Up to 5 tries
            Org->>User: Ask for MFA code
            User-->>Org: Enter code
            Org->>Auth: Verify code
        end
    end

    Org-->>CLI: Return final JWT
    CLI->>User: Success message
```

1 file reviewed, 1 comment
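
The two defects raised in the reviews above (an empty token on the SRP path when MFA is off, and organization ID being treated as required for direct login), sketched as an added example that is not taken from packages/cmd/login.go. The names `srpResult`, `resolveToken`, `validateDirectLogin` and the `verifyMfa` callback are hypothetical, and the sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// srpResult is a hypothetical stand-in for the SRP fallback login response.
type srpResult struct {
	Token      string
	MfaEnabled bool
}

// resolveToken picks the token handed to organization selection; verifyMfa is a hypothetical callback.
func resolveToken(v3Token string, srp *srpResult, verifyMfa func() (string, error)) (string, error) {
	token := v3Token
	if token == "" && srp != nil {
		// Assign the SRP token up front so the non-MFA path is never left empty.
		token = srp.Token
		if srp.MfaEnabled {
			verified, err := verifyMfa()
			if err != nil {
				return "", err
			}
			token = verified
		}
	}
	if token == "" { // fail closed instead of passing an empty token downstream
		return "", errors.New("no access token obtained")
	}
	return token, nil
}

// validateDirectLogin reports whether direct (flag/env driven) login was requested.
func validateDirectLogin(email, password, orgID string) (bool, error) {
	switch {
	case email == "" && password == "":
		return false, nil // nothing supplied: interactive login
	case email == "" || password == "":
		return false, errors.New("email and password must be provided together")
	}
	// orgID is deliberately not checked: empty means the user picks an organization later.
	return true, nil
}

func main() {
	tok, err := resolveToken("", &srpResult{Token: "constructed-srp-token"}, nil)
	direct, verr := validateDirectLogin("user@example.com", "constructed-password", "")
	fmt.Println(tok, err, direct, verr)
}
```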


@victorvhs017 victorvhs017 merged commit eec4f13 into main Oct 23, 2025
4 checks passed