feat(relay): add resource auth enrollment for relays #237
Claude / Claude Code Review
completed
May 18, 2026 in 13m 10s
Code review found 1 important issue
Found 7 candidates, confirmed 6. See review comments for details.
Details
| Severity | Count |
|---|---|
| 🔴 Important | 1 |
| 🟡 Nit | 1 |
| 🟣 Pre-existing | 0 |

| Severity | File:Line | Issue |
|---|---|---|
| 🔴 Important | packages/cmd/relay.go:125-129 | Token re-enrollment ignores stored domain |
| 🟡 Nit | packages/cmd/relay.go:44-51 | Invalid --enroll-method value silently falls through |
Annotations
Check failure on line 129 in packages/cmd/relay.go
claude / Claude Code Review
Token re-enrollment ignores stored domain
The token-enrollment path at lines 125-129 only honors `--domain` from the flag and does not fall back to `LoadStoredDomain` the way the AWS path at lines 75-80 does. As a result, a self-hosted user who initially enrolled with `--domain=https://corp.infisical.io` and later re-runs with a new enrollment token but no `--domain` will hit the default `https://app.infisical.com` at `CallRelayLogin` (line 137) and get a confusing `enrollment failed` error against the wrong backend. Fix: mirror the AWS
Check warning on line 51 in packages/cmd/relay.go
claude / Claude Code Review
Invalid --enroll-method value silently falls through
Invalid `--enroll-method` values (e.g. a typo like `tokn`) silently bypass the host requirement at line 50, skip both enrollment branches, and fall through to the legacy machine-identity path, where the user sees a cryptic `no access token found` error far from the actual mistake. Since the flag help advertises `[token, aws]`, consider validating that a non-empty value is one of those two and erroring out early with a clear message.
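The two findings above, sketched as an added example (not code from the PR or from the project): an early check of the `--enroll-method` value and a domain lookup that prefers the flag, then the stored domain, then the default. The function names `validateEnrollMethod` and `resolveDomain`, the `loadStored` callback standing in for `LoadStoredDomain`, and the precedence order are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// defaultDomain is the default backend named in the review comment.
const defaultDomain = "https://app.infisical.com"

// validateEnrollMethod (hypothetical helper) rejects any non-empty value other
// than the two the flag help advertises. Empty means the flag was not set.
func validateEnrollMethod(method string) error {
	switch method {
	case "", "token", "aws":
		return nil
	default:
		return fmt.Errorf("invalid --enroll-method %q: must be one of [token, aws]", method)
	}
}

// resolveDomain (hypothetical helper) applies the assumed precedence
// flag > stored domain > default. loadStored stands in for LoadStoredDomain,
// whose real signature is not shown on the page.
func resolveDomain(flagDomain string, loadStored func() (string, error)) string {
	if d := strings.TrimSpace(flagDomain); d != "" {
		return d
	}
	if stored, err := loadStored(); err == nil && strings.TrimSpace(stored) != "" {
		return strings.TrimSpace(stored)
	}
	return defaultDomain
}

func main() {
	// Constructed inputs: one host with a stored domain, one without.
	stored := func() (string, error) { return "https://corp.infisical.io", nil }
	none := func() (string, error) { return "", errors.New("no stored domain") }

	fmt.Println(validateEnrollMethod("tokn"))   // typo is rejected up front
	fmt.Println(resolveDomain("", stored))      // re-enrollment keeps the self-hosted domain
	fmt.Println(resolveDomain("", none))        // first enrollment uses the default
	fmt.Println(resolveDomain("https://x.example", stored)) // explicit flag wins
}
```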