nestjs-infisical 2.0.0 → 2.2.0

package/dist/infisical.auth.d.ts

@@ -0,0 +1,5 @@
+export declare function fetchUniversalAuthToken(options: {
+    baseUrl: string;
+    clientId: string;
+    clientSecret: string;
+}): Promise<string>;

package/dist/infisical.auth.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchUniversalAuthToken = fetchUniversalAuthToken;
+async function fetchUniversalAuthToken(options) {
+    const response = await fetch(`${options.baseUrl}/api/v1/auth/universal-auth/login`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+        },
+        body: JSON.stringify({
+            clientId: options.clientId,
+            clientSecret: options.clientSecret,
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Infisical Universal Auth failed (${response.status}): ${text}`);
+    }
+    const json = (await response.json());
+    if (!json.accessToken) {
+        throw new Error('Infisical Universal Auth response missing accessToken');
+    }
+    return json.accessToken;
+}

package/dist/infisical.http.d.ts

@@ -1,6 +1,6 @@
 export declare function fetchInfisicalSecrets(options: {
     baseUrl: string;
-    token: string;
+    accessToken: string;
     projectId: string;
     environment: string;
     debug?: boolean;

package/dist/infisical.http.js

@@ -7,13 +7,13 @@ async function fetchInfisicalSecrets(options) {
     const timeout = setTimeout(() => controller.abort(), 5000);
     try {
         (0, infisical_logger_1.debugLog)(options.debug, 'Calling Infisical HTTP API');
-        const url = new URL(`${options.baseUrl}/api/v3/secrets/raw`);
+        const url = new URL(`${options.baseUrl}/api/v4/secrets`);
         url.searchParams.set('projectId', options.projectId);
         url.searchParams.set('environment', options.environment);
         const response = await fetch(url.toString(), {
             method: 'GET',
             headers: {
-                Authorization: `Bearer ${options.token}`,
+                Authorization: `Bearer ${options.accessToken}`,
                 Accept: 'application/json',
             },
             signal: controller.signal,

package/dist/infisical.types.d.ts

@@ -2,6 +2,8 @@ import { DotenvConfigOptions } from 'dotenv';
 export interface InfisicalOptions {
     baseUrl?: string;
     token?: string;
+    clientId?: string;
+    clientSecret?: string;
     projectId?: string;
     environment?: string;
     dotenv?: DotenvConfigOptions | false;

package/dist/load-infisical.js

@@ -6,11 +6,12 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.loadInfisical = loadInfisical;
 const dotenv_1 = __importDefault(require("dotenv"));
 const infisical_http_1 = require("./infisical.http");
+const infisical_auth_1 = require("./infisical.auth");
 const infisical_logger_1 = require("./infisical.logger");
 const LOG_PREFIX = '[nestjs-infisical]';
 async function loadInfisical(options = {}) {
     const { dotenv: dotenvOptions, override = true, failFast = true, debug = false, } = options;
-    // 1️⃣ Load dotenv FIRST
+    // 1️⃣ dotenv first
     if (dotenvOptions !== false) {
         (0, infisical_logger_1.debugLog)(debug, 'Loading dotenv configuration');
         dotenv_1.default.config(dotenvOptions);
@@ -21,30 +22,50 @@ async function loadInfisical(options = {}) {
             process.env.INFISICAL_BASE_URL ??
             'https://app.infisical.com',
         token: options.token ?? process.env.INFISICAL_TOKEN,
+        clientId: options.clientId ?? process.env.INFISICAL_CLIENT_ID,
+        clientSecret: options.clientSecret ??
+            process.env.INFISICAL_CLIENT_SECRET,
         projectId: options.projectId ?? process.env.INFISICAL_PROJECT_ID,
-        environment: options.environment ?? process.env.INFISICAL_ENVIRONMENT,
+        environment: options.environment ??
+            process.env.INFISICAL_ENVIRONMENT,
     };
     const providedCount = Object.values(resolved).filter(Boolean).length;
     (0, infisical_logger_1.debugLog)(debug, `Infisical config resolved: ${providedCount === 0
         ? 'none'
-        : providedCount === 4
+        : providedCount >= 4
             ? 'complete'
             : 'partial'}`);
-    // 3️⃣ No config → silently skip
     if (providedCount === 0) {
         (0, infisical_logger_1.debugLog)(debug, 'No Infisical configuration provided. Skipping.');
         return;
     }
-    // 4️⃣ Partial config → warn & skip
-    if (providedCount !== 4) {
-        console.warn(`${LOG_PREFIX} Partial Infisical configuration detected. Secrets will not be loaded.`);
+    if (!resolved.projectId || !resolved.environment) {
+        console.warn(`${LOG_PREFIX} Missing projectId or environment. Secrets will not be loaded.`);
         return;
     }
     try {
-        (0, infisical_logger_1.debugLog)(debug, 'Fetching Infisical secrets');
+        // 3️⃣ Resolve authentication
+        let accessToken;
+        if (resolved.token) {
+            (0, infisical_logger_1.debugLog)(debug, 'Using Infisical service token');
+            accessToken = resolved.token.trim();
+        }
+        else if (resolved.clientId && resolved.clientSecret) {
+            (0, infisical_logger_1.debugLog)(debug, 'Using Infisical Universal Authentication');
+            accessToken = await (0, infisical_auth_1.fetchUniversalAuthToken)({
+                baseUrl: resolved.baseUrl,
+                clientId: resolved.clientId,
+                clientSecret: resolved.clientSecret,
+            });
+        }
+        else {
+            console.warn(`${LOG_PREFIX} No valid Infisical authentication provided. Skipping.`);
+            return;
+        }
+        // 4️⃣ Fetch secrets
         const secrets = await (0, infisical_http_1.fetchInfisicalSecrets)({
             baseUrl: resolved.baseUrl,
-            token: resolved.token.trim(),
+            accessToken,
             projectId: resolved.projectId,
             environment: resolved.environment,
             debug,

package/package.json

@@ -1,28 +1,30 @@
 {
   "name": "nestjs-infisical",
-  "version": "2.0.0",
-  "description": "CLI-free Infisical HTTP integration for NestJS",
+  "version": "2.2.0",
+  "description": "CLI-free Infisical secrets loader for NestJS that fetches secrets via the HTTP API before application bootstrap and injects them into process.env.",
   "license": "MIT",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "files": [
     "dist"
   ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/kgoel085/nest-js-infisical-module"
+  },
+  "homepage": "https://github.com/kgoel085/nest-js-infisical-module#readme",
+  "bugs": {
+    "url": "https://github.com/kgoel085/nest-js-infisical-module/issues"
+  },
   "scripts": {
     "build": "tsc",
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "dotenv": "^16.4.5",
-    "typescript": "^5.9.3"
+    "dotenv": "^16.4.5"
   },
   "peerDependencies": {
-    "@nestjs/common": ">=9.0.0"
-  },
-  "peerDependenciesMeta": {
-    "@nestjs/common": {
-      "optional": false
-    }
+    "@nestjs/common": "^9.0.0 || ^10.0.0 || ^11.0.0"
   },
   "engines": {
     "node": ">=18"
@@ -31,14 +33,22 @@
     "access": "public"
   },
   "devDependencies": {
+    "typescript": "^5.9.3",
     "@types/node": "^25.0.3"
   },
   "keywords": [
     "nestjs",
     "infisical",
     "secrets",
+    "secret-management",
+    "environment-variables",
     "configuration",
+    "config",
     "dotenv",
-    "http"
+    "http",
+    "ci-cd",
+    "bootstrap",
+    "nodejs",
+    "typescript"
   ]
 }

package/readme.md

@@ -1,65 +1,96 @@
 # nestjs-infisical
 
-CLI-free Infisical secrets loader for NestJS applications.
+CLI-free Infisical secrets loader for NestJS.
 
-This package loads secrets from Infisical **before** your NestJS application boots,
-injects them into `process.env`, and then hands control back to NestJS.
-It is intentionally boring, deterministic, and production-safe.
+Loads secrets from Infisical via the HTTP API **before application bootstrap**,
+injects them into `process.env`, and works seamlessly with `@nestjs/config`.
 
----
+![npm](https://img.shields.io/npm/v/nestjs-infisical)
+![node](https://img.shields.io/node/v/nestjs-infisical)
+![license](https://img.shields.io/npm/l/nestjs-infisical)
 
-## Why this package exists
 
-Earlier versions attempted to integrate Infisical directly inside NestJS modules.
-While technically possible, this approach is **not deterministic** because:
+---
 
-- NestJS does not guarantee global ordering of module side-effects
-- Async work inside modules can interleave with bootstrap
-- Debugging startup order becomes extremely difficult
+## Why nestjs-infisical exists
 
 Secrets loading is **global, side-effectful, and order-sensitive**.
-The correct place for it is **before NestJS starts**.
 
-This package now follows the same pattern used by:
-- AWS Parameter Store loaders
-- Vault integrations
-- Remote config systems
-- Feature flag bootstrappers
+Running Infisical logic inside NestJS modules, providers, or lifecycle hooks leads to:
+- Non-deterministic startup order
+- Race conditions between modules
+- Hard-to-debug configuration issues
+
+`nestjs-infisical` follows the same approach used by mature infrastructure tooling:
+**load secrets before the framework starts**.
+
+This guarantees predictable startup behavior across:
+- Local development
+- Docker
+- CI/CD
+- Production environments
 
 ---
 
-## Architecture (Current)
+## Architecture (pre-bootstrap loader)
 
 Startup flow:
 
 1. Optional dotenv load
-2. Infisical HTTP API call
-3. Inject secrets into `process.env`
-4. NestJS application bootstrap
-5. `@nestjs/config` reads from `process.env`
+2. Resolve configuration (options → environment variables)
+3. Authenticate with Infisical
+4. Fetch secrets via Infisical HTTP API
+5. Inject secrets into `process.env`
+6. Bootstrap NestJS
+7. `@nestjs/config` reads from `process.env`
 
 Diagram:
 
-dotenv → Infisical HTTP API → process.env → NestJS → ConfigModule
+dotenv → Infisical Auth → Infisical HTTP API → process.env → NestJS → ConfigModule
 
 ---
 
-## What changed from v1 to v2
+## Authentication modes
+
+This package supports **two Infisical authentication methods**.
+
+### Recommended: Universal Authentication
 
-### Old approach (v1 – deprecated)
+Uses a short-lived access token generated from a client ID and client secret.
 
-- Dynamic NestJS module
-- Async logic inside providers
-- Relied on NestJS lifecycle ordering
-- Hard to debug, non-deterministic
+Best suited for:
+- Production
+- CI/CD pipelines
+- Docker / Kubernetes
+- Machine-to-machine access
 
-### New approach (v2 – current)
+Environment variables:
 
-- Explicit async loader
-- Called from `main.ts`
-- Fully deterministic
-- No NestJS lifecycle coupling
-- Easier to reason about and debug
+INFISICAL_CLIENT_ID  
+INFISICAL_CLIENT_SECRET  
+
+---
+
+### Service / Personal Token (supported)
+
+Uses a long-lived Infisical token.
+
+Best suited for:
+- Local development
+- Prototyping
+- Backward compatibility
+
+Environment variable:
+
+INFISICAL_TOKEN  
+
+---
+
+### Authentication priority
+
+If both authentication methods are provided:
+- Service token is used
+- A warning is logged
 
 ---
 
@@ -69,13 +100,12 @@ dotenv → Infisical HTTP API → process.env → NestJS → ConfigModule
 npm install nestjs-infisical
 ```
 
-Node.js version requirement:
-
-- Node 18 or newer
+Requirements:
+- Node.js 18 or newer
 
 ---
 
-## Basic usage (recommended)
+## Usage (recommended)
 
 ### main.ts
 
@@ -108,27 +138,34 @@ Configuration is resolved in this order:
 2. Explicit options passed to `loadInfisical`
 3. Environment variables (`process.env`)
 
-Required environment variables:
+Required configuration:
 
-- `INFISICAL_BASE_URL` (optional, defaults to Infisical Cloud)
-- `INFISICAL_TOKEN`
-- `INFISICAL_PROJECT_ID`
-- `INFISICAL_ENVIRONMENT`
+INFISICAL_PROJECT_ID  
+INFISICAL_ENVIRONMENT  
+
+Authentication (choose one):
+
+INFISICAL_TOKEN  
+or  
+INFISICAL_CLIENT_ID + INFISICAL_CLIENT_SECRET  
+
+Optional:
+
+INFISICAL_BASE_URL (defaults to Infisical Cloud)
 
 ---
 
 ## Zero-config usage
 
-If all configuration is present in `.env`:
+If everything is defined in `.env`:
 
-```
-INFISICAL_TOKEN=xxx
-INFISICAL_PROJECT_ID=yyy
+```env
+INFISICAL_CLIENT_ID=xxx
+INFISICAL_CLIENT_SECRET=yyy
+INFISICAL_PROJECT_ID=zzz
 INFISICAL_ENVIRONMENT=dev
 ```
 
-You can simply call:
-
 ```ts
 await loadInfisical();
 ```
@@ -144,7 +181,7 @@ await loadInfisical({
 });
 ```
 
-Missing values are automatically read from `process.env`.
+Missing values are automatically resolved from `process.env`.
 
 ---
 
@@ -160,46 +197,52 @@ await loadInfisical({
 
 ## Failure behavior
 
-- `failFast: true` (default)
-  - Application crashes if Infisical fails
-- `failFast: false`
-  - Logs warning and continues without secrets
+- **failFast: true** (default)  
+  Application startup fails if Infisical cannot be reached
+
+- **failFast: false**  
+  Logs a warning and continues without secrets
+
+---
+
+## Compatibility with @nestjs/config
+
+Because secrets are loaded **before NestJS starts**,
+`@nestjs/config` works automatically with no special integration.
+
+```ts
+ConfigModule.forRoot({
+  isGlobal: true
+});
+```
 
 ---
 
 ## What this package does NOT do
 
 - No Infisical CLI usage
-- No secret rotation
+- No token rotation or refresh
 - No background polling
 - No caching
 - No retries
-- No NestJS module mutation
+- No NestJS lifecycle hooks
 - No decorators
 - No health checks
 
 ---
 
-## Compatibility with @nestjs/config
-
-Because secrets are loaded **before** NestJS starts,
-`@nestjs/config` works automatically without any integration.
-
-```ts
-ConfigModule.forRoot({
-  isGlobal: true
-});
-```
+## Versioning note
 
-All secrets are already present in `process.env`.
+v2.x introduces a **pre-bootstrap loader architecture**.
+If you were using a module-based approach, migrate by moving Infisical loading
+into `main.ts`.
 
 ---
 
-## Versioning note
+## Repository
 
-This architecture change is released as **v2.x**.
-If you were using the old module-based integration,
-migrate by moving Infisical loading to `main.ts`.
+GitHub:  
+https://github.com/kgoel085/nest-js-infisical-module
 
 ---