Skip to content

fix: Prevent intermittent “Missing project data key” errors under par… #4957

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: Prevent intermittent “Missing project data key” errors under par… #4957

wants to merge 2 commits into from
+49 −84

Conversation

@hemantmm
Copy link

@hemantmm hemantmm commented Nov 27, 2025

closes: #4611

Description 📣

This PR resolves an issue where Infisical occasionally fails to read projectId from the request payload during high-volume parallel requests. The backend attempted to access payload fields before properly validating the request body, causing undefined access and unexpected 400 responses.

Key Changes:

  • Added null and existence checks on the request payload before reading project-related fields.
  • Improved BadRequest responses with clear messaging when expected keys are missing.
  • Prevents transient undefined behaviour on concurrent/fast POST requests.

Type ✨

@maidul98
Copy link
Collaborator

maidul98 commented Nov 27, 2025
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Nov 27, 2025

Greptile Overview

Greptile Summary

This PR attempts to fix intermittent "Missing project data key" errors under parallel POST requests by adding manual validation checks for projectId and environment fields. However, the fix doesn't address the actual root cause.

Key Issues:

  • Redundant validation: The manual null checks (lines 417-429) are unnecessary because Zod schema validation already guarantees these required fields exist before the handler runs. If validation fails, Fastify returns 422 and the handler never executes.

  • Fragile parameter mapping: The refactored service call uses incorrect parameter names (path instead of secretPath, secretKey instead of secretName), which are accidentally "fixed" by spreading ...req.body afterward. This makes the code confusing and brittle - it only works because of the spread order.

  • Removed transformations: The schema changes removed important transformations from secretValue (trimming + preserving trailing newlines) and secretComment (trimming), which may cause behavior changes for existing clients.

  • Root cause unaddressed: The actual error "Missing project data key" is thrown from the KMS service (kms-service.ts:806) when project.kmsSecretManagerEncryptedDataKey is missing during concurrent access. This is a race condition in KMS key initialization, not a request validation issue. The manual checks in the router won't prevent this error.

What actually happened: The intermittent failures under parallel requests are likely due to concurrent KMS data key creation attempts, where the lock/wait mechanism in $getProjectSecretManagerKmsDataKey may not properly handle all edge cases. The fix appears to work coincidentally, not because of the validation checks.

Confidence Score: 2/5

  • This PR has significant issues with the implementation approach and may not actually fix the reported bug
  • The score reflects multiple concerns: (1) redundant validation that adds no value, (2) fragile parameter mapping that works accidentally due to object spread order, (3) removed transformations that may break existing behavior, and (4) most critically, the fix doesn't address the actual root cause (KMS race condition) described in the error message. The manual validation checks for projectId and environment cannot prevent the "Missing project data key" error which originates from the KMS service during concurrent data key initialization.
  • backend/src/server/routes/v4/secret-router.ts requires attention - the parameter mapping in the service call needs to be corrected, and the removed Zod transformations should be evaluated for impact on existing clients

Important Files Changed

File Analysis

Filename Score Overview
backend/src/server/routes/v4/secret-router.ts 2/5 Added redundant manual validation checks that don't address the root cause. The manual checks for projectId and environment (lines 417-429) are unnecessary since Zod schema already guarantees these required fields exist. The refactored service call uses object spread that accidentally "fixes" incorrect parameter names (secretKey/path vs secretName/secretPath), making the code fragile and confusing.

greptile-apps[bot]
greptile-apps bot reviewed Nov 27, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 file reviewed, 3 comments

Edit Code Review Agent Settings | Greptile

@hemantmm
fix: suggestion
2eb42c5 
Signed-off-by: Hemant M Mehta <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Infisical cannot read projectId from request payload

2 participants

@hemantmm @maidul98