feat: srp removal #4270
🎉 Snyk checks have passed. No issues have been found so far. ✅ security/snyk check is complete. No issues have been found.
Greptile Summary
This PR implements a major architectural shift to remove SRP (Secure Remote Password) authentication from Infisical while maintaining backward compatibility. The changes introduce a new simplified authentication flow (LoginV3) that uses direct email/password verification instead of the complex SRP protocol, while keeping SRP as a fallback for existing users.
Key changes include:
• Authentication Modernization: The frontend and CLI now use a new LoginV3 endpoint that performs server-side password verification, eliminating the need for complex client-side cryptographic operations. When this fails with a 'LegacyEncryptionScheme' error, the system gracefully falls back to SRP authentication.
• Database Schema Changes: User encryption key fields (publicKey, encryptedPrivateKey, iv, tag, salt, verifier) are now nullable through migration 20250723220500_remove-srp.ts, allowing new users to exist without SRP-specific encryption keys while preserving legacy users' data.
• Frontend Simplification: The signup and password management flows have been dramatically simplified, removing complex cryptographic operations including key pair generation, Argon2 key derivation, and AES-256-GCM encryption. Private keys are no longer stored in localStorage or managed on the frontend.
• Project Key Sharing Removal: New projects (V3+) no longer use the legacy ghost user and project key sharing mechanism. The system now skips complex key distribution for newer projects while maintaining backward compatibility for V1/V2 legacy projects.
• API Schema Updates: Response schemas across multiple endpoints have been updated to make publicKey and other encryption-related fields nullable/optional, reflecting the new architecture where these fields may not exist for new users.
• Service Layer Refactoring: Dependencies on projectBotDAL, projectKeyDAL, and complex encryption services have been removed from various service factories, while defensive null checks have been added throughout the codebase to handle the new nullable encryption fields.
The changes maintain full backward compatibility by preserving all existing data and keeping SRP login functionality intact, ensuring no users are locked out during this transition.
Confidence score: 2/5
• This PR introduces significant breaking changes and type inconsistencies that could cause runtime failures
• Multiple files have type mismatches where nullable fields are still expected to be non-null in the implementation
• The removal of critical utility functions like saveTokenToLocalStorage and fetchMyPrivateKey without updating all dependent code creates potential runtime errors
68 files reviewed, 16 comments
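The fallback the summary above describes, as an added sketch that is not code from this PR or from Infisical: the client tries the new flow and uses SRP only when the server answers with the explicit 'LegacyEncryptionScheme' error. Only that error name comes from the page; the function names, result shapes, the "InvalidCredentials" string and the in-memory server stand-ins are assumptions, and the calls are synchronous here for brevity.

```typescript
// Added illustration, not Infisical's code. Only the error name
// 'LegacyEncryptionScheme' comes from the PR summary; all other names are hypothetical.
type Reply = { token: string } | { error: string };
type Attempt = (email: string, password: string) => Reply;
type Outcome = { ok: boolean; via: "v3" | "srp" | "none"; detail: string };

const LEGACY = "LegacyEncryptionScheme";

// Try the new flow first; use SRP only when the server says the account is legacy.
// Any other failure (bad password, rate limit, outage) is returned as-is, so a
// failed V3 attempt never silently becomes a second attempt on the SRP path.
function loginWithFallback(v3: Attempt, srp: Attempt, email: string, password: string): Outcome {
  const first = v3(email, password);
  if ("token" in first) return { ok: true, via: "v3", detail: first.token };
  if (first.error !== LEGACY) return { ok: false, via: "none", detail: first.error };
  const second = srp(email, password);
  if ("token" in second) return { ok: true, via: "srp", detail: second.token };
  return { ok: false, via: "none", detail: second.error };
}

// Constructed in-memory stand-in for the server: one new-style and one legacy account.
type Account = { legacy: boolean; password: string };
const accounts: Record<string, Account> = {
  "new@example.com": { legacy: false, password: "pw-new" },
  "old@example.com": { legacy: true, password: "pw-old" },
};
const srpCalls: string[] = []; // records every time the SRP path is exercised

const fakeV3: Attempt = (email, password) => {
  const a: Account | undefined = accounts[email];
  if (a && a.legacy) return { error: LEGACY };
  if (!a || a.password !== password) return { error: "InvalidCredentials" };
  return { token: "v3-token" };
};
const fakeSrp: Attempt = (email, password) => {
  srpCalls.push(email);
  const a: Account | undefined = accounts[email];
  // A real SRP exchange never sends the password; this stub only models the outcome.
  if (!a || !a.legacy || a.password !== password) return { error: "InvalidCredentials" };
  return { token: "srp-token" };
};
```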
Description 📣
This long-awaited PR fully removes SRP usage! We are keeping the SRP functionality for logging in, so older users can keep using Infisical.
CLI PR: Infisical/cli#6
a. Things will keep working for existing legacy projects because we keep the project keys; we aren't removing any data.
Type ✨