coder
diff --git a/‎Makefile
Lines changed: 2 additions & 1 deletion b/‎Makefile
Lines changed: 2 additions & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 5 additions & 2 deletions b/‎agent/agent.go
Lines changed: 5 additions & 2 deletions
diff --git a/‎agent/agent_test.go
Lines changed: 5 additions & 5 deletions b/‎agent/agent_test.go
Lines changed: 5 additions & 5 deletions
diff --git a/‎cli/deployment/config.go
Lines changed: 13 additions & 1 deletion b/‎cli/deployment/config.go
Lines changed: 13 additions & 1 deletion
diff --git a/‎cli/ssh.go
Lines changed: 2 additions & 2 deletions b/‎cli/ssh.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 18 additions & 2 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 18 additions & 2 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apikey.go
Lines changed: 7 additions & 2 deletions b/‎coderd/apikey.go
Lines changed: 7 additions & 2 deletions
diff --git a/‎coderd/apikey_test.go
Lines changed: 57 additions & 0 deletions b/‎coderd/apikey_test.go
Lines changed: 57 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 18 additions & 13 deletions b/‎coderd/coderd.go
Lines changed: 18 additions & 13 deletions
@@ -610,7 +610,8 @@ test-postgres-docker:
 		-c max_connections=1000 \
 		-c fsync=off \
 		-c synchronous_commit=off \
-		-c full_page_writes=off
+		-c full_page_writes=off \
+		-c log_statement=all
 	while ! pg_isready -h 127.0.0.1
 	do
 		echo "$(date) - waiting for database to start"
 
@@ -268,10 +268,13 @@ func (a *agent) run(ctx context.Context) error {
 
 		scriptDone := make(chan error, 1)
 		scriptStart := time.Now()
-		go func() {
+		err := a.trackConnGoroutine(func() {
 			defer close(scriptDone)
 			scriptDone <- a.runStartupScript(ctx, metadata.StartupScript)
-		}()
+		})
+		if err != nil {
+			return xerrors.Errorf("track startup script: %w", err)
+		}
 		go func() {
 			var timeout <-chan time.Time
 			// If timeout is zero, an older version of the coder
 
@@ -305,7 +305,7 @@ func TestAgent_TCPLocalForwarding(t *testing.T) {
 		}
 	}()
 
-	cmd := setupSSHCommand(t, []string{"-L", fmt.Sprintf("%d:127.0.0.1:%d", randomPort, remotePort)}, []string{"sleep", "10"})
+	cmd := setupSSHCommand(t, []string{"-L", fmt.Sprintf("%d:127.0.0.1:%d", randomPort, remotePort)}, []string{"sleep", "5"})
 	err = cmd.Start()
 	require.NoError(t, err)
 
@@ -372,7 +372,7 @@ func TestAgent_TCPRemoteForwarding(t *testing.T) {
 		}
 	}()
 
-	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("127.0.0.1:%d:127.0.0.1:%d", randomPort, localPort)}, []string{"sleep", "10"})
+	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("127.0.0.1:%d:127.0.0.1:%d", randomPort, localPort)}, []string{"sleep", "5"})
 	err = cmd.Start()
 	require.NoError(t, err)
 
@@ -437,7 +437,7 @@ func TestAgent_UnixLocalForwarding(t *testing.T) {
 		}
 	}()
 
-	cmd := setupSSHCommand(t, []string{"-L", fmt.Sprintf("%s:%s", localSocketPath, remoteSocketPath)}, []string{"sleep", "10"})
+	cmd := setupSSHCommand(t, []string{"-L", fmt.Sprintf("%s:%s", localSocketPath, remoteSocketPath)}, []string{"sleep", "5"})
 	err = cmd.Start()
 	require.NoError(t, err)
 
@@ -495,7 +495,7 @@ func TestAgent_UnixRemoteForwarding(t *testing.T) {
 		}
 	}()
 
-	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("%s:%s", remoteSocketPath, localSocketPath)}, []string{"sleep", "10"})
+	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("%s:%s", remoteSocketPath, localSocketPath)}, []string{"sleep", "5"})
 	err = cmd.Start()
 	require.NoError(t, err)
 
@@ -703,7 +703,7 @@ func TestAgent_Lifecycle(t *testing.T) {
 		t.Parallel()
 
 		_, client, _, _ := setupAgent(t, agentsdk.Metadata{
-			StartupScript:        "sleep 10",
+			StartupScript:        "sleep 5",
 			StartupScriptTimeout: time.Nanosecond,
 		}, 0)
 
 
@@ -486,7 +486,7 @@ func newConfig() *codersdk.DeploymentConfig {
 		},
 		MaxTokenLifetime: &codersdk.DeploymentConfigField[time.Duration]{
 			Name:    "Max Token Lifetime",
-			Usage:   "The maximum lifetime duration for any user creating a token.",
+			Usage:   "The maximum lifetime duration users can specify when creating an API token.",
 			Flag:    "max-token-lifetime",
 			Default: 24 * 30 * time.Hour,
 		},
@@ -538,6 +538,18 @@ func newConfig() *codersdk.DeploymentConfig {
 			Flag:    "disable-path-apps",
 			Default: false,
 		},
+		SessionDuration: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Session Duration",
+			Usage:   "The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.",
+			Flag:    "session-duration",
+			Default: 24 * time.Hour,
+		},
+		DisableSessionExpiryRefresh: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Disable Session Expiry Refresh",
+			Usage:   "Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.",
+			Flag:    "disable-session-expiry-refresh",
+			Default: false,
+		},
 		DisablePasswordAuth: &codersdk.DeploymentConfigField[bool]{
 			Name:    "Disable Password Authentication",
 			Usage:   "Disable password authentication. This is recommended for security purposes in production deployments that rely on an identity provider. Any user with the owner role will be able to sign in with their password regardless of this setting to avoid potential lock out. If you are locked out of your account, you can use the `coder server create-admin` command to create a new admin user directly in the database.",
 
@@ -458,7 +458,7 @@ func uploadGPGKeys(ctx context.Context, sshClient *gossh.Client) error {
 	//
 	// Note: we sleep after killing the agent because it doesn't always die
 	//       immediately.
-	agentSocketBytes, err := runRemoteSSH(sshClient, nil, `
+	agentSocketBytes, err := runRemoteSSH(sshClient, nil, `sh -c '
 set -eux
 agent_socket=$(gpgconf --list-dir agent-socket)
 echo "$agent_socket"
@@ -470,7 +470,7 @@ if [ -S "$agent_socket" ]; then
 fi
 
 test ! -S "$agent_socket"
-`)
+'`)
 	agentSocket := strings.TrimSpace(string(agentSocketBytes))
 	if err != nil {
 		return xerrors.Errorf("check if agent socket is running (check if %q exists): %w", agentSocket, err)
 
@@ -116,6 +116,13 @@ Flags:
                                                           security purposes if a
                                                           --wildcard-access-url is configured.
                                                           Consumes $CODER_DISABLE_PATH_APPS
+      --disable-session-expiry-refresh                    Disable automatic session expiry
+                                                          bumping due to activity. This forces
+                                                          all sessions to become invalid after
+                                                          the session expiry duration has been
+                                                          reached.
+                                                          Consumes
+                                                          $CODER_DISABLE_SESSION_EXPIRY_REFRESH
       --experiments strings                               Enable one or more experiments.
                                                           These are not ready for production.
                                                           Separate multiple experiments with
@@ -136,8 +143,9 @@ Flags:
       --log-stackdriver string                            Output Stackdriver compatible logs
                                                           to a given file.
                                                           Consumes $CODER_LOGGING_STACKDRIVER
-      --max-token-lifetime duration                       The maximum lifetime duration for
-                                                          any user creating a token.
+      --max-token-lifetime duration                       The maximum lifetime duration users
+                                                          can specify when creating an API
+                                                          token.
                                                           Consumes $CODER_MAX_TOKEN_LIFETIME
                                                           (default 720h0m0s)
       --oauth2-github-allow-everyone                      Allow all logins, setting this
@@ -259,6 +267,14 @@ Flags:
       --secure-auth-cookie                                Controls if the 'Secure' property is
                                                           set on browser session cookies.
                                                           Consumes $CODER_SECURE_AUTH_COOKIE
+      --session-duration duration                         The token expiry duration for
+                                                          browser sessions. Sessions may last
+                                                          longer if they are actively making
+                                                          requests, but this functionality can
+                                                          be disabled via
+                                                          --disable-session-expiry-refresh.
+                                                          Consumes $CODER_MAX_SESSION_EXPIRY
+                                                          (default 24h0m0s)
       --ssh-keygen-algorithm string                       The algorithm to use for generating
                                                           ssh keys. Accepted values are
                                                           "ed25519", "ecdsa", or "rsa4096".
 
@@ -288,14 +288,19 @@ func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*h
 	}
 	hashed := sha256.Sum256([]byte(keySecret))
 
-	// Default expires at to now+lifetime, or just 24hrs if not set
+	// Default expires at to now+lifetime, or use the configured value if not
+	// set.
 	if params.ExpiresAt.IsZero() {
 		if params.LifetimeSeconds != 0 {
 			params.ExpiresAt = database.Now().Add(time.Duration(params.LifetimeSeconds) * time.Second)
 		} else {
-			params.ExpiresAt = database.Now().Add(24 * time.Hour)
+			params.ExpiresAt = database.Now().Add(api.DeploymentConfig.SessionDuration.Value)
+			params.LifetimeSeconds = int64(api.DeploymentConfig.SessionDuration.Value.Seconds())
 		}
 	}
+	if params.LifetimeSeconds == 0 {
+		params.LifetimeSeconds = int64(time.Until(params.ExpiresAt).Seconds())
+	}
 
 	ip := net.ParseIP(params.RemoteAddr)
 	if ip == nil {
 
@@ -2,12 +2,17 @@ package coderd_test
 
 import (
 	"context"
+	"net/http"
+	"strings"
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbtestutil"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/testutil"
 )
@@ -109,6 +114,58 @@ func TestTokenMaxLifetime(t *testing.T) {
 	require.ErrorContains(t, err, "lifetime must be less")
 }
 
+func TestSessionExpiry(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	dc := coderdtest.DeploymentConfig(t)
+
+	db, pubsub := dbtestutil.NewDB(t)
+	adminClient := coderdtest.New(t, &coderdtest.Options{
+		DeploymentConfig: dc,
+		Database:         db,
+		Pubsub:           pubsub,
+	})
+	adminUser := coderdtest.CreateFirstUser(t, adminClient)
+
+	// This is a hack, but we need the admin account to have a long expiry
+	// otherwise the test will flake, so we only update the expiry config after
+	// the admin account has been created.
+	//
+	// We don't support updating the deployment config after startup, but for
+	// this test it works because we don't copy the value (and we use pointers).
+	dc.SessionDuration.Value = time.Second
+
+	userClient := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID)
+
+	// Find the session cookie, and ensure it has the correct expiry.
+	token := userClient.SessionToken()
+	apiKey, err := db.GetAPIKeyByID(ctx, strings.Split(token, "-")[0])
+	require.NoError(t, err)
+
+	require.EqualValues(t, dc.SessionDuration.Value.Seconds(), apiKey.LifetimeSeconds)
+	require.WithinDuration(t, apiKey.CreatedAt.Add(dc.SessionDuration.Value), apiKey.ExpiresAt, 2*time.Second)
+
+	// Update the session token to be expired so we can test that it is
+	// rejected for extra points.
+	err = db.UpdateAPIKeyByID(ctx, database.UpdateAPIKeyByIDParams{
+		ID:        apiKey.ID,
+		LastUsed:  apiKey.LastUsed,
+		ExpiresAt: database.Now().Add(-time.Hour),
+		IPAddress: apiKey.IPAddress,
+	})
+	require.NoError(t, err)
+
+	_, err = userClient.User(ctx, codersdk.Me)
+	require.Error(t, err)
+	var sdkErr *codersdk.Error
+	if assert.ErrorAs(t, err, &sdkErr) {
+		require.Equal(t, http.StatusUnauthorized, sdkErr.StatusCode())
+		require.Contains(t, sdkErr.Message, "session has expired")
+	}
+}
+
 func TestAPIKey(t *testing.T) {
 	t.Parallel()
 	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 
@@ -252,17 +252,19 @@ func New(options *Options) *API {
 	}
 
 	apiKeyMiddleware := httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
-		DB:              options.Database,
-		OAuth2Configs:   oauthConfigs,
-		RedirectToLogin: false,
-		Optional:        false,
+		DB:                          options.Database,
+		OAuth2Configs:               oauthConfigs,
+		RedirectToLogin:             false,
+		DisableSessionExpiryRefresh: options.DeploymentConfig.DisableSessionExpiryRefresh.Value,
+		Optional:                    false,
 	})
 	// Same as above but it redirects to the login page.
 	apiKeyMiddlewareRedirect := httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
-		DB:              options.Database,
-		OAuth2Configs:   oauthConfigs,
-		RedirectToLogin: true,
-		Optional:        false,
+		DB:                          options.Database,
+		OAuth2Configs:               oauthConfigs,
+		RedirectToLogin:             true,
+		DisableSessionExpiryRefresh: options.DeploymentConfig.DisableSessionExpiryRefresh.Value,
+		Optional:                    false,
 	})
 
 	// API rate limit middleware. The counter is local and not shared between
@@ -287,8 +289,9 @@ func New(options *Options) *API {
 				OAuth2Configs: oauthConfigs,
 				// The code handles the the case where the user is not
 				// authenticated automatically.
-				RedirectToLogin: false,
-				Optional:        true,
+				RedirectToLogin:             false,
+				DisableSessionExpiryRefresh: options.DeploymentConfig.DisableSessionExpiryRefresh.Value,
+				Optional:                    true,
 			}),
 			httpmw.ExtractUserParam(api.Database, false),
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
@@ -314,8 +317,9 @@ func New(options *Options) *API {
 				// Optional is true to allow for public apps. If an
 				// authorization check fails and the user is not authenticated,
 				// they will be redirected to the login page by the app handler.
-				RedirectToLogin: false,
-				Optional:        true,
+				RedirectToLogin:             false,
+				DisableSessionExpiryRefresh: options.DeploymentConfig.DisableSessionExpiryRefresh.Value,
+				Optional:                    true,
 			}),
 			// Redirect to the login page if the user tries to open an app with
 			// "me" as the username and they are not logged in.
@@ -675,7 +679,8 @@ type API struct {
 	WorkspaceClientCoordinateOverride atomic.Pointer[func(rw http.ResponseWriter) bool]
 	TailnetCoordinator                atomic.Pointer[tailnet.Coordinator]
 	QuotaCommitter                    atomic.Pointer[proto.QuotaCommitter]
-	HTTPAuth                          *HTTPAuthorizer
+
+	HTTPAuth *HTTPAuthorizer
 
 	// APIHandler serves "/api/v2"
 	APIHandler chi.Router