
Coder tokens erase when session expired, token don't persist with lifetime flag #8169

Closed

Description

@francisco-mata

Hi there, are tokens tied to a specific session cookie? How can I create a persistent token, to log in as a user, without having an open session?

Follow these steps:

  1. Log in to Coder
    coder login URL

> Welcome to Coder, coder! You're authenticated.

  2. Create a token for ~6 years
    coder tokens create --lifetime 50000h

  3. Check tokens
    coder tokens list

ID          NAME           LAST USED             EXPIRES AT            CREATED AT
****     *****  0001-01-01T00:00:00Z  2029-03-06T03:32:19Z  2023-06-22T19:32:19Z

  4. Log out of Coder
    coder logout

  5. Log in again
    coder login --token **** URL

> Welcome to Coder, coder! You're authenticated.

  6. Log out again
    coder logout

  7. Log in again
    coder login --token **** URL

You are signed out or your session has expired. Please sign in again to continue.
Try logging in using 'coder login <url>'.

  8. Log in without a token, to create a new session
    coder login URL

  9. Check tokens
    coder tokens list

No tokens found.

ID  NAME  LAST USED  EXPIRES AT  CREATED AT

Activity

ericpaulsen (Member) commented on Jun 23, 2023

hi @francisco-mata - thank you for submitting this issue.

i've reproduced the behavior on our latest version, 0.24.1. it's unclear to me whether this is the intended behavior, or a bug. i'm following up with engineering and will reach out when I learn more.

update: i've confirmed with product that this is a bug.

added the s1 label (Bugs that break core workflows. Only humans may set this.) on Jun 23, 2023

francisco-mata (Author) commented on Jun 23, 2023

Thanks for the quick response @ericpaulsen. I'm glad to know it's a bug and not the intended behaviour.

Emyrk (Member) commented on Jun 26, 2023

The issue is that /logout deletes the API token being used:

    err := api.Database.DeleteAPIKeyByID(ctx, apiKey.ID)

We should not delete the token being used if the token was created via the token create command.

self-assigned this on Jun 26, 2023

Emyrk (Member) commented on Jun 26, 2023

What I will implement is /logout will fail with tokens. I will print a message to use coder token delete if the user tries to use /logout.

francisco-mata (Author) commented on Jun 26, 2023

@Emyrk but the token should survive a user logout, shouldn't it? If you create a token, it is because you want to log in as the user using the token instead of credentials. And this token will live until the lifetime duration expires or the user wants to delete the token. I don't see why it should fail if the user logs out, or why the token should be deleted if the user logs out.

spikecurtis (Contributor) commented on Jun 27, 2023

@Emyrk I suggest that instead, coder login --token should create a new session token with the usual session token semantics & expiry. We should not persist the token given on the command line as their session.

Emyrk (Member) commented on Jun 27, 2023

@spikecurtis would that not be a bit confusing?

This works because "token" is a global level flag.

coder/cli/root.go, lines 303 to 309 in 1406838:

    {
        Flag:        varToken,
        Env:         envSessionToken,
        Description: fmt.Sprintf("Specify an authentication token. For security reasons setting %s is preferred.", envSessionToken),
        Value:       clibase.StringOf(&r.token),
        Group:       globalGroup,
    },

So all commands allow the --token flag, which makes sense for one off commands. I don't think coder ls --token should create a new session.
I do see value in having a command to use a provided token. Would it not be confusing if coder login --token=<token> didn't use the provided token? I am guessing we would just use the token to make an api key rather than redirecting to the UI.

--

@francisco-mata

> @Emyrk but the token should survive to an user logout, don't they?

When you hit the /logout route, the server deletes that session token. It does this because it is the other half of /login.

What you are trying to do I believe, is have the cli delete the credentials on the local disk. I think we make another command for that, or add some flag to do a client-side "logout".

So basically /logout is the other half of /login. It should undo what /login does. If the token comes from token create, then /logout doesn't make sense. I think it would be better to throw an error than to do something potentially unexpected. For your use case, another command or flag can be implemented with documented behavior.

spikecurtis (Contributor) commented on Jun 28, 2023

> So all commands allow the --token flag, which makes sense for one off commands. I don't think coder ls --token should create a new session.
>
> I do see value in having a command to use a provided token. Would it not be confusing if coder login --token=<token> didn't use the provided token? I am guessing we would just use the token to make an api key rather than redirecting to the UI.

Yeah, I think it makes sense for --token to use that token for the command being invoked. We shouldn't be storing that token for later use.

In the case of coder login --token, we still use the token, during that command, to authenticate against the API, but then as you say, we generate a new token, and only the new token is persisted, in the same way we would if you logged in via the UI. So, you used the token to "login", but once you are logged in, it's a different, session token that gets persisted. When you "logout" the persisted token is invalidated, but the token you used on coder login is still valid.

This gives us the following properties:

  1. logout is the other half of login, and undoes it
  2. --token uses the token for the command being executed, but does not persist the token
added this to the ❓Sprint 2 milestone on Jun 28, 2023
added the must-do label (Issues that must be completed by the end of the Sprint. Or else. Only humans may set this.) on Jun 28, 2023

francisco-mata (Author) commented on Jun 28, 2023
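An added Go model (not Coder's own code) of the semantics proposed in this thread: `coder login --token` authenticates with the presented key but the CLI persists a freshly minted session key, so `/logout` only ever deletes a session key and refuses a long-lived token. `Store`, `Scope` and the `key-N` IDs are hypothetical stand-ins for the server's api_keys table.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Scope records how an API key was minted; it decides what /logout may delete.
type Scope int
const (
	ScopeSession Scope = iota // minted by a login (UI, or `coder login --token`)
	ScopeToken                // minted by `coder tokens create --lifetime ...`
)
type APIKey struct {
	ID, User  string
	Scope     Scope
	ExpiresAt time.Time
}
type Store struct { // hypothetical in-memory stand-in for the server's api_keys table
	keys map[string]*APIKey
	seq  int
}
func NewStore() *Store { return &Store{keys: map[string]*APIKey{}} }
func (s *Store) Mint(user string, scope Scope, lifetime time.Duration) *APIKey {
	s.seq++
	k := &APIKey{ID: fmt.Sprintf("key-%d", s.seq), User: user, Scope: scope, ExpiresAt: time.Now().Add(lifetime)}
	s.keys[k.ID] = k
	return k
}
// Login models `coder login --token`: the presented key only authenticates this request; the CLI persists the fresh session key.
func (s *Store) Login(presented string) (*APIKey, error) {
	k, ok := s.keys[presented]
	if !ok || time.Now().After(k.ExpiresAt) {
		return nil, errors.New("unauthorized")
	}
	return s.Mint(k.User, ScopeSession, 24*time.Hour), nil
}
// Logout models /logout: it only undoes a login, so it refuses to delete a long-lived token.
func (s *Store) Logout(presented string) error {
	k, ok := s.keys[presented]
	switch {
	case !ok:
		return errors.New("unauthorized")
	case k.Scope == ScopeToken:
		return errors.New("refusing to delete an API token; use `coder tokens delete`")
	}
	delete(s.keys, presented)
	return nil
}
```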

Sorry, I got a bit confused, just to get a clear idea. If I create a token with the command coder token create --lifetime 24h, it will be deleted only 24 hours after creation or if I manually run coder token delete. In all other cases the token will persist and will be valid to use, even though my session is already logged out.

Emyrk (Member) commented on Jun 28, 2023

> So all commands allow the --token flag, which makes sense for one off commands. I don't think coder ls --token should create a new session.
> I do see value in having a command to use a provided token. Would it not be confusing if coder login --token=<token> didn't use the provided token? I am guessing we would just use the token to make an api key rather than redirecting to the UI.
>
> Yeah, I think it makes sense for --token to use that token for the command being invoked. We shouldn't be storing that token for later use.
>
> In the case of coder login --token, we still use the token, during that command, to authenticate against the API, but then as you say, we generate a new token, and only the new token is persisted, in the same way we would if you logged in via the UI. So, you used the token to "login", but once you are logged in, it's a different, session token that gets persisted. When you "logout" the persisted token is invalidated, but the token you used on coder login is still valid.
>
> This gives us the following properties:
>
>   1. logout is the other half of login, and undoes it
>   2. --token uses the token for the command being executed, but does not persist the token

Ah I see. That does make sense.

> If I create a token with the command coder token create --lifetime 24h, it will be deleted only 24 hours after creation or if I manually run coder token delete.

Yes

> For all the other cases token will persist and will be vaild to use, even tho my session is already logout.

What do you mean "for all the other cases"? @spikecurtis is suggesting doing coder login --token <token> and then doing coder logout will not delete <token>.
