
feat: add separate max token lifetime for administrators #18267


Conversation


@ThomasK33 ThomasK33 commented Jun 6, 2025

Add separate token lifetime limits for administrators

This PR introduces a new configuration option --max-admin-token-lifetime that allows administrators to create API tokens with longer lifetimes than regular users. By default, administrators can create tokens with a lifetime of up to 7 days (168 hours), while the existing --max-token-lifetime setting continues to apply to regular users.

The implementation:

  • Adds a new MaximumAdminTokenDuration field to the session configuration
  • Modifies the token validation logic to check the user's role and apply the appropriate lifetime limit
  • Updates the token configuration endpoint to return the correct maximum lifetime based on the user's role
  • Adds tests to verify that administrators can create tokens with longer and shorter lifetimes
  • Updates documentation and help text to reflect the new option

This change allows organizations to grant administrators extended token lifetimes while maintaining tighter security controls for regular users.

Fixes #17395


This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 ThomasK33 force-pushed the thomask33/06-06-feat_api_add_max_admin_token_lifetime_configuration_and_validation branch from 6214f1d to 4c418e6 on June 6, 2025 11:16
@ThomasK33 ThomasK33 marked this pull request as ready for review June 6, 2025 12:12
@ThomasK33 ThomasK33 requested a review from johnstcn June 6, 2025 12:12

@johnstcn johnstcn left a comment


I'd like to see some tests for the inverse (shorter admin max token lifetime), as I could imagine security-conscious orgs wanting to minimize dangerous token lifetimes. There's also a potentially misleading comment. Apart from that, I don't need to review again.
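To make the role-based limit concrete, here is an added example (not code from the PR or from Coder) of the validation step the description sketches, including the inverse case the review above asks for: an operator who sets the administrator limit below the regular-user limit. The struct, field and role names (`SessionConfig`, `MaxAdminTokenLifetime`, the `owner` role) are assumptions chosen for this illustration; only the 168-hour default for administrators comes from the PR description.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// SessionConfig holds the two limits discussed in the PR. The field names are
// assumptions for this example, not Coder's actual configuration struct.
type SessionConfig struct {
	MaxTokenLifetime      time.Duration // corresponds to --max-token-lifetime (assumed to be set)
	MaxAdminTokenLifetime time.Duration // corresponds to --max-admin-token-lifetime; 0 means "not configured"
}

const (
	defaultAdminMaxLifetime = 168 * time.Hour // 7-day default stated in the PR description
	roleOwner               = "owner"         // assumed name of the administrator role
)

var ErrLifetimeTooLong = errors.New("requested token lifetime exceeds the maximum allowed")

func isAdmin(roles []string) bool {
	for _, r := range roles {
		if r == roleOwner {
			return true
		}
	}
	return false
}

// EffectiveMaxLifetime returns the limit that applies to a user with the given
// roles. It deliberately returns the admin limit whenever the user is an admin
// rather than the larger of the two values, so an operator who configures a
// shorter admin limit (the reviewer's "inverse" case) actually gets it.
func EffectiveMaxLifetime(cfg SessionConfig, roles []string) time.Duration {
	if isAdmin(roles) {
		if cfg.MaxAdminTokenLifetime > 0 {
			return cfg.MaxAdminTokenLifetime
		}
		return defaultAdminMaxLifetime
	}
	return cfg.MaxTokenLifetime
}

// ValidateTokenLifetime is the check a token-creation handler would run before
// minting a token with the requested lifetime.
func ValidateTokenLifetime(cfg SessionConfig, roles []string, requested time.Duration) error {
	if requested <= 0 {
		return errors.New("token lifetime must be positive")
	}
	maxAllowed := EffectiveMaxLifetime(cfg, roles)
	if requested > maxAllowed {
		return fmt.Errorf("%w: requested %s, maximum %s", ErrLifetimeTooLong, requested, maxAllowed)
	}
	return nil
}

func main() {
	// Constructed configurations for illustration.
	permissive := SessionConfig{MaxTokenLifetime: 24 * time.Hour, MaxAdminTokenLifetime: 30 * 24 * time.Hour}
	strictAdmins := SessionConfig{MaxTokenLifetime: 24 * time.Hour, MaxAdminTokenLifetime: time.Hour}
	admin := []string{roleOwner, "member"}
	member := []string{"member"}

	fmt.Println("admin, 7d, permissive:", ValidateTokenLifetime(permissive, admin, 7*24*time.Hour))
	fmt.Println("member, 7d, permissive:", ValidateTokenLifetime(permissive, member, 7*24*time.Hour))
	fmt.Println("admin, 2h, strict admins:", ValidateTokenLifetime(strictAdmins, admin, 2*time.Hour))
	fmt.Println("member, 2h, strict admins:", ValidateTokenLifetime(strictAdmins, member, 2*time.Hour))
}
```

The important design point is in `EffectiveMaxLifetime`: the admin limit replaces the user limit for admins instead of being combined with it, so the setting can be used either to extend or to tighten administrator token lifetimes.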

@ThomasK33 ThomasK33 force-pushed the thomask33/06-06-feat_api_add_max_admin_token_lifetime_configuration_and_validation branch from 4c418e6 to 9f15ef9 on June 6, 2025 13:13
Change-Id: I4540ce3eeb46ab58909ac37e60c3ece93668212a
Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33 ThomasK33 force-pushed the thomask33/06-06-feat_api_add_max_admin_token_lifetime_configuration_and_validation branch from 9f15ef9 to a8ea1f9 on June 6, 2025 13:49
@ThomasK33 ThomasK33 merged commit f569d9c into main Jun 6, 2025
40 checks passed
@ThomasK33 ThomasK33 deleted the thomask33/06-06-feat_api_add_max_admin_token_lifetime_configuration_and_validation branch June 6, 2025 15:36
@github-actions github-actions bot locked and limited conversation to collaborators Jun 6, 2025
Successfully merging this pull request may close these issues.

Support finer control on token lifetime