Skip to content

feat: add flag to disable password auth #5991

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Feb 6, 2023
Merged

feat: add flag to disable password auth #5991

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
ff2ac1e
feat: add flag to disable password auth
deansheather Feb 2, 2023
68c9a38
fixup! feat: add flag to disable password auth
deansheather Feb 2, 2023
1084368
pr comments
deansheather Feb 3, 2023
5191a3d
Merge branch 'main' into dean/disable-password-auth
deansheather Feb 3, 2023
228098f
Merge branch 'main' into dean/disable-password-auth
deansheather Feb 3, 2023
7b8e237
fixup! Merge branch 'main' into dean/disable-password-auth
deansheather Feb 3, 2023
eb97214
Merge branch 'main' into dean/disable-password-auth
deansheather Feb 4, 2023
81716fb
Merge branch 'main' into dean/disable-password-auth
deansheather Feb 6, 2023
02ca3bf
pr comments
deansheather Feb 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Merge branch 'main' into dean/disable-password-auth
  • Loading branch information
@deansheather
deansheather committed Feb 4, 2023
commit eb97214a1fdf72ee02657920cf4c64add5e01dfc
12 changes: 12 additions & 0 deletions cli/deployment/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -538,6 +538,18 @@ func newConfig() *codersdk.DeploymentConfig {
Flag: "disable-path-apps",
Default: false,
},
SessionDuration: &codersdk.DeploymentConfigField[time.Duration]{
Name: "Session Duration",
Usage: "The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.",
Flag: "session-duration",
Default: 24 * time.Hour,
},
DisableSessionExpiryRefresh: &codersdk.DeploymentConfigField[bool]{
Name: "Disable Session Expiry Refresh",
Usage: "Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.",
Flag: "disable-session-expiry-refresh",
Default: false,
},
DisablePasswordAuth: &codersdk.DeploymentConfigField[bool]{
Name: "Disable Password Authentication",
Usage: "Disable password authentication. This is recommended for security purposes in production deployments that rely on an identity provider. Any user with the owner role will be able to sign in with their password regardless of this setting to avoid potential lock out. If you are locked out of your account, you can use the `coder server create-admin` command to create a new admin user directly in the database.",
Expand Down
20 changes: 18 additions & 2 deletions cli/testdata/coder_server_--help.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,13 @@ Flags:
security purposes if a
--wildcard-access-url is configured.
Consumes $CODER_DISABLE_PATH_APPS
--disable-session-expiry-refresh Disable automatic session expiry
bumping due to activity. This forces
all sessions to become invalid after
the session expiry duration has been
reached.
Consumes
$CODER_DISABLE_SESSION_EXPIRY_REFRESH
--experiments strings Enable one or more experiments.
These are not ready for production.
Separate multiple experiments with
Expand All @@ -136,8 +143,9 @@ Flags:
--log-stackdriver string Output Stackdriver compatible logs
to a given file.
Consumes $CODER_LOGGING_STACKDRIVER
--max-token-lifetime duration The maximum lifetime duration for
any user creating a token.
--max-token-lifetime duration The maximum lifetime duration users
can specify when creating an API
token.
Consumes $CODER_MAX_TOKEN_LIFETIME
(default 720h0m0s)
--oauth2-github-allow-everyone Allow all logins, setting this
Expand Down Expand Up @@ -259,6 +267,14 @@ Flags:
--secure-auth-cookie Controls if the 'Secure' property is
set on browser session cookies.
Consumes $CODER_SECURE_AUTH_COOKIE
--session-duration duration The token expiry duration for
browser sessions. Sessions may last
longer if they are actively making
requests, but this functionality can
be disabled via
--disable-session-expiry-refresh.
Consumes $CODER_MAX_SESSION_EXPIRY
(default 24h0m0s)
--ssh-keygen-algorithm string The algorithm to use for generating
ssh keys. Accepted values are
"ed25519", "ecdsa", or "rsa4096".
Expand Down
2 changes: 2 additions & 0 deletions codersdk/deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,8 @@ type DeploymentConfig struct {
Logging *LoggingConfig `json:"logging" typescript:",notnull"`
Dangerous *DangerousConfig `json:"dangerous" typescript:",notnull"`
DisablePathApps *DeploymentConfigField[bool] `json:"disable_path_apps" typescript:",notnull"`
SessionDuration *DeploymentConfigField[time.Duration] `json:"max_session_expiry" typescript:",notnull"`
DisableSessionExpiryRefresh *DeploymentConfigField[bool] `json:"disable_session_expiry_refresh" typescript:",notnull"`
DisablePasswordAuth *DeploymentConfigField[bool] `json:"disable_password_auth" typescript:",notnull"`

// DEPRECATED: Use HTTPAddress or TLS.Address instead.
Expand Down
6 changes: 5 additions & 1 deletion docs/cli/coder_server.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ coder server [flags]
Consumes $CODER_DISABLE_PASSWORD_AUTH
--disable-path-apps Disable workspace apps that are not served from subdomains. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. This is recommended for security purposes if a --wildcard-access-url is configured.
Consumes $CODER_DISABLE_PATH_APPS
--disable-session-expiry-refresh Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.
Consumes $CODER_DISABLE_SESSION_EXPIRY_REFRESH
--experiments strings Enable one or more experiments. These are not ready for production. Separate multiple experiments with commas, or enter '*' to opt-in to all available experiments.
Consumes $CODER_EXPERIMENTS
-h, --help help for server
Expand All @@ -50,7 +52,7 @@ coder server [flags]
Consumes $CODER_LOGGING_JSON
--log-stackdriver string Output Stackdriver compatible logs to a given file.
Consumes $CODER_LOGGING_STACKDRIVER
--max-token-lifetime duration The maximum lifetime duration for any user creating a token.
--max-token-lifetime duration The maximum lifetime duration users can specify when creating an API token.
Consumes $CODER_MAX_TOKEN_LIFETIME (default 720h0m0s)
--oauth2-github-allow-everyone Allow all logins, setting this option means allowed orgs and teams must be empty.
Consumes $CODER_OAUTH2_GITHUB_ALLOW_EVERYONE
Expand Down Expand Up @@ -112,6 +114,8 @@ coder server [flags]
Consumes $CODER_REDIRECT_TO_ACCESS_URL
--secure-auth-cookie Controls if the 'Secure' property is set on browser session cookies.
Consumes $CODER_SECURE_AUTH_COOKIE
--session-duration duration The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.
Consumes $CODER_MAX_SESSION_EXPIRY (default 24h0m0s)
--ssh-keygen-algorithm string The algorithm to use for generating ssh keys. Accepted values are "ed25519", "ecdsa", or "rsa4096".
Consumes $CODER_SSH_KEYGEN_ALGORITHM (default "ed25519")
--swagger-enable Expose the swagger endpoint via /swagger.
Expand Down
2 changes: 2 additions & 0 deletions site/src/api/typesGenerated.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -325,6 +325,8 @@ export interface DeploymentConfig {
readonly logging: LoggingConfig
readonly dangerous: DangerousConfig
readonly disable_path_apps: DeploymentConfigField<boolean>
readonly max_session_expiry: DeploymentConfigField<number>
readonly disable_session_expiry_refresh: DeploymentConfigField<boolean>
readonly disable_password_auth: DeploymentConfigField<boolean>
readonly address: DeploymentConfigField<string>
readonly experimental: DeploymentConfigField<boolean>
Expand Down
You are viewing a condensed version of this merge commit. You can view the full changes here.