feat: add session expiry control flags (#5976)

Adds --session-duration which lets admins customize the default session expiration for browser sessions. Adds --disable-session-expiry-refresh which allows admins to prevent session expiry from being automatically bumped upon the API key being used.
2025-07-12 00:14:10 +00:00 · 2023-02-04 04:38:36 +11:00
parent 2285a5e8a0
commit cf9abe3a6c
16 changed files with 225 additions and 37 deletions
--- a/cli/deployment/config.go
+++ b/cli/deployment/config.go
@ -486,7 +486,7 @@ func newConfig() *codersdk.DeploymentConfig {
 		},
 		MaxTokenLifetime: &codersdk.DeploymentConfigField[time.Duration]{
 			Name:    "Max Token Lifetime",
-			Usage:   "The maximum lifetime duration for any user creating a token.",
+			Usage:   "The maximum lifetime duration users can specify when creating an API token.",
 			Flag:    "max-token-lifetime",
 			Default: 24 * 30 * time.Hour,
 		},
@ -538,6 +538,18 @@ func newConfig() *codersdk.DeploymentConfig {
 			Flag:    "disable-path-apps",
 			Default: false,
 		},
+		SessionDuration: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Session Duration",
+			Usage:   "The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.",
+			Flag:    "session-duration",
+			Default: 24 * time.Hour,
+		},
+		DisableSessionExpiryRefresh: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Disable Session Expiry Refresh",
+			Usage:   "Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.",
+			Flag:    "disable-session-expiry-refresh",
+			Default: false,
+		},
 	}
 }