feat: add session expiry control flags (#5976)

Adds --session-duration which lets admins customize the default session expiration for browser sessions. Adds --disable-session-expiry-refresh which allows admins to prevent session expiry from being automatically bumped upon the API key being used.
2025-07-03 16:13:58 +00:00 · 2023-02-04 04:38:36 +11:00
parent 2285a5e8a0
commit cf9abe3a6c
16 changed files with 225 additions and 37 deletions
--- a/coderd/workspaceapps.go
+++ b/coderd/workspaceapps.go
@ -733,23 +733,18 @@ func (api *API) workspaceApplicationAuth(rw http.ResponseWriter, r *http.Request
 	}

 	// Create the application_connect-scoped API key with the same lifetime as
-	// the current session (defaulting to 1 day, capped to 1 week).
+	// the current session.
 	exp := apiKey.ExpiresAt
-	if exp.IsZero() {
-		exp = database.Now().Add(time.Hour * 24)
-	}
-	if time.Until(exp) > time.Hour*24*7 {
-		exp = database.Now().Add(time.Hour * 24 * 7)
-	}
-	lifetime := apiKey.LifetimeSeconds
-	if lifetime > int64((time.Hour * 24 * 7).Seconds()) {
-		lifetime = int64((time.Hour * 24 * 7).Seconds())
+	lifetimeSeconds := apiKey.LifetimeSeconds
+	if exp.IsZero() || time.Until(exp) > api.DeploymentConfig.SessionDuration.Value {
+		exp = database.Now().Add(api.DeploymentConfig.SessionDuration.Value)
+		lifetimeSeconds = int64(api.DeploymentConfig.SessionDuration.Value.Seconds())
 	}
 	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
 		UserID:          apiKey.UserID,
 		LoginType:       database.LoginTypePassword,
 		ExpiresAt:       exp,
-		LifetimeSeconds: lifetime,
+		LifetimeSeconds: lifetimeSeconds,
 		Scope:           database.APIKeyScopeApplicationConnect,
 	})
 	if err != nil {