feat: add separate max token lifetime for administrators (#18267)

# Add separate token lifetime limits for administrators

This PR introduces a new configuration option `--max-admin-token-lifetime` that allows administrators to create API tokens with longer lifetimes than regular users. By default, administrators can create tokens with a lifetime of up to 7 days (168 hours), while the existing `--max-token-lifetime` setting continues to apply to regular users.

The implementation:
- Adds a new `MaximumAdminTokenDuration` field to the session configuration
- Modifies the token validation logic to check the user's role and apply the appropriate lifetime limit
- Updates the token configuration endpoint to return the correct maximum lifetime based on the user's role
- Adds tests to verify that administrators can create tokens with longer and shorter lifetimes
- Updates documentation and help text to reflect the new option

This change allows organizations to grant administrators extended token lifetimes while maintaining tighter security controls for regular users.

Fixes #17395
Thomas Kosiewski
2025-06-06 17:36:30 +02:00
committed by GitHub
parent 348d19ddb7
commit f569d9c33d
12 changed files with 178 additions and 13 deletions
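The role-aware limit check the commit message describes, as an added illustrative example in Go (not Coder's own code; the type and function names, and the fallback to the 7-day default when the admin limit is left unset, are assumptions):

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Illustrative example only; names are assumed, not taken from the Coder codebase.

// DefaultMaxAdminTokenLifetime is the 7-day (168h) default stated in the PR description.
const DefaultMaxAdminTokenLifetime = 168 * time.Hour

// LifetimeLimits mirrors the two deployment settings the PR describes.
type LifetimeLimits struct {
	MaxTokenLifetime      time.Duration // --max-token-lifetime, applies to regular users
	MaxAdminTokenLifetime time.Duration // --max-admin-token-lifetime, applies to administrators
}

// MaxLifetimeFor returns the limit that applies to the caller: the admin limit for
// administrators, otherwise the regular limit. An unset (zero) admin limit falls
// back to the 7-day default (assumed behaviour).
func (l LifetimeLimits) MaxLifetimeFor(isAdmin bool) time.Duration {
	if !isAdmin {
		return l.MaxTokenLifetime
	}
	if l.MaxAdminTokenLifetime <= 0 {
		return DefaultMaxAdminTokenLifetime
	}
	return l.MaxAdminTokenLifetime
}

var ErrLifetimeTooLong = errors.New("requested token lifetime exceeds the maximum allowed")

// ValidateRequestedLifetime checks a requested API token lifetime against the
// role-specific limit. Zero and negative lifetimes are rejected outright so a
// caller cannot request an effectively non-expiring token.
func ValidateRequestedLifetime(l LifetimeLimits, isAdmin bool, requested time.Duration) error {
	if requested <= 0 {
		return fmt.Errorf("token lifetime must be positive, got %s", requested)
	}
	limit := l.MaxLifetimeFor(isAdmin)
	if requested > limit {
		return fmt.Errorf("%w: requested %s, maximum for this role %s", ErrLifetimeTooLong, requested, limit)
	}
	return nil
}

func main() {
	l := LifetimeLimits{MaxTokenLifetime: 24 * time.Hour} // constructed sample settings
	fmt.Println(ValidateRequestedLifetime(l, false, 48*time.Hour)) // rejected for a regular user
	fmt.Println(ValidateRequestedLifetime(l, true, 48*time.Hour))  // allowed for an administrator
}
```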


@ -454,6 +454,7 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
"default_duration": 0,
"default_token_lifetime": 0,
"disable_expiry_refresh": true,
"max_admin_token_lifetime": 0,
"max_token_lifetime": 0
},
"ssh_keygen_algorithm": "string",


@ -2625,6 +2625,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"default_duration": 0,
"default_token_lifetime": 0,
"disable_expiry_refresh": true,
"max_admin_token_lifetime": 0,
"max_token_lifetime": 0
},
"ssh_keygen_algorithm": "string",
@ -3124,6 +3125,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"default_duration": 0,
"default_token_lifetime": 0,
"disable_expiry_refresh": true,
"max_admin_token_lifetime": 0,
"max_token_lifetime": 0
},
"ssh_keygen_algorithm": "string",
@ -6767,18 +6769,20 @@ Git clone makes use of this by parsing the URL from: 'Username for "https://gith
"default_duration": 0,
"default_token_lifetime": 0,
"disable_expiry_refresh": true,
"max_admin_token_lifetime": 0,
"max_token_lifetime": 0
}
```
### Properties
| Name | Type | Required | Restrictions | Description |
|--------------------------|---------|----------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `default_duration` | integer | false | | Default duration is only for browser, workspace app and oauth sessions. |
| `default_token_lifetime` | integer | false | | |
| `disable_expiry_refresh` | boolean | false | | Disable expiry refresh will disable automatically refreshing api keys when they are used from the api. This means the api key lifetime at creation is the lifetime of the api key. |
| `max_token_lifetime` | integer | false | | |
| Name | Type | Required | Restrictions | Description |
|----------------------------|---------|----------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `default_duration` | integer | false | | Default duration is only for browser, workspace app and oauth sessions. |
| `default_token_lifetime` | integer | false | | |
| `disable_expiry_refresh` | boolean | false | | Disable expiry refresh will disable automatically refreshing api keys when they are used from the api. This means the api key lifetime at creation is the lifetime of the api key. |
| `max_admin_token_lifetime` | integer | false | | |
| `max_token_lifetime` | integer | false | | |
## codersdk.SlimRole
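Review bot: the Description cell for the new `max_admin_token_lifetime` row is empty, so the published schema says nothing about which users the limit applies to, what its default is, or what the `0` shown in the JSON example above means. If this table is generated from the SDK struct's field comments, a doc comment on the new `MaximumAdminTokenDuration` field along the lines of the PR description ("maximum lifetime administrators may request, default 7 days (168 hours)") would fill the cell; the neighbouring `max_token_lifetime` and `default_token_lifetime` rows have the same gap and could be fixed in the same pass.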