feat: tokens (#4380)

coderd/apikey.go

@@ -0,0 +1,235 @@
+package coderd
+
+import (
+	"context"
+	"crypto/sha256"
+	"database/sql"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
+	"github.com/tabbed/pqtype"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/coderd/telemetry"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/cryptorand"
+)
+
+// Creates a new token API key that effectively doesn't expire.
+func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	user := httpmw.UserParam(r)
+
+	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceAPIKey.WithOwner(user.ID.String())) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+
+	// tokens last 100 years
+	lifeTime := time.Hour * 876000
+	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
+		UserID:          user.ID,
+		LoginType:       database.LoginTypeToken,
+		ExpiresAt:       database.Now().Add(lifeTime),
+		LifetimeSeconds: int64(lifeTime.Seconds()),
+	})
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Failed to create API key.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusCreated, codersdk.GenerateAPIKeyResponse{Key: cookie.Value})
+}
+
+func (api *API) apiKey(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx  = r.Context()
+		user = httpmw.UserParam(r)
+	)
+
+	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceAPIKey.WithOwner(user.ID.String())) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+
+	keyID := chi.URLParam(r, "keyid")
+	key, err := api.Database.GetAPIKeyByID(ctx, keyID)
+	if errors.Is(err, sql.ErrNoRows) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching API key.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, convertAPIKey(key))
+}
+
+func (api *API) tokens(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx  = r.Context()
+		user = httpmw.UserParam(r)
+	)
+
+	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceAPIKey.WithOwner(user.ID.String())) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+
+	keys, err := api.Database.GetAPIKeysByLoginType(ctx, database.LoginTypeToken)
+	if errors.Is(err, sql.ErrNoRows) {
+		httpapi.Write(ctx, rw, http.StatusOK, []codersdk.APIKey{})
+		return
+	}
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching API keys.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	var apiKeys []codersdk.APIKey
+	for _, key := range keys {
+		apiKeys = append(apiKeys, convertAPIKey(key))
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, apiKeys)
+}
+
+func (api *API) deleteAPIKey(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx  = r.Context()
+		user = httpmw.UserParam(r)
+	)
+
+	if !api.Authorize(r, rbac.ActionDelete, rbac.ResourceAPIKey.WithOwner(user.ID.String())) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+
+	keyID := chi.URLParam(r, "keyid")
+	err := api.Database.DeleteAPIKeyByID(ctx, keyID)
+	if errors.Is(err, sql.ErrNoRows) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error deleting API key.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusNoContent, nil)
+}
+
+// Generates a new ID and secret for an API key.
+func generateAPIKeyIDSecret() (id string, secret string, err error) {
+	// Length of an API Key ID.
+	id, err = cryptorand.String(10)
+	if err != nil {
+		return "", "", err
+	}
+	// Length of an API Key secret.
+	secret, err = cryptorand.String(22)
+	if err != nil {
+		return "", "", err
+	}
+	return id, secret, nil
+}
+
+type createAPIKeyParams struct {
+	UserID     uuid.UUID
+	RemoteAddr string
+	LoginType  database.LoginType
+
+	// Optional.
+	ExpiresAt       time.Time
+	LifetimeSeconds int64
+	Scope           database.APIKeyScope
+}
+
+func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*http.Cookie, error) {
+	keyID, keySecret, err := generateAPIKeyIDSecret()
+	if err != nil {
+		return nil, xerrors.Errorf("generate API key: %w", err)
+	}
+	hashed := sha256.Sum256([]byte(keySecret))
+
+	// Default expires at to now+lifetime, or just 24hrs if not set
+	if params.ExpiresAt.IsZero() {
+		if params.LifetimeSeconds != 0 {
+			params.ExpiresAt = database.Now().Add(time.Duration(params.LifetimeSeconds) * time.Second)
+		} else {
+			params.ExpiresAt = database.Now().Add(24 * time.Hour)
+		}
+	}
+
+	host, _, _ := net.SplitHostPort(params.RemoteAddr)
+	ip := net.ParseIP(host)
+	if ip == nil {
+		ip = net.IPv4(0, 0, 0, 0)
+	}
+	bitlen := len(ip) * 8
+
+	scope := database.APIKeyScopeAll
+	if params.Scope != "" {
+		scope = params.Scope
+	}
+
+	key, err := api.Database.InsertAPIKey(ctx, database.InsertAPIKeyParams{
+		ID:              keyID,
+		UserID:          params.UserID,
+		LifetimeSeconds: params.LifetimeSeconds,
+		IPAddress: pqtype.Inet{
+			IPNet: net.IPNet{
+				IP:   ip,
+				Mask: net.CIDRMask(bitlen, bitlen),
+			},
+			Valid: true,
+		},
+		// Make sure in UTC time for common time zone
+		ExpiresAt:    params.ExpiresAt.UTC(),
+		CreatedAt:    database.Now(),
+		UpdatedAt:    database.Now(),
+		HashedSecret: hashed[:],
+		LoginType:    params.LoginType,
+		Scope:        scope,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("insert API key: %w", err)
+	}
+
+	api.Telemetry.Report(&telemetry.Snapshot{
+		APIKeys: []telemetry.APIKey{telemetry.ConvertAPIKey(key)},
+	})
+
+	// This format is consumed by the APIKey middleware.
+	sessionToken := fmt.Sprintf("%s-%s", keyID, keySecret)
+	return &http.Cookie{
+		Name:     codersdk.SessionTokenKey,
+		Value:    sessionToken,
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   api.SecureAuthCookie,
+	}, nil
+}

coderd/apikey_test.go

@@ -0,0 +1,41 @@
+package coderd_test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/testutil"
+)
+
+func TestTokens(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+	_ = coderdtest.CreateFirstUser(t, client)
+	keys, err := client.GetTokens(ctx, codersdk.Me)
+	require.NoError(t, err)
+	require.Empty(t, keys)
+
+	res, err := client.CreateToken(ctx, codersdk.Me)
+	require.NoError(t, err)
+	require.Greater(t, len(res.Key), 2)
+
+	keys, err = client.GetTokens(ctx, codersdk.Me)
+	require.NoError(t, err)
+	require.EqualValues(t, len(keys), 1)
+	require.Contains(t, res.Key, keys[0].ID)
+	// expires_at must be greater than 50 years
+	require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+
+	err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
+	require.NoError(t, err)
+	keys, err = client.GetTokens(ctx, codersdk.Me)
+	require.NoError(t, err)
+	require.Empty(t, keys)
+}

coderd/coderd.go

@@ -399,8 +399,14 @@ func New(options *Options) *API {
 					r.Get("/roles", api.userRoles)
 
 					r.Route("/keys", func(r chi.Router) {
-						r.Post("/", api.postAPIKey)
-						r.Get("/{keyid}", api.apiKey)
+						r.Route("/tokens", func(r chi.Router) {
+							r.Post("/", api.postToken)
+							r.Get("/", api.tokens)
+						})
+						r.Route("/{keyid}", func(r chi.Router) {
+							r.Get("/", api.apiKey)
+							r.Delete("/", api.deleteAPIKey)
+						})
 					})
 
 					r.Route("/organizations", func(r chi.Router) {

coderd/database/databasefake/databasefake.go

@@ -279,6 +279,19 @@ func (q *fakeQuerier) GetAPIKeysLastUsedAfter(_ context.Context, after time.Time
 	return apiKeys, nil
 }
 
+func (q *fakeQuerier) GetAPIKeysByLoginType(_ context.Context, t database.LoginType) ([]database.APIKey, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	apiKeys := make([]database.APIKey, 0)
+	for _, key := range q.apiKeys {
+		if key.LoginType == t {
+			apiKeys = append(apiKeys, key)
+		}
+	}
+	return apiKeys, nil
+}
+
 func (q *fakeQuerier) DeleteAPIKeyByID(_ context.Context, id string) error {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()

coderd/database/dump.sql

@@ -33,7 +33,8 @@ CREATE TYPE log_source AS ENUM (
 CREATE TYPE login_type AS ENUM (
     'password',
     'github',
-    'oidc'
+    'oidc',
+    'token'
 );
 
 CREATE TYPE parameter_destination_scheme AS ENUM (

coderd/database/migrations/000057_api_key_token.down.sql

@@ -0,0 +1,2 @@
+-- You cannot safely remove values from enums https://www.postgresql.org/docs/current/datatype-enum.html
+-- You cannot create a new type and do a rename because objects depend on this type now.

coderd/database/migrations/000057_api_key_token.up.sql

@@ -0,0 +1 @@
+ALTER TYPE login_type ADD VALUE IF NOT EXISTS 'token';

coderd/database/models.go

@@ -120,6 +120,7 @@ const (
 	LoginTypePassword LoginType = "password"
 	LoginTypeGithub   LoginType = "github"
 	LoginTypeOIDC     LoginType = "oidc"
+	LoginTypeToken    LoginType = "token"
 )
 
 func (e *LoginType) Scan(src interface{}) error {

coderd/database/querier.go

@@ -25,6 +25,7 @@ type querier interface {
 	DeleteOldAgentStats(ctx context.Context) error
 	DeleteParameterValueByID(ctx context.Context, id uuid.UUID) error
 	GetAPIKeyByID(ctx context.Context, id string) (APIKey, error)
+	GetAPIKeysByLoginType(ctx context.Context, loginType LoginType) ([]APIKey, error)
 	GetAPIKeysLastUsedAfter(ctx context.Context, lastUsed time.Time) ([]APIKey, error)
 	GetActiveUserCount(ctx context.Context) (int64, error)
 	GetAuditLogCount(ctx context.Context, arg GetAuditLogCountParams) (int64, error)

coderd/database/queries.sql.go

@@ -175,6 +175,45 @@ func (q *sqlQuerier) GetAPIKeyByID(ctx context.Context, id string) (APIKey, erro
 	return i, err
 }
 
+const getAPIKeysByLoginType = `-- name: GetAPIKeysByLoginType :many
+SELECT id, hashed_secret, user_id, last_used, expires_at, created_at, updated_at, login_type, lifetime_seconds, ip_address, scope FROM api_keys WHERE login_type = $1
+`
+
+func (q *sqlQuerier) GetAPIKeysByLoginType(ctx context.Context, loginType LoginType) ([]APIKey, error) {
+	rows, err := q.db.QueryContext(ctx, getAPIKeysByLoginType, loginType)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []APIKey
+	for rows.Next() {
+		var i APIKey
+		if err := rows.Scan(
+			&i.ID,
+			&i.HashedSecret,
+			&i.UserID,
+			&i.LastUsed,
+			&i.ExpiresAt,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.LoginType,
+			&i.LifetimeSeconds,
+			&i.IPAddress,
+			&i.Scope,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const getAPIKeysLastUsedAfter = `-- name: GetAPIKeysLastUsedAfter :many
 SELECT id, hashed_secret, user_id, last_used, expires_at, created_at, updated_at, login_type, lifetime_seconds, ip_address, scope FROM api_keys WHERE last_used > $1
 `

coderd/database/queries/apikeys.sql

@@ -11,6 +11,9 @@ LIMIT
 -- name: GetAPIKeysLastUsedAfter :many
 SELECT * FROM api_keys WHERE last_used > $1;
 
+-- name: GetAPIKeysByLoginType :many
+SELECT * FROM api_keys WHERE login_type = $1;
+
 -- name: InsertAPIKey :one
 INSERT INTO
 	api_keys (

coderd/users.go

@@ -3,21 +3,17 @@ package coderd
 import (
 	"bytes"
 	"context"
-	"crypto/sha256"
 	"database/sql"
 	"errors"
 	"fmt"
-	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
-	"time"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
 	"github.com/google/uuid"
-	"github.com/tabbed/pqtype"
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
@@ -31,7 +27,6 @@ import (
 	"github.com/coder/coder/coderd/userpassword"
 	"github.com/coder/coder/coderd/util/slice"
 	"github.com/coder/coder/codersdk"
-	"github.com/coder/coder/cryptorand"
 	"github.com/coder/coder/examples"
 )
 
@@ -943,69 +938,6 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 	})
 }
 
-// Creates a new session key, used for logging in via the CLI.
-func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	user := httpmw.UserParam(r)
-
-	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceAPIKey.WithOwner(user.ID.String())) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
-
-	lifeTime := time.Hour * 24 * 7
-	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
-		UserID:     user.ID,
-		LoginType:  database.LoginTypePassword,
-		RemoteAddr: r.RemoteAddr,
-		// All api generated keys will last 1 week. Browser login tokens have
-		// a shorter life.
-		ExpiresAt:       database.Now().Add(lifeTime),
-		LifetimeSeconds: int64(lifeTime.Seconds()),
-	})
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Failed to create API key.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	// We intentionally do not set the cookie on the response here.
-	// Setting the cookie will couple the browser sesion to the API
-	// key we return here, meaning logging out of the website would
-	// invalid your CLI key.
-	httpapi.Write(ctx, rw, http.StatusCreated, codersdk.GenerateAPIKeyResponse{Key: cookie.Value})
-}
-
-func (api *API) apiKey(rw http.ResponseWriter, r *http.Request) {
-	var (
-		ctx  = r.Context()
-		user = httpmw.UserParam(r)
-	)
-
-	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceAPIKey.WithOwner(user.ID.String())) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
-
-	keyID := chi.URLParam(r, "keyid")
-	key, err := api.Database.GetAPIKeyByID(ctx, keyID)
-	if errors.Is(err, sql.ErrNoRows) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching API key.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	httpapi.Write(ctx, rw, http.StatusOK, convertAPIKey(key))
-}
-
 // Clear the user's session cookie.
 func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
@@ -1078,99 +1010,6 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 	})
 }
 
-// Generates a new ID and secret for an API key.
-func generateAPIKeyIDSecret() (id string, secret string, err error) {
-	// Length of an API Key ID.
-	id, err = cryptorand.String(10)
-	if err != nil {
-		return "", "", err
-	}
-	// Length of an API Key secret.
-	secret, err = cryptorand.String(22)
-	if err != nil {
-		return "", "", err
-	}
-	return id, secret, nil
-}
-
-type createAPIKeyParams struct {
-	UserID     uuid.UUID
-	RemoteAddr string
-	LoginType  database.LoginType
-
-	// Optional.
-	ExpiresAt       time.Time
-	LifetimeSeconds int64
-	Scope           database.APIKeyScope
-}
-
-func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*http.Cookie, error) {
-	keyID, keySecret, err := generateAPIKeyIDSecret()
-	if err != nil {
-		return nil, xerrors.Errorf("generate API key: %w", err)
-	}
-	hashed := sha256.Sum256([]byte(keySecret))
-
-	// Default expires at to now+lifetime, or just 24hrs if not set
-	if params.ExpiresAt.IsZero() {
-		if params.LifetimeSeconds != 0 {
-			params.ExpiresAt = database.Now().Add(time.Duration(params.LifetimeSeconds) * time.Second)
-		} else {
-			params.ExpiresAt = database.Now().Add(24 * time.Hour)
-		}
-	}
-
-	host, _, _ := net.SplitHostPort(params.RemoteAddr)
-	ip := net.ParseIP(host)
-	if ip == nil {
-		ip = net.IPv4(0, 0, 0, 0)
-	}
-	bitlen := len(ip) * 8
-
-	scope := database.APIKeyScopeAll
-	if params.Scope != "" {
-		scope = params.Scope
-	}
-
-	key, err := api.Database.InsertAPIKey(ctx, database.InsertAPIKeyParams{
-		ID:              keyID,
-		UserID:          params.UserID,
-		LifetimeSeconds: params.LifetimeSeconds,
-		IPAddress: pqtype.Inet{
-			IPNet: net.IPNet{
-				IP:   ip,
-				Mask: net.CIDRMask(bitlen, bitlen),
-			},
-			Valid: true,
-		},
-		// Make sure in UTC time for common time zone
-		ExpiresAt:    params.ExpiresAt.UTC(),
-		CreatedAt:    database.Now(),
-		UpdatedAt:    database.Now(),
-		HashedSecret: hashed[:],
-		LoginType:    params.LoginType,
-		Scope:        scope,
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("insert API key: %w", err)
-	}
-
-	api.Telemetry.Report(&telemetry.Snapshot{
-		APIKeys: []telemetry.APIKey{telemetry.ConvertAPIKey(key)},
-	})
-
-	// This format is consumed by the APIKey middleware.
-	sessionToken := fmt.Sprintf("%s-%s", keyID, keySecret)
-	return &http.Cookie{
-		Name:     codersdk.SessionTokenKey,
-		Value:    sessionToken,
-		Path:     "/",
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-		Secure:   api.SecureAuthCookie,
-	}, nil
-}
-
 type CreateUserRequest struct {
 	codersdk.CreateUserRequest
 	LoginType database.LoginType

coderd/users_test.go

@@ -285,16 +285,15 @@ func TestPostLogin(t *testing.T) {
 		require.NoError(t, err, "fetch login key")
 		require.Equal(t, int64(86400), key.LifetimeSeconds, "default should be 86400")
 
-		// Generated tokens have a longer life
-		token, err := client.CreateAPIKey(ctx, admin.UserID.String())
-		require.NoError(t, err, "make new api key")
+		// tokens have a longer life
+		token, err := client.CreateToken(ctx, codersdk.Me)
+		require.NoError(t, err, "make new token api key")
 		split = strings.Split(token.Key, "-")
 		apiKey, err := client.GetAPIKey(ctx, admin.UserID.String(), split[0])
 		require.NoError(t, err, "fetch api key")
 
-		require.True(t, apiKey.ExpiresAt.After(time.Now().Add(time.Hour*24*6)), "api key lasts more than 6 days")
-		require.True(t, apiKey.ExpiresAt.After(key.ExpiresAt.Add(time.Hour)), "api key should be longer expires")
-		require.Greater(t, apiKey.LifetimeSeconds, key.LifetimeSeconds, "api key should have longer lifetime")
+		require.True(t, apiKey.ExpiresAt.After(time.Now().Add(time.Hour*438300)), "tokens lasts more than 50 years")
+		require.Greater(t, apiKey.LifetimeSeconds, key.LifetimeSeconds, "token should have longer lifetime")
 	})
 }
 
@@ -1195,36 +1194,18 @@ func TestGetUsers(t *testing.T) {
 	})
 }
 
-func TestPostAPIKey(t *testing.T) {
+func TestPostTokens(t *testing.T) {
 	t.Parallel()
-	t.Run("InvalidUser", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		_ = coderdtest.CreateFirstUser(t, client)
+	client := coderdtest.New(t, nil)
+	_ = coderdtest.CreateFirstUser(t, client)
 
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
 
-		client.SessionToken = ""
-		_, err := client.CreateAPIKey(ctx, codersdk.Me)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusUnauthorized, apiErr.StatusCode())
-	})
-
-	t.Run("Success", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		_ = coderdtest.CreateFirstUser(t, client)
-
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		apiKey, err := client.CreateAPIKey(ctx, codersdk.Me)
-		require.NotNil(t, apiKey)
-		require.GreaterOrEqual(t, len(apiKey.Key), 2)
-		require.NoError(t, err)
-	})
+	apiKey, err := client.CreateToken(ctx, codersdk.Me)
+	require.NotNil(t, apiKey)
+	require.GreaterOrEqual(t, len(apiKey.Key), 2)
+	require.NoError(t, err)
 }
 
 func TestWorkspacesByUser(t *testing.T) {