Implement expiry for access tokens #59565
Have you checked what happens if a token is expired in the VS Code client? e.g. do you get an obscure error or is it clear about what you need to do to get the Cody client working again?
emidoots left a comment:
Looks correct & well-tested to me, great work
VS Code isn't too bad, JetBrains you need to look a little deeper, I opened issues for it:
| This is a one-time access token to connect your account to {requester.name}. This | ||
| token will expire in {defaultAccessTokenExpiryDays}{' '} | ||
| {pluralize('day', defaultAccessTokenExpiryDays)}. You will not be able to see this | ||
| token again once the window is closed. |
What will this message say when a user created a token without expiry?
@unknwon This is the callback token generation page that is used by the extensions; the user doesn't have the ability to pick an expiration here. The token is generated without their input, it will use whatever the default is, and currently I didn't provide a way to default to no expiration, since enforcing an expiration for this pathway is the primary purpose of this PR.
What does one-time access token mean in this context? I'd expect it to work for only one request
| creator_user_id | integer | | not null | | ||
| scopes | text[] | | not null | | ||
| internal | boolean | | | false | ||
| expires_at | timestamp with time zone | | | |
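Review bot: expires_at is declared nullable here (no not null constraint, unlike creator_user_id and scopes), so NULL is the representation for internal tokens, tokens created before this change and explicitly non-expiring tokens; the token lookup therefore has to treat NULL as never-expiring and compare only non-NULL values against now(), e.g. `expires_at IS NULL OR expires_at > now()`, because a plain `expires_at > now()` evaluates to NULL for those rows and would reject every pre-existing token. A comment on the column stating that NULL means no expiry would make that contract explicit for the next migration.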
Maybe worth checking whether we need an update to the access_tokens_lookup index (line 41)?
Thanks for tagging me, @chwarwick! @sourcegraph/cody-plg, do you think introducing token expirations affects us in any other way?
@vdavid Correct, the internal tokens will continue to have no expiration.
@chwarwick For cloud, we are getting Should we set Can we set
@daxmc99 What is the purpose of these tokens? Happy to talk live to find a solution.
@chwarwick What would happen to existing access tokens configured prior to this change once this site configuration is set?
@alexAtSourcegraph They do not expire, this only affects new tokens created.

Add expiry to access tokens. Users can now select a maximum timespan for which a token is valid. Tokens will automatically lose access after this period.
By default, all new tokens will require expiration; however, there is a site configuration setting to allow users to create tokens without expiration if necessary. The preconfigured options when creating a token are 7, 14, 30, 60, or 90 days, with the selection defaulting to 90 days.
Tokens that are generated in the background, for example from the Cody VS Code extension, will use the default expiration period for the instance.
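The expiry rules the description lays out (the preconfigured lifetimes, the site setting that permits non-expiring tokens, the instance default for tokens generated in the background, and internal or pre-existing tokens keeping a NULL expires_at) worked through as an added Go example. This is not the PR's code: SiteConfig and its field names, ExpiryFor, BackgroundExpiry and IsValidAt are assumed names, and the clock value is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// SiteConfig models the two instance-level knobs described in the PR:
// whether users may create tokens without expiry, and the default expiry
// applied to tokens generated in the background (e.g. by the Cody VS Code
// extension). Field names are assumptions, not Sourcegraph's config keys.
type SiteConfig struct {
	AllowNoExpiration bool
	DefaultExpiryDays int
}

// Preconfigured choices offered in the UI, with 90 days as the default.
var allowedExpiryDays = []int{7, 14, 30, 60, 90}

const defaultExpiryDays = 90

var (
	ErrNoExpiryNotAllowed = errors.New("tokens without expiration are disabled by site configuration")
	ErrInvalidExpiryDays  = errors.New("expiry must be one of the preconfigured options")
)

// ExpiryFor computes the expires_at value for a user-created token.
// days == 0 means the user asked for "no expiration"; that is only honoured
// when the site configuration allows it, and is stored as a NULL expires_at.
func ExpiryFor(cfg SiteConfig, days int, now time.Time) (*time.Time, error) {
	if days == 0 {
		if !cfg.AllowNoExpiration {
			return nil, ErrNoExpiryNotAllowed
		}
		return nil, nil
	}
	for _, d := range allowedExpiryDays {
		if d == days {
			t := now.AddDate(0, 0, days)
			return &t, nil
		}
	}
	// Reject arbitrary client-supplied values so the UI options are the
	// only lifetimes an instance hands out.
	return nil, ErrInvalidExpiryDays
}

// BackgroundExpiry is used for tokens created without user input (the
// extension callback flow): the instance default always applies and there
// is no way to opt out of expiry on this path.
func BackgroundExpiry(cfg SiteConfig, now time.Time) time.Time {
	days := cfg.DefaultExpiryDays
	if days <= 0 {
		days = defaultExpiryDays
	}
	return now.AddDate(0, 0, days)
}

// AccessToken mirrors the columns that matter for the lookup: internal
// tokens and tokens created before this change carry a NULL expires_at.
type AccessToken struct {
	Internal  bool
	ExpiresAt *time.Time
}

// IsValidAt is the rule the token lookup has to apply: a NULL expires_at
// never expires; anything else is valid strictly before its expiry instant.
func IsValidAt(tok AccessToken, now time.Time) bool {
	if tok.ExpiresAt == nil {
		return true
	}
	return now.Before(*tok.ExpiresAt)
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample clock
	cfg := SiteConfig{AllowNoExpiration: false, DefaultExpiryDays: 90}

	if exp, err := ExpiryFor(cfg, 30, now); err == nil {
		fmt.Println("30-day token expires at", exp.Format(time.RFC3339))
	}
	if _, err := ExpiryFor(cfg, 0, now); err != nil {
		fmt.Println("no-expiry request rejected:", err)
	}
	fmt.Println("background token expires at", BackgroundExpiry(cfg, now).Format(time.RFC3339))
	fmt.Println("legacy token still valid:", IsValidAt(AccessToken{}, now.AddDate(10, 0, 0)))
}
```

The split between ExpiryFor and BackgroundExpiry is the point of the PR: the interactive flow may be relaxed per instance, the callback flow cannot, and only a NULL expires_at (never a sentinel date) marks a token as non-expiring, so the lookup has a single place where that case is decided.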
Screenshots in the description: Defaults; Options when allowing no expiration; Allow no expiration but show warning; Created from VS Code shows using the default.
closes https://github.com/sourcegraph/sourcegraph/issues/59545
Test plan