Skip to content

feat(auth): support custom token name and lifetime in webauth login#304

Open
tomaskir wants to merge 1 commit into
phasehq:mainfrom
tomaskir:feat/webauth-token-name-lifetime
Open

feat(auth): support custom token name and lifetime in webauth login#304
tomaskir wants to merge 1 commit into
phasehq:mainfrom
tomaskir:feat/webauth-token-name-lifetime

Conversation

@tomaskir

Copy link
Copy Markdown

Description

Adds two optional flags to phase auth (webauth mode) so the minted personal access token's name and lifetime can be set at login, instead of the token always being a non-expiring username@hostname PAT.

Parse-safe payload change: the webauth request payload moves from the hyphen-joined port-pubKeyHex-patName string to base64(JSON) { port, publicKey, name, lifetime? } (lifetime in seconds; omitted = never expires). This is needed because a user-supplied name can contain hyphens and other characters that the old naive split on - truncated, and it matches the Console webauth page contract.

New helper util.ParseTokenLifetime converts a lifetime string to seconds (units: s, m, h, d, w).

Requires the Console side to honor the values: phasehq/console#928 and phasehq/console#937, implemented in phasehq/console#938.

Closes #302
Closes #303

Verification

  • go vet ./..., CGO_ENABLED=0 go build (CI smoke test), and go test ./... pass on Go 1.24.
  • util.ParseTokenLifetime is unit-tested (units, trimming/case-insensitivity, invalid inputs).
  • End-to-end - ran the built binary and decoded the generated webauth URL:
    • phase auth --token-lifetime 7d --token-name "ci-prod-api" -> {"port":...,"name":"ci-prod-api","lifetime":604800} (604800 = 7d)
    • phase auth (no flags) -> {"port":...,"name":"root@<container-id>"}, lifetime omitted
    • phase auth --token-lifetime 7x -> clean validation error
    • The generated payload is accepted by the Console webauth route (console#938).

Type

  • New feature

phase auth (webauth mode) always minted a non-expiring PAT named
username@hostname, with no way to override either. Add two optional flags
and send the values to the Console in the webauth request payload:

- --token-name sets the PAT name (default username@hostname). This fixes
  unhelpful names under Docker, where the default becomes root@<container-id>.
- --token-lifetime sets the PAT lifetime, e.g. 7d, 12h, 30m, 60s, 2w
  (default: never expires).

The webauth payload moves from the hyphen-joined port-pubKeyHex-patName
string to base64(JSON) { port, publicKey, name, lifetime? }, where lifetime
is in seconds. This is parse-safe for names containing hyphens or other
characters and matches the Console webauth page contract.

Add util.ParseTokenLifetime to convert a lifetime string into seconds.

Console side: phasehq/console#928, phasehq/console#937 (PR phasehq/console#938).

Closes phasehq#302
Closes phasehq#303
@tomaskir tomaskir force-pushed the feat/webauth-token-name-lifetime branch from 13f65ab to b2ed17b Compare June 28, 2026 19:07
@tomaskir

Copy link
Copy Markdown
Author

Coordinated Console side: phasehq/console#938 (parses the base64(JSON) webauth payload and mints the PAT with the requested name and lifetime).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat: allow setting the token name during phase auth feat: allow requesting a token with a specific lifetime during phase auth

1 participant