Skip to content

feat: honor a CLI-requested token lifetime in the webauth login flow #928

Description

@tomaskir

Is your feature request related to a problem?

PATs created via the CLI webauth login flow always have infinite lifetime. The webauth approval page hardcodes the expiry to null when minting the token (frontend/app/webauth/[requestCode]/page.tsx calls generateUserToken(...) with null).

This is despite expiry being fully supported everywhere else:

  • CreateUserTokenMutation accepts expiry: BigInt (backend/backend/graphene/mutations/environment.py)
  • UserToken.expires_at exists and is nullable (backend/api/models.py)
  • Expiry is enforced on auth (backend/api/utils/rest.py, token_is_expired_or_deleted)
  • The normal "Create token" dialog already lets users pick an expiry (frontend/utils/tokens.ts)

The CLI webauth path is the only token-creation flow that can't set an expiry.

Describe the solution you'd like

Let the CLI request a token lifetime during webauth login, and honor it:

  • Extend the webauth request payload (currently port-pubKeyHex-patName) to carry an optional requested expiry.
  • On the webauth page, parse it and pass it to generateUserToken(...) / CreateUserTokenMutation as expiry instead of hardcoded null.
  • Show the resulting expiry on the approval screen so the user sees how long the token will live.
  • No CLI-requested lifetime = current behavior (never expires).

Backend mutation/model changes shouldn't be needed - only the webauth frontend path stops hardcoding null.

Caveat: the payload is hyphen-joined and the token name can itself contain hyphens, so adding an expiry field needs a parse-safe format (not a naive split on -); coordinate with the CLI side.

Describe alternatives you've considered

  • Letting the user pick the expiry directly on the webauth approval page, independent of any CLI request. Could complement the CLI-driven value, but the CLI-requested duration is the primary ask.

Additional context

Cross-repo change. CLI side (flag + sending the requested duration) tracked in phasehq/cli#302.

Key files: frontend/app/webauth/[requestCode]/page.tsx (hardcoded null), backend/backend/graphene/mutations/environment.py (CreateUserTokenMutation, already supports expiry).

Metadata

Metadata

Labels

No labels
No labels

Type

No type
No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions