Is your feature request related to a problem?
Tokens minted through phase auth never expire. The webauth flow creates a non-expiring PAT, and --mode token just accepts a pre-existing one. There is no way to request a short-lived token at login - a problem for CI runners, shared machines, and demos.
(A --ttl flag already exists on phase auth, but it's scoped to external identity modes only - aws-iam, azure - see src/cmd/auth.go. It does not apply to webauth.)
Describe the solution you'd like
Add an optional lifetime flag to phase auth for the webauth flow:
phase auth --token-lifetime 7d
The CLI passes the requested duration in the webauth request payload (currently port-pubKeyHex-patName in src/cmd/auth_webauth.go:46), and the Console webauth page mints the PAT with that expiry. The backend already supports per-token expiry, so this is mostly plumbing. No flag = non-expiring token (unchanged default).
Caveat: the payload is hyphen-joined and patName can itself contain hyphens, so adding an expiry field needs a parse-safe format/ordering (not a naive split on -).
Describe alternatives you've considered
- Create a time-bound PAT manually in the web UI and use --mode token (manual and breaks non-interactive setups).
- Extending the existing external-identity --ttl flag to also cover webauth instead of a new flag name.
Additional context
Cross-repo change. Console side (webauth page honoring the requested expiry) tracked in phasehq/console#928.
Relevant code: src/cmd/auth.go, src/cmd/auth_webauth.go.
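An added example (not code from the Phase CLI or from this issue) of one parse-safe layout for the hyphen caveat above, together with parsing of a `7d` style lifetime. The field order `port-pubKeyHex-lifetimeSeconds-patName`, the use of 0 for "non-expiring", the 10-year cap and all function names are assumptions; validation of `pubKeyHex` is left out.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

const maxLifetime = 3650 * 24 * time.Hour // arbitrary example cap, not a Phase limit

// parseLifetime accepts "7d" (days, which time.ParseDuration rejects) or a Go duration.
func parseLifetime(s string) (d time.Duration, err error) {
	if days := strings.TrimSuffix(s, "d"); days != s {
		if n, aerr := strconv.Atoi(days); aerr == nil && n <= 3650 {
			d = time.Duration(n) * 24 * time.Hour // otherwise d stays 0 and is rejected below
		}
	} else {
		d, err = time.ParseDuration(s)
	}
	// Under one second would encode as 0, which this layout reserves for "non-expiring".
	if err != nil || d < time.Second || d > maxLifetime {
		return 0, fmt.Errorf("invalid lifetime %q", s)
	}
	return d, nil
}

// encode uses an assumed layout, port-pubKeyHex-lifetimeSeconds-patName: free-form name last.
func encode(port int, pubKeyHex string, life time.Duration, patName string) string {
	return fmt.Sprintf("%d-%s-%d-%s", port, pubKeyHex, int64(life/time.Second), patName)
}

// decode splits at most 4 ways, so hyphens in patName stay inside the final field.
func decode(p string) (port int, pubKeyHex string, life time.Duration, patName string, err error) {
	f := strings.SplitN(p, "-", 4)
	if len(f) != 4 {
		return 0, "", 0, "", fmt.Errorf("want 4 fields, got %d", len(f))
	}
	port, err = strconv.Atoi(f[0])
	secs, secErr := strconv.ParseInt(f[2], 10, 64)
	if err != nil || port < 1 || port > 65535 || secErr != nil || secs < 0 || secs > int64(maxLifetime/time.Second) {
		return 0, "", 0, "", fmt.Errorf("malformed port or lifetime in %q", p)
	}
	return port, f[1], time.Duration(secs) * time.Second, f[3], nil
}

func main() {
	life, _ := parseLifetime("7d")
	fmt.Println(decode(encode(8080, "a1b2c3", life, "ci-runner-01"))) // constructed sample values
}
```

A payload in the current three-field form whose name contains hyphens (for example `8080-a1b2c3-ci-runner`) fails the numeric lifetime check here instead of being silently misread, so the receiving side would need an explicit version or field-count rule to accept both forms.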