mirror of
https://github.com/coder/coder.git
synced 2026-06-03 13:08:25 +00:00
4a3304fc38
## Summary
> NOTE: Calling this out as a breaking change in case existing consumers
of the CLI depend on being able to see expired tokens OR being able to
delete tokens immediately.
Updates the `coder tokens rm` command to immediately expire a token by
ID, preserving the token record for audit trail purposes. Tokens can
still be deleted by passing `--delete`.
## Problem
During an incident on dev.coder.com, operators needed to urgently expire
an API key that was stuck in a hot loop. The only way to do this was via
direct database access:
```sql
UPDATE api_keys SET expires_at = NOW() WHERE id = '...';
```
This is not ideal for operators who may not have direct DB access or
want to avoid manual SQL.
## Solution
This PR adds:
- **API endpoint**: `PUT /api/v2/users/{user}/keys/{keyid}/expire` -
Sets the token's `expires_at` to now
- **SDK method**: `ExpireAPIKey(ctx, userID, keyID)`
- **Updates CLI**: `coder tokens rm <name|id|token>` now _expires_ by
default. You can still delete by passing the `--delete` flag. The `coder
tokens list` command now also hides expired tokens by default. You can
`--include-expired` if needed to include them.
- **Audit logging**: The expire action is logged with old and new key
states
## Test plan
- Tests cover: owner expiring own token, admin expiring other user's
token, non-admin cannot expire other's token, 404 for non-existent token
Closes #21782
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
51 lines
1.2 KiB
Markdown
Generated
<!-- DO NOT EDIT | GENERATED CONTENT -->
# tokens list

List tokens

Aliases:

* ls

## Usage

```console
coder tokens list [flags]
```

## Options

### -a, --all

|      |                   |
|------|-------------------|
| Type | <code>bool</code> |

Specifies whether all users' tokens will be listed or not (must have Owner role to see all tokens).

### --include-expired

|      |                   |
|------|-------------------|
| Type | <code>bool</code> |

Include expired tokens in the output. By default, expired tokens are hidden.

### -c, --column

|         |                                                                                       |
|---------|---------------------------------------------------------------------------------------|
| Type    | <code>[id\|name\|scopes\|allow list\|last used\|expires at\|created at\|owner]</code> |
| Default | <code>id,name,scopes,allow list,last used,expires at,created at</code>                |

Columns to display in table output.

### -o, --output

|         |                          |
|---------|--------------------------|
| Type    | <code>table\|json</code> |
| Default | <code>table</code>       |

Output format.
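
The commit message above describes expiring a token instead of deleting it, and this reference hides expired tokens unless `--include-expired` is passed. The following Go model of those two behaviours is an added example, not code from the coder repository; `Token`, `Store`, `Expire`, `List` and the sample data are hypothetical, and the error returned to a non-owner is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Token is a simplified, hypothetical stand-in for an API key record.
type Token struct {
	ID, Owner string
	ExpiresAt time.Time
}

// Store is an in-memory model keyed by token ID.
type Store map[string]*Token

var ErrNotFound, ErrForbidden = errors.New("not found"), errors.New("forbidden")

// Expire revokes a token by setting ExpiresAt to now; the record is kept for audit.
func (s Store) Expire(actor string, admin bool, id string, now time.Time) error {
	t, ok := s[id]
	if !ok {
		return ErrNotFound
	}
	if t.Owner != actor && !admin {
		return ErrForbidden // assumption: the real handler's response is not shown on the page
	}
	t.ExpiresAt = now
	return nil
}

// List returns owner's token IDs, hiding expired ones unless includeExpired is set.
func (s Store) List(owner string, includeExpired bool, now time.Time) []string {
	ids := []string{}
	for _, t := range s {
		if t.Owner == owner && (includeExpired || t.ExpiresAt.After(now)) {
			ids = append(ids, t.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample data
	s := Store{"k1": {"k1", "alice", now.Add(time.Hour)}, "k2": {"k2", "alice", now.Add(-time.Hour)}}
	fmt.Println(s.Expire("bob", false, "k1", now), s.Expire("alice", false, "k1", now), s.List("alice", false, now), s.List("alice", true, now))
}
```

After `Expire`, the token drops out of the default listing but is still present in the store and in the `includeExpired` listing, which is the property that keeps an audit trail available.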