Add 30-day session timeout for CLI authentication #4634
Open: theoctopusperson wants to merge 10 commits into master from session-timeout-feature
Add 30-day session timeout for CLI authentication

Addresses the issue where users returning to the CLI after extended periods may have stale or invalid tokens. Users are now automatically prompted to re-authenticate after 30 days of inactivity. Users with no existing timestamp are immediately prompted to login.

Changes:
- Add last_login timestamp tracking in config.yml
- Implement token age validation in RequireSession preparer
- Display styled "Welcome back!" message when session expires
- Handle migration for existing users without login timestamps
- Gracefully prompt for re-login in interactive sessions

Non-interactive sessions return appropriate error messages.

Add proper config setup with LastLogin timestamp in the deploy test to satisfy the session timeout validation in RequireSession. This ensures unit tests pass while maintaining the security feature that forces users with expired tokens to re-authenticate.

When FLY_ACCESS_TOKEN or FLY_API_TOKEN environment variables are set, skip the session timeout validation. This ensures CI/CD pipelines continue to work without requiring manual re-authentication. The timestamp check only applies to interactive users with file-based config, protecting against stale sessions while not breaking automation.

Tested both scenarios:
- Without env var: timeout enforced after 30 days
- With env var: timeout bypassed for CI/CD use
…/flyctl into session-timeout-feature
Users returning to the CLI after extended periods often have stale or invalid tokens. Currently, there's no mechanism to force re-authentication for users who haven't used flyctl in a long time, leading to cryptic errors or unexpected behavior with expired credentials.
Solution
Implement a 30-day session timeout that automatically prompts users to re-authenticate when their session has expired, while preserving CI/CD pipeline functionality.
Changes
- config.yml to track when users last authenticated
- RequireSession preparer to check if tokens have expired (30-day timeout)
- FLY_ACCESS_TOKEN or FLY_API_TOKEN environment variables are set, the timeout check is bypassed

CI/CD Compatibility
No impact on automated pipelines - tokens provided via environment variables bypass the session timeout check entirely. This ensures existing CI/CD workflows continue working without modification.
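
The decision rules described in this pull request, written out as an added example; this is not code from the PR or from flyctl. `CheckSession`, `Action`, `ErrSessionExpired` and the handling of future timestamps are hypothetical names and assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical names throughout; this is not flyctl's code.
const sessionTimeout = 30 * 24 * time.Hour

type Action int

const (
	Proceed     Action = iota // session accepted
	PromptLogin               // interactive: ask the user to log in again
	Fail                      // non-interactive: return an error
)

var ErrSessionExpired = errors.New("session expired: log in again")

// CheckSession applies the rules from the PR description. env is a lookup
// like os.Getenv; lastLogin is nil when config.yml has no timestamp.
func CheckSession(env func(string) string, lastLogin *time.Time, now time.Time, interactive bool) (Action, error) {
	// Tokens supplied by environment variable bypass the timeout (CI/CD).
	if env("FLY_ACCESS_TOKEN") != "" || env("FLY_API_TOKEN") != "" {
		return Proceed, nil
	}
	expired := lastLogin == nil // migration: no timestamp means re-login
	if lastLogin != nil {
		age := now.Sub(*lastLogin)
		// Assumption: a timestamp in the future is treated as invalid, not fresh.
		expired = age < 0 || age > sessionTimeout
	}
	if !expired {
		return Proceed, nil
	}
	if interactive {
		return PromptLogin, nil
	}
	return Fail, ErrSessionExpired
}

func main() {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC) // constructed sample clock
	old := now.Add(-31 * 24 * time.Hour)
	noEnv := func(string) string { return "" }
	fmt.Println(CheckSession(noEnv, &old, now, false)) // non-interactive, 31 days old
}
```

The check runs client-side against a locally stored timestamp, so it governs when the CLI asks for a new login, not whether the server still accepts the token.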