core: add user settable token durations (#7410)

* core: add support for user settable token duration * web: add support for user settable token duration * website: add documentation for user settable token duration * core : fix locales * web: fix tokenIntent when updating * core: fix linting * website: Update website/docs/user-group-role/user/user_ref.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jean-Michel DILLY <48059109+jmdilly@users.noreply.github.com> * make token duration system-wide configurable Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * small fixup Signed-off-by: Jens Langhammer <jens@goauthentik.io> * migrate token configs to tenants Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * add release notes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * make website Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint-fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix migrations Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * nosec Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint-fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix migrations for real this time Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * trying with no model using default_token_key Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint-fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix save Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint-fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * use signal instead of overriding save Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> --------- Signed-off-by: Jean-Michel DILLY <48059109+jmdilly@users.noreply.github.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2024-04-11 13:05:05 +02:00
parent 40c672f246
commit a70363bd95
24 changed files with 520 additions and 28 deletions
--- a/website/docs/installation/configuration.mdx
+++ b/website/docs/installation/configuration.mdx
@ -272,14 +272,6 @@ Disable the inbuilt update-checker. Defaults to `false`.
    -   Kubeconfig
    -   Existence of a docker socket

-### `AUTHENTIK_DEFAULT_TOKEN_LENGTH`
-
-:::info
-Requires authentik 2022.4.1
-:::
-
-Configure the length of generated tokens. Defaults to 60.
-
 ### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS`

 :::info
--- a/website/docs/releases/2024/next.md
+++ b/website/docs/releases/2024/next.md
@ -0,0 +1,60 @@
+---
+title: Release next
+slug: /releases/next
+---
+
+<!-- ## Breaking changes -->
+
+## Breaking changes
+
+### Manual action is required
+
+### Manual action may be required
+
+-   **Configuration options migrated to the Admin interface**
+
+    The following config options have been moved from the config file and can now be set using the Admin interface (under **System** -> **Settings**) or the API:
+
+    -   `AUTHENTIK_DEFAULT_TOKEN_LENGTH`
+
+    When upgrading to 2024.next, the currently configured options will be automatically migrated to the database, and can be removed from the `.env` or helm values file afterwards.
+
+## New features
+
+-   Configurable app password token expiring
+
+    Thanks @jmdilly for contributing this feature!
+
+    Admins can now configure the default token duration (which defaults to `minutes=30`) in the admin interface as specified above. This value can also be overridden per-user with the `goauthentik.io/user/token-maximum-lifetime` attribute.
+
+## Upgrading
+
+This release does not introduce any new requirements.
+
+### docker-compose
+
+To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
+
+```
+wget -O docker-compose.yml https://goauthentik.io/version/xxxx.x/docker-compose.yml
+docker compose up -d
+```
+
+The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name.
+
+### Kubernetes
+
+Upgrade the Helm Chart to the new version, using the following commands:
+
+```shell
+helm repo update
+helm upgrade authentik authentik/authentik -f values.yaml --version ^xxxx.x
+```
+
+## Minor changes/fixes
+
+<!-- _Insert the output of `make gen-changelog` here_ -->
+
+## API Changes
+
+<!-- _Insert output of `make gen-diff` here_ -->
--- a/website/docs/user-group-role/user/user_ref.md
+++ b/website/docs/user-group-role/user/user_ref.md
@ -70,6 +70,14 @@ Optional flag, when set to false, Tokens created by the user will not expire.

 Only applies when the token creation is triggered by the user with this attribute set. Additionally, the flag does not apply to superusers.

+### `goauthentik.io/user/token-maximum-lifetime`:
+
+Optional flag, when set, defines the maximum lifetime of user-created tokens. Defaults to the system setting if not set.
+
+Only applies when `goauthentik.io/user/token-expires` set to true.
+
+Format is string of format `days=10;hours=1;minute=3;seconds=5`.
+
 ### `goauthentik.io/user/debug`:

 See [Troubleshooting access problems](../../troubleshooting/access), when set, the user gets a more detailed explanation of access decisions.