Update Access token defaults (#60190)

Chris Warwick · web-flow · commit 48fdc633466b · 2024-02-05T21:28:06.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,7 +22,7 @@ All notable changes to Sourcegraph are documented in this file.
 - Supports custom ChatCompletion models in Cody clients for dotcom users. [#58158](https://github.com/sourcegraph/sourcegraph/pull/58158)
 - Topics synced from GitHub and GitLab are now displayed for repository matches in the search results and on the repository tree page. [#58927](https://github.com/sourcegraph/sourcegraph/pull/58927)
 - Added a new column "Repository metadata JSON" to the CSV export of repository search results, which includes the JSON encoded object of metadata key-value pairs. [#59334](https://github.com/sourcegraph/sourcegraph/pull/59334)
-- Expiry to access tokens. Users can now select a maximum timespan for which a token is valid. Tokens will automatically lose access after this period. Default timeframes and an override to allow access tokens without expiration can be configured in the `auth.accessTokens` section of the site configuration. [#59565](https://github.com/sourcegraph/sourcegraph/pull/59565)
+- Expiry to access tokens. Users can now select a maximum timespan for which a token is valid. Tokens will automatically lose access after this period. Default timeframes and an override to disable access tokens without expiration can be configured in the `auth.accessTokens` section of the site configuration. [#59565](https://github.com/sourcegraph/sourcegraph/pull/59565)
 - Gerrit code host connections now support an 'exclude' field that prevents repos in this list from being synced. [#59739](https://github.com/sourcegraph/sourcegraph/pull/59739)
 - Limit the number of active access tokens for a user. By default users are able to have 25 active access tokens. This limit can be configured using the `maxTokensPerUser` setting in the `auth.accessTokens` section of the site configuration. [#59731](https://github.com/sourcegraph/sourcegraph/pull/59731)
 - Add experimental support for .cody/ignore when retrieving remote context. To enable it, set `experimentalFeatures.codyContextIgnore: true` in the site configuration. [#59836](https://github.com/sourcegraph/sourcegraph/pull/59836), [#59907](https://github.com/sourcegraph/sourcegraph/pull/59907)
diff --git a/cmd/frontend/graphqlbackend/access_tokens_test.go b/cmd/frontend/graphqlbackend/access_tokens_test.go
@@ -101,6 +101,14 @@ func TestMutation_CreateAccessToken(t *testing.T) {
 	t.Run("authenticated as user, expiration required not sent", func(t *testing.T) {
 		ctx := actor.WithActor(context.Background(), &actor.Actor{UID: 1})
 		db := dbmocks.NewMockDB()
+		conf.Mock(&conf.Unified{
+			SiteConfiguration: schema.SiteConfiguration{
+				AuthAccessTokens: &schema.AuthAccessTokens{
+					AllowNoExpiration: pointers.Ptr(false),
+				},
+			},
+		})
+		defer conf.Mock(nil)
 		result, err := newSchemaResolver(db, gitserver.NewTestClient(t)).CreateAccessToken(ctx, &createAccessTokenInput{User: uid1GQLID, Scopes: []string{"user:all"}, Note: "n"})
 		if err == nil {
 			t.Error("err == nil")
@@ -132,7 +140,7 @@ func TestMutation_CreateAccessToken(t *testing.T) {
 		db := dbmocks.NewMockDB()
 		db.AccessTokensFunc.SetDefaultReturn(accessTokens)
 		db.UsersFunc.SetDefaultReturn(users)
-		conf.Get().AuthAccessTokens = &schema.AuthAccessTokens{Allow: string(conf.AccessTokensAll), AllowNoExpiration: true}
+		conf.Get().AuthAccessTokens = &schema.AuthAccessTokens{Allow: string(conf.AccessTokensAll), AllowNoExpiration: pointers.Ptr(true)}
 		defer func() { conf.Get().AuthAccessTokens = nil }()
 		result, err := newSchemaResolver(db, gitserver.NewTestClient(t)).CreateAccessToken(ctx, &createAccessTokenInput{User: uid1GQLID, Scopes: []string{"user:all"}, Note: "n"})
 		if err != nil {
@@ -150,7 +158,7 @@ func TestMutation_CreateAccessToken(t *testing.T) {
 		conf.Mock(&conf.Unified{
 			SiteConfiguration: schema.SiteConfiguration{
 				AuthAccessTokens: &schema.AuthAccessTokens{
-					AllowNoExpiration:     false,
+					AllowNoExpiration:     pointers.Ptr(false),
 					DefaultExpirationDays: pointers.Ptr(2),
 					ExpirationOptionDays:  []int{1, 2, 3},
 				},
diff --git a/internal/conf/computed.go b/internal/conf/computed.go
@@ -84,10 +84,10 @@ func AccessTokensMaxPerUser() int {
 // AccessTokensAllowNoExpiration returns whether access tokens can be created without expiration.
 func AccessTokensAllowNoExpiration() bool {
 	cfg := Get().AuthAccessTokens
-	if cfg == nil {
-		return false
+	if cfg == nil || cfg.AllowNoExpiration == nil {
+		return true
 	}
-	return cfg.AllowNoExpiration
+	return *cfg.AllowNoExpiration
 }
 
 // AccessTokensExpirationOptions returns the default access token expiration days
diff --git a/internal/conf/computed_test.go b/internal/conf/computed_test.go
@@ -1201,7 +1201,7 @@ func TestAccessTokenAllowNoExpiration(t *testing.T) {
 		{
 			name:       "no accesstoken config set",
 			siteConfig: schema.SiteConfiguration{},
-			want:       false,
+			want:       true,
 		},
 		{
 			name: "default value",
@@ -1210,18 +1210,28 @@ func TestAccessTokenAllowNoExpiration(t *testing.T) {
 					Allow: string(AccessTokensAll),
 				},
 			},
-			want: false,
+			want: true,
 		},
 		{
 			name: "allow no expiration",
 			siteConfig: schema.SiteConfiguration{
 				AuthAccessTokens: &schema.AuthAccessTokens{
 					Allow:             string(AccessTokensAll),
-					AllowNoExpiration: true,
+					AllowNoExpiration: pointers.Ptr(true),
 				},
 			},
 			want: true,
 		},
+		{
+			name: "do not allow no expiration",
+			siteConfig: schema.SiteConfiguration{
+				AuthAccessTokens: &schema.AuthAccessTokens{
+					Allow:             string(AccessTokensAll),
+					AllowNoExpiration: pointers.Ptr(false),
+				},
+			},
+			want: false,
+		},
 	}
 
 	for _, tc := range testCases {
diff --git a/internal/database/access_tokens_test.go b/internal/database/access_tokens_test.go
@@ -641,7 +641,7 @@ func TestAccessTokens_Limits(t *testing.T) {
 		SiteConfiguration: schema.SiteConfiguration{
 			AuthAccessTokens: &schema.AuthAccessTokens{
 				MaxTokensPerUser:  pointers.Ptr(2),
-				AllowNoExpiration: true,
+				AllowNoExpiration: pointers.Ptr(true),
 			},
 			Log: &schema.Log{
 				SecurityEventLog: &schema.SecurityEventLog{Location: "database"},
diff --git a/schema/schema.go b/schema/schema.go
diff --git a/schema/site.schema.json b/schema/site.schema.json
@@ -1164,7 +1164,10 @@
         "allowNoExpiration": {
           "description": "Allows new tokens to be created without specifying an expiration.",
           "type": "boolean",
-          "default": "false"
+          "!go": {
+            "pointer": true
+          },
+          "default": "true"
         },
         "expirationOptionDays": {
           "description": "Options users will see for the number of days until token expiration. The defaultExpirationDays will be added to the list if not already present.",

Original file line number	Diff line number	Diff line change
`@@ -84,10 +84,10 @@ func AccessTokensMaxPerUser() int {`
`84`	`84`	`// AccessTokensAllowNoExpiration returns whether access tokens can be created without expiration.`
`85`	`85`	`func AccessTokensAllowNoExpiration() bool {`
`86`	`86`	`cfg := Get().AuthAccessTokens`
`87`		`- if cfg == nil {`
`88`		`- return false`
	`87`	`+ if cfg == nil \|\| cfg.AllowNoExpiration == nil {`
	`88`	`+ return true`
`89`	`89`	`}`
`90`		`- return cfg.AllowNoExpiration`
	`90`	`+ return *cfg.AllowNoExpiration`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`// AccessTokensExpirationOptions returns the default access token expiration days`