If the value is 0, we default to 24hrs

Shouldn't this be a default when creating the column rather than on insert?

It is a default on the column, but you cannot insert anil value to the auto-generated code. So the default zero value in the insert code is0. I want to treat that as a default of 24hrs. The column default was mainly for the migration to be happy.

The alternative is to put this default in the Go code, but we don't have a layer to gatekeep db functions. So I'd rather put this in the SQL where it's guaranteed to be checked.

If desired, we can fix this to useNULL to indicate a default value rather than0 when the next version of sqlc is released, with support forsqlc.narg.

@dwahler yes. Ifnarg or I also sawsqlc.arg(name, nullable) is supported, then we can do exactly that 👍. And use the column default.

/login is still 24hrs. Creating api keys from the api (eg/cli-auth) is 1 week. Refreshes every hour as normal, so any activity every 7 days keeps it alive.

Do you think we need an arbitrary amount of seconds for an API key to live for? I'm curious for@dwahler's thoughts.

We do if we want api keys to have different lifetimes. Currently the browser login api keys are valid for 24hrs. When we refresh them, we need to know how long to refresh them for (24hrs).

The cli keys will have a longer life (1 week). When you refresh, you need to know to add 1 week onto the expiresAt.

Not sure where it falls on the spectrum of "needs", but I can definitely imagine this being useful, especially to enterprise users.

If the point of expiring keys is to mitigate risk, then you might want to make that tradeoff differently when the risk level is different. For instance, shorter lifetimes for keys that are stored on laptops (potentially prone to theft) or for admin users (where the consequences of key compromise are greater).

For now, I like specifying the lifetime as a request parameter, because it seems like the simplest way to expose this functionality. In the future it might make more sense for admins to be able to control the lifetimes with some kind of policy.

@dwahler It's not a configurable param from the api atm. There is just 2 endpoints (login and cli-auth) that make keys. But this backend does lead to it being easily configurable in the future.

Ah, gotcha, I missed thatparams wasn't directly populated from the request.

@dwahler I didn't think it was necessary at this time, since it's 2 different routes.