Is your feature request related to a problem?
The PAT name created by phase auth is hardcoded to username@hostname (src/cmd/auth_webauth.go:41). There is no way to override it.
This breaks down badly under Docker. When phase auth runs inside a container, the hostname is a random container ID and the username is whatever the image happens to run as (often root or an arbitrary build user). Neither is meaningful or stable. For anyone using Phase from dockerized applications, the token list fills up with entries like root@3f9a2c1b4e5d - many near-identical user@random-id PATs with no way to tell which container, service, or run each one came from.
The Console already honors whatever name the CLI sends (the webauth page mints the PAT with requestedTokenName from the payload), so today the CLI is the only thing standing between the user and a useful token name.
Describe the solution you'd like
Add an optional flag to phase auth for the webauth flow:
phase auth --token-name "ci-prod-api"
The CLI puts the chosen name in the webauth request payload (currently port-pubKeyHex-patName in src/cmd/auth_webauth.go:46) in place of the derived username@hostname. No flag = current behavior (username@hostname default, unchanged).
Caveat: the payload is hyphen-joined and a user-supplied name can contain hyphens (and arbitrary characters), so this needs the same parse-safe payload format being introduced for the token-lifetime work - not a naive split on -. The current Console parser (hash.split('-')[2]) already truncates any name containing a hyphen, so this flag depends on that format fix landing.
Describe alternatives you've considered
- Rename the PAT in the web UI after the fact (manual, breaks non-interactive/CI setups, and you first have to identify the right
user@random-id entry).
- Deriving a better default inside containers (e.g. reading a service name from an env var) - heuristic and fragile; an explicit flag is predictable.
Additional context
Cross-repo: shares the webauth payload-format change with the token-lifetime feature (#302, Console side phasehq/console#928). Cleanest to land both flags (--token-name, --token-lifetime) on one payload-format migration rather than two.
Relevant code: src/cmd/auth.go, src/cmd/auth_webauth.go.
Is your feature request related to a problem?
The PAT name created by
phase authis hardcoded tousername@hostname(src/cmd/auth_webauth.go:41). There is no way to override it.This breaks down badly under Docker. When
phase authruns inside a container, the hostname is a random container ID and the username is whatever the image happens to run as (oftenrootor an arbitrary build user). Neither is meaningful or stable. For anyone using Phase from dockerized applications, the token list fills up with entries likeroot@3f9a2c1b4e5d- many near-identicaluser@random-idPATs with no way to tell which container, service, or run each one came from.The Console already honors whatever name the CLI sends (the webauth page mints the PAT with
requestedTokenNamefrom the payload), so today the CLI is the only thing standing between the user and a useful token name.Describe the solution you'd like
Add an optional flag to
phase authfor thewebauthflow:The CLI puts the chosen name in the webauth request payload (currently
port-pubKeyHex-patNameinsrc/cmd/auth_webauth.go:46) in place of the derivedusername@hostname. No flag = current behavior (username@hostnamedefault, unchanged).Caveat: the payload is hyphen-joined and a user-supplied name can contain hyphens (and arbitrary characters), so this needs the same parse-safe payload format being introduced for the token-lifetime work - not a naive split on
-. The current Console parser (hash.split('-')[2]) already truncates any name containing a hyphen, so this flag depends on that format fix landing.Describe alternatives you've considered
user@random-identry).Additional context
Cross-repo: shares the webauth payload-format change with the token-lifetime feature (#302, Console side phasehq/console#928). Cleanest to land both flags (
--token-name,--token-lifetime) on one payload-format migration rather than two.Relevant code:
src/cmd/auth.go,src/cmd/auth_webauth.go.