rancher / rancher

Complete container management platform
http://rancher.com
Apache License 2.0

[BUG] Editing token ttl has no validation between ttl and expiresAt field #39828

Open brudnak opened 1 year ago

brudnak commented 1 year ago

Rancher Server Setup

| Component | Version / Type |
| --- | --- |
| Rancher version | v2.7-44d3d40c6dd9acd0aae257ea0f80ea9eab743784-head |
| Rancher commit link | https://github.com/rancher/rancher/commit/44d3d40c6dd9acd0aae257ea0f80ea9eab743784 |
| Installation option | Helm (high availability) |
| If Helm Chart k8s cluster | v1.24.7+k3s1 |
| Cert Details | Let's Encrypt / traefik |
| k3s ha external db | Aurora MySQL 5.7.mysql_aurora.2.10.2 |
| Helm version | v2.16.8-rancher2 |
| Downstream cluster type | RKE1 Linode |
| Downstream K8s version | v1.24.8-rancher1-1 |
| Authentication providers enabled | local, GitHub |
| Logged in user role | Administrator, Standard User |
| Browser type | Google Chrome |
| Browser version | 108.0.5359.94 (Official Build) (x86_64) |
🚨 Additional Reproduction Setup Details:

K3s install command for node one. Replace values in <>:

```shell
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION= sh -s - server --token=SECRET --datastore-endpoint= --tls-san --node-external-ip
```

K3s install command for node two. Replace values in <>. The main difference here is the --token:

```shell
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION= sh -s - server --token= --datastore-endpoint= --tls-san --node-external-ip
```

Describe the bug

When editing the ttl of a token with kubectl, there is no validation between ttl and the expiresAt field.

To Reproduce

  1. Starting from the default Rancher homepage /dashboard/home
  2. Click at top right of screen user icon >> Account & API Keys >> Create API Key
  3. Fill out the API Key: Create form
    1. Description >> TEST_TOKEN
    2. Scope >> No Scope
    3. Automatically expire >> Never
  4. Using kubectl against the local cluster, run these commands
  5. `kubectl get tokens`
  6. From the list, notice the token you just created, now run
  7. `kubectl edit token $token_name`
  8. NOTE: When editing the token, the expiresAt field is set to an empty string ""
  9. Change the ttl from 0 to `ttl: 600000`
    • 600000 milliseconds >> 10 minutes
  10. Save/apply the changes to ttl
  11. Edit the token again with `kubectl edit token $token_name`
    1. Now observe the expiresAt field is set to "2022-12-08T20:19:52Z"
    2. Which is 10 minutes past the `creationTimestamp`: "2022-12-08T20:09:52Z"
  12. Edit the token again with `kubectl edit token $token_name`
  13. Change the ttl from 600000 to 1200000 (20 minutes)
  14. Save these changes and check the token with `kubectl describe token $token_name`
  15. Even though the ttl has changed from 600000 to 1200000, the expiresAt field has remained as: "2022-12-08T20:19:52Z"

Result

Expected Result

For there to be some validation against expiresAt field and ttl so the UI can display accurate information on when a token will actually expire

Additional Info

Noticed while doing validations against: https://github.com/rancher/rancher/issues/39107
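
An added example, not code from the issue or from Rancher itself: a small Go check that derives the expiry a token's ttl implies from its creationTimestamp and compares it with the stored expiresAt, which is exactly the drift the steps above observe. It assumes a trimmed JSON view of the Token object as `kubectl get token <name> -o json` would print it (field names taken from the steps above) and uses a constructed sample token.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Token is a hypothetical, trimmed view of the Rancher Token object as printed
// by `kubectl get token <name> -o json`; only the fields discussed above are kept.
type Token struct {
	Metadata struct {
		CreationTimestamp time.Time `json:"creationTimestamp"`
	} `json:"metadata"`
	TTL       int64  `json:"ttl"`       // milliseconds; 0 means "never expire"
	ExpiresAt string `json:"expiresAt"` // RFC3339, or "" when there is no expiry
}

// CheckToken parses one Token and returns the expiresAt implied by its ttl next
// to the stored one; the two should be equal, and in the report above they are not.
func CheckToken(raw []byte) (want, got string, err error) {
	var t Token
	if err = json.Unmarshal(raw, &t); err != nil {
		return "", "", err
	}
	if t.TTL > 0 { // ttl 0 means never expire, so no expiresAt is expected
		exp := t.Metadata.CreationTimestamp.Add(time.Duration(t.TTL) * time.Millisecond)
		want = exp.UTC().Format(time.RFC3339)
	}
	return want, t.ExpiresAt, nil
}

// Constructed sample: ttl was raised from 600000 to 1200000, but expiresAt
// still holds the 10-minute value computed for the earlier ttl.
const sampleToken = `{"metadata":{"creationTimestamp":"2022-12-08T20:09:52Z"},
 "ttl":1200000,"expiresAt":"2022-12-08T20:19:52Z"}`

func main() {
	want, got, err := CheckToken([]byte(sampleToken))
	if err != nil {
		panic(err)
	}
	if want != got {
		fmt.Printf("DRIFT: ttl implies expiresAt %q but object has %q\n", want, got)
	} else {
		fmt.Println("token consistent")
	}
}
```

Run against `kubectl get tokens -o json` output (one object at a time) the same comparison flags every token whose displayed expiry no longer matches its ttl.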

KevinJoiner commented 1 year ago

Managing Tokens via kubectl is not currently supported and will need to wait until they are migrated outside of Norman.