This is an automated email from the ASF dual-hosted git repository.

arm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git


The following commit(s) were added to refs/heads/main by this push:
     new c99fcd0  #596 - security documentation updated
c99fcd0 is described below

commit c99fcd07530394b651ed24b8db18e7b50bbf4231
Author: Alastair McFarlane <[email protected]>
AuthorDate: Wed Jan 28 14:41:38 2026 +0000

    #596 - security documentation updated
---
 atr/docs/security-authentication.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/atr/docs/security-authentication.md 
b/atr/docs/security-authentication.md
index fa96f8b..a2f96a6 100644
--- a/atr/docs/security-authentication.md
+++ b/atr/docs/security-authentication.md
@@ -53,7 +53,7 @@ Sessions are stored server-side. The browser receives only a 
session cookie that
 * `Secure` - cookie is only sent over HTTPS
 * `SameSite=Strict` - provides CSRF protection for most requests
 
-Session data includes the user's ASF UID and is used to authorize requests. 
The session expires after a period of inactivity or when the user logs out.
+Session data includes the user's ASF UID and is used to authorize requests. 
The session expires after a configured maximum lifetime (default 72 hours), a 
period of inactivity, or when the user logs out.
 
 ### Session caching
 
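Review bot: The new sentence at the end of this hunk gives a default (72 hours) for the maximum lifetime but does not name the setting that configures it or state the inactivity period, so a reader cannot check the deployed values against the documentation. Suggest naming the configuration option and where it lives, and giving the inactivity timeout alongside the absolute lifetime, e.g. "The session expires after a configured maximum lifetime (`<setting name>`, default 72 hours), after `<N>` of inactivity, or when the user logs out." It would also help to say whether the maximum lifetime is measured from login and applies regardless of activity, since that is the property that distinguishes it from the inactivity timeout.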
@@ -67,13 +67,15 @@ API access uses a two-token system: Personal Access Tokens 
(PATs) for long-term
 
 Committers can obtain PATs from the `/tokens` page on the ATR website. PATs 
have the following properties:
 
-* **Validity**: 180 days from creation
+* **Validity**: 180 days from creation, while LDAP account is still active
 * **Storage**: ATR stores only SHA3-256 hashes, never the plaintext PAT
 * **Revocation**: Users can revoke their own PATs at any time; admins can 
revoke any PAT
 * **Purpose**: PATs are used solely to obtain JWTs; they cannot be used 
directly for API access
 
 Only authenticated committers (signed in via ASF OAuth) can create PATs. Each 
user can have multiple active PATs.
 
+PATs are rejected if the user who created them has been removed from LDAP.
+
 ### JSON Web Tokens (JWTs)
 
 To access protected API endpoints, users must first obtain a JWT by exchanging 
their PAT. This is done by POSTing to `/api/jwt`:
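Review bot: The Validity bullet and the new paragraph describe what appear to be two different conditions: "while LDAP account is still active" (an account state) versus "has been removed from LDAP" (the account no longer exists). If the check is the same in both places, use one wording in both; if it differs (for example a disabled account is treated differently from a deleted one), document both cases. The bullet also needs an article: "while the LDAP account is still active". Finally, since the Purpose bullet says PATs are used solely to obtain JWTs, the paragraph should say whether the LDAP check happens at the PAT-to-JWT exchange only, and whether a JWT already issued before the user was removed remains valid until it expires; that is the detail a reader of a security document will want.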

