This is an automated email from the ASF dual-hosted git repository.
arm pushed a commit to branch arm
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/arm by this push:
new 8fbe527c Validate user ID of PATs on JWT usage
8fbe527c is described below
commit 8fbe527c71d525039c1b0d52c800bacad76af16e
Author: Alastair McFarlane <[email protected]>
AuthorDate: Tue Mar 10 17:05:31 2026 +0000
Validate user ID of PATs on JWT usage
---
atr/jwtoken.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index 2bf9dee4..2cebd4f0 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -143,6 +143,9 @@ async def verify(token: str) -> dict[str, Any]:
if not pat:
log.failed_authentication("pat_hash_invalid")
raise base.ASFQuartException("Personal Access Token invalid")
+ if pat.asfuid != claims.get("sub"):
+ log.failed_authentication("pat_user_mismatch")
+ raise base.ASFQuartException("Personal Access Token invalid")
if pat.expires < datetime.datetime.now(datetime.UTC):
log.failed_authentication("pat_expired")
raise base.ASFQuartException("Personal Access Token expired")
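Review bot: The new comparison on the `pat.asfuid != claims.get("sub")` line fails closed only if `pat.asfuid` is never None; if both the stored user ID and the `sub` claim can be absent, `None != None` is False and the binding check is silently skipped, which I cannot confirm from the hunk since the PAT model is not visible. Handling the missing claim explicitly makes the intent clear and gives the audit log a distinct reason: `sub = claims.get("sub")` followed by `if not sub or pat.asfuid != sub:`. A short comment above the check would also help the next reader, e.g. `# Bind the PAT to the user asserted by the token; a missing or foreign "sub" is rejected`. The enclosing `verify` function starts and ends outside the hunk.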