This is an automated email from the ASF dual-hosted git repository. arm pushed a commit to branch arm in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 88b27f0611eaebedbe6ae778c028a8c2d3d7a0e1 Author: Alastair McFarlane <[email protected]> AuthorDate: Tue Mar 10 17:05:31 2026 +0000 Validate user ID of PATs on JWT usage --- atr/jwtoken.py | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index 2bf9dee4..2cebd4f0 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -143,6 +143,9 @@ async def verify(token: str) -> dict[str, Any]:
 if not pat:
 log.failed_authentication("pat_hash_invalid")
 raise base.ASFQuartException("Personal Access Token invalid")
+ if pat.asfuid != claims.get("sub"):
+ log.failed_authentication("pat_user_mismatch")
+ raise base.ASFQuartException("Personal Access Token invalid")
 if pat.expires < datetime.datetime.now(datetime.UTC):
 log.failed_authentication("pat_expired")
 raise base.ASFQuartException("Personal Access Token expired")
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
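Review bot: The new `pat.asfuid != claims.get("sub")` check carries no comment explaining why a PAT that was already found by hash must also be bound to the JWT subject, and that rationale is the whole point of the change; I would add above the added `if`: `# The PAT was located by hash alone; require its owner to match the JWT subject so a valid token cannot be presented under a different identity.` Note that a token with no `sub` claim at all also lands in this branch, because `.get` yields `None`, and is then logged as `pat_user_mismatch` rather than as a missing claim; if that distinction matters for auditing, a separate `if "sub" not in claims:` guard with its own `log.failed_authentication` reason would keep the two cases apart, otherwise a short comment noting that a missing `sub` is deliberately treated as a mismatch would suffice. Keeping the user-facing message identical to the hash-invalid case looks intentional and is fine. `verify` starts outside the hunk, so I cannot see whether `sub` was already validated earlier.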
