andrewmusselman opened a new issue, #541:
URL: https://github.com/apache/tooling-trusted-releases/issues/541

   ## Summary
   
   JWT secret key fallback generation uses only 128 bits (NIST recommends 256 for HS256), and keys regenerate on restart if not configured, invalidating all JWTs.
   
   ## ASVS Requirements
   
   - 2.2.2 - Secret key management
   - 10.4.3 - Key management
   
   ## Related Audit Reports
   
   - [Weak Cryptography #399](ASVS/weak-cryptography-399.md) - Section 2, Issue 2
   - [Internal Access #402](ASVS/internal-access-402.md) - Section 2.2.2
   - [Credential Stealing #403](ASVS/credential-stealing-403.md) - Section 6
   
   ## Affected Files
   
   - `atr/config.py:64-65`
   
   ## Current Behavior
   
   ```python
   JWT_SECRET_KEY = _config_secrets("JWT_SECRET_KEY", STATE_DIR, default=None, cast=str) or secrets.token_hex(128 // 8)
   SECRET_KEY = _config_secrets("SECRET_KEY", STATE_DIR, default=None, cast=str) or secrets.token_hex(128 // 8)
   ```
   
   ## Issues
   
   1. Only 128 bits (should be 256 for HS256)
   2. Regenerated on restart if not configured
   3. Invalidates all JWTs on restart
   
   ## Recommended Fix
   
   ```python
   import os
   import secrets

   # Increase to 256 bits
   JWT_SECRET_KEY = _config_secrets("JWT_SECRET_KEY", STATE_DIR, default=None, cast=str) or secrets.token_hex(32)
   SECRET_KEY = _config_secrets("SECRET_KEY", STATE_DIR, default=None, cast=str) or secrets.token_hex(32)

   # In production startup check:
   def validate_production_config():
       if config.get_mode() == config.Mode.Production:
           if not os.environ.get("JWT_SECRET_KEY"):
               raise ValueError("JWT_SECRET_KEY must be explicitly configured in production")
   ```
   
   ## Acceptance Criteria
   
   - [ ] Key size increased to 256 bits
   - [ ] Production startup fails if key not configured
   - [ ] Key rotation procedure documented
   - [ ] Warning logged when using auto-generated key

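The startup policy the acceptance criteria describe (256-bit minimum, fail closed in production, warn on an auto-generated key, and a previous-key slot so a rotation does not invalidate every outstanding token at once), as an added example that is not code from the issue or from the ATR project. `MIN_KEY_BYTES`, `ConfigError`, the `env` mapping and the `JWT_PREVIOUS_SECRET_KEY` variable name are assumptions made for illustration.

```python
import logging
import os
import secrets

# Assumed constants for this example, not the ATR project's own.
MIN_KEY_BYTES = 32  # 256 bits: the key length RFC 7518 requires for HS256

log = logging.getLogger("jwt-config")


class ConfigError(RuntimeError):
    """Startup must abort: a required secret is missing or too weak."""


def _parse_key(name: str, raw: str) -> bytes:
    """Decode a hex-encoded key (the format secrets.token_hex emits) and enforce 256 bits."""
    try:
        key = bytes.fromhex(raw)
    except ValueError as exc:
        raise ConfigError(f"{name} is not a hex string") from exc
    if len(key) < MIN_KEY_BYTES:
        raise ConfigError(
            f"{name} is {len(key) * 8} bits; HS256 needs at least {MIN_KEY_BYTES * 8}")
    return key


def resolve_jwt_keys(env=None, production=False):
    """Return (signing_key, verification_keys).

    env stands in for os.environ so the policy can be exercised offline.
    JWT_SECRET_KEY signs new tokens; JWT_PREVIOUS_SECRET_KEY (assumed name), if
    set, is accepted for verification only, which is what lets a rotation
    happen without rejecting every token issued under the old key.
    """
    env = os.environ if env is None else env
    raw = env.get("JWT_SECRET_KEY")
    if raw:
        active = _parse_key("JWT_SECRET_KEY", raw)
    elif production:
        # Fail closed: never run production on an ephemeral, unrecorded key.
        raise ConfigError("JWT_SECRET_KEY must be explicitly configured in production")
    else:
        active = secrets.token_bytes(MIN_KEY_BYTES)
        log.warning("JWT_SECRET_KEY not set; using an auto-generated key. "
                    "Every JWT issued will be invalid after the next restart.")
    verify = [active]
    prev = env.get("JWT_PREVIOUS_SECRET_KEY")
    if prev:
        verify.append(_parse_key("JWT_PREVIOUS_SECRET_KEY", prev))
    return active, verify
```

Rotation then becomes: move the live value into `JWT_PREVIOUS_SECRET_KEY`, set a fresh 64-hex-character value in `JWT_SECRET_KEY`, restart, and drop the previous key once the longest token lifetime has elapsed.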

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
