andrewmusselman opened a new issue, #542:
URL: https://github.com/apache/tooling-trusted-releases/issues/542

   ## Summary
   
   JWTs are missing standard `iss` (issuer) and `aud` (audience) claims, reducing validation strength and allowing tokens to be used across unintended services.
   
   ## ASVS Requirements
   
   - 3.5.3 - Stateless token protection
   - 10.4.x - JWT claims completeness
   
   ## Related Audit Reports
   
   - [External Access #400](ASVS/external-access-400.md) - Section 3.5.3
   - [Internal Access #402](ASVS/internal-access-402.md) - Section 10.4.x
   
   ## Affected Files
   
   - `atr/jwtoken.py:47-55` (issue)
   - `atr/jwtoken.py:88-89` (verification)
   
   ## Current Behavior
   
   ```python
   payload = {
       "sub": uid,
       "iat": now,
       "exp": now + datetime.timedelta(seconds=ttl),
       "jti": secrets.token_hex(8),
       # Missing: "iss", "aud"
   }
   ```
   
   ## Recommended Fix
   
   ```python
   import datetime
   import secrets
   from typing import Any

   import jwt

   # _JWT_SECRET_KEY and _ALGORITHM are the module's existing signing settings.
   _ISSUER = "https://atr.apache.org"
   _AUDIENCE = "atr-api"

   def issue(uid: str, *, ttl: int = 90 * 60) -> str:
       now = datetime.datetime.now(datetime.timezone.utc)
       payload = {
           "sub": uid,
           "iss": _ISSUER,
           "aud": _AUDIENCE,
           "iat": now,
           "exp": now + datetime.timedelta(seconds=ttl),
           "jti": secrets.token_hex(16),
       }
       return jwt.encode(payload, _JWT_SECRET_KEY, algorithm=_ALGORITHM)

   def verify(token: str) -> dict[str, Any]:
       # issuer= and audience= make PyJWT reject tokens minted for another
       # issuer or service; "require" rejects tokens that omit any listed claim.
       return jwt.decode(
           token, _JWT_SECRET_KEY,
           algorithms=[_ALGORITHM],
           issuer=_ISSUER,
           audience=_AUDIENCE,
           options={"require": ["exp", "iat", "iss", "aud", "sub", "jti"]},
       )
   ```
   
   ## Acceptance Criteria
   
   - [ ] `iss` claim added to JWT payload
   - [ ] `aud` claim added to JWT payload
   - [ ] Verification validates `iss` and `aud`
   - [ ] Documentation updated in `notes/api-security.md`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
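Added illustration, not code from the issue or from the atr project: a stdlib-only HS256 stand-in for PyJWT's encode/decode shows why the missing claims matter. A token minted with today's payload is accepted by any other service that shares the signing key, while one carrying `iss` and `aud` is rejected there and accepted only by `atr-api`. The secret, subject and the second service's audience name are constructed.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"  # constructed; both services share this key
ISSUER, AUDIENCE = "https://atr.apache.org", "atr-api"
REQUIRED = ("exp", "iat", "iss", "aud", "sub", "jti")

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(payload: dict, key: bytes) -> str:
    """Minimal HS256 encoder standing in for jwt.encode."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def decode(token: str, key: bytes, *, issuer=None, audience=None, require=()) -> dict:
    """Stand-in for jwt.decode: signature and exp always; iss/aud only when asked."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if any(c not in claims for c in require):
        raise ValueError("required claim missing")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if audience is not None and claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims

def accepted(token: str, **checks) -> bool:
    """True if a verifier configured with `checks` would accept the token."""
    try:
        decode(token, SECRET, **checks)
        return True
    except ValueError:
        return False

def demo() -> dict[str, bool]:
    now = int(time.time())
    base = {"sub": "alice", "iat": now, "exp": now + 5400, "jti": "abc123"}
    old = encode(base, SECRET)                                      # current payload
    new = encode({**base, "iss": ISSUER, "aud": AUDIENCE}, SECRET)  # recommended fix
    return {
        "old_at_other_service": accepted(old),  # no iss/aud checks possible: accepted
        "new_at_other_service": accepted(new, issuer=ISSUER, audience="other-api", require=REQUIRED),
        "new_at_atr_api": accepted(new, issuer=ISSUER, audience=AUDIENCE, require=REQUIRED),
    }
```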

