andrewmusselman opened a new issue, #547:
URL: https://github.com/apache/tooling-trusted-releases/issues/547

   ## Summary
   
   Users are not notified when their authentication credentials (PATs) are created, deleted, or modified.
   
   ## ASVS Requirements
   
   - 6.2.2 - User notification on credential changes
   
   ## Related Audit Reports
   
   - [Credential Integrity #406](ASVS/credential-integrity-406.md) - Issue 1
   
   ## Affected Files
   
   - `atr/storage/writers/tokens.py:56-68`
   
   ## Current Behavior
   
   ```python
   async def _add_token(...):
       # Token created
       # No notification sent
   ```
   
   ## Recommended Fix
   
   ```python
   import atr.mail as mail
   
   async def _add_token(session: web.Committer, add_form: shared.tokens.AddTokenForm):
       # ... existing token creation ...
       
       await mail.send(mail.Message(
           email_sender="[email protected]",
           email_recipient=f"{session.uid}@apache.org",
           subject="New API Token Created",
           body=f"A new API token '{add_form.label or 'Unlabeled'}' was created for your account. "
                f"If you did not create this token, please revoke it immediately."
       ))
   ```

   ## Note
   
   - Need a `[email protected]` address
   
   ## Acceptance Criteria
   
   - [ ] Email notification on PAT creation
   - [ ] Email notification on PAT deletion
   - [ ] Email includes timestamp and label
   - [ ] Unsubscribe option or security-critical designation


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
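As an added example, not the project's code and not the sketch in the issue above, the following models the behaviour the acceptance criteria ask for: every token creation and deletion mails the owner a notice that carries the label and a timestamp and is marked as non-optional. An in-memory store and an injected `send` callable replace the real database and mail transport so it runs offline; `TokenStore`, `Message`, `SENDER_ADDRESS`, the `example.org` domain and the synchronous API (the project's writer is async) are all assumptions.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


@dataclass(frozen=True)
class Message:
    """Minimal stand-in for a mail message (assumed shape, not the project's type)."""
    email_sender: str
    email_recipient: str
    subject: str
    body: str


# Placeholder sender; as the issue notes, a real tokens@ address still has to exist.
SENDER_ADDRESS = "tokens@example.invalid"


@dataclass
class TokenRecord:
    label: str
    created: datetime


class TokenStore:
    """In-memory PAT store that notifies the owner on every create and delete.

    `send` is injected so the example runs offline; in production it would be the
    real mail transport. Only a SHA-256 digest of each token is retained.
    """

    def __init__(self, send: Callable[[Message], None], domain: str = "example.org") -> None:
        self._send = send
        self._domain = domain
        self._tokens: dict[str, dict[str, TokenRecord]] = {}

    @staticmethod
    def _digest(plain: str) -> str:
        return hashlib.sha256(plain.encode("utf-8")).hexdigest()

    def _notify(self, uid: str, event: str, label: str, when: datetime) -> None:
        # Credential-change notices are security-critical: always sent, no opt-out.
        self._send(Message(
            email_sender=SENDER_ADDRESS,
            email_recipient=f"{uid}@{self._domain}",
            subject=f"API token {event}: {label}",
            body=(
                f"An API token labelled '{label}' was {event} for your account "
                f"at {when.isoformat()}.\n"
                "If you did not do this, revoke the token and review your account now.\n"
                "This is a security notification and cannot be unsubscribed from."
            ),
        ))

    def add_token(self, uid: str, label: str | None, now: datetime | None = None) -> str:
        when = now or datetime.now(timezone.utc)
        plain = secrets.token_urlsafe(32)
        label = label or "Unlabeled"
        self._tokens.setdefault(uid, {})[self._digest(plain)] = TokenRecord(label, when)
        self._notify(uid, "created", label, when)
        return plain  # shown to the user once; never stored in clear

    def delete_token(self, uid: str, plain: str, now: datetime | None = None) -> bool:
        when = now or datetime.now(timezone.utc)
        record = self._tokens.get(uid, {}).pop(self._digest(plain), None)
        if record is None:
            return False  # nothing changed, so nothing to notify
        self._notify(uid, "deleted", record.label, when)
        return True

    def count(self, uid: str) -> int:
        return len(self._tokens.get(uid, {}))


def demo() -> list[Message]:
    """Run one create/delete cycle and return the notifications that were sent."""
    outbox: list[Message] = []
    store = TokenStore(outbox.append)
    fixed = datetime(2025, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # constructed timestamp
    plain = store.add_token("alice", None, now=fixed)
    store.delete_token("alice", "not-a-real-token")  # unknown token: no change, no mail
    store.delete_token("alice", plain, now=fixed)
    return outbox


if __name__ == "__main__":
    for msg in demo():
        print(msg.subject, "->", msg.email_recipient)
```

The notice is generated from the stored record rather than from the request, so the deletion mail carries the label the token actually had, and an attempt to delete a token that does not exist produces no mail at all, which keeps the notification stream an accurate record of real credential changes.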