alitheg commented on code in PR #575: URL: https://github.com/apache/tooling-trusted-releases/pull/575#discussion_r2717823073
########## atr/docs/security-authentication.md: ########## 
@@ -0,0 +1,177 @@ +# 3.11. Authentication security + +**Up**: `3.` [Developer guide](developer-guide) + +**Prev**: `3.10.` [How to contribute](how-to-contribute) + +**Next**: `3.12.` [Authorization security](security-authorization) + +**Sections**: + +* [Overview](#overview) +* [Transport security](#transport-security) +* [Web authentication](#web-authentication) +* [API authentication](#api-authentication) +* [Token lifecycle](#token-lifecycle) +* [Security properties](#security-properties) +* [Limitations and future work](#limitations-and-future-work) +* [Implementation references](#implementation-references) + +## Overview + +ATR uses two authentication mechanisms depending on the access method: + +* **Web sessions** via ASF OAuth for browser-based users accessing the web interface +* **JWT tokens** derived from Personal Access Tokens (PATs) for programmatic API access + +Both mechanisms require HTTPS. Authentication verifies the identity of users, while authorization (covered in [Authorization security](security-authorization)) determines what actions they can perform. + +## Transport security + +All ATR routes, on both the website and the API, require HTTPS using TLS 1.2 or newer. This is enforced at the httpd layer in front of the application. Requests over plain HTTP are redirected to HTTPS. + +Tokens and credentials must never appear in URLs, as URLs may be logged or cached. They must only be transmitted in request headers or POST bodies over HTTPS. + +## Web authentication + +### ASF OAuth integration + +Browser users authenticate through [ASF OAuth](https://oauth.apache.org/api.html). The authentication flow works as follows: + +1. User clicks "Sign in" on the ATR website +2. ATR redirects the user to the ASF OAuth service +3. User authenticates with their ASF credentials +4. ASF OAuth redirects the user back to ATR with session information +5. 
ATR creates a server-side session linked to the user's ASF UID + +The session is managed by [ASFQuart](https://github.com/apache/infrastructure-asfquart), which handles the OAuth handshake and session cookie management. + +### Session management + +Sessions are stored server-side. The browser receives only a session cookie that references the server-side session data. Session cookies are configured with security attributes: + +* `HttpOnly` - prevents JavaScript access to the cookie +* `Secure` - cookie is only sent over HTTPS +* `SameSite=Lax` - provides CSRF protection for most requests

Review Comment: I think Dave's latest PR (#574) set it to Lax?

```
SESSION_COOKIE_SAMESITE = "Lax"
```
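Review bot: the `SameSite=Lax` bullet at the end of the hunk ("provides CSRF protection for most requests") should say what "most" excludes. With `Lax` the browser still attaches the session cookie to top-level cross-site GET navigations, so the protection only holds if no route changes state on GET; the doc should state that explicitly, and say whether POST forms additionally carry a per-session CSRF token or rely on the cookie attribute alone. Since the value was evidently just changed in #574, it would also help to cite the config key here, e.g. `SESSION_COOKIE_SAMESITE = "Lax"`, so the Implementation references section can point at it and the three bullets do not silently drift from the settings.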
