dave2wave commented on code in PR #646: URL: https://github.com/apache/tooling-trusted-releases/pull/646#discussion_r2801581646
########## atr/docs/authentication-security.md: ########## @@ -69,12 +69,13 @@ Committers can obtain PATs from the `/tokens` page on the ATR website. PATs have * **Validity**: 180 days from creation, while LDAP account is still active * **Storage**: ATR stores only SHA3-256 hashes, never the plaintext PAT -* **Revocation**: Users can revoke their own PATs at any time; admins can revoke any PAT +* **Revocation**: Users can revoke their own PATs at any time; admins can revoke all PATs for any user via the admin "Revoke user tokens" page +* **Automatic cleanup**: A background loop ([`token_cleanup`](/ref/atr/token_cleanup.py)) polls LDAP approximately every hour and automatically revokes all PATs belonging to banned or deleted accounts * **Purpose**: PATs are used solely to obtain JWTs; they cannot be used directly for API access Only authenticated committers (signed in via ASF OAuth) can create PATs. Each user can have multiple active PATs. -PATs are rejected if the user who created them has been removed from LDAP. +PATs are rejected if the user who created them has been removed from LDAP. This is enforced at three layers: the JWT exchange endpoint checks LDAP status before issuing a JWT (immediate), a background cleanup loop revokes PATs for banned or deleted accounts (within ~1 hour), and administrators can revoke PATs immediately through the admin interface. Review Comment: s/been removed from LDAP/been banned in or removed from LDAP/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
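Review bot: The new sentence in the second hunk documents enforcement for PATs only, but the "Purpose" bullet in the first hunk says PATs exist solely to obtain JWTs, so the doc should also state what happens to JWTs issued before a ban or deletion: unless the JWT exchange endpoint's LDAP check is mirrored on JWT use, an already-issued JWT stays valid until it expires, and that window is not covered by any of the three layers listed. Two smaller points in the same hunks: the lead-in "PATs are rejected if the user who created them has been removed from LDAP" should match the "banned or deleted" wording of the cleanup bullet (as the inline comment already requests), and the "Revocation" bullet now says admins revoke "all PATs for any user" where it previously said "any PAT", so if per-token admin revocation was dropped the doc should say so explicitly.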
