andrewmusselman opened a new issue, #725:
URL: https://github.com/apache/tooling-trusted-releases/issues/725
**ASVS Reference:** 6.3.1 (Finding MEDIUM-002)
### Description
Authentication failures are not consistently logged with sufficient context
for security monitoring. Currently, only successful authentications are
recorded in audit logs. Failed PAT validation, failed JWT verification, and
failed SSH key authentication produce exceptions but no structured security log
entries.
### Affected Code
- `atr/storage/writers/tokens.py` — `issue_jwt()` only logs on success
- `atr/jwtoken.py` — `require` decorator
- `atr/ssh.py` — `validate_public_key()`
### Recommendation
Add structured logging for all authentication failures, including: the
targeted `asf_uid` (if available), client IP address, failure reason, and
timestamp. This enables security monitoring and incident response.
```python
# Example for PAT failure in tokens.py; `log`, `pat` and `self.__asf_uid`
# come from the enclosing method that validates the PAT.
if (pat is None) or (pat.expires < datetime.datetime.now(datetime.UTC)):
    log.warning(
        "Authentication failed",
        extra={
            "asf_uid": self.__asf_uid,
            "client_ip": quart.request.remote_addr,
            "reason": "invalid_or_expired_pat",
        },
    )
    raise storage.AccessError("Authentication failed")
```
Add separate auth and access logs.
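As an added illustration of the recommendation above (example code written for this issue, not code from the tooling-trusted-releases project), the block below shows a dedicated auth logger that emits one JSON record per authentication attempt, with the targeted `asf_uid`, client IP, failure reason and timestamp, and that distinguishes an unknown token from an expired one while still returning the same generic error to the caller. `PersonalAccessToken`, `validate_pat`, `run_demo`, the logger name `atr.auth` and the sample tokens and IPs are all constructed for this example; the client IP is passed in as a parameter instead of being read from `quart.request`, so the block runs with the standard library only.

```python
import datetime
import json
import logging
from dataclasses import dataclass


class AccessError(Exception):
    """Stand-in for storage.AccessError (hypothetical; the real class lives in ATR)."""


@dataclass
class PersonalAccessToken:
    """Minimal PAT record with only the fields the check needs (constructed)."""
    asf_uid: str
    expires: datetime.datetime


class JsonFormatter(logging.Formatter):
    """Emit one JSON object per record so a SIEM can index the auth context fields."""

    CONTEXT_FIELDS = ("event", "asf_uid", "client_ip", "reason")

    def format(self, record: logging.LogRecord) -> str:
        payload = {
            "timestamp": datetime.datetime.fromtimestamp(
                record.created, datetime.timezone.utc
            ).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),
        }
        # Values passed through logging's `extra=` become attributes on the record.
        for field in self.CONTEXT_FIELDS:
            if hasattr(record, field):
                payload[field] = getattr(record, field)
        return json.dumps(payload, sort_keys=True)


# Dedicated auth logger (hypothetical name). propagate=False keeps it separate
# from the general application/access log stream, as the issue recommends.
auth_log = logging.getLogger("atr.auth")
auth_log.setLevel(logging.INFO)
auth_log.propagate = False


def validate_pat(pat, presented_uid, client_ip, now=None):
    """Validate a PAT, logging the success path and every failure path with context.

    Returns the authenticated asf_uid; raises AccessError on failure. The specific
    reason goes only to the log, never back to the client.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    context = {"event": "pat_auth", "asf_uid": presented_uid, "client_ip": client_ip}
    if pat is None:
        reason = "unknown_pat"
    elif pat.expires < now:
        reason = "expired_pat"
    else:
        auth_log.info("Authentication succeeded", extra={**context, "reason": "ok"})
        return pat.asf_uid
    auth_log.warning("Authentication failed", extra={**context, "reason": reason})
    raise AccessError("Authentication failed")


class _Capture(logging.Handler):
    """Collects formatted records in memory so the demo can inspect them."""

    def __init__(self):
        super().__init__()
        self.setFormatter(JsonFormatter())
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def run_demo():
    """Exercise success, unknown-token and expired-token paths; return outcomes and log entries."""
    handler = _Capture()
    auth_log.addHandler(handler)
    try:
        now = datetime.datetime(2025, 1, 1, tzinfo=datetime.timezone.utc)
        valid = PersonalAccessToken("alice", now + datetime.timedelta(days=1))
        stale = PersonalAccessToken("bob", now - datetime.timedelta(days=1))
        # Constructed attempts: one good token, one unknown token, one expired token.
        attempts = [
            (valid, "alice", "10.0.0.5"),
            (None, "mallory", "203.0.113.9"),
            (stale, "bob", "198.51.100.7"),
        ]
        outcomes = []
        for pat, uid, ip in attempts:
            try:
                outcomes.append(validate_pat(pat, uid, ip, now=now))
            except AccessError as exc:
                outcomes.append(str(exc))
    finally:
        auth_log.removeHandler(handler)
    return outcomes, [json.loads(line) for line in handler.lines]


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(json.dumps(entry))
```

In production the `_Capture` handler would be replaced by a file or syslog handler on the `atr.auth` logger, and the same pattern applies to the JWT and SSH key paths: every `raise` on a failed check is preceded by a structured record with the same four context fields.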
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.