andrewmusselman opened a new issue, #732: URL: https://github.com/apache/tooling-trusted-releases/issues/732
**ASVS References:** 7.2.4, 7.4.1, 7.4.2
**Findings:** 7.2.4-03, 7.2.4-04, 7.4.1-HIGH-001, 7.4.2-04

### Description

JWT tokens are issued with a `jti` (JWT ID) claim, but this value is never stored or checked against a revocation list. Once issued, a JWT remains valid until its natural 30-minute expiration regardless of:

- User logout
- PAT deletion (the PAT used to obtain the JWT)
- Account disable/deactivation
- Suspected compromise

Multiple valid JWTs can accumulate for the same user with no way to invalidate them.

### Affected Endpoints

All endpoints protected by `@jwtoken.require`, including `/api/release/create`, `/api/release/upload`, `/api/key/add`, `/api/ssh-key/add`, `/api/vote/start`, and others.

### Affected Files

- `atr/jwtoken.py` — `issue()` generates `jti` but never tracks it; `verify()` has no revocation check
- `atr/storage/writers/tokens.py` — `issue_jwt()` and `delete_token()` don't interact with revocation
- `atr/post/tokens.py` — JWT issuance endpoint

### Recommendation

Add a page to expire all JWTs.

Also: when a PAT is deleted, any JWTs derived from it should be revoked (cross-ref finding 7.2.4-05). (@sbp should this be another issue?)
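As an added illustration (not ATR's code), a minimal bookkeeping store that supplies the revocation state `issue()` and `verify()` lack, covering single-token logout, PAT deletion and an "expire all" action for one user. Decoded claims are plain dicts, and `pat_id` is an assumed extra claim tying a JWT to the PAT that issued it.

```python
"""Constructed jti revocation store; not the ATR project's code.

Claims are dicts as a JWT library returns them after signature checks.
`pat_id` is an assumed claim. In production this state must live in
shared storage (a DB table), not per-process memory.
"""
from dataclasses import dataclass, field


@dataclass
class RevocationStore:
    # jti -> (subject, pat_id, exp) for every issued, still-unexpired JWT
    issued: dict = field(default_factory=dict)
    revoked_jti: set = field(default_factory=set)
    revoked_pats: set = field(default_factory=set)
    # subject -> cutoff; JWTs issued at or before the cutoff are invalid
    revoke_all_before: dict = field(default_factory=dict)

    def record(self, claims: dict) -> None:
        """Called at issue(): remember the jti so it can be revoked later."""
        self.issued[claims["jti"]] = (claims["sub"], claims.get("pat_id"), claims["exp"])

    def revoke_jti(self, jti: str) -> None:
        self.revoked_jti.add(jti)  # single-token logout

    def revoke_pat(self, pat_id: str) -> None:
        self.revoked_pats.add(pat_id)  # PAT deleted: derived JWTs die with it

    def revoke_all_for(self, sub: str, now: float) -> None:
        self.revoke_all_before[sub] = now  # "expire all JWTs" page, account disable

    def is_revoked(self, claims: dict) -> bool:
        """Called at verify(), after the signature and exp checks pass."""
        if claims["jti"] not in self.issued:
            return True  # never recorded: fail closed
        if claims["jti"] in self.revoked_jti:
            return True
        if claims.get("pat_id") in self.revoked_pats:
            return True
        cutoff = self.revoke_all_before.get(claims["sub"])
        return cutoff is not None and claims["iat"] <= cutoff

    def prune(self, now: float) -> int:
        """Drop entries past exp (the normal exp check rejects them anyway)."""
        expired = [j for j, (_, _, exp) in self.issued.items() if exp <= now]
        for j in expired:
            self.issued.pop(j)
            self.revoked_jti.discard(j)
        return len(expired)
```

The per-subject cutoff keeps the "expire all" action O(1) rather than enumerating every outstanding jti, and `prune()` bounds the store to the 30-minute token lifetime.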
