asf-tooling opened a new issue, #972:
URL: https://github.com/apache/tooling-trusted-releases/issues/972
**ASVS Level(s):** [L1, L2]
**Description:**
### Summary
When an administrator revokes all tokens for a user via the admin panel
(typically during security incident response), the target user's active
cookie-based sessions are not terminated. The admin sees a success message
'Revoked N tokens for username', but web sessions remain valid for up to 72
hours, allowing continued access to all authenticated endpoints. This creates
a dangerous false confidence where the admin believes they've locked out a
compromised account, but the attacker's browser session continues to work.
Additionally, no email notification is sent to the affected user about the
admin-initiated revocation.
### Details
**Affected Files and Lines:**
- `atr/admin/__init__.py:380-393` - revoke_user_tokens_post() without
session termination
- `atr/storage/writers/tokens.py:157-179` - Token revocation implementation
The function revokes PATs but does not terminate web sessions or SSH keys,
creating an incomplete security response.
### Recommended Remediation
Extend `revoke_user_tokens_post()` to:
```python
# 1. Revoke PATs (existing)
count = storage.write().tokens.revoke_all_user_tokens(asf_uid)
# 2. Revoke SSH keys (from FINDING-035)
ssh_count = storage.write().ssh.revoke_all_user_ssh_keys(asf_uid)
# 3. Add user to session deny list (requires FINDING-005 fix)
storage.write().sessions.invalidate_all_user_sessions(asf_uid)
# 4. Send email notification to user
send_email(
    to=user.email,
    subject='Security Alert: Credentials Revoked',
    body='An administrator has revoked your access tokens and terminated '
         'your sessions.',
)
# 5. Clear principal authorization cache
clear_authorization_cache(asf_uid)
# 6. Update success message
flash(f'Revoked {count} tokens, terminated all sessions, and revoked '
      f'{ssh_count} SSH keys for {username}')
```
Accept the 30-minute window for active JWTs as an acceptable risk given the short TTL.
### Acceptance Criteria
- [ ] PAT revocation implemented (existing)
- [ ] SSH key revocation added
- [ ] Session termination added
- [ ] Email notification sent to user
- [ ] Authorization cache cleared
- [ ] Success message updated
- [ ] Unit test verifying the fix
### References
- Source reports: L1:7.4.2.md, L2:7.4.3.md, L2:7.4.5.md
- Related findings: FINDING-005, FINDING-035, FINDING-036, FINDING-132
- ASVS sections: 7.4.2, 7.4.3, 7.4.5
### Priority
High
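Added example, not code from the tooling-trusted-releases project: a minimal in-memory model of the "session deny list" approach the remediation describes. Instead of tracking every cookie, the store records a per-user cutoff timestamp at revocation time; any session issued at or before that cutoff is rejected on its next request, so the 72-hour cookie lifetime no longer outlives an admin revocation. `SessionStore`, `revoke_user_access` and the counters are hypothetical names assumed here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(hours=72)  # the cookie lifetime the issue describes


@dataclass
class Session:
    asf_uid: str
    issued_at: datetime  # timezone-aware


@dataclass
class SessionStore:
    # Hypothetical in-memory stand-in for the real session/token storage.
    deny_after: dict = field(default_factory=dict)      # asf_uid -> cutoff
    tokens: dict = field(default_factory=dict)          # asf_uid -> live PAT count
    ssh_keys: dict = field(default_factory=dict)        # asf_uid -> live SSH key count
    authz_cache: dict = field(default_factory=dict)     # asf_uid -> cached principal
    notifications: list = field(default_factory=list)  # (asf_uid, subject) sent

    def invalidate_all_user_sessions(self, asf_uid: str, now: datetime) -> None:
        # Every session issued at or before `now` becomes invalid on next use.
        self.deny_after[asf_uid] = now

    def is_session_valid(self, session: Session, now: datetime) -> bool:
        # The server-side check each authenticated request must run.
        if now - session.issued_at > SESSION_TTL:
            return False                      # ordinary expiry
        cutoff = self.deny_after.get(session.asf_uid)
        return cutoff is None or session.issued_at > cutoff


def revoke_user_access(store: SessionStore, asf_uid: str, now: datetime) -> dict:
    # Admin-initiated revocation covering PATs, SSH keys, sessions and cache.
    token_count = store.tokens.pop(asf_uid, 0)
    ssh_count = store.ssh_keys.pop(asf_uid, 0)
    store.invalidate_all_user_sessions(asf_uid, now)
    store.authz_cache.pop(asf_uid, None)
    store.notifications.append((asf_uid, "Security Alert: Credentials Revoked"))
    return {"tokens": token_count, "ssh_keys": ssh_count, "sessions_terminated": True}


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    store = SessionStore(tokens={"alice": 3}, ssh_keys={"alice": 1})
    browser = Session("alice", now - timedelta(hours=1))
    print(store.is_session_valid(browser, now))          # True before revocation
    print(revoke_user_access(store, "alice", now))
    print(store.is_session_valid(browser, now))          # False afterwards
```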
---
**Triage notes:** related to session store
This is an automated message from the Apache Git Service.