asf-tooling opened a new issue, #1030:
URL: https://github.com/apache/tooling-trusted-releases/issues/1030
**ASVS Level(s):** [L1]
**Description:**
### Summary
The `@jwtoken.require()` decorator logs all JWT authentication failures but
does not log successful authentications. All exception handlers properly log
failures (jwt_token_expired, jwt_signature_invalid, jwt_token_invalid), but
when verification succeeds, the code silently sets `quart.g.jwt_claims` without
logging. This creates an incomplete audit trail that only captures negative
events and prevents reconstruction of successful API access patterns and
forensic investigation of compromised accounts.
### Details
Affected locations:
- `atr/jwtoken.py` lines 72-88: require() decorator logs failures only
- `atr/jwtoken.py` lines 89-122: verify() doesn't log success
- `atr/jwtoken.py` lines 124-175: verify_github_oidc() doesn't log success
The decorator has comprehensive failure logging but no success logging,
creating an incomplete audit trail.
### Recommended Remediation
Add success logging after all exception handlers, before setting
`quart.g.jwt_claims`:
```python
# In require() decorator after verify() call:
log.info('jwt_authentication_success', extra={
    'asf_uid': claims.get('sub'),
    'jti': claims.get('jti'),
    'endpoint': quart.request.endpoint,
    'remote_addr': quart.request.remote_addr,
})
quart.g.jwt_claims = claims
```
Apply the same pattern to `verify_github_oidc()` function (lines 124-175):
```python
log.info('github_oidc_authentication_success', extra={
    'workflow_repository': claims.get('repository'),
    'workflow_ref': claims.get('ref'),
    'endpoint': quart.request.endpoint,
})
```
### Acceptance Criteria
- [ ] Successful JWT authentication is logged
- [ ] Log entries include user identity and endpoint
- [ ] Audit trail is complete for both success and failure
- [ ] Test cases verify success logging
- [ ] Unit test verifying the fix
### References
- Source reports: L1:7.2.2.md
- Related findings: FINDING-135, FINDING-136, FINDING-250, FINDING-251
- ASVS sections: 7.2.2
### Priority
Medium
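As an added illustration of the remediation recommended above (example code, not from apache/tooling-trusted-releases): a minimal stand-in for the `@jwtoken.require()` decorator that emits the success event with the fields the issue asks for right beside the existing failure event, so both outcomes land in one audit trail. `verify()`, `JwtError`, the dict-shaped request, the capture handler and the `whoami` handler are assumptions; the real decorator reads the Quart request context instead.

```python
import functools
import logging

log = logging.getLogger("jwt_audit")
log.setLevel(logging.INFO)

class _Capture(logging.Handler):
    """Keeps emitted records so the audit trail can be inspected."""
    def __init__(self):
        super().__init__()
        self.records = []
    def emit(self, record):
        self.records.append(record)

capture = _Capture()
log.addHandler(capture)

class JwtError(Exception):
    """Stand-in for the expired / signature-invalid / token-invalid cases."""

def verify(token):
    # Constructed stand-in: a real verify() checks signature, issuer and expiry.
    if token.startswith("good:"):
        uid = token.split(":", 1)[1]
        return {"sub": uid, "jti": "jti-" + uid}
    raise JwtError("jwt_token_invalid")

def require(handler):
    """Authenticate the request, log failure AND success, then call handler."""
    @functools.wraps(handler)
    def wrapper(request):
        ctx = {"endpoint": request["endpoint"], "remote_addr": request["remote_addr"]}
        try:
            claims = verify(request.get("authorization", ""))
        except JwtError as err:
            log.warning(str(err), extra=ctx)  # the failure path already logs
            return 401, {"error": str(err)}
        # The missing piece: a positive event carrying identity, token id, endpoint.
        log.info("jwt_authentication_success",
                 extra={**ctx, "asf_uid": claims.get("sub"), "jti": claims.get("jti")})
        return handler(request, claims)
    return wrapper

@require
def whoami(request, claims):
    return 200, {"uid": claims["sub"]}

def audit_events():
    """(event, asf_uid, endpoint) for every record emitted so far."""
    return [(r.getMessage(), getattr(r, "asf_uid", None), r.endpoint) for r in capture.records]
```

With both events present, a reviewer can pair each access against the identity and endpoint that used it, which is what reconstructing a compromised account's activity requires.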
---
**Triage notes:** audit_guidance to say we are already logging from
@jwtoken.require() to the request log, so this is not an issue
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.