asf-tooling opened a new issue, #1036:
URL: https://github.com/apache/tooling-trusted-releases/issues/1036

**ASVS Level(s):** [L1]

**Description:**

### Summary
The web interface allows authenticated users to issue JWTs via POST to `/tokens/jwt`, but this operation is not audit-logged. This creates an inconsistency with the API path (PAT→JWT exchange in `atr/storage/writers/tokens.py:93-127`), which properly logs JWT issuance using `append_to_audit_log()`. The `jwt_post()` function calls `jwtoken.issue()` but never writes to the audit log, preventing reconstruction of the web-based JWT generation timeline and detection of compromised web sessions issuing JWTs.
   
### Details
Affected location: `atr/post/tokens.py` lines 31-39

The web JWT issuance endpoint:
1. Accepts an authenticated POST request
2. Issues a JWT via `jwtoken.issue()`
3. Returns the JWT to the user
4. Never logs the issuance

The API path properly logs JWT issuance, but the web path does not.
   
### Recommended Remediation
Add audit logging to the `jwt_post()` function to match the API path behavior. After `jwt_token = jwtoken.issue(session.uid)`, add:

```python
import jwt    # PyJWT, used only to read the jti claim of the token just issued
import quart

# inside jwt_post(), after jwt_token = jwtoken.issue(session.uid):
log.info('web_jwt_issued', extra={
    'asf_uid': session.uid,
    'issuance_method': 'web_ui',
    'remote_addr': quart.request.remote_addr,
    # the token was minted locally a moment ago, so skipping signature
    # verification here is acceptable; we only need the jti for the log
    'jti': jwt.decode(jwt_token, options={'verify_signature': False})['jti'],
})
```
   
**Alternative:** Use the `append_to_audit_log()` infrastructure for consistency with the API path (requires access to the storage writer):

```python
await write.append_to_audit_log(
    user_uid=session.uid,
    action='jwt_issued',
    details={'method': 'web_ui', 'remote_addr': quart.request.remote_addr}
)
```
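
As an added illustration (not ATR project code), the following stand-in shows the remediation pattern end to end: a token issuer that records an audit entry keyed by `jti` for both the web and API paths, plus a reconciliation check that surfaces any token minted without a matching entry. It uses only the standard library; `issue_jwt`, `audited_issue` and `find_unlogged` are hypothetical names standing in for `jwtoken.issue()` and `append_to_audit_log()`.

```python
"""Added example (not ATR project code): audit-logged JWT issuance plus a
reconciliation check that flags tokens minted without an audit entry.
Standard library only; issue_jwt() stands in for jwtoken.issue()."""
import base64
import hashlib
import hmac
import json
import time
import uuid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_jwt(uid: str, key: bytes, ttl: int = 3600) -> str:
    """Mint an HS256 JWT with a unique jti (stand-in for jwtoken.issue)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": uid, "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def unverified_claims(token: str) -> dict:
    """Read the payload without signature checks; only for tokens we just minted."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def audited_issue(uid: str, key: bytes, method: str, remote_addr: str,
                  audit_log: list) -> str:
    """Issue a token and record the event the way the API path already does."""
    token = issue_jwt(uid, key)
    audit_log.append({
        "action": "jwt_issued",
        "asf_uid": uid,
        "method": method,          # 'web_ui' or 'api'
        "remote_addr": remote_addr,
        "jti": unverified_claims(token)["jti"],
    })
    return token

def find_unlogged(tokens: list, audit_log: list) -> list:
    """Return jti values of tokens with no matching audit entry (the gap here)."""
    logged = {e["jti"] for e in audit_log if e.get("action") == "jwt_issued"}
    return [unverified_claims(t)["jti"] for t in tokens
            if unverified_claims(t)["jti"] not in logged]
```

With both paths routed through `audited_issue`, `find_unlogged` returns an empty list; a token produced by the bare issuer, as the current web handler does, shows up by its `jti`.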
   
### Acceptance Criteria
- [ ] Web JWT issuance is audit-logged
- [ ] Logging is consistent with the API path
- [ ] Log entries include user identity and method
- [ ] Test cases verify JWT issuance logging
- [ ] Unit test verifying the fix

### References
- Source reports: L1:7.2.2.md
- Related findings: FINDING-134, FINDING-250
- ASVS sections: 7.2.2

### Priority
Medium

---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
