asf-tooling opened a new issue, #1050:
URL: https://github.com/apache/tooling-trusted-releases/issues/1050
**ASVS Level(s):** L2-only
**Description:**
### Summary
ATR JWTs do not include an explicit token type indicator. Neither a `typ`
header (e.g., `at+jwt` per RFC 9068) nor a custom `token_type` claim is
present. The `verify()` function does not validate any token type field. While
no active exploits exist due to robust architectural separation (algorithm,
audience, issuer differences), this represents a defense-in-depth gap. If ATR
evolves to issue additional JWT types (e.g., refresh tokens, delegation
tokens), the absence of an explicit type field would create cross-usage risk
within the same issuer context.
### Details
The issue exists in `atr/jwtoken.py` lines 70-83 (token issuance) and
104-137 (token verification). Current tokens contain standard claims (sub, iat,
exp, aud, iss) but lack type identification. While existing architectural
controls prevent cross-usage with external systems, future expansion of JWT
usage within ATR could introduce risks.
### Recommended Remediation
Add explicit token type indicators:
```python
import datetime

import jwt  # PyJWT


def issue(self, uid: str) -> str:
    """Issue a JWT with explicit type indicators."""
    now = datetime.datetime.now(tz=datetime.timezone.utc)
    claims = {
        "sub": uid,
        "iat": now,
        "exp": now + self.ttl,
        "aud": self.audience,
        "iss": self.issuer,
        "token_type": "atr_api_access",  # Custom claim
    }
    # Add typ header per RFC 9068
    return jwt.encode(
        claims,
        self.secret,
        algorithm="HS256",
        headers={"typ": "at+jwt"},
    )


def verify(self, token: str) -> dict:
    """Verify JWT with type validation (both the typ header and the token_type claim)."""
    try:
        decoded = jwt.decode(
            token,
            self.secret,
            algorithms=["HS256"],
            audience=self.audience,
            issuer=self.issuer,
        )
        # Validate the typ header. jwt.decode() does not check it, but the
        # signature just verified covers the header, so reading it here is safe.
        if jwt.get_unverified_header(token).get("typ") != "at+jwt":
            raise jwt.InvalidTokenError("Invalid typ header")
        # Validate the token_type claim
        if decoded.get("token_type") != "atr_api_access":
            raise jwt.InvalidTokenError("Invalid token type")
        return decoded
    except jwt.InvalidTokenError:
        return {}
```
This future-proofs against token type expansion and improves
defense-in-depth.
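As an added illustration, not part of this issue or the ATR code base, the following stdlib-only HS256 issuer/verifier enforces both indicators and shows that a same-issuer, same-audience token of another type (the hypothetical `atr_refresh`) or with no type at all is rejected. The secret, issuer and audience values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; not ATR's real secret or identifiers.
SECRET = b"example-secret-do-not-use"
ISSUER = "https://atr.example"
AUDIENCE = "atr-api"
EXPECTED_TYP = "at+jwt"  # RFC 9068 access-token header type
EXPECTED_TOKEN_TYPE = "atr_api_access"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub: str, token_type=None, typ="at+jwt", ttl: int = 300) -> str:
    """Mint an HS256 JWT. Pass token_type=None / typ=None to simulate an untyped token."""
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ
    now = int(time.time())
    claims = {"sub": sub, "iat": now, "exp": now + ttl, "aud": AUDIENCE, "iss": ISSUER}
    if token_type is not None:
        claims["token_type"] = token_type
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str) -> dict:
    """Return the claims only if signature, aud, iss, exp and BOTH type indicators check out."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return {}
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return {}
    if header.get("alg") != "HS256" or header.get("typ") != EXPECTED_TYP:
        return {}
    if claims.get("aud") != AUDIENCE or claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time():
        return {}
    if claims.get("token_type") != EXPECTED_TOKEN_TYPE:  # the check this issue asks for
        return {}
    return claims
```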
### Acceptance Criteria
- [ ] `typ: "at+jwt"` header added to issued tokens
- [ ] `token_type: "atr_api_access"` claim added to payload
- [ ] `verify()` function validates both type indicators
- [ ] Unit tests verify type validation enforcement
- [ ] Unit tests verify tokens without type indicators are rejected
- [ ] Documentation updated to describe token type validation
### References
- Source reports: L2:9.2.2.md
- Related findings: None
- ASVS sections: 9.2.2
- CWE: CWE-345
### Priority
Medium
---
**Triage notes:** check
--
This is an automated message from the Apache Git Service.