asf-tooling opened a new issue, #1091:
URL: https://github.com/apache/tooling-trusted-releases/issues/1091

**ASVS Level(s):** L1, L2

**Description:**

### Summary

The JWT time-to-live (TTL) is hardcoded as 30 minutes (1,800 seconds) in `atr/jwtoken.py`, lines 40-43 (`_ATR_JWT_TTL = 30 * 60`), but the authentication security documentation claims 90 minutes. The code implements the more restrictive value, so there is no security weakness. However, the discrepancy could cause confusion during security reviews, incorrect threat-modeling assumptions, misleading incident response procedures, and compliance documentation errors.

### Details

In `atr/jwtoken.py` at lines 40-43, the TTL is 30 minutes. In `atr/docs/authentication-security.md`, it is documented as 90 minutes.

### Recommended Remediation

Update `atr/docs/authentication-security.md` to change 'Validity: 90 minutes from creation' to 'Validity: 30 minutes from creation' so that the documentation matches the code. Keep the 30-minute TTL in code (more secure) rather than increasing it to 90 minutes: the shorter lifetime reduces the exposure window for compromised tokens.

### Acceptance Criteria

- [ ] Documentation updated to 30 minutes
- [ ] All references to 90 minutes removed
- [ ] Single source of truth established
- [ ] Unit tests verify TTL enforcement

### References

- Source reports: L1:10.4.2.md, L1:10.4.3.md, L2:10.4.8.md
- Related findings: None
- ASVS sections: 10.4.2, 10.4.3, 10.4.8

### Priority

Low

---

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
