asf-tooling opened a new issue, #1089: URL: https://github.com/apache/tooling-trusted-releases/issues/1089
**ASVS Level(s):** L1, L2

**Description:**

### Summary

Documentation states JWT validity is "90 minutes", but the code defines `_ATR_JWT_TTL = 30 * 60` (30 minutes), creating a discrepancy between the expected and actual token lifetime. This can lead to operational confusion, incorrect security assumptions in dependent systems, and unnecessary support requests when tokens expire earlier than documented. The inconsistency appears in multiple sections of `authentication-security.md`.

### Details

In `atr/jwtoken.py` at line 42, the TTL is defined as 30 minutes. However, `atr/docs/authentication-security.md` documents it as 90 minutes in multiple locations.

### Recommended Remediation

**Option 1 (Recommended):** Update the documentation to match the code:

```markdown
* **Validity**: 30 minutes from creation
```

**Option 2:** If 90 minutes is the intended policy, update the code:

```python
_ATR_JWT_TTL: Final[int] = 90 * 60  # 90 minutes
```

Verification: Review and align all documentation references to the token lifetime, including API documentation, user guides, and inline code comments.

### Acceptance Criteria

- [ ] Documentation and code TTL values match
- [ ] All documentation references updated
- [ ] Single source of truth established
- [ ] Unit tests verify TTL enforcement

### References

- Source reports: L1:9.1.2.md, L2:9.2.2.md
- Related findings: None
- ASVS sections: 9.1.2, 9.2.2

### Priority

Low

---

This is an automated message from the Apache Git Service.
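The "single source of truth" and "unit tests verify TTL enforcement" criteria above are easiest to satisfy when the documented lifetime is rendered from the same constant the verifier enforces, and when verification rejects both expired tokens and signed tokens whose `exp - iat` exceeds policy (so a stale 90-minute token cannot pass a 30-minute verifier after a config change). The following is an added illustration, not code from `atr/jwtoken.py` or the project; the constant name `JWT_TTL_SECONDS`, the functions `issue`/`verify`/`is_valid`/`ttl_for_docs`, the secret and the timestamps are all constructed for this example, and a minimal HS256 implementation is used so it runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Final, Optional

# Hypothetical single source of truth for the token lifetime. Both the
# enforcement below and the documentation string derive from it.
JWT_TTL_SECONDS: Final[int] = 30 * 60  # 30 minutes


def ttl_for_docs() -> str:
    """Render the documented validity from the enforced constant."""
    return f"{JWT_TTL_SECONDS // 60} minutes from creation"


class TokenError(Exception):
    """Raised for any token the verifier refuses to accept."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue(secret: bytes, subject: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose exp is exactly iat + JWT_TTL_SECONDS."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + JWT_TTL_SECONDS}
    signing_input = f"{_json_segment(header)}.{_json_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Return the payload if the signature, algorithm and lifetime all check out."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the signature before trusting any claim.
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    payload = json.loads(_b64url_decode(p))
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise TokenError("exp and iat are required")
    if now >= exp:
        raise TokenError("token expired")
    # Enforce the policy lifetime, not just the token's own exp: a token minted
    # under a longer TTL (or by a misconfigured issuer) is refused even if signed.
    if exp - iat > JWT_TTL_SECONDS:
        raise TokenError("token lifetime exceeds policy")
    return payload


def is_valid(secret: bytes, token: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper used by the TTL enforcement tests."""
    try:
        verify(secret, token, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    # Constructed secret and timestamp; only for this demonstration.
    secret = b"constructed-test-secret"
    t0 = 1_700_000_000
    token = issue(secret, "alice", now=t0)
    print(ttl_for_docs())
    print("valid at +29m59s:", is_valid(secret, token, now=t0 + JWT_TTL_SECONDS - 1))
    print("valid at +30m   :", is_valid(secret, token, now=t0 + JWT_TTL_SECONDS))
    print("valid at +90m   :", is_valid(secret, token, now=t0 + 90 * 60))
```

A unit test for the acceptance criteria then asserts that `ttl_for_docs()` matches the text in the documentation and that a token is rejected at exactly `iat + JWT_TTL_SECONDS`; if someone later changes the constant to `90 * 60`, the documentation string and the enforcement move together and the test still passes, which is the point of having one source of truth.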
