asf-tooling opened a new issue, #1111: URL: https://github.com/apache/tooling-trusted-releases/issues/1111
**ASVS Level(s):** L1, L2

**Description:**

### Summary

The documentation claims JWT tokens have a 90-minute validity period, while the actual implementation enforces a 30-minute TTL. This creates a discrepancy between documented and actual security behavior. Documentation-based security decisions may be based on incorrect TTL assumptions. While the actual TTL (30 minutes) is more secure than documented, the inconsistency erodes trust in documentation accuracy, could lead to confusion during incident response, may cause operational issues if teams plan around 90-minute windows, and creates audit trail inconsistencies.

### Details

In `atr/docs/authentication-security.md`, multiple locations reference 90-minute JWT validity. However, in `atr/jwtoken.py` at line 47, the implementation uses `_ATR_JWT_TTL = 30 * 60` (30 minutes).

### Recommended Remediation

Update documentation to reflect actual implementation:

In `atr/docs/authentication-security.md`, update to:

* **Validity**: 30 minutes from creation.

Search all documentation files for "90 min" or "90 minutes" references to JWT and update all occurrences to "30 min" or "30 minutes".

Add a documentation review step to CI/CD that validates security-critical parameters match code constants.

Consider extracting TTL values from code comments/docstrings to ensure a single source of truth.

### Acceptance Criteria

- [ ] All documentation references updated to 30 minutes
- [ ] No references to 90 minutes remain
- [ ] Documentation review added to CI/CD
- [ ] Single source of truth established for TTL values

### References

- Source reports: L1:6.3.1.md, L1:6.4.1.md, L2:6.3.4.md
- Related findings: None
- ASVS sections: 6.3.1, 6.4.1, 6.3.4

### Priority

Low

---

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
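The remediation above asks for a CI step that checks security-critical documentation against the code constant. The script below is an added example of such a check, not code from the tooling-trusted-releases project: it reads the `_ATR_JWT_TTL` assignment out of a Python source file with `ast` (so `30 * 60` is folded to seconds rather than string-matched), scans a Markdown document for every "N minutes" / "N min" claim, and reports each claim that disagrees with the code. The file names and the constant name come from the issue text; the embedded sample contents of both files are constructed stand-ins, and the CLI usage (`python check_jwt_ttl_docs.py atr/jwtoken.py atr/docs/authentication-security.md`) is an assumed invocation.

```python
"""Added CI example: fail if the JWT TTL documented in Markdown disagrees with
the _ATR_JWT_TTL constant in code. Not part of the project; sample inputs are
constructed to resemble the files named in the issue."""
from __future__ import annotations

import ast
import re
import sys
from pathlib import Path

# Constructed stand-in for atr/jwtoken.py; only the assignment matters here.
SAMPLE_CODE = '''
import time

_ATR_JWT_TTL = 30 * 60  # seconds
'''

# Constructed stand-in for atr/docs/authentication-security.md carrying the stale value.
SAMPLE_DOC = '''
# Authentication security

* **Validity**: 90 minutes from creation.
Tokens expire after 90 min and cannot be renewed.
The session cookie (not the JWT) lasts 14 days.
'''

# Matches "90 minutes", "90 min", "90-minute"; deliberately ignores days/hours.
MINUTES_RE = re.compile(r"\b(\d+)[ -]?min(?:ute)?s?\b", re.IGNORECASE)


def _eval_const(node: ast.AST) -> int:
    """Fold an integer constant expression such as `30 * 60` without exec()."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mult, ast.Add)):
        left, right = _eval_const(node.left), _eval_const(node.right)
        return left * right if isinstance(node.op, ast.Mult) else left + right
    raise ValueError(f"unsupported TTL expression: {ast.dump(node)}")


def ttl_minutes_from_code(source: str, name: str = "_ATR_JWT_TTL") -> int:
    """Return the TTL in minutes from the `name = <seconds expr>` assignment."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id == name:
                    return _eval_const(node.value) // 60
    raise LookupError(f"{name} not assigned in source")


def doc_ttl_claims(doc: str) -> list[tuple[int, int]]:
    """Return (line_number, minutes) for every minute-valued claim in the doc."""
    claims: list[tuple[int, int]] = []
    for lineno, line in enumerate(doc.splitlines(), start=1):
        for match in MINUTES_RE.finditer(line):
            claims.append((lineno, int(match.group(1))))
    return claims


def find_mismatches(code: str, doc: str) -> list[str]:
    """One message per documentation line whose minute value differs from code."""
    expected = ttl_minutes_from_code(code)
    return [
        f"line {lineno}: documents {minutes} minutes, code enforces {expected}"
        for lineno, minutes in doc_ttl_claims(doc)
        if minutes != expected
    ]


def main(argv: list[str]) -> int:
    # Assumed usage: script.py <jwtoken.py> <doc.md>; with no args, run on the samples.
    if len(argv) == 3:
        code, doc = Path(argv[1]).read_text(), Path(argv[2]).read_text()
    else:
        code, doc = SAMPLE_CODE, SAMPLE_DOC
    problems = find_mismatches(code, doc)
    for problem in problems:
        print(problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Reading the constant through `ast` rather than a regex means the check keeps working if the constant is later rewritten as `1800` or `30 * 60`, and the non-zero exit status is what lets a CI job fail on a stale "90 minutes". Claims about other units (the 14-day cookie line in the sample) are intentionally left alone so the check only flags the JWT TTL it understands.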
