asf-tooling opened a new issue, #1120:
URL: https://github.com/apache/tooling-trusted-releases/issues/1120

   **ASVS Level(s):** L2
   
   **Description:**
   
   ### Summary
   Both audience constants contain 'test' in their names (`_ATR_JWT_AUDIENCE = "atr-api-pat-test-v1"` and `_GITHUB_OIDC_AUDIENCE = "atr-test-v1"`), which may indicate development/testing configuration carried over to production deployment. While the audience values are functionally secure (distinct from each other, correctly validated), the naming suggests incomplete production configuration and could cause operational confusion about the token's intended deployment context.
   
   ### Details
   In `atr/jwtoken.py` at lines 23-24, both JWT audience constants contain 
'test' identifiers that suggest development/testing configuration.
   
   ### Recommended Remediation
   Update audience values to production-appropriate URIs:
   - `_ATR_JWT_AUDIENCE = "https://release.apache.org/api/v1"`
   - `_GITHUB_OIDC_AUDIENCE = "https://release.apache.org/trusted-publisher/v1"`
   
   Alternatively, use environment-specific configuration with `APP_HOST` 
variable. Remove 'test' identifiers for clarity and operational confidence.
   
   ### Acceptance Criteria
   - [ ] Audience values updated to production-appropriate URIs
   - [ ] No 'test' identifiers in production configuration
   - [ ] Environment-specific configuration if applicable
   - [ ] Unit tests verify audience validation
   
   ### References
   - Source reports: L2:9.2.2.md
   - Related findings: None
   - ASVS sections: 9.2.2
   
   ### Priority
   Low
   
   ---
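
One way to apply the remediation above, as an added example that is not the project's code: derive both audience values from an `APP_HOST` setting instead of hard-coding names with 'test' in them, and verify the `aud` claim strictly so a token minted for the PAT audience is rejected by the GitHub OIDC path and vice versa. The HS256 mini-JWT, the `release.apache.org` default, and the `audiences`/`sign`/`verify` names are assumptions made so the example runs offline with the standard library; a real deployment would use a JWT library and, for GitHub OIDC, the provider's published signing keys.

```python
# Added example, not code from apache/tooling-trusted-releases.
import base64, hashlib, hmac, json, os, time
from typing import Optional

def audiences(app_host: Optional[str] = None) -> dict:
    """Environment-specific audience URIs; the default host is a placeholder."""
    host = app_host or os.environ.get("APP_HOST", "release.apache.org")
    return {
        "pat": f"https://{host}/api/v1",
        "github_oidc": f"https://{host}/trusted-publisher/v1",
    }

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Mint an HS256 token (demo only; the real service would use a JWT library)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token: str, key: bytes, expected_aud: str, now: Optional[float] = None) -> dict:
    """Return the claims, or raise ValueError. Exactly one audience is expected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_unb64(head)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    aud = claims.get("aud")
    # RFC 7519 allows 'aud' to be a string or a list; accept only if ours is present.
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        raise ValueError(f"audience mismatch: {aud!r}")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def accepts(token: str, key: bytes, expected_aud: str, now: float) -> bool:
    """True if verify() accepts the token for this audience, False if it rejects it."""
    try:
        verify(token, key, expected_aud, now)
        return True
    except ValueError:
        return False
```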


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]