asf-tooling opened a new issue, #1129:
URL: https://github.com/apache/tooling-trusted-releases/issues/1129

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   Expired Personal Access Tokens (PATs) are properly rejected during 
authentication but are never deleted from the database. This causes unbounded 
database growth as expired credentials accumulate indefinitely, wasting storage 
and potentially exposing expired credentials longer than necessary.
   
   ### Details
   The token authentication mechanism in `atr/storage/writers/tokens.py` 
validates token expiration at authentication time but lacks a cleanup mechanism 
for expired tokens. Over time, this will result in:
   - Unbounded growth of the tokens table
   - Unnecessary storage costs
   - Increased backup sizes
   - Potential compliance issues with data retention policies
   - Longer query times as the table grows
   
   ### Recommended Remediation
   Implement a recurring cleanup task that purges expired tokens older than a 
retention period (e.g., 30 days):
   
   ```python
   from datetime import datetime, timedelta, timezone

   def purge_expired_tokens(conn, retention_days=30):
       """Remove expired tokens older than retention_days; return rows deleted (conn: DB-API connection)."""
       cutoff = datetime.now(timezone.utc) - timedelta(days=retention_days)
       # cutoff < NOW(), so this single predicate also guarantees the token is already expired.
       cur = conn.execute("DELETE FROM tokens WHERE expires_at < ?", (cutoff,))
       conn.commit()
       return cur.rowcount
   ```
   
   Schedule this task to run daily via cron, Celery beat, or similar scheduling 
mechanism.
   
   ### Acceptance Criteria
   - [ ] Implement automated cleanup task that deletes expired tokens older 
than 30 days
   - [ ] Schedule cleanup task to run at least daily
   - [ ] Add logging for cleanup operations (number of tokens purged)
   - [ ] Document the cleanup policy in the security documentation
   - [ ] Unit test verifying the cleanup logic correctly identifies and removes 
only expired tokens
   
   ### References
   - Source reports: L2:14.2.4.md
   - Related findings: None
   - ASVS sections: 14.2.4
   
   ### Priority
   Low
   
   ---
   
   ---
   
   **Triage notes:** janitorial services


-- 
This is an automated message from the Apache Git Service.
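The remediation sketch and the acceptance criteria above (purge only tokens expired longer than the retention period, log the count, unit-test the selection) can be worked through end to end. The following is an added example written for this page, not code from the issue or from the atr project; the `tokens` table name, its columns and ISO-8601 text timestamps are assumptions, and the sample rows are constructed. It also shows the edge case the retention window creates: a token that expired five days ago is still rejected at login but is not yet purged.

```python
"""Added example (not from the atr project): retention-based purge of expired
personal access tokens, exercised against an in-memory SQLite table."""
import logging
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

log = logging.getLogger("token_cleanup")

# Assumed minimal schema; the real atr schema may differ.
SCHEMA = """
CREATE TABLE tokens (
    id INTEGER PRIMARY KEY,
    token_hash TEXT NOT NULL,
    expires_at TEXT NOT NULL   -- ISO-8601 UTC timestamp
)
"""


def iso(dt: datetime) -> str:
    """Fixed-width ISO-8601 UTC text, so string order equals chronological order."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def purge_expired_tokens(conn: sqlite3.Connection, retention_days: int = 30,
                         now: Optional[datetime] = None) -> int:
    """Delete tokens that expired more than retention_days ago; return the count.

    Tokens that expired within the retention window are kept: authentication
    already rejects them, and the window leaves operators time to audit
    recently expired credentials. Because cutoff < now, the single predicate
    expires_at < cutoff already implies expires_at < now.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    cur = conn.execute("DELETE FROM tokens WHERE expires_at < ?", (iso(cutoff),))
    conn.commit()
    # Acceptance criterion: log how many tokens each run removed.
    log.info("purged %d expired tokens older than %s", cur.rowcount, iso(cutoff))
    return cur.rowcount


def seed_demo_tokens(conn: sqlite3.Connection, now: datetime) -> None:
    """Constructed sample data: one active, one recently expired, two long expired."""
    conn.execute(SCHEMA)
    rows = [
        (1, "hash-active", iso(now + timedelta(days=10))),   # still valid
        (2, "hash-recent", iso(now - timedelta(days=5))),    # expired, inside retention
        (3, "hash-old", iso(now - timedelta(days=31))),      # expired, past retention
        (4, "hash-ancient", iso(now - timedelta(days=400))), # expired, past retention
    ]
    conn.executemany("INSERT INTO tokens VALUES (?, ?, ?)", rows)
    conn.commit()


def remaining_ids(conn: sqlite3.Connection) -> List[int]:
    return [r[0] for r in conn.execute("SELECT id FROM tokens ORDER BY id")]


def demo(retention_days: int = 30) -> Tuple[int, List[int]]:
    """Run the purge on the constructed table; return (purged_count, remaining_ids)."""
    now = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
    conn = sqlite3.connect(":memory:")
    seed_demo_tokens(conn, now)
    purged = purge_expired_tokens(conn, retention_days, now=now)
    return purged, remaining_ids(conn)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())  # (2, [1, 2])
```

With the default 30-day retention only the two long-expired rows are removed and the recently expired token survives for the audit window; with `retention_days=0` the cutoff equals the current time and every expired token goes. Running `demo()` under the scheduler of choice (cron, Celery beat) is the part the issue leaves to the implementer; the injected `now` parameter is what makes the selection logic unit-testable without waiting on a real clock.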