andrewmusselman opened a new issue, #675:
URL: https://github.com/apache/tooling-trusted-releases/issues/675
**ASVS Requirement:** 9.2.1 — Token Validity Time Span Verification
**Severity:** Informational (defense-in-depth)
### Description
The JWT issuance function in `atr/jwtoken.py:54-61` sets `exp` and `iat` but
does not include an `nbf` (not-before) claim. While ASVS 9.2.1 only requires
verification of time claims that are *present*, including `nbf` set to the
current time would guard against edge cases where tokens are used before their
intended issuance moment (e.g., due to clock skew between services).
PyJWT validates `nbf` automatically when present, so no changes to
`verify()` are needed.
### Recommended fix
1. Document inline with prefixed comment
2. Ensure prompt is aware of prefixed comments
Add `"nbf": now` to the payload in `issue()`:
```python
payload = {
"nbf": now,
"exp": now + datetime.timedelta(seconds=ttl),
# ... existing claims
}
```
### Relevant code
`atr/jwtoken.py` — `issue()`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
