asf-tooling opened a new issue, #971:
URL: https://github.com/apache/tooling-trusted-releases/issues/971
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
When a user deletes or creates a Personal Access Token (an authentication
factor), no option is presented to terminate all other active sessions. The PAT
is added/removed from the database and an email notification is sent, but
cookie-based web sessions and non-PAT-bound JWTs remain fully active for up to
72 hours. If a user deletes their PAT because of suspected compromise or
creates a new PAT to replace a compromised one, they cannot force logout of
potentially compromised sessions, creating a false sense of security.
### Details
**Affected Files and Lines:**
- `atr/post/tokens.py:63-78` - PAT deletion without session termination
option
- `atr/post/tokens.py:80-85` - PAT creation without session termination
option
- `atr/storage/writers/tokens.py:55-90` - _add_token implementation
- `atr/storage/writers/tokens.py:92-112` - _delete_token implementation
This violates ASVS 7.4.3's requirement to offer session termination after
authentication factor changes.
### Recommended Remediation
Add a `terminate_other_sessions` boolean field to `AddTokenForm` and
`DeleteTokenForm`:
```python
class DeleteTokenForm:
    token_id: int
    # Defaults to False so existing callers keep their current behaviour
    terminate_other_sessions: bool = False
```
Update `_add_token()` and `_delete_token()` handlers:
```python
# After the token row has been added/removed, optionally revoke every other
# session of this user while keeping the session that made the request.
if form.terminate_other_sessions:
    terminate_all_other_sessions(session.asf_uid, current_session_id)
```
Add a checkbox to the token forms with the text: 'Terminate all other active
sessions - Recommended if this token was compromised or if replacing a
compromised token. You will remain logged in on this device.'
Display a warning if the user declines on deletion: 'Token deleted
successfully. Consider terminating other sessions if this token was
compromised.'
Note: Requires FINDING-005 fix first to implement session termination.
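The deletion flow described above, as an added example that is not code from this issue or from the tooling-trusted-releases project. It assumes an in-memory stand-in for the session and token stores (`SessionStore`, `delete_token` and the dict layouts are hypothetical), and adds the ownership check a handler needs before removing a token.

```python
from dataclasses import dataclass, field


@dataclass
class DeleteTokenForm:
    token_id: int
    terminate_other_sessions: bool = False


@dataclass
class SessionStore:
    # Constructed stand-in for the real session backend: session_id -> asf_uid
    sessions: dict[str, str] = field(default_factory=dict)

    def terminate_all_other_sessions(self, asf_uid: str, current_session_id: str) -> list[str]:
        """Revoke every session of asf_uid except the one making the request.

        Returns the ids that were revoked so the caller can log or display them.
        """
        revoked = [
            sid for sid, uid in self.sessions.items()
            if uid == asf_uid and sid != current_session_id
        ]
        for sid in revoked:
            del self.sessions[sid]
        return revoked


def delete_token(
    form: DeleteTokenForm,
    asf_uid: str,
    current_session_id: str,
    tokens: dict[int, str],  # constructed stand-in: token_id -> owning asf_uid
    store: SessionStore,
) -> str:
    """Remove the PAT, optionally revoke other sessions, return the user message."""
    # Never let a user delete a token they do not own.
    if tokens.get(form.token_id) != asf_uid:
        raise PermissionError("token does not belong to the requesting user")
    del tokens[form.token_id]
    if form.terminate_other_sessions:
        revoked = store.terminate_all_other_sessions(asf_uid, current_session_id)
        return f"Token deleted successfully. Terminated {len(revoked)} other session(s)."
    # User declined: the token is gone, but other sessions stay valid, so warn.
    return ("Token deleted successfully. Consider terminating other sessions "
            "if this token was compromised.")
```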
### Acceptance Criteria
- [ ] terminate_other_sessions field added to forms
- [ ] Checkbox added to UI
- [ ] Session termination triggered when checked
- [ ] Warning displayed when declined
- [ ] Current session preserved
- [ ] Unit test verifying the fix
### References
- Source reports: L2:7.4.3.md
- Related findings: FINDING-005, FINDING-037, FINDING-131
- ASVS sections: 7.4.3
### Priority
High
---
This is an automated message from the Apache Git Service.