Skip to content

Security: Excessively long JWT access token lifetime#135

Open
tuanaiseo wants to merge 1 commit into
reconurge:mainfrom
tuanaiseo:contribai/fix/security/excessively-long-jwt-access-token-lifeti
Open

Security: Excessively long JWT access token lifetime#135
tuanaiseo wants to merge 1 commit into
reconurge:mainfrom
tuanaiseo:contribai/fix/security/excessively-long-jwt-access-token-lifeti

Conversation

@tuanaiseo

Copy link
Copy Markdown

Problem

ACCESS_TOKEN_EXPIRE_MINUTES is set to 60 * 60 (3600 minutes = 60 hours). Long-lived bearer tokens significantly increase impact of token theft and replay.

Severity: medium
File: flowsint-core/src/flowsint_core/core/auth.py

Solution

Reduce access-token TTL (commonly 5–30 minutes), issue refresh tokens separately, and rotate/revoke tokens on sensitive events.

Changes

  • flowsint-core/src/flowsint_core/core/auth.py (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

`ACCESS_TOKEN_EXPIRE_MINUTES` is set to `60 * 60` (3600 minutes = 60 hours). Long-lived bearer tokens significantly increase impact of token theft and replay.

Affected files: auth.py

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
@dextmorgn

Copy link
Copy Markdown
Collaborator

Hello @tuanaiseo,

You are absolutly right. Token TTL is extremly long.
Your fix is good but we currently don't have any refresh token mechanism. Maybe that's an issue we should create and fix ?
Let me know what you think

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants