curo1305 0af5e8cc24 Harden JWT: 8-hour expiry, add JWT vulnerability checks
- Reduce ACCESS_TOKEN_EXPIRE_MINUTES from 24h to 8h (no permanent sessions)
- Add JWT_PATTERNS to security_check.py: algorithm=none, verify_exp=False,
  multi-day timedelta, oversized EXPIRE_MINUTES, hardcoded secret
- Add JWT security checklist to security-auditor agent
- Document auth/session security items in TODO.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-13 22:54:53 +02:00


2026-04-13 — JWT token expiry hardened to 8 hours

Timestamp: 2026-04-13T04:00:00

Summary

Reduced JWT token lifetime from 24 hours to 8 hours with no permanent session option. Added JWT vulnerability detection to the pre-commit security check and a JWT security checklist to the security-auditor agent. Updated TODO with auth/session security items.

Files Modified

  • backend/app/core/config.py — ACCESS_TOKEN_EXPIRE_MINUTES changed from 60 * 24 to 60 * 8; added comment "no permanent sessions"
  • scripts/security_check.py — added JWT_PATTERNS category: algorithm confusion (none), disabled expiry verification, multi-day token lifetime, oversized EXPIRE_MINUTES, hardcoded secret; wired into ALL_PATTERNS and updated docstring
  • .claude/agents/security-auditor.md — added JWT security checklist table covering algorithm confusion, expiry enforcement, token lifetime, secret key strength, missing claims, localStorage storage, no refresh tokens policy
  • TODO.md — added "Auth / session security" section: 8-hour JWT checked off, refresh token and httpOnly cookie migration as future items
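As an added illustration of the JWT_PATTERNS check described above (this is example code, not the project's own scripts/security_check.py): a small scanner with one rule per listed category, run over a constructed weak config and its hardened counterpart. The rule names, regexes and the 8-hour threshold are assumptions of this example.

```python
import math
import re

# Rule set modelled on the JWT_PATTERNS category in the changelog; regexes, names and threshold are assumed.
MAX_EXPIRE_MINUTES = 60 * 8
JWT_PATTERNS = {
    "jwt-alg-none": re.compile(r"algorithm(s)?\s*=\s*\[?\s*['\"]none['\"]", re.I),
    "jwt-verify-exp-disabled": re.compile(r"['\"]?verify_exp['\"]?\s*[:=]\s*False"),
    "jwt-multi-day-timedelta": re.compile(r"timedelta\(\s*days\s*=\s*(?:[2-9]|\d{2,})"),
    "jwt-oversized-expire-minutes": re.compile(r"EXPIRE_MINUTES\s*=\s*(.+)"),
    "jwt-hardcoded-secret": re.compile(r"(?:SECRET_KEY|JWT_SECRET)\s*=\s*['\"][^'\"]+['\"]"),
}

def _expire_minutes(expr):
    # Score plain integer arithmetic such as "60 * 24" without eval(); None otherwise.
    expr = expr.split("#")[0].strip()
    if not re.fullmatch(r"\d+(\s*[*+]\s*\d+)*", expr):
        return None
    return sum(math.prod(int(f) for f in term.split("*")) for term in expr.split("+"))

def scan_source(text, path="<constructed>"):
    # Return (path, line_no, rule) for every line that trips a rule.
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in JWT_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "jwt-oversized-expire-minutes":
                minutes = _expire_minutes(match.group(1))
                if minutes is None or minutes <= MAX_EXPIRE_MINUTES:
                    continue  # within policy, or not a literal we can score
            findings.append((path, line_no, rule))
    return findings

# Constructed "before" config: each line trips exactly one rule.
WEAK_CONFIG = """\
SECRET_KEY = "change-me"
ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 24
REFRESH_TTL = timedelta(days=30)
payload = jwt.decode(token, key, algorithms=["none"])
claims = jwt.decode(token, key, options={"verify_exp": False})
"""
# Constructed "after" config mirroring the hardened settings: no findings expected.
HARDENED_CONFIG = """\
SECRET_KEY = os.environ["JWT_SECRET"]
ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 8  # no permanent sessions
payload = jwt.decode(token, key, algorithms=["HS256"])
"""
```

Running scan_source(WEAK_CONFIG) reports one finding per line; the hardened config produces none, since 60 * 8 is exactly at the threshold.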