curo1305
0af5e8cc24
- Reduce ACCESS_TOKEN_EXPIRE_MINUTES from 24h to 8h (no permanent sessions) - Add JWT_PATTERNS to security_check.py: algorithm=none, verify_exp=False, multi-day timedelta, oversized EXPIRE_MINUTES, hardcoded secret - Add JWT security checklist to security-auditor agent - Document auth/session security items in TODO.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
15 lines
1.1 KiB
Markdown
15 lines
1.1 KiB
Markdown
# 2026-04-13 — JWT token expiry hardened to 8 hours
|
|
|
|
**Timestamp:** 2026-04-13T04:00:00
|
|
|
|
## Summary
|
|
|
|
Reduced JWT token lifetime from 24 hours to 8 hours with no permanent session option. Added JWT vulnerability detection to the pre-commit security check and a JWT security checklist to the security-auditor agent. Updated TODO with auth/session security items.
|
|
|
|
## Files Modified
|
|
|
|
- `backend/app/core/config.py` — `ACCESS_TOKEN_EXPIRE_MINUTES` changed from `60 * 24` to `60 * 8`; added comment "no permanent sessions"
|
|
- `scripts/security_check.py` — added `JWT_PATTERNS` category: algorithm confusion (`none`), disabled expiry verification, multi-day token lifetime, oversized EXPIRE_MINUTES, hardcoded secret; wired into `ALL_PATTERNS` and updated docstring
|
|
- `.claude/agents/security-auditor.md` — added JWT security checklist table covering algorithm confusion, expiry enforcement, token lifetime, secret key strength, missing claims, localStorage storage, no refresh tokens policy
|
|
- `TODO.md` — added "Auth / session security" section: 8-hour JWT checked off, refresh token and httpOnly cookie migration as future items
|