Skip to content

docs: update SECURITY.md §8.3 — backend tokens now bounded + revocable #302

Description

@aptracebloc

Background

docs/SECURITY.md §8.3 ("Backend tokens never expire — backend team") is now stale. The work it tracked landed via tracebloc/backend#590:

  • Backend (tracebloc/backend#933): active data-scientist web logins get a bounded, revocable 30-day ClientAccessToken (Bearer); revocation via /auth/revoke, /logout/, password change, and a Django-admin action. No refresh token by design — re-login mints a fresh token.
  • Frontend (tracebloc/frontend-app#575): scheme-aware Authorization: ${token_scheme} ${token} header + central 401 → re-login handling.

Scope

Update §8.3 to reflect:

  1. The unbounded-token finding is mitigated for interactive DS web sessions (bounded + revocable).
  2. EDGE devices and bots intentionally keep the legacy long-lived DRF Token (non-interactive service credentials) — this is by design, not an oversight.
  3. The residual risk — token still stored in JS-readable storage (localStorage + non-httpOnly cookie) — is tracked separately (SEC-06 residual follow-up in tracebloc/backend, successor to tracebloc/backend#590).

Refs

tracebloc/backend#590 (closed) · tracebloc/backend#933 · tracebloc/frontend-app#575

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions