Background
docs/SECURITY.md §8.3 ("Backend tokens never expire — backend team") is now stale. The work it tracked landed via tracebloc/backend#590:
- Backend (tracebloc/backend#933): active data-scientist web logins get a bounded, revocable 30-day
ClientAccessToken (Bearer); revocation via /auth/revoke, /logout/, password change, and a Django-admin action. No refresh token by design — re-login mints a fresh token.
- Frontend (tracebloc/frontend-app#575): scheme-aware
Authorization: ${token_scheme} ${token} header + central 401 → re-login handling.
Scope
Update §8.3 to reflect:
- The unbounded-token finding is mitigated for interactive DS web sessions (bounded + revocable).
- EDGE devices and bots intentionally keep the legacy long-lived DRF
Token (non-interactive service credentials) — this is by design, not an oversight.
- The residual risk — token still stored in JS-readable storage (localStorage + non-httpOnly cookie) — is tracked separately (SEC-06 residual follow-up in tracebloc/backend, successor to tracebloc/backend#590).
Refs
tracebloc/backend#590 (closed) · tracebloc/backend#933 · tracebloc/frontend-app#575
Background
docs/SECURITY.md§8.3 ("Backend tokens never expire — backend team") is now stale. The work it tracked landed via tracebloc/backend#590:ClientAccessToken(Bearer); revocation via/auth/revoke,/logout/, password change, and a Django-admin action. No refresh token by design — re-login mints a fresh token.Authorization: ${token_scheme} ${token}header + central 401 → re-login handling.Scope
Update §8.3 to reflect:
Token(non-interactive service credentials) — this is by design, not an oversight.Refs
tracebloc/backend#590 (closed) · tracebloc/backend#933 · tracebloc/frontend-app#575