In-memory OAuth state storage incompatible with multi-instance deployments #52

@andrewmusselman

Source: ATR ASVS V10.4.2 audit — Observation 1

Description

OAuth state parameters are stored in a process-local dictionary in src/asfquart/generics.py:

pending_states = {}  # keeps track of pending states and their expiry

In a multi-instance or load-balanced deployment, if the OAuth callback is routed to a different instance than the one that initiated the flow, the state lookup will fail because pending_states is not shared across processes.

Recommendation

For single-instance deployments this is acceptable. If ATR is ever deployed behind a load balancer with multiple instances, consider moving state storage to a shared backend (e.g., Redis, database) or ensuring session affinity at the load balancer level.

Severity

Informational — current single-instance deployment is not affected, but this is a scaling concern for future infrastructure changes.
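The routing problem the issue describes, reproduced as an added example (not asfquart's own code): a hypothetical `OAuthStateStore` whose `backend` mapping is either a fresh `{}` per instance (the process-local `pending_states` pattern) or one mapping shared by every instance (a stand-in for Redis or a database). The `callback_on_other_instance` helper simulates a load balancer delivering the callback to a different instance than the one that started the flow.

```python
import secrets
import time
from typing import Callable, MutableMapping, Optional


class OAuthStateStore:
    """Tracks pending OAuth ``state`` values and when they expire.

    Hypothetical helper for this example. ``backend`` is the mapping that
    holds the states: a fresh ``{}`` per process reproduces the issue, while
    a mapping shared by all instances stands in for Redis or a database.
    """

    def __init__(self, backend: MutableMapping[str, float], ttl: float = 600.0):
        self.backend = backend
        self.ttl = ttl  # seconds a state stays valid

    def issue(self, now: Optional[float] = None) -> str:
        """Mint an unguessable state and record its expiry in the backend."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        self.backend[state] = now + self.ttl
        return state

    def consume(self, state: str, now: Optional[float] = None) -> bool:
        """Validate the state from the callback; single-use, removed on lookup."""
        now = time.time() if now is None else now
        expiry = self.backend.pop(state, None)
        return expiry is not None and now < expiry


def callback_on_other_instance(make_store: Callable[[], OAuthStateStore],
                               start: float = 1000.0,
                               callback: float = 1100.0) -> bool:
    """Instance A starts the flow; the load balancer routes the callback to B."""
    instance_a, instance_b = make_store(), make_store()
    state = instance_a.issue(now=start)
    return instance_b.consume(state, now=callback)


if __name__ == "__main__":
    # Process-local dicts: instance B has never seen the state, lookup fails.
    print(callback_on_other_instance(lambda: OAuthStateStore({})))      # False
    # One backend shared by every instance: the same flow succeeds.
    shared: dict = {}
    print(callback_on_other_instance(lambda: OAuthStateStore(shared)))  # True
```

With session affinity instead of a shared backend, the callback reaches the originating instance and the per-process dict works; the shared mapping here should be replaced by a store with TTL support in real deployments.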
