ASVS Requirement: 9.2.1 — Token Validity Time Span Verification
Description
In asfquart/session.py:48-63, when a request arrives with a Bearer authorization header, the framework delegates personal access token (PAT) validation entirely to the application's token_handler callback. It does not independently check whether the session dictionary the callback returns belongs to an expired token.
The storage layer (atr/storage/writers/tokens.py:80) does check expiration when issuing JWTs for PATs, but direct bearer-token authentication through the framework path has no expiry enforcement of its own; the check lives only in the handler. If a future token_handler implementation omits its own expiry check, expired PATs would be accepted.
Recommended fix
After app.token_handler returns a session_dict, the framework should check for an expires field and reject the request if the token has expired:
```python
import datetime

# Goes in the case "bearer": branch, after app.token_handler returns session_dict.
# `expires` is assumed to be a timezone-aware datetime; a naive datetime or a
# timestamp would make the comparison raise TypeError. datetime.UTC needs Python 3.11+.
if session_dict:
    expires = session_dict.get("expires")
    if expires is not None and datetime.datetime.now(datetime.UTC) > expires:
        raise base.ASFQuartException("Token has expired", errorcode=401)
return ClientSession(session_dict)
```
Relevant code
asfquart/session.py — case "bearer": block.
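The following is an added, self-contained model of the bearer path with the framework-side check in place; it is example code written for this issue, not asfquart's own code. It assumes a synchronous token_handler (asfquart's is async), uses a hypothetical TokenExpired exception in place of base.ASFQuartException, and accepts an aware datetime, a naive datetime (read as UTC) or a POSIX timestamp as the expiry, failing closed on anything else. The PAT table and the careless handler are constructed for the demonstration.

```python
import datetime
from typing import Any, Callable, Optional

UTC = datetime.timezone.utc


class TokenExpired(Exception):
    """Hypothetical stand-in for base.ASFQuartException(..., errorcode=401)."""

    errorcode = 401


def _expiry_as_utc(expires: Any) -> datetime.datetime:
    """Normalise the session's 'expires' value to an aware UTC datetime.

    Assumption: handlers store expiry as an aware datetime, a naive datetime
    meant as UTC, or a POSIX timestamp. Anything else fails closed, so an
    unreadable expiry can never silently extend a token's life.
    """
    if isinstance(expires, bool):  # bool subclasses int; it is never an expiry
        raise TokenExpired("Token expiry is malformed")
    if isinstance(expires, (int, float)):
        return datetime.datetime.fromtimestamp(expires, tz=UTC)
    if isinstance(expires, datetime.datetime):
        if expires.tzinfo is None:
            return expires.replace(tzinfo=UTC)
        return expires.astimezone(UTC)
    raise TokenExpired("Token expiry is malformed")


def enforce_expiry(session_dict: Optional[dict],
                   now: Optional[datetime.datetime] = None) -> Optional[dict]:
    """Framework-side check applied after token_handler returns.

    It runs regardless of what the handler did, so a handler that forgets its
    own expiry check cannot hand out a session for an expired PAT.
    """
    if not session_dict:
        return None
    now = now or datetime.datetime.now(UTC)
    expires = session_dict.get("expires")
    if expires is not None and now > _expiry_as_utc(expires):
        raise TokenExpired("Token has expired")
    return session_dict


TokenHandler = Callable[[str], Optional[dict]]


def authenticate_bearer(authorization: Optional[str], token_handler: TokenHandler,
                        now: Optional[datetime.datetime] = None) -> Optional[dict]:
    """Model of the bearer branch: parse the header, call the handler, enforce expiry."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return enforce_expiry(token_handler(token.strip()), now=now)


# Constructed PAT table standing in for the application's token store.
NOW = datetime.datetime(2025, 1, 1, 12, 0, tzinfo=UTC)
_PATS = {
    "pat-live": {"uid": "alice", "expires": NOW + datetime.timedelta(hours=1)},
    "pat-stale": {"uid": "bob", "expires": NOW - datetime.timedelta(minutes=5)},
    "pat-epoch": {"uid": "carol",
                  "expires": int((NOW - datetime.timedelta(days=1)).timestamp())},
    "pat-naive": {"uid": "dave",
                  "expires": (NOW + datetime.timedelta(hours=2)).replace(tzinfo=None)},
    "pat-broken": {"uid": "erin", "expires": "tomorrow"},
}


def careless_token_handler(token: str) -> Optional[dict]:
    """A handler that looks tokens up but never checks expiry: the case the issue warns about."""
    return _PATS.get(token)


def demo() -> dict:
    """Run every PAT through the bearer path; map token -> 'ok', 'rejected' or 'anonymous'."""
    results = {}
    for token in (*_PATS, "pat-unknown"):
        try:
            session = authenticate_bearer(f"Bearer {token}", careless_token_handler, now=NOW)
            results[token] = "ok" if session else "anonymous"
        except TokenExpired:
            results[token] = "rejected"
    return results


if __name__ == "__main__":
    for token, outcome in demo().items():
        print(f"{token:12s} {outcome}")
```

With the careless handler, pat-stale, pat-epoch and pat-broken are all refused by the framework check even though the handler returned a session for each; the framework, not the application callback, is the last line of defence. Rejecting a malformed expiry rather than ignoring it is a deliberate choice: the issue's proposed check skips tokens with no expires field, and an attacker-controlled or corrupted value should not be able to reach that branch.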