Skip to content

Code review: flowstate Token rotation can be bypassed by FLOW_RUNTIME_TOKEN #9

Description

@ajbeaver

Generated by Offband issue reporting.

Summary

Code review: flowstate Token rotation can be bypassed by FLOW_RUNTIME_TOKEN

Routing

  • Repo: offband/FlowState
  • Repo class: public_tool
  • Rule id: code_review.security_surface
  • Candidate key: code-review:flowstate:auth-restart
  • Category: code-review
  • Severity: warning
  • Review profile: code_review
  • Review target: flowstate
  • Labels: offband-report, weekly, needs-owner, code-review
  • Source: code_review.bounded_ai

Expected

Product repositories should avoid actionable code risks identified by bounded source review.

Observed

src/flowstate_runtime/auth.py:36: read_token() and configured_token() prefer FLOW_RUNTIME_TOKEN over the token file, while rotate_token() only writes a new file token. In a process with FLOW_RUNTIME_TOKEN set, rotating the token does not change the token accepted by verify_bearer().

Why It Matters

Users may believe a token was rotated, but the runtime can continue accepting the older environment-provided bearer token until the environment is changed and the process restarted.

Decision Needed

Decide whether token rotation is intended to override environment auth or document/enforce that environment tokens take precedence and must be separately rotated.

Policy Source

config/issue-reporting.json: code_review

Evidence

{
  "artifact_path": "<redacted-path>",
  "canonical_topic": "auth-restart",
  "dedupe_core": "ensure-token",
  "dedupe_subject": "symbol:ensure-token",
  "finding": {
    "confidence": "high",
    "finding_class": "security_surface",
    "impact": "Users may believe a token was rotated, but the runtime can continue accepting the older environment-provided bearer token until the environment is changed and the process restarted.",
    "line": 36,
    "owner_decision": "Decide whether token rotation is intended to override environment auth or document/enforce that environment tokens take precedence and must be separately rotated.",
    "path": "src/flowstate_runtime/auth.py",
    "summary": "read_token() and configured_token() prefer FLOW_RUNTIME_TOKEN over the token file, while rotate_token() only writes a new file token. In a process with FLOW_RUNTIME_TOKEN set, rotating the token does not change the token accepted by verify_bearer().",
    "title": "Token rotation can be bypassed by FLOW_RUNTIME_TOKEN"
  },
  "line": 36,
  "path": "src/flowstate_runtime/auth.py",
  "semantic_topic": "auth-restart"
}

Suggested Resolution

Decide whether token rotation is intended to override environment auth or document/enforce that environment tokens take precedence and must be separately rotated.

Report

  • Report generated: 2026-07-03T23:13:32Z
  • Candidate key: code-review:flowstate:auth-restart

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions