WF-S-1 — Attacker replays a stolen JWT to impersonate a user
Component: Wallet Frontend. Mitigations: Short expiry (exp); JTI blacklist (in-memory); refresh token rotation. Action: Ensure the JTI blacklist survives restart or use a distributed blacklist.
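The action item above rests on one observation: a revoked `jti` that lives only in process memory is forgotten the moment the service restarts, so a stolen token that was blacklisted becomes valid again until `exp` passes. The following added example (not code from the Wallet Frontend or from the threat model) makes that failure concrete. It uses a minimal HS256 JWT encoder/verifier so it runs offline, an in-memory denylist beside one backed by a SQLite file, and a `replay_after_restart` helper that revokes a token, rebuilds the denylist as a restart would, and reports whether the token is accepted again. The secret, the subject, the `jti` value and the SQLite file path are all constructed for the example; SQLite stands in for whatever shared or persistent store (database, cache cluster) a distributed blacklist would actually use.

```python
import base64
import hashlib
import hmac
import json
import os
import sqlite3
import tempfile
import time

SECRET = b"constructed-demo-secret"  # constructed for the example, not a real key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT: header.payload.signature, base64url without padding."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def decode_jwt(token: str, key: bytes = SECRET, now=None) -> dict:
    """Verify the signature and the exp claim; a token without exp is rejected."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class MemoryDenylist:
    """The weak setting: revoked jtis live only in this process."""

    def __init__(self):
        self._jtis = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._jtis[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._jtis


class SqliteDenylist:
    """Persistent denylist; a new instance on the same file sees earlier revocations."""

    def __init__(self, path: str):
        self._db = sqlite3.connect(path)
        self._db.execute("CREATE TABLE IF NOT EXISTS revoked_jti (jti TEXT PRIMARY KEY, exp INTEGER)")
        self._db.commit()

    def revoke(self, jti: str, exp: int) -> None:
        self._db.execute("INSERT OR REPLACE INTO revoked_jti VALUES (?, ?)", (jti, int(exp)))
        self._db.commit()

    def is_revoked(self, jti: str) -> bool:
        return self._db.execute("SELECT 1 FROM revoked_jti WHERE jti = ?", (jti,)).fetchone() is not None

    def purge_expired(self, now=None) -> None:
        """Short expiry bounds the table: entries past exp can never be replayed anyway."""
        now = time.time() if now is None else now
        self._db.execute("DELETE FROM revoked_jti WHERE exp <= ?", (int(now),))
        self._db.commit()


def validate(token: str, denylist, now=None) -> dict:
    """Full check: signature, exp, presence of jti, and jti not revoked."""
    claims = decode_jwt(token, now=now)
    if "jti" not in claims:
        raise ValueError("jti missing")
    if denylist.is_revoked(claims["jti"]):
        raise ValueError("revoked")
    return claims


def accepted(token: str, denylist, now) -> bool:
    try:
        validate(token, denylist, now)
        return True
    except ValueError:
        return False


def replay_after_restart(make_denylist) -> bool:
    """Revoke a token, rebuild the denylist as a restart would, and report whether
    the same token is accepted again. True means the replay succeeds."""
    now = 1_000_000  # fixed clock so the example is deterministic
    token = encode_jwt({"sub": "user-42", "jti": "jti-abc", "exp": now + 300})  # constructed claims
    denylist = make_denylist()
    denylist.revoke("jti-abc", now + 300)
    assert not accepted(token, denylist, now)  # revoked while the process is up
    denylist = make_denylist()  # simulated restart: fresh instance
    return accepted(token, denylist, now)


def demo() -> tuple:
    """Returns (replay works with in-memory list, replay works with persistent list)."""
    in_memory = replay_after_restart(MemoryDenylist)
    path = os.path.join(tempfile.mkdtemp(), "jti.db")  # constructed path
    persistent = replay_after_restart(lambda: SqliteDenylist(path))
    return in_memory, persistent


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The two tuple members are the whole point of the action item: with `MemoryDenylist` the revoked token is accepted again after the restart, with `SqliteDenylist` it stays rejected. `purge_expired` shows why short `exp` matters for the blacklist's size as well as for exposure: once a token is past `exp` its `jti` can be dropped from the store. Refresh token rotation is orthogonal to this check and is not modelled here.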
| Property | Value |
|---|---|
| Section | Spoofing |
| Owner | platform |
Mapped Controls
| Control | Title |
|---|---|
| SID-AUTH-01 | FIDO2/WebAuthn Passwordless Authentication |
| SID-AUTH-02 | JWT Bearer Token Session Management |
Source: STRIDE analysis (April 2026), architecture/stride-threat-model.md