@auth0/auth0-checkmate 1.4.0

package/tests/clients/checkRefreshToken.test.js

@@ -0,0 +1,63 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkRefreshToken = require("../../analyzer/lib/clients/checkRefreshToken");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkRefreshToken", function() {
+
+    it("should report failure if refresh_token is used but rotation_type is not rotating", function() {
+        const options = {
+            clients: [{
+                name: "Default App",
+                client_id: "client_id",
+                app_type: "spa",
+                grant_types: ["authorization_code", "refresh_token"],
+                refresh_token: {
+                    rotation_type: "non-rotating",
+                },
+            }]
+        };;
+
+        checkRefreshToken(options, (result) => {
+            expect(result).to.be.an("array").with.lengthOf(1);
+            expect(result[0].name).to.equal("Default App (client_id)");
+            expect(result[0].report).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report[0]).to.include({
+                name: "Default App (client_id)",
+                client_id: "client_id",
+                field: "use_rotating_refresh_token",
+                status: CONSTANTS.FAIL,
+                value: "non-rotating",
+            });
+        });
+    });
+
+    it("should return an empty report if refresh_token uses rotating", function() {
+        const options = {
+            clients: [{
+                name: "Secure App",
+                client_id: "client_secure",
+                app_type: "spa",
+                grant_types: ["authorization_code", "refresh_token"],
+                refresh_token: {
+                    rotation_type: "rotating",
+                },
+            }]
+        };;
+
+        checkRefreshToken(options, (result) => {
+
+            expect(result).to.be.an("array").with.lengthOf(1);
+            expect(result[0].name).to.equal("Secure App (client_secure)");
+            expect(result[0].report).to.be.an("array").that.is.empty;
+        })
+    });
+
+    it("should return empty result if no clients are provided", function() {
+        const options = {clients: []};
+        checkRefreshToken(options, (result) => {
+            expect(result).to.be.an("array").that.is.empty;
+        });
+    });
+});

package/tests/clients/checkWebOrigins.test.js

@@ -0,0 +1,140 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkWebOrigins = require("../../analyzer/lib/clients/checkWebOrigins");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkWebOrigins", function () {
+  it("should return an empty report when there are no clients", function () {
+    const options = {
+      clients: [], // No clients
+    };
+
+    checkWebOrigins(options, (reports) => {
+      expect(reports).to.deep.equal([]); // No reports expected
+    });
+  });
+
+  it("should return a empty report when client has no web origins URLs and app_type is not non_interactive and native", function () {
+    const options = {
+      clients: [
+        {
+          name: "Test App",
+          client_id: "client_id",
+          app_type: "spa", // Not non_interactive
+          web_origins: [], // No allowed logout URLs
+        },
+      ],
+    };
+
+    checkWebOrigins(options, (reports) => {
+      expect(reports).to.deep.equal([
+        {
+          name: "Test App",
+          report: [],
+        },
+      ]);
+    });
+  });
+
+  it("should return a fail report when client has insecure web origin URLs (http://localhost)", function () {
+    const options = {
+      clients: [
+        {
+          name: "Test App",
+          client_id: "client_id",
+          web_origins: ["http://localhost:3000"], // Insecure logout URL
+          app_type: "spa",
+        },
+      ],
+    };
+
+    checkWebOrigins(options, (reports) => {
+      expect(reports).to.deep.equal([
+        {
+          name: "Test App",
+          report: [
+            {
+              name: "Test App",
+              client_id: "client_id",
+              field: "insecure_web_origins_urls",
+              url: "http://localhost:3000",
+              status: CONSTANTS.FAIL,
+              app_type: "spa",
+            },
+          ],
+        },
+      ]);
+    });
+  });
+
+  it("should return a success report when client has secure aweb origin URLs (https://contoso.com)", function () {
+    const options = {
+      clients: [
+        {
+          name: "Test App",
+          client_id: "client_id",
+          web_origins: ["https://contoso.com"], // Secure logout URL
+          app_type: "spa",
+        },
+      ],
+    };
+
+    checkWebOrigins(options, (reports) => {
+      expect(reports).to.deep.equal([
+        {
+          name: "Test App",
+          report: [
+            {
+              name: "Test App",
+              client_id: "client_id",
+              field: "secure_web_origins_urls",
+              status: CONSTANTS.SUCCESS,
+              url: "https://contoso.com",
+              app_type: "spa",
+            },
+          ],
+        },
+      ]);
+    });
+  });
+
+  it("should return both fail and success reports when client has both insecure and secure allowed logout URLs", function () {
+    const options = {
+      clients: [
+        {
+          name: "Test App",
+          client_id: "client_id",
+          web_origins: ["http://localhost:3000", "https://contoso.com"], // Mix of insecure and secure URLs
+          app_type: "spa",
+        },
+      ],
+    };
+
+    checkWebOrigins(options, (reports) => {
+      expect(reports).to.deep.equal([
+        {
+          name: "Test App",
+          report: [
+            {
+              name: "Test App",
+              client_id: "client_id",
+              field: "insecure_web_originst_urls",
+              url: "http://localhost:3000",
+              status: CONSTANTS.FAIL,
+              app_type: "spa",
+            },
+            {
+              name: "Test App",
+              client_id: "client_id",
+              field: "secure_web_originst_urls",
+              status: CONSTANTS.SUCCESS,
+              url: "https://contoso.com",
+              app_type: "spa",
+            },
+          ],
+        },
+      ]);
+    });
+  });
+});

package/tests/custom_domain/checkCustomDomain.test.js

@@ -0,0 +1,73 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const customDomainConfigured = require("../../analyzer/lib/custom_domain/checkCustomDomain"); // Adjust the path accordingly
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkCustomDomain", function () {
+  it("should return fail when customDomains is empty", function () {
+    const options = { customDomains: [] };
+
+    customDomainConfigured(options, (report) => {
+      expect(report.checkName).to.equal("checkCustomDomain");
+      expect(report.result).to.equal("fail");
+      expect(report.timestamp).to.be.ok;
+      expect(report.details).to.deep.equal([
+        {
+          field: "not_configured",
+          status: CONSTANTS.FAIL,
+        },
+      ]);
+    });
+  });
+
+  it("should return success when a domain is ready", function () {
+    const options = {
+      customDomains: [
+        {
+          domain: "apac-tam-team.oauth101.net",
+          primary: true,
+          status: "ready",
+          tls_policy: "recommended",
+          type: "auth0_managed_certs",
+          verification: {},
+        },
+      ],
+    };
+
+    customDomainConfigured(options, (report) => {
+      expect(report).to.deep.equal([
+        {
+          field: "ready",
+          status: CONSTANTS.SUCCESS,
+          value: "auth.contoso.com",
+        },
+      ]);
+    });
+  });
+
+  it("should return fail when a domain is pending verification", function () {
+    const options = {
+      customDomains: [
+        {
+          domain: "auth.contoso.com",
+          primary: true,
+          status: "pending_verification",
+          tls_policy: "recommended",
+          type: "auth0_managed_certs",
+          verification: {},
+        },
+      ],
+    };
+
+    customDomainConfigured(options, (report) => {
+      expect(report).to.deep.equal([
+        {
+          field: "pending_verification",
+          status: CONSTANTS.FAIL,
+          value: "auth.contoso.com",
+        },
+      ]);
+    });
+  });
+});

package/tests/databases/checkAuthenticationMethods.test.js

@@ -0,0 +1,124 @@
+const chai = require("chai");
+const expect = chai.expect;
+const checkAuthenticationMethods = require("../../analyzer/lib/databases/checkAuthenticationMethods");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkAuthenticationMethods", function () {
+  it("should return a failure report when no database connections are found", function () {
+    const options = { databases: [] }; // No databases provided
+    checkAuthenticationMethods(options, (report) => {
+      expect(report).to.be.an("array").that.has.lengthOf(1);
+      expect(report[0]).to.deep.equal({
+        field: "no_database_connections_found",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+
+  it("should return a failure report when authentication methods are missing", function () {
+    const options = {
+      databases: [
+        {
+          name: "Username-Password-Authentication",
+          options: {
+            authentication_methods: {},
+          },
+        },
+      ],
+    };
+    checkAuthenticationMethods(options, (report) => {
+      expect(report).to.be.an("array").that.has.lengthOf(1);
+      expect(report[0]).to.deep.equal({
+        name: "Username-Password-Authentication",
+        status: CONSTANTS.FAIL,
+        field: "only_password_method",
+      });
+    });
+  });
+
+  it("should return a failure report when password is enabled but passkey is missing", function () {
+    const options = {
+      databases: [
+        {
+          name: "Username-Password-Authentication",
+          options: {
+            authentication_methods: {
+              password: { enabled: true },
+              passkey: { enabled: false },
+            },
+          },
+        },
+      ],
+    };
+    checkAuthenticationMethods(options, (report) => {
+      expect(report).to.be.an("array").that.has.lengthOf(1);
+      expect(report[0]).to.deep.equal({
+        name: "Username-Password-Authentication",
+        status: CONSTANTS.FAIL,
+        field: "only_password_method",
+      });
+    });
+  });
+
+  it("should return a success report when passkey is enabled", function () {
+    const options = {
+      databases: [
+        {
+          name: "Username-Password-Authentication",
+          options: {
+            authentication_methods: {
+              password: { enabled: false },
+              passkey: { enabled: true },
+            },
+          },
+        },
+      ],
+    };
+    checkAuthenticationMethods(options, (report) => {
+      expect(report).to.be.an("array").that.has.lengthOf(1);
+      expect(report[0]).to.deep.equal({
+        name: "Username-Password-Authentication",
+        status: CONSTANTS.SUCCESS,
+        field: "passkey_enabled",
+      });
+    });
+  });
+
+  it("should handle multiple databases correctly", function () {
+    const options = {
+      databases: [
+        {
+          name: "Username-Password-Authentication",
+          options: {
+            authentication_methods: {
+              password: { enabled: true },
+              passkey: { enabled: false },
+            },
+          },
+        },
+        {
+          name: "Another-Authentication",
+          options: {
+            authentication_methods: {
+              password: { enabled: false },
+              passkey: { enabled: true },
+            },
+          },
+        },
+      ],
+    };
+    checkAuthenticationMethods(options, (report) => {
+      expect(report).to.be.an("array").that.has.lengthOf(2);
+      expect(report[0]).to.deep.equal({
+        name: "Username-Password-Authentication",
+        status: CONSTANTS.FAIL,
+        field: "only_password_method",
+      });
+      expect(report[1]).to.deep.equal({
+        name: "Another-Authentication",
+        status: CONSTANTS.SUCCESS,
+        field: "passkey_enabled",
+      });
+    });
+  });
+});

package/tests/databases/checkDASHardCodedValues.test.js

@@ -0,0 +1,77 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkDASHardCodedValues = require("../../analyzer/lib/databases/checkDASHardCodedValues");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkDASHardCodedValues", function() {
+
+    it("should detect hardcoded values in login script", async function() {
+        const mockData = {
+            databases: [
+                {
+                    name: "Username-Password-Authentication",
+                    options: {
+                        enabledDatabaseCustomization: true,
+                        customScripts: {
+                            login: `
+                function login(identifierValue, password, callback) {
+                  const mysql = require('mysql');
+                  const connection = mysql.createConnection({
+                    host: 'localhost',
+                    user: 'admin',
+                    password: 'secret',
+                    database: 'users_db'
+                  });
+                  connection.connect();
+                  const query = 'SELECT * FROM users WHERE email = ?';
+                  connection.query(query, [ identifierValue ], callback);
+                }
+              `,
+                        },
+                    },
+                },
+            ],
+        };
+
+        const result = await checkDASHardCodedValues(mockData);
+        expect(result.details).to.have.lengthOf(1);
+        const report = result.details[0];
+        expect(report.report).to.have.lengthOf(5);
+        expect(report.report[0].scriptName).to.equal("login");
+        expect(report.report[0].type).to.equal("string");
+        expect(report.report[0].field).to.equal("hard_coded_value_detected");
+        expect(report.report[0].status).to.equal(CONSTANTS.FAIL);
+
+        const findings = report.report.map((r) => r.variableName);
+        expect(findings).to.include.members(["host", "user", "password", "database", "query"]);
+    });
+
+    it("should return no findings if customization is disabled", async function() {
+        const mockData = {
+            databases: [
+                {
+                    name: "NoCustomization",
+                    options: {
+                        enabledDatabaseCustomization: false,
+                        customScripts: {
+                            login: "function login() { return; }",
+                        },
+                    },
+                },
+            ],
+        };
+
+        const result = await checkDASHardCodedValues(mockData);
+        expect(result.details).to.be.an("array").that.is.empty;
+    });
+
+    it("should return failure if no databases are present", async function() {
+        const report = await checkDASHardCodedValues({ databases: [] });
+        expect(report.details).to.be.an("array").that.has.lengthOf(1);
+        expect(report.details[0]).to.deep.equal({
+            field: "no_database_connections_found",
+            status: CONSTANTS.FAIL,
+        });
+    });
+});

package/tests/databases/checkEmailAttributeVerification.test.js

@@ -0,0 +1,79 @@
+const chai = require("chai");
+const expect = chai.expect;
+const checkEmailAttributeVerification = require("../../analyzer/lib/databases/checkEmailAttributeVerification");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkEmailAttributeVerification", function () {
+    it("should return a failure report when no database connections are found", function () {
+        const options = { databases: [] }; // No databases provided
+        checkEmailAttributeVerification(options, (report) => {
+            expect(report).to.be.an("array").that.has.lengthOf(1);
+            expect(report[0]).to.deep.equal({
+                field: "no_database_connections_found",
+                status: CONSTANTS.FAIL,
+            });
+        });
+    });
+
+    it("should return a failure report when attributes are missing", function () {
+        const options = {
+            databases: [
+                {
+                    name: "Username-Password-Authentication",
+                    options: {
+                        authentication_methods: {},
+                    },
+                },
+            ],
+        };
+        checkEmailAttributeVerification(options, (report) => {
+            expect(report).to.be.an("array").that.has.lengthOf(1);
+            expect(report[0]).to.deep.equal({
+                name: "Username-Password-Authentication",
+                status: CONSTANTS.FAIL,
+                field: "flexible_identifiers_disabled",
+            });
+        });
+    });
+
+    it("should return a failure report when verification_method is not otp", function () {
+        const options = {
+            databases: [
+                {
+                    name: "Username-Password-Authentication",
+                    options: {
+                        attributes: {
+                            email: { verification_method: "link" },
+                        },
+                    },
+                },
+            ],
+        };
+        checkEmailAttributeVerification(options, (report) => {
+            expect(report).to.be.an("array").that.has.lengthOf(1);
+            expect(report[0]).to.deep.equal({
+                name: "Username-Password-Authentication",
+                status: CONSTANTS.FAIL,
+                field: "verification_by_link_method",
+            });
+        });
+    });
+
+    it("should return a success report when verification_method is otp", function () {
+        const options = {
+            databases: [
+                {
+                    name: "Username-Password-Authentication",
+                    options: {
+                        attributes: {
+                            email: { verification_method: "otp" },
+                        },
+                    },
+                },
+            ],
+        };
+        checkEmailAttributeVerification(options, (report) => {
+            expect(report).to.be.an("array").that.has.lengthOf(0);
+        });
+    });
+});

package/tests/databases/checkEnabledDatabaseCustomization.test.js

@@ -0,0 +1,68 @@
+const chai = require("chai");
+const expect = chai.expect;
+const checkEnabledDatabaseCustomization = require("../../analyzer/lib/databases/checkEnabledDatabaseCustomization");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkEnabledDatabaseCustomization", function () {
+  it("should return a failure report when no database connections are found", function () {
+    const options = { databases: [] }; // No databases provided
+    checkEnabledDatabaseCustomization(options, (report) => {
+      expect(report).to.be.an("array").that.has.lengthOf(1);
+      expect(report[0]).to.deep.equal({
+        field: "no_database_connections_found",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+
+  it("should return a failure report when import_mode is false and enabledDatabaseCustomization is true", function () {
+    const options = {
+      databases: [
+        {
+          name: "Username-Password-Authentication",
+          options: {
+            import_mode: false,
+            enabledDatabaseCustomization: true
+          },
+        },
+      ],
+    };
+    checkEnabledDatabaseCustomization(options, (report) => {
+      expect(report).to.be.an("array").that.has.lengthOf(1);
+      expect(report[0]).to.deep.equal({
+        name: "Username-Password-Authentication",
+        status: CONSTANTS.FAIL,
+        field: "external_user_store",
+      });
+    });
+  });
+
+  it("should handle multiple databases correctly", function () {
+    const options = {
+      databases: [
+        {
+          name: "Username-Password-Authentication",
+          options: {
+            import_mode: false,
+            enabledDatabaseCustomization: true
+          },
+        },
+        {
+          name: "Another-Authentication",
+          options: {
+            import_mode: false,
+            enabledDatabaseCustomization: false
+          },
+        },
+      ],
+    };
+    checkEnabledDatabaseCustomization(options, (report) => {
+      expect(report).to.be.an("array").that.has.lengthOf(1);
+      expect(report[0]).to.deep.equal({
+        name: "Username-Password-Authentication",
+        status: CONSTANTS.FAIL,
+        field: "external_user_store",
+      });
+    });
+  });
+});