@auth0/auth0-checkmate 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (114) hide show
  1. package/.github/CODEOWNERS +1 -0
  2. package/.github/workflows/npm-release.yml +77 -0
  3. package/.github/workflows/sca_scan.yml +10 -0
  4. package/.github/workflows/test.yml +48 -0
  5. package/AUTHORS +5 -0
  6. package/LICENSE +203 -0
  7. package/README.md +166 -0
  8. package/THIRD-PARTY-NOTICES +226 -0
  9. package/analyzer/lib/actions/checkActionsHardCodedValues.js +151 -0
  10. package/analyzer/lib/actions/checkActionsRuntime.js +105 -0
  11. package/analyzer/lib/actions/checkDependencies.js +111 -0
  12. package/analyzer/lib/attack_protection/checkBotDetectionSetting.js +76 -0
  13. package/analyzer/lib/attack_protection/checkBreachedPassword.js +140 -0
  14. package/analyzer/lib/attack_protection/checkBruteForce.js +89 -0
  15. package/analyzer/lib/attack_protection/checkSuspiciousIPThrottling.js +89 -0
  16. package/analyzer/lib/canonical_domain/checkCanonicalDomain.js +63 -0
  17. package/analyzer/lib/clients/checkAllowedCallbacks.js +122 -0
  18. package/analyzer/lib/clients/checkAllowedLogoutUrl.js +124 -0
  19. package/analyzer/lib/clients/checkApplicationLoginUri.js +125 -0
  20. package/analyzer/lib/clients/checkCrossOriginAuthentication.js +91 -0
  21. package/analyzer/lib/clients/checkGrantTypes.js +138 -0
  22. package/analyzer/lib/clients/checkJWTSignAlg.js +118 -0
  23. package/analyzer/lib/clients/checkRefreshToken.js +108 -0
  24. package/analyzer/lib/clients/checkWebOrigins.js +55 -0
  25. package/analyzer/lib/constants.js +63 -0
  26. package/analyzer/lib/custom_domain/checkCustomDomain.js +53 -0
  27. package/analyzer/lib/databases/checkAuthenticationMethods.js +98 -0
  28. package/analyzer/lib/databases/checkDASHardCodedValues.js +163 -0
  29. package/analyzer/lib/databases/checkEmailAttributeVerification.js +114 -0
  30. package/analyzer/lib/databases/checkEnabledDatabaseCustomization.js +83 -0
  31. package/analyzer/lib/databases/checkPasswordComplexity.js +100 -0
  32. package/analyzer/lib/databases/checkPasswordHistory.js +92 -0
  33. package/analyzer/lib/databases/checkPasswordNoPersonalInfo.js +91 -0
  34. package/analyzer/lib/databases/checkPasswordPolicy.js +95 -0
  35. package/analyzer/lib/databases/checkPromotedDBConnection.js +96 -0
  36. package/analyzer/lib/email_provider/checkEmailProvider.js +37 -0
  37. package/analyzer/lib/email_templates/checkEmailTemplates.js +71 -0
  38. package/analyzer/lib/error_page_template/checkErrorPageTemplate.js +153 -0
  39. package/analyzer/lib/event_streams/checkEventStreams.js +71 -0
  40. package/analyzer/lib/executeCheck.js +12 -0
  41. package/analyzer/lib/hooks/checkHooks.js +43 -0
  42. package/analyzer/lib/listOfAnalyser.js +24 -0
  43. package/analyzer/lib/log_streams/checkLogStream.js +60 -0
  44. package/analyzer/lib/logger.js +16 -0
  45. package/analyzer/lib/multifactor/checkGuardianFactors.js +72 -0
  46. package/analyzer/lib/multifactor/checkGuardianPolicy.js +40 -0
  47. package/analyzer/lib/network_acl/checkNetworkACL.js +35 -0
  48. package/analyzer/lib/rules/checkRules.js +102 -0
  49. package/analyzer/lib/tenant_settings/checkDefaultAudience.js +53 -0
  50. package/analyzer/lib/tenant_settings/checkDefaultDirectory.js +48 -0
  51. package/analyzer/lib/tenant_settings/checkEnabledDynamicClientRegistration.js +60 -0
  52. package/analyzer/lib/tenant_settings/checkSandboxVersion.js +37 -0
  53. package/analyzer/lib/tenant_settings/checkSessionLifetime.js +95 -0
  54. package/analyzer/lib/tenant_settings/checkSupportEmail.js +61 -0
  55. package/analyzer/lib/tenant_settings/checkSupportUrl.js +61 -0
  56. package/analyzer/lib/tenant_settings/checkTenantLoginUrl.js +71 -0
  57. package/analyzer/lib/tenant_settings/checkTenantLogoutUrl.js +60 -0
  58. package/analyzer/report.js +404 -0
  59. package/analyzer/tools/auth0.js +443 -0
  60. package/analyzer/tools/helpers.js +71 -0
  61. package/analyzer/tools/summary.js +84 -0
  62. package/analyzer/tools/utils.js +72 -0
  63. package/bin/index.js +393 -0
  64. package/eslint.config.mjs +16 -0
  65. package/images/auth0.png +0 -0
  66. package/images/okta.png +0 -0
  67. package/locales/en.json +1417 -0
  68. package/package.json +66 -0
  69. package/tests/actions/checkActionsHardCodedValues.test.js +106 -0
  70. package/tests/actions/checkActionsRuntime.test.js +102 -0
  71. package/tests/actions/checkDependencies.test.js +131 -0
  72. package/tests/attack_protection/checkBreachedPassword.test.js +253 -0
  73. package/tests/attack_protection/checkBruteForce.test.js +181 -0
  74. package/tests/attack_protection/checkSuspiciousIPThrottling.test.js +222 -0
  75. package/tests/canonical_domain/checkCanonicalDomain.test.js +94 -0
  76. package/tests/clients/checkAllowedCallbacks.test.js +149 -0
  77. package/tests/clients/checkAllowedLogoutUrl.test.js +149 -0
  78. package/tests/clients/checkApplicationLoginUri.test.js +180 -0
  79. package/tests/clients/checkCrossOriginAuthentication.test.js +99 -0
  80. package/tests/clients/checkGrantTypes.test.js +154 -0
  81. package/tests/clients/checkJWTSignAlg.test.js +121 -0
  82. package/tests/clients/checkRefreshToken.test.js +63 -0
  83. package/tests/clients/checkWebOrigins.test.js +140 -0
  84. package/tests/custom_domain/checkCustomDomain.test.js +73 -0
  85. package/tests/databases/checkAuthenticationMethods.test.js +124 -0
  86. package/tests/databases/checkDASHardCodedValues.test.js +77 -0
  87. package/tests/databases/checkEmailAttributeVerification.test.js +79 -0
  88. package/tests/databases/checkEnabledDatabaseCustomization.test.js +68 -0
  89. package/tests/databases/checkPasswordComplexity.test.js +127 -0
  90. package/tests/databases/checkPasswordHistory.test.js +100 -0
  91. package/tests/databases/checkPasswordNoPersonalInfo.test.js +94 -0
  92. package/tests/databases/checkPasswordPolicy.test.js +161 -0
  93. package/tests/databases/checkPromotedDBConnection.test.js +62 -0
  94. package/tests/email_provider/checkEmailProvider.test.js +58 -0
  95. package/tests/email_templates/checkEmailTemplates.test.js +120 -0
  96. package/tests/error_page_template/checkErrorPageTemplate.test.js +315 -0
  97. package/tests/event_streams/checkEventStreams.test.js +118 -0
  98. package/tests/hooks/checkHooks.test.js +112 -0
  99. package/tests/log_streams/checkLogStream.test.js +140 -0
  100. package/tests/multifactor/checkGuardianFactors.test.js +94 -0
  101. package/tests/multifactor/checkGuardianPolicy.test.js +49 -0
  102. package/tests/rules/checkRules.test.js +102 -0
  103. package/tests/tenant_settings/checkDefaultAudience.test.js +62 -0
  104. package/tests/tenant_settings/checkDefaultDirectory.test.js +62 -0
  105. package/tests/tenant_settings/checkEnabledDynamicClientRegistration.test.js +97 -0
  106. package/tests/tenant_settings/checkSandboxVersion.test.js +50 -0
  107. package/tests/tenant_settings/checkSessionLifetime.test.js +108 -0
  108. package/tests/tenant_settings/checkSupportEmail.test.js +77 -0
  109. package/tests/tenant_settings/checkSupportUrl.test.js +77 -0
  110. package/tests/tenant_settings/checkTenantLoginUri.test.js +82 -0
  111. package/tests/tenant_settings/checkTenantLogoutUrl.test.js +108 -0
  112. package/tests/tools/auth0.test.js +833 -0
  113. package/tests/tools/helpers.test.js +692 -0
  114. package/views/pdf_cli_report.handlebars +571 -0
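--- a/package/tests/tenant_settings/checkSessionLifetime.test.js
+++ b/package/tests/tenant_settings/checkSessionLifetime.test.js
@@ -0,0 +1,108 @@
+const { expect } = require("chai");
+const checkSessionLifetime = require("../../analyzer/lib/tenant_settings/checkSessionLifetime");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkSessionLifetime", function() {
+
+it("should report all fields with proper values", function() {
+const options = {
+tenant: {
+idle_session_lifetime: 72,
+session_lifetime: 168,
+session_cookie: {
+mode: "persistent",
+},
+},
+};
+
+checkSessionLifetime(options, (report) => {
+expect(report).to.deep.include.members([
+{
+field: "idle_session_lifetime",
+value: "72h",
+status: CONSTANTS.FAIL,
+},
+{
+field: "session_lifetime",
+value: "168h",
+status: CONSTANTS.FAIL,
+},
+{
+field: "session_cookie_mode",
+value: "persistent",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return fail if tenant is missing", function() {
+checkSessionLifetime({}, (report) => {
+expect(report).to.deep.equal([
+{
+field: "tenant_setting_missing",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should report default values if idle_session_lifetime and session_lifetime are missing", function() {
+const options = {
+tenant: {
+session_cookie: {
+mode: "persistent",
+},
+},
+};
+
+checkSessionLifetime(options, (report) => {
+expect(report).to.deep.include.members([
+{
+field: "idle_session_lifetime",
+value: CONSTANTS.DEFAULT_IDLE_SESSION_LIFETIME,
+status: CONSTANTS.FAIL,
+},
+{
+field: "session_lifetime",
+value: CONSTANTS.DEFAULT_SESSION_LIFETIME,
+status: CONSTANTS.FAIL,
+},
+{
+field: "session_cookie_mode",
+value: "persistent",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should report default session_cookie_mode if session_cookie is missing", function() {
+const options = {
+tenant: {
+idle_session_lifetime: 24,
+session_lifetime: 48,
+},
+};
+
+checkSessionLifetime(options, (report) => {
+expect(report).to.deep.include.members([
+{
+field: "session_cookie_mode",
+value: CONSTANTS.DEFAULT_SESSION_COOKIE_MODE,
+status: CONSTANTS.FAIL,
+},
+{
+field: "idle_session_lifetime",
+value: "24h",
+status: CONSTANTS.FAIL,
+},
+{
+field: "session_lifetime",
+value: "48h",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+});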
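Review bot: Every `it` in this spec asserts inside the callback handed to checkSessionLifetime without taking mocha's `done` argument, so if that callback is ever invoked asynchronously (or not at all) the test body returns before `expect` runs and the case passes vacuously, and a failing assertion surfaces as an uncaught exception instead of a test failure; whether the check calls back synchronously cannot be seen from this file. Declaring the parameter and calling it after the assertions pins the contract either way: `it("should report all fields with proper values", function(done) {` … `expect(report).to.deep.include.members([...]); done();`. The same pattern is in the four following spec files (checkSupportEmail, checkSupportUrl, checkTenantLoginUri, checkTenantLogoutUrl). Note also that `deep.include.members` tolerates extra entries in `report`, so an unexpected additional finding would not be caught here, unlike the `deep.equal` used in the missing-tenant case.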
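--- a/package/tests/tenant_settings/checkSupportEmail.test.js
+++ b/package/tests/tenant_settings/checkSupportEmail.test.js
@@ -0,0 +1,77 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkSupportEmail = require("../../analyzer/lib/tenant_settings/checkSupportEmail");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkSupportEmail", function () {
+it("should return a fail report when tenant is missing or empty", function () {
+const options = {
+tenant: {}, // Empty tenant object
+};
+
+checkSupportEmail(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "tenant_setting_missing",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a success report when support_email is provided", function () {
+const options = {
+tenant: {
+support_email: "support@contoso.com", // support_email is provided
+},
+};
+
+checkSupportEmail(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "support_email",
+attr: "support_email",
+value: "support@contoso.com",
+status: CONSTANTS.SUCCESS,
+},
+]);
+});
+});
+
+it("should return a fail report when support_email is not provided (empty string)", function () {
+const options = {
+tenant: {
+support_email: "", // support_email is an empty string
+},
+};
+
+checkSupportEmail(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "no_support_email",
+attr: "support_email",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a fail report when support_email is not provided (null)", function () {
+const options = {
+tenant: {
+support_email: null, // support_email is null
+},
+};
+
+checkSupportEmail(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "no_support_email",
+attr: "support_email",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+});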
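Review bot: The first case is titled "when tenant is missing or empty" but only exercises `tenant: {}`; the missing-tenant path (`options` without a `tenant` key) never runs, so the guard for an absent tenant is untested here even though the checkSessionLifetime spec covers that exact input. Either add a second call `checkSupportEmail({}, (report) => { expect(report).to.deep.equal([{ field: "tenant_setting_missing", status: CONSTANTS.FAIL }]); });` or narrow the title to "when tenant is empty". The first case of checkSupportUrl.test.js has the same title/coverage mismatch.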
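--- a/package/tests/tenant_settings/checkSupportUrl.test.js
+++ b/package/tests/tenant_settings/checkSupportUrl.test.js
@@ -0,0 +1,77 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkSupportUrl = require("../../analyzer/lib/tenant_settings/checkSupportUrl");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkSupportUrl", function () {
+it("should return a fail report when tenant is missing or empty", function () {
+const options = {
+tenant: {}, // Empty tenant object
+};
+
+checkSupportUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "tenant_setting_missing",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a success report when support_url is provided", function () {
+const options = {
+tenant: {
+support_url: "https://support.contoso.com", // support_url is provided
+},
+};
+
+checkSupportUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "support_url",
+attr: "support_url",
+value: "https://support.contoso.com",
+status: CONSTANTS.SUCCESS,
+},
+]);
+});
+});
+
+it("should return a fail report when support_url is not provided (empty string)", function () {
+const options = {
+tenant: {
+support_url: "", // support_url is an empty string
+},
+};
+
+checkSupportUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "no_support_url",
+attr: "support_url",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a fail report when support_url is not provided (null)", function () {
+const options = {
+tenant: {
+support_url: null, // support_url is null
+},
+};
+
+checkSupportUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "no_support_url",
+attr: "support_url",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+});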
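Review bot: The only positive case is an `https://` value, and no test states what checkSupportUrl reports for a plain-`http://` or non-URL string, so whether the check validates anything beyond non-emptiness is left undocumented; the sibling checkTenantLoginUrl spec pins `http://example.com` as a FAIL, which makes the omission here conspicuous. Adding a case with `support_url: "http://support.contoso.com"` and asserting whichever report the implementation actually produces would record that contract; I cannot tell from this file what the expected outcome is, so fill it in from the implementation rather than guessing.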
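--- a/package/tests/tenant_settings/checkTenantLoginUri.test.js
+++ b/package/tests/tenant_settings/checkTenantLoginUri.test.js
@@ -0,0 +1,82 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkTenantLoginUrl = require("../../analyzer/lib/tenant_settings/checkTenantLoginUrl");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkTenantLoginUrl", function () {
+it("should return a fail report when default_redirection_uri is empty", function () {
+const options = {
+tenant: {
+default_redirection_uri: "", // Empty redirection URI
+},
+};
+
+checkTenantLoginUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "no_default_redirection_uri",
+attr: "default_redirection_uri",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a fail report when default_redirection_uri contains an insecure URL (localhost)", function () {
+const options = {
+tenant: {
+default_redirection_uri: "http://localhost", // Insecure URL
+},
+};
+
+checkTenantLoginUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "invalid_default_redirection_uri",
+attr: "default_redirection_uri",
+value: "http://localhost",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a fail report when default_redirection_uri contains an insecure URL (http://)", function () {
+const options = {
+tenant: {
+default_redirection_uri: "http://example.com", // Insecure URL
+},
+};
+
+checkTenantLoginUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "invalid_default_redirection_uri",
+attr: "default_redirection_uri",
+value: "http://example.com",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a success report when default_redirection_uri contains a secure URL", function () {
+const options = {
+tenant: {
+default_redirection_uri: "https://contoso.com/login", // Secure URL
+},
+};
+
+checkTenantLoginUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "default_redirection_uri",
+attr: "default_redirection_uri",
+value: "https://contoso.com/login",
+status: CONSTANTS.SUCCESS,
+},
+]);
+});
+});
+});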
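Review bot: The "localhost" case uses `http://localhost`, which the following `http://` case already fails on scheme alone, so these two tests do not distinguish a host-based rule from a scheme-based one; a case with `default_redirection_uri: "https://localhost"` asserting the expected report would pin whether localhost is rejected independently of the scheme. Unlike the other tenant_settings specs, there is also no case for an absent `default_redirection_uri` (`tenant: {}`) or a missing `tenant` key, so the `tenant_setting_missing` path is not covered here. Separately, the diffstat lists this file as checkTenantLoginUri.test.js while the module and `describe` are named checkTenantLoginUrl; aligning the file name would keep test discovery and grep consistent, assuming the listed path is what ships.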
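--- a/package/tests/tenant_settings/checkTenantLogoutUrl.test.js
+++ b/package/tests/tenant_settings/checkTenantLogoutUrl.test.js
@@ -0,0 +1,108 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkTenantLogoutUrl = require("../../analyzer/lib/tenant_settings/checkTenantLogoutUrl");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkTenantLogoutUrl", function () {
+it("should return a fail report when allowed_logout_urls is empty", function () {
+const options = {
+tenant: {
+allowed_logout_urls: [], // Empty logout URLs
+},
+};
+
+checkTenantLogoutUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "missing_allowed_logout_urls",
+attr: "allowed_logout_urls",
+value: "[]",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a fail report when allowed_logout_urls contains an insecure URL (localhost)", function () {
+const options = {
+tenant: {
+allowed_logout_urls: ["http://localhost"], // Insecure URL
+},
+};
+
+checkTenantLogoutUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "invalid_allowed_logout_urls",
+attr: "allowed_logout_urls",
+value: "http://localhost",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a fail report when allowed_logout_urls contains an insecure URL (http://)", function () {
+const options = {
+tenant: {
+allowed_logout_urls: ["http://example.com"], // Insecure URL
+},
+};
+
+checkTenantLogoutUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "invalid_allowed_logout_urls",
+attr: "allowed_logout_urls",
+value: "http://example.com",
+status: CONSTANTS.FAIL,
+},
+]);
+});
+});
+
+it("should return a success report when allowed_logout_urls contains a secure URL", function () {
+const options = {
+tenant: {
+allowed_logout_urls: ["https://contoso.com"], // Secure URL
+},
+};
+
+checkTenantLogoutUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "allowed_logout_urls",
+attr: "allowed_logout_urls",
+value: "https://contoso.com",
+status: CONSTANTS.SUCCESS,
+},
+]);
+});
+});
+
+it("should return both fail and success reports when allowed_logout_urls contains both secure and insecure URLs", function () {
+const options = {
+tenant: {
+allowed_logout_urls: ["http://localhost", "https://contoso.com"], // Mix of insecure and secure URLs
+},
+};
+
+checkTenantLogoutUrl(options, (report) => {
+expect(report).to.deep.equal([
+{
+field: "invalid_allowed_logout_urls",
+attr: "allowed_logout_urls",
+value: "http://localhost",
+status: CONSTANTS.FAIL,
+},
+{
+field: "allowed_logout_urls",
+attr: "allowed_logout_urls",
+value: "https://contoso.com",
+status: CONSTANTS.SUCCESS,
+},
+]);
+});
+});
+});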
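Review bot: No case covers an absent `allowed_logout_urls` (`tenant: {}`) or a non-array value, even though the empty-array case reports a stringified `value: "[]"`, which suggests the check serialises whatever it receives; whether `undefined` yields the same `missing_allowed_logout_urls` report, a different one, or a thrown error is not pinned anywhere in this spec. Add `it("should return a fail report when allowed_logout_urls is missing", function () { checkTenantLogoutUrl({ tenant: {} }, (report) => { expect(report).to.deep.equal([/* expected report, taken from the implementation */]); }); });` with the expected entry filled in from the implementation rather than assumed. The mixed-list case is the one assertion that fixes report ordering (FAIL before SUCCESS); a short comment there saying that order follows input order would tell a future reader whether a reorder is a regression.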