@auth0/auth0-checkmate 1.4.0

package/analyzer/lib/attack_protection/checkBreachedPassword.js

@@ -0,0 +1,140 @@
+/*
+{
+  attackProtection: {
+    breachedPasswordDetection: {
+  "enabled": true,
+  "shields": [
+    "user_notification",
+    "admin_notification",
+    "block"
+  ],
+  "admin_notification_frequency": [
+    "daily",
+    "monthly",
+    "weekly",
+    "immediately"
+  ],
+  "method": "standard|enhanced",
+  "stage": {
+    "pre-user-registration": {
+      "shields": [
+        "block",
+        "admin_notification"
+      ]
+    },
+    "pre-change-password": {
+      "shields": [
+        "block"
+      ]
+    }
+  }
+}
+  }
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+// Expected values
+const validShields = ["user_notification", "admin_notification", "block"];
+const validFrequencies = ["daily", "monthly", "weekly", "immediately"];
+const validMethods = ["standard", "enhanced"];
+
+// Function to validate configuration
+function validateBreachedPasswordConfig(config) {
+  const report = [];
+  if (_.isEmpty(config)) {
+    return report;
+  }
+  // Validate "enabled"
+  if (config.enabled) {
+    report.push({ field: "enabled", status: CONSTANTS.SUCCESS });
+  } else {
+    report.push({ field: "disabled", status: CONSTANTS.FAIL });
+  }
+
+  // Validate "shields"
+  if (config.shields && config.shields.length > 0) {
+    if (config.shields.some((shield) => !validShields.includes(shield))) {
+      report.push({ field: "shields_invalid_values", status: CONSTANTS.FAIL });
+    } else {
+      report.push({
+        field: "shields_values",
+        value: config.shields.length > 0 ? config.shields.join(", ") : "empty",
+        status: CONSTANTS.SUCCESS,
+      });
+    }
+  }
+  if (!config.shields.includes("block")) {
+    report.push({
+      field: "stage_login_shields_block_not_configured",
+      status: CONSTANTS.FAIL,
+    });
+  }
+
+  if (config.stage["pre-user-registration"] && !config.stage["pre-user-registration"].shields.includes("block")) {
+    report.push({
+      field: "stage_pre_user_shields_block_not_configured",
+      status: CONSTANTS.FAIL,
+    });
+  }
+
+  if (
+    config.stage["pre-change-password"] &&
+    !config.stage["pre-change-password"].shields.includes("block")
+  ) {
+    report.push({
+      field: "stage_pre_change_password_shields_block_not_configured",
+      status: CONSTANTS.FAIL,
+    });
+  }
+  // Validate "admin_notification_frequency"
+  if (
+    config.admin_notification_frequency &&
+    config.admin_notification_frequency.length > 0
+  ) {
+    if (
+      config.admin_notification_frequency.some(
+        (freq) => !validFrequencies.includes(freq),
+      )
+    ) {
+      report.push({
+        field: "admin_frequency_invalid_values",
+        value: config.admin_notification_frequency.join(", "),
+        status: CONSTANTS.FAIL,
+      });
+    } else {
+      report.push({
+        field: "admin_frequency_values",
+        value: config.admin_notification_frequency.join(", "),
+        status: CONSTANTS.SUCCESS,
+      });
+    }
+  }
+
+  // Validate "method"
+  if (!validMethods.includes(config.method)) {
+    report.push({ field: "method_invalid_value", status: CONSTANTS.FAIL });
+  } else {
+    report.push({
+      field: "method_value",
+      value: config.method,
+      status: CONSTANTS.SUCCESS,
+    });
+  }
+
+  if (config.enabled && config.shields.length === 0) {
+    report.push({ field: "monitoring_mode", status: CONSTANTS.FAIL });
+  }
+  return report;
+}
+
+function checkBreachedPassword(options) {
+  const { breachedPasswordDetection } = options.attackProtection || {};
+  return executeCheck("checkBreachedPassword", (callback) => {
+    return callback(validateBreachedPasswordConfig(breachedPasswordDetection));
+  });
+}
+
+module.exports = checkBreachedPassword;

package/analyzer/lib/attack_protection/checkBruteForce.js

@@ -0,0 +1,89 @@
+/*
+{
+  attackProtection: {
+    bruteForceProtection: {
+      "enabled": true,
+      "shields": [
+        "block",
+        "user_notification"
+      ],
+      "mode": "count_per_identifier_and_ip",
+      "allowlist": [],
+      "max_attempts": 3
+  }
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+// Validation Rules
+function validateBruteForceSettings(config) {
+  const report = [];
+  if (_.isEmpty(config)) {
+    return report;
+  }
+  // Check if brute force protection is enabled
+  if (config.enabled) {
+    report.push({
+      field: "enabled",
+      status: CONSTANTS.SUCCESS,
+    });
+  } else {
+    report.push({
+      field: "disabled",
+      status: CONSTANTS.FAIL,
+    });
+  }
+
+  // Validate shields
+  const requiredShields = ["block", "user_notification"];
+  const requiredModes = ["count_per_identifier"];
+  const missingShields = requiredShields.filter(
+    (shield) => !config.shields.includes(shield),
+  );
+  if (missingShields.length === 0) {
+    report.push({
+      field: "shieldsConfigured",
+      status: CONSTANTS.SUCCESS,
+    });
+  } else {
+    report.push({
+      field: "shieldsMissing",
+      status: CONSTANTS.FAIL,
+      value: missingShields.join(", "),
+    });
+  }
+
+  // Check allowlist
+  if (config.allowlist.length > 0) {
+    report.push({
+      field: "allowlistPresent",
+      status: CONSTANTS.FAIL,
+      value: config.allowlist.join(", "),
+    });
+  } else {
+    report.push({
+      field: "allowlistEmpty",
+      status: CONSTANTS.SUCCESS,
+    });
+  }
+  // validate account lock out mode settings 
+  if (config?.mode && !requiredModes.includes(config?.mode)) {
+    report.push({
+      field: "enableAccountLockout",
+      status: CONSTANTS.FAIL,
+      value: config?.mode
+    });
+  }
+  // Return the validation report
+  return report;
+}
+function checkBruteForce(options) {
+  const { bruteForceProtection } = options.attackProtection || {};
+  return executeCheck("checkBruteForce", (callback) => {
+    return callback(validateBruteForceSettings(bruteForceProtection));
+  });
+}
+
+module.exports = checkBruteForce;

package/analyzer/lib/attack_protection/checkSuspiciousIPThrottling.js

@@ -0,0 +1,89 @@
+/*
+{
+  attackProtection: {
+    suspiciousIpThrottling: {
+      "enabled": true,
+      "shields": [
+        "admin_notification",
+        "block"
+      ],
+      "allowlist": [],
+      "stage": {
+        "pre-login": {
+          "max_attempts": 100,
+          "rate": 864000
+        },
+        "pre-user-registration": {
+          "max_attempts": 50,
+          "rate": 1200
+        }
+      }
+  }
+}
+  */
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+// Validation Rules
+function validateSettings(config) {
+  const report = [];
+  if (_.isEmpty(config)) {
+    return report;
+  }
+  // Check if brute force protection is enabled
+  if (config.enabled) {
+    report.push({
+      field: "enabled",
+      status: CONSTANTS.SUCCESS,
+    });
+  } else {
+    report.push({
+      field: "disabled",
+      status: CONSTANTS.FAIL,
+    });
+  }
+
+  // Validate shields
+  const requiredShields = ["block", "admin_notification"];
+  const missingShields = requiredShields.filter(
+    (shield) => !config.shields.includes(shield),
+  );
+  if (missingShields.length === 0) {
+    report.push({
+      field: "shieldsConfigured",
+      status: CONSTANTS.SUCCESS,
+    });
+  } else {
+    report.push({
+      field: "shieldsMissing",
+      status: CONSTANTS.FAIL,
+      value: missingShields.join(", "),
+    });
+  }
+
+  // Check allowlist
+  if (config.allowlist.length > 0) {
+    report.push({
+      field: "allowlistPresent",
+      status: CONSTANTS.FAIL,
+      value: config.allowlist.join(", "),
+    });
+  } else {
+    report.push({
+      field: "allowlistEmpty",
+      status: CONSTANTS.SUCCESS,
+    });
+  }
+
+  // Return the validation report
+  return report;
+}
+function checkSuspiciousIPThrottling(options) {
+  const { suspiciousIpThrottling } = options.attackProtection || {};
+  return executeCheck("checkSuspiciousIPThrottling", (callback) => {
+    return callback(validateSettings(suspiciousIpThrottling));
+  });
+}
+
+module.exports = checkSuspiciousIPThrottling;

package/analyzer/lib/canonical_domain/checkCanonicalDomain.js

@@ -0,0 +1,63 @@
+/*
+{
+  customDomains: [
+    {
+      domain: 'constoso.com',
+      primary: true,
+      status: 'ready',
+      tls_policy: 'recommended',
+      type: 'auth0_managed_certs',
+      verification: [Object]
+    }
+  ],
+  logs: [
+    {
+        type: 's',
+        hostname: 'contoso.us.auth0.com',
+        _id: '90020250210004837491441000000000000001223372036874609060'
+    }
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+function checkCanonicalDomain(options) {
+  const { customDomains, logs, log_query } = options || {
+    customDomains: [],
+    logs: [],
+  };
+  return executeCheck("checkCanonicalDomain", (callback) => {
+    const report = [];
+    if (_.isEmpty(logs)) {
+      report.push({
+        field: "canonical_domain_no_logs",
+        value: `<br> ${log_query}`,
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    if (_.isEmpty(customDomains) && !_.isEmpty(logs)) {
+      report.push({
+        field: "canonical_domain_used",
+        value: `<br> ${log_query} <br> log_id: ${logs[0]._id}`,
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    // Finding a match
+    const matchedLog = _.find(logs, (log) => {
+      return _.some(customDomains, (domain) => log.hostname === domain.domain);
+    });
+    if (_.isEmpty(matchedLog)) {
+      report.push({
+        field: "canonical_domain_used",
+        value: `<br> ${log_query} <br> log_id: ${logs[0]._id}`,
+        status: CONSTANTS.FAIL,
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkCanonicalDomain;

package/analyzer/lib/clients/checkAllowedCallbacks.js

@@ -0,0 +1,122 @@
+/*
+{
+  clients: [
+  {
+    "tenant": "contos0",
+    "global": false,
+    "is_token_endpoint_ip_header_trusted": false,
+    "name": "Default App",
+    "is_first_party": true,
+    "oidc_conformant": true,
+    "sso_disabled": false,
+    "cross_origin_auth": false,
+    "refresh_token": {
+      "expiration_type": "expiring",
+      "leeway": 0,
+      "token_lifetime": 2592000,
+      "idle_token_lifetime": 1296000,
+      "infinite_token_lifetime": false,
+      "infinite_idle_token_lifetime": false,
+      "rotation_type": "rotating"
+    },
+    "allowed_clients": [],
+    "allowed_logout_urls": [
+      "http://localhost:3000"
+    ],
+    "callbacks": [
+      "http://localhost:3000"
+    ],
+    "native_social_login": {
+      "apple": {
+        "enabled": false
+      },
+      "facebook": {
+        "enabled": false
+      }
+    },
+    "client_id": "client_id",
+    "callback_url_template": false,
+    "jwt_configuration": {
+      "alg": "RS256",
+      "lifetime_in_seconds": 36000,
+      "secret_encoded": false
+    },
+    "client_aliases": [],
+    "token_endpoint_auth_method": "none",
+    "app_type": "spa",
+    "grant_types": [
+      "authorization_code",
+      "implicit",
+      "refresh_token"
+    ],
+    "web_origins": [
+      "http://localhost:3000"
+    ],
+    "custom_login_page_on": true
+  }  
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+// Function to check callback URLs for insecure patterns (localhost, http, 127.0.0.1)
+function checkCallbackURLsForApp(app) {
+  const callbackUrls = app.callbacks || [];
+  const report = [];
+  const insecurePatterns = ["localhost", "http://", "127.0.0.1"];
+  if (callbackUrls.length === 0 && app.app_type !== "non_interactive") {
+    report.push({
+      name: app.client_id ? app.name.concat(` (${app.client_id})`) : app.name,
+      client_id: app.client_id || app.name,
+      field: "missing_callbacks",
+      url: "",
+      status: CONSTANTS.SUCCESS,
+      app_type: app.app_type,
+    });
+  }
+  callbackUrls.forEach((url) => {
+    const subArr = insecurePatterns.filter((str) => url.includes(str));
+    if (subArr.length > 0) {
+      report.push({
+        name: app.client_id ? app.name.concat(` (${app.client_id})`) : app.name,
+        client_id: app.client_id || app.name,
+        field: "insecure_callbacks",
+        value: url,
+        status: CONSTANTS.FAIL,
+        app_type: app.app_type,
+        is_first_party: app.is_first_party
+      });
+    }
+  });
+  return report;
+}
+
+function checkAllowedCallbacks(options) {
+  return executeCheck("checkAllowedCallbacks", (callback) => {
+    const { clients } = options;
+    const reports = [];
+    if (_.isEmpty(clients)) {
+      return callback(reports);
+    }
+    clients.forEach((client) => {
+      var report = checkCallbackURLsForApp(client);
+      if (report.length === 0) {
+        report.push({
+          name: client.name,
+          client_id: client.client_id || client.name,
+          field: "secure_callbacks",
+          status: CONSTANTS.SUCCESS,
+          value: client.callbacks ? client.callbacks.join(", ") : "",
+          app_type: client.app_type || "unknown",
+          is_first_party: client.is_first_party
+        });
+      }
+      reports.push({ name: client.name.concat(` (${client.client_id})`), report: report });
+    });
+    return callback(reports);
+  });
+}
+
+module.exports = checkAllowedCallbacks;

package/analyzer/lib/clients/checkAllowedLogoutUrl.js

@@ -0,0 +1,124 @@
+/*
+{
+  clients: [
+  {
+    "tenant": "contos0",
+    "global": false,
+    "is_token_endpoint_ip_header_trusted": false,
+    "name": "Default App",
+    "is_first_party": true,
+    "oidc_conformant": true,
+    "sso_disabled": false,
+    "cross_origin_auth": false,
+    "refresh_token": {
+      "expiration_type": "expiring",
+      "leeway": 0,
+      "token_lifetime": 2592000,
+      "idle_token_lifetime": 1296000,
+      "infinite_token_lifetime": false,
+      "infinite_idle_token_lifetime": false,
+      "rotation_type": "rotating"
+    },
+    "allowed_clients": [],
+    "allowed_logout_urls": [
+      "http://localhost:3000"
+    ],
+    "callbacks": [
+      "http://localhost:3000"
+    ],
+    "native_social_login": {
+      "apple": {
+        "enabled": false
+      },
+      "facebook": {
+        "enabled": false
+      }
+    },
+    "client_id": "client_id",
+    "callback_url_template": false,
+    "jwt_configuration": {
+      "alg": "RS256",
+      "lifetime_in_seconds": 36000,
+      "secret_encoded": false
+    },
+    "client_aliases": [],
+    "token_endpoint_auth_method": "none",
+    "app_type": "spa",
+    "grant_types": [
+      "authorization_code",
+      "implicit",
+      "refresh_token"
+    ],
+    "web_origins": [
+      "http://localhost:3000"
+    ],
+    "custom_login_page_on": true
+  }  
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+// Function to check callback URLs for insecure patterns (localhost, http, 127.0.0.1)
+function checkURLsForApp(app) {
+  const allowed_logout_urls = app.allowed_logout_urls || [];
+  const report = [];
+  const insecurePatterns = ["localhost", "http://", "127.0.0.1"];
+  if (allowed_logout_urls.length === 0 && app.app_type !== "non_interactive") {
+    // report.push({
+    //   name: app.name.concat(` (${app.client_id})`),
+    //   client_id: app.client_id || app.name,
+    //   field: 'missing_allowed_logout_urls',
+    //   url: 'missing_allowed_logout_urls',
+    //   status: CONSTANTS.FAIL,
+    //   app_type: app.app_type
+    // });
+    return report;
+  }
+  allowed_logout_urls.forEach((url) => {
+    const subArr = insecurePatterns.filter((str) => url.includes(str));
+    if (subArr.length > 0) {
+      report.push({
+        name: app.client_id ? app.name.concat(` (${app.client_id})`) : app.name,
+        client_id: app.client_id || app.name,
+        field: "insecure_allowed_logout_urls",
+        value: url,
+        status: CONSTANTS.FAIL,
+        app_type: app.app_type,
+        is_first_party: app.is_first_party
+      });
+    }
+  });
+  return report;
+}
+
+function checkAllowedLogoutUrl(options) {
+  return executeCheck("checkAllowedLogoutUrl", (callback) => {
+    const { clients } = options;
+    const reports = [];
+    if (_.isEmpty(clients)) {
+      return callback(reports);
+    }
+    clients.forEach((client) => {
+      var report = checkURLsForApp(client);
+      if (report.length === 0) {
+        report.push({
+          name: client.name,
+          client_id: client.client_id || client.name,
+          field: "secure_allowed_logout_urls",
+          status: CONSTANTS.SUCCESS,
+          value: client.allowed_logout_urls
+            ? client.allowed_logout_urls.join(", ")
+            : "",
+          app_type: client.app_type || "unknown",
+          is_first_party: client.is_first_party
+        });
+      }
+      reports.push({ name: client.name.concat(` (${client.client_id})`), report: report });
+    });
+    return callback(reports);
+  });
+}
+
+module.exports = checkAllowedLogoutUrl;