@auth0/auth0-checkmate 1.4.0

package/analyzer/lib/clients/checkApplicationLoginUri.js

@@ -0,0 +1,125 @@
+/*
+{
+  clients: [
+  {
+    "tenant": "contos0",
+    "global": false,
+    "is_token_endpoint_ip_header_trusted": false,
+    "name": "Default App",
+    "is_first_party": true,
+    "oidc_conformant": true,
+    "sso_disabled": false,
+    "cross_origin_auth": false,
+    "refresh_token": {
+      "expiration_type": "expiring",
+      "leeway": 0,
+      "token_lifetime": 2592000,
+      "idle_token_lifetime": 1296000,
+      "infinite_token_lifetime": false,
+      "infinite_idle_token_lifetime": false,
+      "rotation_type": "rotating"
+    },
+    "allowed_clients": [],
+    "allowed_logout_urls": [
+      "http://localhost:3000"
+    ],
+    "callbacks": [
+      "http://localhost:3000"
+    ],
+    "native_social_login": {
+      "apple": {
+        "enabled": false
+      },
+      "facebook": {
+        "enabled": false
+      }
+    },
+    "client_id": "client_id",
+    "callback_url_template": false,
+    "jwt_configuration": {
+      "alg": "RS256",
+      "lifetime_in_seconds": 36000,
+      "secret_encoded": false
+    },
+    "client_aliases": [],
+    "token_endpoint_auth_method": "none",
+    "app_type": "spa",
+    "grant_types": [
+      "authorization_code",
+      "implicit",
+      "refresh_token"
+    ],
+    "web_origins": [
+      "http://localhost:3000"
+    ],
+    "custom_login_page_on": true
+  }  
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+// Function to check callback URLs for insecure patterns (localhost, http, 127.0.0.1)
+function checkURLsForApp(app) {
+  const initiate_login_uri = app.initiate_login_uri || "";
+  const report = [];
+  const insecurePatterns = ["localhost", "http://", "127.0.0.1"];
+  if (
+    _.isEmpty(initiate_login_uri) &&
+    (app.app_type === "spa" || app.app_type === "regular_web")
+  ) {
+    report.push({
+      name: app.client_id ? app.name.concat(` (${app.client_id})`) : app.name,
+      client_id: app.client_id || app.name,
+      field: "missing_initiate_login_uri",
+      value: "missing_initiate_login_uri",
+      status: CONSTANTS.FAIL,
+      app_type: app.app_type,
+      is_first_party: app.is_first_party
+    });
+  }
+  const subArr = insecurePatterns.filter((str) =>
+    initiate_login_uri.includes(str),
+  );
+  if (subArr.length > 0) {
+    report.push({
+      name: app.client_id ? app.name.concat(` (${app.client_id})`) : app.name,
+      client_id: app.client_id || app.name,
+      field: "insecure_initiate_login_uri",
+      value: initiate_login_uri,
+      status: CONSTANTS.FAIL,
+      app_type: app.app_type,
+      is_first_party: app.is_first_party
+    });
+  }
+  return report;
+}
+
+function checkApplicationLoginUri(options) {
+  return executeCheck("checkApplicationLoginUri", (callback) => {
+    const { clients } = options;
+    const reports = [];
+    if (_.isEmpty(clients)) {
+      return callback(reports);
+    }
+    clients.forEach((client) => {
+      var report = checkURLsForApp(client);
+      if (report.length === 0) {
+        report.push({
+          name: client.name,
+          client_id: client.client_id || client.name,
+          field: "secure_initiate_login_uri",
+          status: CONSTANTS.SUCCESS,
+          value: client.initiate_login_uri ? client.initiate_login_uri : "",
+          app_type: client.app_type || "unknown",
+          is_first_party: client.is_first_party
+        });
+      }
+      reports.push({ name: client.name.concat(` (${client.client_id})`), report: report });
+    });
+    return callback(reports);
+  });
+}
+
+module.exports = checkApplicationLoginUri;

package/analyzer/lib/clients/checkCrossOriginAuthentication.js

@@ -0,0 +1,91 @@
+/*
+{
+  clients: [
+  {
+    "tenant": "contos0",
+    "global": false,
+    "is_token_endpoint_ip_header_trusted": false,
+    "name": "Default App",
+    "is_first_party": true,
+    "oidc_conformant": true,
+    "sso_disabled": false,
+    "cross_origin_auth": false,
+    "cross_origin_authentication": false,
+    "refresh_token": {
+      "expiration_type": "expiring",
+      "leeway": 0,
+      "token_lifetime": 2592000,
+      "idle_token_lifetime": 1296000,
+      "infinite_token_lifetime": false,
+      "infinite_idle_token_lifetime": false,
+      "rotation_type": "rotating"
+    },
+    "allowed_clients": [],
+    "allowed_logout_urls": [
+      "http://localhost:3000"
+    ],
+    "callbacks": [
+      "http://localhost:3000"
+    ],
+    "native_social_login": {
+      "apple": {
+        "enabled": false
+      },
+      "facebook": {
+        "enabled": false
+      }
+    },
+    "client_id": "client_id",
+    "callback_url_template": false,
+    "jwt_configuration": {
+      "alg": "RS256",
+      "lifetime_in_seconds": 36000,
+      "secret_encoded": false
+    },
+    "client_aliases": [],
+    "token_endpoint_auth_method": "none",
+    "app_type": "spa",
+    "grant_types": [
+      "authorization_code",
+      "implicit",
+      "refresh_token"
+    ],
+    "web_origins": [
+      "http://localhost:3000"
+    ],
+    "custom_login_page_on": true
+  }  
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkCrossOriginAuthentication(options) {
+  return executeCheck("checkCrossOriginAuthentication", (callback) => {
+    const { clients } = options;
+    const reports = [];
+    if (_.isEmpty(clients)) {
+      return callback(reports);
+    }
+    // https://community.auth0.com/t/action-required-update-applications-that-use-cross-origin-authentication/132819
+    clients.forEach((client) => {
+      var report = [];
+      report.push({
+        name: client.client_id
+          ? client.name.concat(` (${client.client_id})`)
+          : client.name,
+        client_id: client.client_id || client.name,
+        field: client.cross_origin_authentication ? "cross_origin_authentication_enabled" : "cross_origin_authentication_disabled",
+        status: client.cross_origin_authentication ? CONSTANTS.FAIL : CONSTANTS.SUCCESS,
+        app_type: client.app_type || "unknown",
+        is_first_party: client.is_first_party
+      });
+      reports.push({ name: client.name.concat(` (${client.client_id})`), report: report });
+    });
+    return callback(reports);
+  });
+}
+
+module.exports = checkCrossOriginAuthentication;

package/analyzer/lib/clients/checkGrantTypes.js

@@ -0,0 +1,138 @@
+/*
+{
+  clients: [
+  {
+    "tenant": "contos0",
+    "global": false,
+    "is_token_endpoint_ip_header_trusted": false,
+    "name": "Default App",
+    "is_first_party": true,
+    "oidc_conformant": true,
+    "sso_disabled": false,
+    "cross_origin_auth": false,
+    "refresh_token": {
+      "expiration_type": "expiring",
+      "leeway": 0,
+      "token_lifetime": 2592000,
+      "idle_token_lifetime": 1296000,
+      "infinite_token_lifetime": false,
+      "infinite_idle_token_lifetime": false,
+      "rotation_type": "rotating"
+    },
+    "allowed_clients": [],
+    "allowed_logout_urls": [
+      "http://localhost:3000"
+    ],
+    "callbacks": [
+      "http://localhost:3000"
+    ],
+    "native_social_login": {
+      "apple": {
+        "enabled": false
+      },
+      "facebook": {
+        "enabled": false
+      }
+    },
+    "client_id": "client_id",
+    "callback_url_template": false,
+    "jwt_configuration": {
+      "alg": "RS256",
+      "lifetime_in_seconds": 36000,
+      "secret_encoded": false
+    },
+    "client_aliases": [],
+    "token_endpoint_auth_method": "none",
+    "app_type": "spa",
+    "grant_types": [
+      "authorization_code",
+      "implicit",
+      "refresh_token"
+    ],
+    "web_origins": [
+      "http://localhost:3000"
+    ],
+    "custom_login_page_on": true
+  }  
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function validateGrantTypesForApp(app) {
+  const enabledGrantTypes = app.grant_types || [];
+  const appType = app.app_type || "unknown";
+  const report = [];
+  let requiredGrantTypes = [];
+
+  // Define expected grant types based on appType (OAuth2.0 best practices)
+  switch (appType) {
+    case "regular_web":
+      requiredGrantTypes = [
+        "authorization_code",
+        "refresh_token",
+        "client_credentials",
+      ]; // Authorization Code with PKCE and Refresh Tokens
+      break;
+    case "spa":
+      requiredGrantTypes = ["authorization_code", "refresh_token"]; // Implicit (only for older apps) or Authorization Code with PKCE
+      break;
+    case "native":
+      requiredGrantTypes = [
+        "authorization_code",
+        "refresh_token",
+        "urn:ietf:params:oauth:grant-type:device_code",
+      ]; // Authorization Code with PKCE and Refresh Tokens, Device Code, this abou thow to skip this if extended granty_type is used
+      break;
+    case "non_interactive":
+      requiredGrantTypes = ["client_credentials"]; // Client Credentials (no user involvement)
+      break;
+    default:
+      requiredGrantTypes = [
+        "authorization_code",
+        "refresh_token"
+      ]; // Authorization Code with PKCE and Refresh Tokens
+      break;
+  }
+
+  // Optionally, check for any additional unexpected grant types
+  var unexpectedGrantTypes = [];
+  enabledGrantTypes.forEach((grantType) => {
+    if (!requiredGrantTypes.includes(grantType)) {
+      unexpectedGrantTypes.push(grantType);
+    }
+  });
+  if (!_.isEmpty(unexpectedGrantTypes)) {
+    report.push({
+      name: app.client_id ? app.name.concat(` (${app.client_id})`) : app.name,
+      client_id: app.client_id,
+      field: "unexpected_grant_type_for_app_type",
+      value: unexpectedGrantTypes.join(", "),
+      status: CONSTANTS.FAIL,
+      app_type: appType,
+      is_first_party: app.is_first_party
+    });
+  }
+  return report;
+}
+
+function checkGrantTypes(options) {
+  return executeCheck("checkGrantTypes", (callback) => {
+    const { clients } = options || [];
+    const reports = [];
+    if (_.isEmpty(clients)) {
+      return callback(reports);
+    }
+    clients.forEach((client) => {
+      var report = validateGrantTypesForApp(client);
+      var name = client.name.concat(` (${client.client_id})`);
+      // removed old code
+      reports.push({ name: name, report: report });
+    });
+    return callback(reports);
+  });
+}
+
+module.exports = checkGrantTypes;

package/analyzer/lib/clients/checkJWTSignAlg.js

@@ -0,0 +1,118 @@
+/*
+{
+  clients: [
+  {
+    "tenant": "contos0",
+    "global": false,
+    "is_token_endpoint_ip_header_trusted": false,
+    "name": "Default App",
+    "is_first_party": true,
+    "oidc_conformant": true,
+    "sso_disabled": false,
+    "cross_origin_auth": false,
+    "refresh_token": {
+      "expiration_type": "expiring",
+      "leeway": 0,
+      "token_lifetime": 2592000,
+      "idle_token_lifetime": 1296000,
+      "infinite_token_lifetime": false,
+      "infinite_idle_token_lifetime": false,
+      "rotation_type": "rotating"
+    },
+    "allowed_clients": [],
+    "allowed_logout_urls": [
+      "http://localhost:3000"
+    ],
+    "callbacks": [
+      "http://localhost:3000"
+    ],
+    "native_social_login": {
+      "apple": {
+        "enabled": false
+      },
+      "facebook": {
+        "enabled": false
+      }
+    },
+    "client_id": "client_id",
+    "callback_url_template": false,
+    "jwt_configuration": {
+      "alg": "RS256",
+      "lifetime_in_seconds": 36000,
+      "secret_encoded": false
+    },
+    "client_aliases": [],
+    "token_endpoint_auth_method": "none",
+    "app_type": "spa",
+    "grant_types": [
+      "authorization_code",
+      "implicit",
+      "refresh_token"
+    ],
+    "web_origins": [
+      "http://localhost:3000"
+    ],
+    "custom_login_page_on": true
+  }  
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkJWTSignAlg(options) {
+  return executeCheck("checkJWTSignAlg", (callback) => {
+    const { clients } = options;
+    const reports = [];
+    if (_.isEmpty(clients)) {
+      return callback(reports);
+    }
+    // If a client does not have a jwtConfiguration, it will use the default configuration of RS256
+    // Clients created via API will have an empty jwtConfiguration
+    clients.forEach((client) => {
+      var report = [];
+      if (!client.jwt_configuration) {
+        report.push({
+          name: client.client_id
+            ? client.name.concat(` (${client.client_id})`)
+            : client.name,
+          client_id: client.client_id || client.name,
+          field: "missing_jwt_alg",
+          status: CONSTANTS.SUCCESS,
+          value: "RS256",
+          is_first_party: client.is_first_party
+        });
+        reports.push({ name: client.name, report: report });
+        return;
+      }
+      if (client.jwt_configuration.alg !== "HS256") {
+        report.push({
+          name: client.client_id
+            ? client.name.concat(` (${client.client_id})`)
+            : client.name,
+          client_id: client.client_id || client.name,
+          field: "using_asymmetric_alg",
+          status: CONSTANTS.SUCCESS,
+          value: client.jwt_configuration.alg,
+          is_first_party: client.is_first_party
+        });
+      } else {
+        report.push({
+          name: client.client_id
+            ? client.name.concat(` (${client.client_id})`)
+            : client.name,
+          client_id: client.client_id || client.name,
+          field: "not_using_asymmetric_alg",
+          status: CONSTANTS.FAIL,
+          value: client.jwt_configuration.alg,
+          is_first_party: client.is_first_party
+        });
+      }
+      reports.push({ name: client.name.concat(` (${client.client_id})`), report: report });
+    });
+    return callback(reports);
+  });
+}
+
+module.exports = checkJWTSignAlg;

package/analyzer/lib/clients/checkRefreshToken.js

@@ -0,0 +1,108 @@
+/*
+{
+  clients: [
+  {
+    "tenant": "contos0",
+    "global": false,
+    "is_token_endpoint_ip_header_trusted": false,
+    "name": "Default App",
+    "is_first_party": true,
+    "oidc_conformant": true,
+    "sso_disabled": false,
+    "cross_origin_auth": false,
+    "refresh_token": {
+      "expiration_type": "expiring",
+      "leeway": 0,
+      "token_lifetime": 2592000,
+      "idle_token_lifetime": 1296000,
+      "infinite_token_lifetime": false,
+      "infinite_idle_token_lifetime": false,
+      "rotation_type": "rotating"
+    },
+    "allowed_clients": [],
+    "allowed_logout_urls": [
+      "http://localhost:3000"
+    ],
+    "callbacks": [
+      "http://localhost:3000"
+    ],
+    "native_social_login": {
+      "apple": {
+        "enabled": false
+      },
+      "facebook": {
+        "enabled": false
+      }
+    },
+    "client_id": "client_id",
+    "callback_url_template": false,
+    "jwt_configuration": {
+      "alg": "RS256",
+      "lifetime_in_seconds": 36000,
+      "secret_encoded": false
+    },
+    "client_aliases": [],
+    "token_endpoint_auth_method": "none",
+    "app_type": "spa",
+    "grant_types": [
+      "authorization_code",
+      "implicit",
+      "refresh_token"
+    ],
+    "web_origins": [
+      "http://localhost:3000"
+    ],
+    "custom_login_page_on": true
+  }  
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function validateRTGrantTypesForApp(app) {
+    const enabledGrantTypes = app.grant_types || [];
+    const appType = app.app_type || "unknown";
+    const report = [];
+
+    // Define expected grant types based on appType (OAuth2.0 best practices)
+    switch (appType) {
+        case "regular_web":
+        case "spa":
+        case "native":
+            break;
+        default:
+            break;
+    }
+    if (enabledGrantTypes.includes('refresh_token') && app?.refresh_token?.rotation_type && app?.refresh_token?.rotation_type !== 'rotating') {
+        // check refresh token configuration
+        report.push({
+            name: app.client_id ? app.name.concat(` (${app.client_id})`) : app.name,
+            client_id: app.client_id,
+            field: "use_rotating_refresh_token",
+            status: app?.refresh_token?.expiration_type !== 'expiring' ? CONSTANTS.FAIL : CONSTANTS.SUCCESS,
+            value: app.refresh_token.rotation_type,
+            is_first_party: app.is_first_party
+        });
+    }
+    return report;
+}
+
+function checkRefreshToken(options) {
+    return executeCheck("checkRefreshToken", (callback) => {
+        const { clients } = options || [];
+        const reports = [];
+        if (_.isEmpty(clients)) {
+            return callback(reports);
+        }
+        clients.forEach((client) => {
+            var report = validateRTGrantTypesForApp(client);
+            var name = client.name.concat(` (${client.client_id})`);
+            reports.push({ name: name, report: report });
+        });
+        return callback(reports);
+    });
+}
+
+module.exports = checkRefreshToken;

package/analyzer/lib/clients/checkWebOrigins.js

@@ -0,0 +1,55 @@
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+// Function to check web origin URLs for insecure patterns (localhost, http, 127.0.0.1)
+function checkURLsForApp(app) {
+  const web_origins = app.web_origins || [];
+  const report = [];
+  const insecurePatterns = ["localhost", "http://", "127.0.0.1"];
+  if (
+    web_origins.length === 0 &&
+    (app.app_type !== "non_interactive" || app.app_type !== "native")
+  ) {
+    return report;
+  }
+  web_origins.forEach((url) => {
+    const subArr = insecurePatterns.filter((str) => url.includes(str));
+    if (subArr.length > 0) {
+      report.push({
+        name: app.client_id ? app.name.concat(` (${app.client_id})`) : app.name,
+        client_id: app.client_id || app.name,
+        field: "insecure_web_origins_urls",
+        value: url,
+        status: CONSTANTS.FAIL,
+        app_type: app.app_type,
+        is_first_party: app.is_first_party
+      });
+    }
+  });
+  return report;
+}
+
+function checkWebOrigins(options) {
+  return executeCheck("checkWebOrigins", (callback) => {
+    const { clients } = options;
+    const reports = [];
+
+    clients.forEach((client) => {
+      var report = checkURLsForApp(client);
+      if (report.length === 0) {
+        report.push({
+          name: client.name,
+          client_id: client.client_id || client.name,
+          field: "secure_web_origins",
+          status: CONSTANTS.SUCCESS,
+          value: client.web_origins ? client.web_origins.join(", ") : "",
+          app_type: client.app_type || "unknown",
+          is_first_party: client.is_first_party
+        });
+      }
+      reports.push({ name: client.name.concat(` (${client.client_id})`), report: report });
+    });
+    return callback(reports);
+  });
+}
+
+module.exports = checkWebOrigins;

package/analyzer/lib/constants.js

@@ -0,0 +1,63 @@
+module.exports = {
+  INSECURE_URL_PATTERN: ["localhost", "http://", "127.0.0.1"],
+  FAIL: "red",
+  SUCCESS: "green",
+  INFO: "blue",
+  WARN: "yellow",
+  MULTIFACTOR_POLICY: {
+    empty: "Never",
+    "all-applications": "Always",
+    "confidence-score": "Use Adaptive MFA",
+  },
+  MINIMUM_NODE_VERSION: 18,
+  DEFAULT_IDLE_SESSION_LIFETIME: "72h",
+  DEFAULT_SESSION_LIFETIME: "168h",
+  DEFAULT_SESSION_COOKIE_MODE: "persistent",
+  CUSTOM_DOMAIN_SCOPE: "read:custom_domains",
+  CLIENTS_SCOPE: "read:clients",
+  DBCONNECTIONS_SCOPE: "read:connections",
+  ATTACK_PROTECTION_SCOPE: "read:attack_protection",
+  TENANT_SETTINGS_SCOPE: "read:tenant_settings",
+  EMAIL_PROVIDER_SCOPE: "read:email_provider",
+  EMAIL_TEMPLATES_SCOPE: "read:email_templates",
+  MFA_POLICIES_SCOPE: "read:mfa_policies",
+  MFA_FACTORS_SCOPE: "read:guardian_factors",
+  REQUIRED_SCOPES:
+    "read:tenant_settings read:custom_domains read:prompts read:clients read:connections read:connections_options read:resource_servers read:client_grants read:roles read:branding read:email_provider read:email_templates read:phone_providers read:phone_templates read:shields read:attack_protection read:self_service_profiles read:guardian_factors read:mfa_policies read:actions read:log_streams read:logs read:network_acls read:event_streams",
+  LOG_TYPES: [
+    "s",
+    "f",
+    "fs",
+    "ss",
+    "fu",
+    "fp",
+    "scoa",
+    "fcoa",
+    "sepft",
+    "fepft",
+  ],
+  EMAIL_TEMPLATES_NAMES: {
+    verify_email: "Verification Email (Link)",
+    verify_email_by_code: "Verification Email (Code)",
+    welcome_email: "Welcome Email",
+    enrollment_email: "Enroll in Multifactor Authentication",
+    reset_email: "Change Password (Link)",
+    reset_email_by_code: "Change Password (Code)",
+    blocked_account: "Blocked Account Email",
+    stolen_credentials: "Password Breach Alert",
+    mfa_oob_code: "Verification Code for Email MFA",
+    user_invitation: "User Invitation",
+  },
+  EMAIL_TEMPLATES_TYPES: [
+    "verify_email",
+    "verify_email_by_code",
+    "welcome_email",
+    "enrollment_email",
+    "reset_email",
+    "reset_email_by_code",
+    "blocked_account",
+    "stolen_credentials",
+    "mfa_oob_code",
+    "user_invitation",
+  ]
+};