@auth0/auth0-checkmate 1.4.0

package/analyzer/lib/custom_domain/checkCustomDomain.js

@@ -0,0 +1,53 @@
+/*
+  customDomains: [
+    {
+      domain: 'apac-tam-team.oauth101.net',
+      primary: true,
+      status: 'ready',
+      tls_policy: 'recommended',
+      type: 'auth0_managed_certs',
+      verification: [Object]
+    }
+  ]
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkCustomDomain(options) {
+  const { customDomains } = options;
+  return executeCheck("checkCustomDomain", (callback) => {
+    const report = [];
+    if (_.isEmpty(customDomains)) {
+      report.push({
+        field: "not_configured",
+        status: CONSTANTS.FAIL,
+      });
+    } else if (customDomains.some((domain) => domain.status === "ready")) {
+      report.push({
+        field: "ready",
+        status: CONSTANTS.SUCCESS,
+        value: customDomains
+          .map((d) => {
+            return d.domain;
+          })
+          .join(","),
+      });
+    } else if (
+      customDomains.some((domain) => domain.status === "pending_verification")
+    ) {
+      report.push({
+        field: "pending_verification",
+        status: CONSTANTS.FAIL,
+        value: customDomains
+          .map((d) => {
+            return d.domain;
+          })
+          .join(","),
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkCustomDomain;

package/analyzer/lib/databases/checkAuthenticationMethods.js

@@ -0,0 +1,98 @@
+/*
+{
+    databases: [
+  {
+    "id": "con_JBv3Nu3wcKQni7Vv",
+    "options": {
+      "import_mode": false,
+      "configuration": {},
+      "disable_signup": true,
+      "passwordPolicy": "good",
+      "passkey_options": {
+        "challenge_ui": "both",
+        "local_enrollment_enabled": true,
+        "progressive_enrollment_enabled": true
+      },
+      "password_history": {
+        "size": 5,
+        "enable": false
+      },
+      "strategy_version": 2,
+      "password_dictionary": {
+        "enable": false,
+        "dictionary": []
+      },
+      "authentication_methods": {
+        "passkey": {
+          "enabled": false
+        },
+        "password": {
+          "enabled": true
+        }
+      },
+      "brute_force_protection": true,
+      "password_no_personal_info": {
+        "enable": false
+      },
+      "password_complexity_options": {
+        "min_length": 8
+      },
+      "enabledDatabaseCustomization": false
+    },
+    "strategy": "auth0",
+    "name": "Username-Password-Authentication",
+    "is_domain_connection": false,
+    "realms": [
+      "Username-Password-Authentication"
+    ],
+    "enabled_clients": [
+    ]
+  }
+]    
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkAuthenticationMethods(options) {
+  const { databases } = options || [];
+  return executeCheck("checkAuthenticationMethods", (callback) => {
+    const report = [];
+    if (_.isEmpty(databases)) {
+      report.push({
+        field: "no_database_connections_found",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    databases.forEach((connection) => {
+      if (_.isEmpty(connection.options.authentication_methods)) {
+        //defaults to password
+        report.push({
+          name: connection.name,
+          status: CONSTANTS.FAIL,
+          field: "only_password_method",
+        });
+      } else if (
+        connection.options.authentication_methods.password.enabled &&
+        !connection.options.authentication_methods.passkey.enabled
+      ) {
+        report.push({
+          name: connection.name,
+          status: CONSTANTS.FAIL,
+          field: "only_password_method",
+        });
+      } else {
+        report.push({
+          name: connection.name,
+          status: CONSTANTS.SUCCESS,
+          field: "passkey_enabled",
+        });
+      }
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkAuthenticationMethods;

package/analyzer/lib/databases/checkDASHardCodedValues.js

@@ -0,0 +1,163 @@
+/*
+{
+    databases: [
+  {
+    "id": "con_JBv3Nu3wcKQni7Vv",
+    "options": {
+      "import_mode": false,
+      "configuration": {},
+      "disable_signup": true,
+      "passwordPolicy": "good",
+      "passkey_options": {
+        "challenge_ui": "both",
+        "local_enrollment_enabled": true,
+        "progressive_enrollment_enabled": true
+      },
+      "password_history": {
+        "size": 5,
+        "enable": false
+      },
+      "strategy_version": 2,
+      "password_dictionary": {
+        "enable": false,
+        "dictionary": []
+      },
+      "authentication_methods": {
+        "passkey": {
+          "enabled": false
+        },
+        "password": {
+          "enabled": true
+        }
+      },
+      "brute_force_protection": true,
+      "password_no_personal_info": {
+        "enable": false
+      },
+      "password_complexity_options": {
+        "min_length": 8
+      },
+    "customScripts": {
+      "login": "function login(identifierValue, password, callback) {\n  const mysql = require('mysql');\n  const bcrypt = require('bcrypt');\n\n  const connection = mysql.createConnection({\n    host: 'localhost',\n    user: 'me',\n    password: 'secret',\n    database: 'mydb'\n  });\n\n  connection.connect();\n\n  const query = 'SELECT id, nickname, email, password FROM users WHERE email = ?';\n\n  connection.query(query, [ identifierValue ], function(err, results) {\n    if (err) return callback(err);\n    if (results.length === 0) return callback(new WrongUsernameOrPasswordError(identifierValue));\n    const user = results[0];\n\n    bcrypt.compare(password, user.password, function(err, isValid) {\n      if (err || !isValid) return callback(err || new WrongUsernameOrPasswordError(identifierValue));\n\n      callback(null, {\n        user_id: user.id.toString(),\n        nickname: user.nickname,\n        email: user.email\n      });\n    });\n  });\n}\n",
+      "create": "function create(user, callback) {\n  const mysql = require('mysql');\n  const bcrypt = require('bcrypt');\n\n  const connection = mysql.createConnection({\n    host: 'localhost',\n    user: 'me',\n    password: 'secret',\n    database: 'mydb'\n  });\n\n  connection.connect();\n\n  const query = 'INSERT INTO users SET ?';\n\n  bcrypt.hash(user.password, 10, function(err, hash) {\n    if (err) return callback(err);\n\n    const insert = {\n      password: hash,\n      email: user.email\n    };\n\n    connection.query(query, insert, function(err, results) {\n      if (err) return callback(err);\n      if (results.length === 0) return callback();\n      callback(null);\n    });\n  });\n}\n",
+      "delete": "function remove(id, callback) {\n  // This script remove a user from your existing database.\n  // It is executed whenever a user is deleted from the API or Auth0 dashboard.\n  //\n  // There are two ways that this script can finish:\n  // 1. The user was removed successfully:\n  //     callback(null);\n  // 2. Something went wrong while trying to reach your database:\n  //     callback(new Error(\"my error message\"));\n\n  const msg = 'Please implement the Delete script for this database ' +\n    'connection at https://manage.auth0.com/#/connections/database';\n  return callback(new Error(msg));\n}\n",
+      "verify": "function verify(email, callback) {\n  const mysql = require('mysql');\n\n  const connection = mysql.createConnection({\n    host: 'localhost',\n    user: 'me',\n    password: 'secret',\n    database: 'mydb'\n  });\n\n  connection.connect();\n\n  const query = 'UPDATE users SET email_Verified = true WHERE email_Verified = false AND email = ?';\n\n  connection.query(query, [ email ], function(err, results) {\n    if (err) return callback(err);\n\n    callback(null, results.length > 0);\n  });\n\n}\n",
+      "get_user": "function getUser(identifierValue, callback) {\n  const mysql = require('mysql');\n\n  const connection = mysql.createConnection({\n    host: 'localhost',\n    user: 'me',\n    password: 'secret',\n    database: 'mydb'\n  });\n\n  connection.connect();\n\n  const query = 'SELECT id, nickname, email FROM users WHERE email = ?';\n\n  connection.query(query, [ identifierValue ], function(err, results) {\n    if (err || results.length === 0) return callback(err || null);\n\n    const user = results[0];\n    callback(null, {\n      user_id: user.id.toString(),\n      nickname: user.nickname,\n      email: user.email\n    });\n  });\n}\n",
+      "change_password": "function changePassword(email, newPassword, callback) {\n  const mysql = require('mysql');\n  const bcrypt = require('bcrypt');\n\n  const connection = mysql.createConnection({\n    host: 'localhost',\n    user: 'me',\n    password: 'secret',\n    database: 'mydb'\n  });\n\n  connection.connect();\n\n  const query = 'UPDATE users SET password = ? WHERE email = ?';\n\n  bcrypt.hash(newPassword, 10, function(err, hash) {\n    if (err) return callback(err);\n\n    connection.query(query, [ hash, email ], function(err, results) {\n      if (err) return callback(err);\n      callback(null, results.length > 0);\n    });\n  });\n}\n"
+    },
+      "enabledDatabaseCustomization": true,
+
+    },
+    "strategy": "auth0",
+    "name": "Username-Password-Authentication",
+    "is_domain_connection": false,
+    "realms": [
+      "Username-Password-Authentication"
+    ],
+    "enabled_clients": [
+    ]
+  }
+]    
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const acorn = require("acorn");
+const walk = require("estree-walker").walk;
+
+function detectHardcodedValues(code, scriptName) {
+    let processedCode = code.replace(/(?!\w+#)\b#(\w+)/g, "_$1");
+    const ast = acorn.parse(processedCode, {
+        ecmaVersion: "latest",
+        locations: true,
+    });
+
+    const hardcodedValues = [];
+
+    walk(ast, {
+        enter(node) {
+            // Variable assignments
+            if (node.type === "VariableDeclaration") {
+                node.declarations.forEach((declaration) => {
+                    if (
+                        declaration.init &&
+                        declaration.init.type === "Literal" &&
+                        typeof declaration.init.value === "string" &&
+                        !isCommonException(declaration.init.value)
+                    ) {
+                        hardcodedValues.push({
+                            scriptName: scriptName,
+                            variableName: declaration.id.name,
+                            field: "hard_coded_value_detected",
+                            status: CONSTANTS.FAIL,
+                            type: typeof declaration.init.value,
+                            line: declaration.loc.start.line,
+                            column: declaration.loc.start.column,
+                        });
+                    }
+                });
+            }
+
+            // Object literals
+            if (
+                node.type === "Property" &&
+                node.value.type === "Literal" &&
+                typeof node.value.value === "string" &&
+                !isCommonException(node.value.value)
+            ) {
+                hardcodedValues.push({
+                    scriptName: scriptName,
+                    variableName: node.key.name || node.key.value,
+                    field: "hard_coded_value_detected",
+                    status: CONSTANTS.FAIL,
+                    type: typeof node.value.value,
+                    line: node.loc.start.line,
+                    column: node.loc.start.column,
+                });
+            }
+        },
+    });
+
+    return hardcodedValues;
+}
+
+// Helper functions
+function isCommonException(value) {
+    const exceptions = [
+        /^[0-1]$/, // Allow 0 and 1
+        /^[a-z]$/i, // Single letters
+        /^\s*$/, // Whitespace-only
+        /^[{}()[]<>]+$/, // Common brackets
+    ];
+    return exceptions.some((regex) => regex.test(String(value)));
+}
+
+
+function checkDASHardCodedValues(options) {
+    const { databases } = options || [];
+    return executeCheck("checkDASHardCodedValues", (callback) => {
+        const reports = [];
+        if (_.isEmpty(databases)) {
+            reports.push({
+                field: "no_database_connections_found",
+                status: CONSTANTS.FAIL,
+            });
+            return callback(reports);
+        }
+        databases.forEach((connection) => {
+            const { enabledDatabaseCustomization, customScripts } = connection.options;
+            if (enabledDatabaseCustomization) {
+                Object.entries(customScripts).forEach(([scriptName, scriptCode]) => {
+                    var report = detectHardcodedValues(scriptCode, scriptName);
+                    if (report.length > 0) {
+                        reports.push({ name: connection.name, report: report });
+                    }
+                });
+            }
+        });
+        return callback(reports);
+    });
+}
+
+module.exports = checkDASHardCodedValues;

package/analyzer/lib/databases/checkEmailAttributeVerification.js

@@ -0,0 +1,114 @@
+/*
+{
+  "id": "con_GVkgEDMhImBiBt2j",
+  "options": {
+    "mfa": {
+      "active": true,
+      "return_enroll_settings": true
+    },
+    "attributes": {
+      "email": {
+        "signup": {
+          "status": "required",
+          "verification": {
+            "active": true
+          }
+        },
+        "identifier": {
+          "active": true
+        },
+        "profile_required": true,
+        "verification_method": "otp" //link
+      }
+    },
+    "import_mode": false,
+    "configuration": {},
+    "customScripts": {
+      "login": "function login(identifierValue, password, callback) {\n  // This script should authenticate a user against the credentials stored in\n  // your database.\n  // It is executed when a user attempts to log in or immediately after signing\n  // up (as a verification that the user was successfully signed up).\n  //\n  // Everything returned by this script will be set as part of the user profile\n  // and will be visible by any of the tenant admins. Avoid adding attributes\n  // with values such as passwords, keys, secrets, etc.\n  //\n  // The `password` parameter of this function is in plain text. It must be\n  // hashed/salted to match whatever is stored in your database. For example:\n  //\n  //     var bcrypt = require('bcrypt@0.8.5');\n  //     bcrypt.compare(password, dbPasswordHash, function(err, res)) { ... }\n  //\n  // There are three ways this script can finish:\n  // 1. The user's credentials are valid. The returned user profile should be in\n  // the following format: https://auth0.com/docs/users/normalized/auth0/normalized-user-profile-schema\n  //     var profile = {\n  //       user_id: ..., // user_id is mandatory\n  //       email: ...,\n  //       [...]\n  //     };\n  //     callback(null, profile);\n  // 2. The user's credentials are invalid\n  //     callback(new WrongUsernameOrPasswordError(email, \"my error message\"));\n  //\n  //    Note: Passing no arguments or a falsey first argument to\n  //    `WrongUsernameOrPasswordError` will result in the error being logged as\n  //    an `fu` event (invalid username/email) with an empty string for a user_id.\n  //    Providing a truthy first argument will result in the error being logged\n  //    as an `fp` event (the user exists, but the password is invalid) with a\n  //    user_id value of \"auth0|<first argument>\". See the `Log Event Type Codes`\n  //    documentation for more information about these event types:\n  //    https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes\n  // 3. Something went wrong while trying to reach your database\n  //     callback(new Error(\"my error message\"));\n  //\n  // A list of Node.js modules which can be referenced is available here:\n  //\n  //    https://tehsis.github.io/webtaskio-canirequire/\n\n  const msg = 'Please implement the Login script for this database connection ' +\n    'at https://manage.auth0.com/#/connections/database';\n  return callback(new Error(msg));\n}\n",
+      "create": "function create(user, callback) {\n  // This script should create a user entry in your existing database. It will\n  // be executed when a user attempts to sign up, or when a user is created\n  // through the Auth0 dashboard or API.\n  // When this script has finished executing, the Login script will be\n  // executed immediately afterwards, to verify that the user was created\n  // successfully.\n  //\n  // The user object will always contain the following properties:\n  // * email: the user's email\n  // * password: the password entered by the user, in plain text\n  // * tenant: the name of this Auth0 account\n  // * client_id: the client ID of the application where the user signed up, or\n  //              API key if created through the API or Auth0 dashboard\n  // * connection: the name of this database connection\n  //\n  // There are three ways this script can finish:\n  // 1. A user was successfully created\n  //     callback(null);\n  // 2. This user already exists in your database\n  //     callback(new ValidationError(\"user_exists\", \"my error message\"));\n  // 3. Something went wrong while trying to reach your database\n  //     callback(new Error(\"my error message\"));\n\n  const msg = 'Please implement the Create script for this database connection ' +\n    'at https://manage.auth0.com/#/connections/database';\n  return callback(new Error(msg));\n}\n",
+      "delete": "function remove(id, callback) {\n  // This script remove a user from your existing database.\n  // It is executed whenever a user is deleted from the API or Auth0 dashboard.\n  //\n  // There are two ways that this script can finish:\n  // 1. The user was removed successfully:\n  //     callback(null);\n  // 2. Something went wrong while trying to reach your database:\n  //     callback(new Error(\"my error message\"));\n\n  const msg = 'Please implement the Delete script for this database ' +\n    'connection at https://manage.auth0.com/#/connections/database';\n  return callback(new Error(msg));\n}\n",
+      "verify": "function verify(email, callback) {\n  // This script should mark the current user's email address as verified in\n  // your database.\n  // It is executed whenever a user clicks the verification link sent by email.\n  // These emails can be customized at https://manage.auth0.com/#/emails.\n  // It is safe to assume that the user's email already exists in your database,\n  // because verification emails, if enabled, are sent immediately after a\n  // successful signup.\n  //\n  // There are two ways that this script can finish:\n  // 1. The user's email was verified successfully\n  //     callback(null, true);\n  // 2. Something went wrong while trying to reach your database:\n  //     callback(new Error(\"my error message\"));\n  //\n  // If an error is returned, it will be passed to the query string of the page\n  // where the user is being redirected to after clicking the verification link.\n  // For example, returning `callback(new Error(\"error\"))` and redirecting to\n  // https://example.com would redirect to the following URL:\n  //     https://example.com?email=alice%40example.com&message=error&success=false\n\n  const msg = 'Please implement the Verify script for this database connection ' +\n    'at https://manage.auth0.com/#/connections/database';\n  return callback(new Error(msg));\n}\n",
+      "get_user": "function getUser(identifierValue, callback) {\n  // This script should retrieve a user profile from your existing database,\n  // without authenticating the user.\n  // It is used to check if a user exists before executing flows that do not\n  // require authentication (signup and password reset).\n  //\n  // There are three ways this script can finish:\n  // 1. A user was successfully found. The profile should be in the following\n  // format: https://auth0.com/docs/users/normalized/auth0/normalized-user-profile-schema.\n  //     callback(null, profile);\n  // 2. A user was not found\n  //     callback(null);\n  // 3. Something went wrong while trying to reach your database:\n  //     callback(new Error(\"my error message\"));\n\n  const msg = 'Please implement the Get User script for this database connection ' +\n    'at https://manage.auth0.com/#/connections/database';\n  return callback(new Error(msg));\n}\n",
+      "change_password": "function changePassword(identifierValue, newPassword, callback) {\n  // This script should change the password stored for the current user in your\n  // database. It is executed when the user clicks on the confirmation link\n  // after a reset password request.\n  // The content and behavior of password confirmation emails can be customized\n  // here: https://manage.auth0.com/#/emails\n  // The `newPassword` parameter of this function is in plain text. It must be\n  // hashed/salted to match whatever is stored in your database.\n  //\n  // There are three ways that this script can finish:\n  // 1. The user's password was updated successfully:\n  //     callback(null, true);\n  // 2. The user's password was not updated:\n  //     callback(null, false);\n  // 3. Something went wrong while trying to reach your database:\n  //     callback(new Error(\"my error message\"));\n  //\n  // If an error is returned, it will be passed to the query string of the page\n  // where the user is being redirected to after clicking the confirmation link.\n  // For example, returning `callback(new Error(\"error\"))` and redirecting to\n  // https://example.com would redirect to the following URL:\n  //     https://example.com?email=alice%40example.com&message=error&success=false\n\n  const msg = 'Please implement the Change Password script for this database ' +\n    'connection at https://manage.auth0.com/#/connections/database';\n  return callback(new Error(msg));\n}\n"
+    },
+    "passwordPolicy": "fair",
+    "passkey_options": {
+      "challenge_ui": "both",
+      "local_enrollment_enabled": true,
+      "progressive_enrollment_enabled": true
+    },
+    "password_history": {
+      "size": 5,
+      "enable": false
+    },
+    "strategy_version": 2,
+    "password_dictionary": {
+      "enable": false,
+      "dictionary": []
+    },
+    "authentication_methods": {
+      "passkey": {
+        "enabled": false
+      },
+      "password": {
+        "enabled": true
+      }
+    },
+    "brute_force_protection": true,
+    "password_no_personal_info": {
+      "enable": false
+    },
+    "password_complexity_options": {
+      "min_length": 8
+    },
+    "enabledDatabaseCustomization": false
+  },
+  "strategy": "auth0",
+  "name": "Username-Password-Authentication",
+  "is_domain_connection": false,
+  "enabled_clients": [
+  ],
+  "realms": [
+    "Username-Password-Authentication"
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkEmailAttributeVerification(options) {
+  const { databases } = options || [];
+  return executeCheck("checkEmailAttributeVerification", (callback) => {
+    const report = [];
+    if (_.isEmpty(databases)) {
+      report.push({
+        field: "no_database_connections_found",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    databases.forEach((connection) => {
+      if (_.isEmpty(connection.options.attributes)) {
+        //defaults to email
+        report.push({
+          name: connection.name,
+          status: CONSTANTS.FAIL,
+          field: "flexible_identifiers_disabled",
+        });
+      } else if (
+        connection.options.attributes.email?.verification_method &&
+        connection.options.attributes.email?.verification_method !== 'otp'
+      ) {
+        report.push({
+          name: connection.name,
+          status: CONSTANTS.FAIL,
+          field: "verification_by_link_method",
+        });
+      }
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkEmailAttributeVerification;

package/analyzer/lib/databases/checkEnabledDatabaseCustomization.js

@@ -0,0 +1,83 @@
+/*
+{
+    databases: [
+  {
+    "id": "con_JBv3Nu3wcKQni7Vv",
+    "options": {
+      "import_mode": false,
+      "configuration": {},
+      "disable_signup": true,
+      "passwordPolicy": "good",
+      "passkey_options": {
+        "challenge_ui": "both",
+        "local_enrollment_enabled": true,
+        "progressive_enrollment_enabled": true
+      },
+      "password_history": {
+        "size": 5,
+        "enable": false
+      },
+      "strategy_version": 2,
+      "password_dictionary": {
+        "enable": false,
+        "dictionary": []
+      },
+      "authentication_methods": {
+        "passkey": {
+          "enabled": false
+        },
+        "password": {
+          "enabled": true
+        }
+      },
+      "brute_force_protection": true,
+      "password_no_personal_info": {
+        "enable": false
+      },
+      "password_complexity_options": {
+        "min_length": 8
+      },
+      "enabledDatabaseCustomization": false
+    },
+    "strategy": "auth0",
+    "name": "Username-Password-Authentication",
+    "is_domain_connection": false,
+    "realms": [
+      "Username-Password-Authentication"
+    ],
+    "enabled_clients": [
+    ]
+  }
+]    
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkEnabledDatabaseCustomization(options) {
+  const { databases } = options || [];
+  return executeCheck("checkEnabledDatabaseCustomization", (callback) => {
+    const report = [];
+    if (_.isEmpty(databases)) {
+      report.push({
+        field: "no_database_connections_found",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    databases.forEach((connection) => {
+      const { import_mode, enabledDatabaseCustomization} = connection.options;
+      if (!import_mode && enabledDatabaseCustomization) {
+        report.push({
+          name: connection.name,
+          status: CONSTANTS.FAIL,
+          field: "external_user_store",
+        });
+      }
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkEnabledDatabaseCustomization;

package/analyzer/lib/databases/checkPasswordComplexity.js

@@ -0,0 +1,100 @@
+/*
+{
+    databases: [
+  {
+    "id": "con_JBv3Nu3wcKQni7Vv",
+    "options": {
+      "import_mode": false,
+      "configuration": {},
+      "disable_signup": true,
+      "passwordPolicy": "good",
+      "passkey_options": {
+        "challenge_ui": "both",
+        "local_enrollment_enabled": true,
+        "progressive_enrollment_enabled": true
+      },
+      "password_history": {
+        "size": 5,
+        "enable": false
+      },
+      "strategy_version": 2,
+      "password_dictionary": {
+        "enable": false,
+        "dictionary": []
+      },
+      "authentication_methods": {
+        "passkey": {
+          "enabled": false
+        },
+        "password": {
+          "enabled": true
+        }
+      },
+      "brute_force_protection": true,
+      "password_no_personal_info": {
+        "enable": false
+      },
+      "password_complexity_options": {
+        "min_length": 8
+      },
+      "enabledDatabaseCustomization": false
+    },
+    "strategy": "auth0",
+    "name": "Username-Password-Authentication",
+    "is_domain_connection": false,
+    "realms": [
+      "Username-Password-Authentication"
+    ],
+    "enabled_clients": [
+    ]
+  }
+]    
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkPasswordComplexity(options) {
+  const { databases } = options || [];
+  return executeCheck("checkPasswordComplexity", (callback) => {
+    const report = [];
+    if (_.isEmpty(databases)) {
+      report.push({
+        field: "no_database_connections_found",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    databases.forEach((connection) => {
+      //Check password complexity and minimum length.
+      if (!_.isEmpty(connection.options.password_complexity_options)) {
+        // Recommend NIST standards
+        if (connection.options.password_complexity_options.min_length < 12) {
+          report.push({
+            name: connection.name,
+            field: "password_min_length_fail",
+            status: CONSTANTS.FAIL,
+            value: connection.options.password_complexity_options.min_length,
+          });
+        } else {
+          report.push({
+            name: connection.name,
+            status: CONSTANTS.SUCCESS,
+            field: "password_min_length_success",
+            value: connection.options.password_complexity_options.min_length,
+          });
+        }
+      } else {
+        report.push({
+          name: connection.name,
+          field: "password_complexity_not_configured",
+          status: CONSTANTS.FAIL,
+        });
+      }
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkPasswordComplexity;