@auth0/auth0-checkmate 1.4.0

package/analyzer/lib/databases/checkPasswordHistory.js

@@ -0,0 +1,92 @@
+/*
+{
+    databases: [
+  {
+    "id": "con_JBv3Nu3wcKQni7Vv",
+    "options": {
+      "import_mode": false,
+      "configuration": {},
+      "disable_signup": true,
+      "passwordPolicy": "good",
+      "passkey_options": {
+        "challenge_ui": "both",
+        "local_enrollment_enabled": true,
+        "progressive_enrollment_enabled": true
+      },
+      "password_history": {
+        "size": 5,
+        "enable": false
+      },
+      "strategy_version": 2,
+      "password_dictionary": {
+        "enable": false,
+        "dictionary": []
+      },
+      "authentication_methods": {
+        "passkey": {
+          "enabled": false
+        },
+        "password": {
+          "enabled": true
+        }
+      },
+      "brute_force_protection": true,
+      "password_no_personal_info": {
+        "enable": false
+      },
+      "password_complexity_options": {
+        "min_length": 8
+      },
+      "enabledDatabaseCustomization": false
+    },
+    "strategy": "auth0",
+    "name": "Username-Password-Authentication",
+    "is_domain_connection": false,
+    "realms": [
+      "Username-Password-Authentication"
+    ],
+    "enabled_clients": [
+    ]
+  }
+]    
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkPasswordHistory(options) {
+  const { databases } = options || [];
+  return executeCheck("checkPasswordHistory", (callback) => {
+    const report = [];
+    if (_.isEmpty(databases)) {
+      report.push({
+        field: "no_database_connections_found",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    databases.forEach((connection) => {
+      //Check Password History
+      if (connection.options.password_history) {
+        if (!connection.options.password_history.enable) {
+          report.push({
+            name: connection.name,
+            status: CONSTANTS.FAIL,
+            field: "password_history_disabled",
+          });
+        } else {
+          report.push({
+            name: connection.name,
+            field: "password_history_enabled",
+            status: CONSTANTS.SUCCESS,
+            value: connection.options.password_history.size,
+          });
+        }
+      }
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkPasswordHistory;

package/analyzer/lib/databases/checkPasswordNoPersonalInfo.js

@@ -0,0 +1,91 @@
+/*
+{
+    databases: [
+  {
+    "id": "con_JBv3Nu3wcKQni7Vv",
+    "options": {
+      "import_mode": false,
+      "configuration": {},
+      "disable_signup": true,
+      "passwordPolicy": "good",
+      "passkey_options": {
+        "challenge_ui": "both",
+        "local_enrollment_enabled": true,
+        "progressive_enrollment_enabled": true
+      },
+      "password_history": {
+        "size": 5,
+        "enable": false
+      },
+      "strategy_version": 2,
+      "password_dictionary": {
+        "enable": false,
+        "dictionary": []
+      },
+      "authentication_methods": {
+        "passkey": {
+          "enabled": false
+        },
+        "password": {
+          "enabled": true
+        }
+      },
+      "brute_force_protection": true,
+      "password_no_personal_info": {
+        "enable": false
+      },
+      "password_complexity_options": {
+        "min_length": 8
+      },
+      "enabledDatabaseCustomization": false
+    },
+    "strategy": "auth0",
+    "name": "Username-Password-Authentication",
+    "is_domain_connection": false,
+    "realms": [
+      "Username-Password-Authentication"
+    ],
+    "enabled_clients": [
+    ]
+  }
+]    
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkPasswordNoPersonalInfo(options) {
+  const { databases } = options || [];
+  return executeCheck("checkPasswordNoPersonalInfo", (callback) => {
+    const report = [];
+    if (_.isEmpty(databases)) {
+      report.push({
+        field: "no_database_connections_found",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    databases.forEach((connection) => {
+      //Disallow Personal Data
+      if (connection.options.password_no_personal_info) {
+        if (connection.options.password_no_personal_info.enable) {
+          report.push({
+            name: connection.name,
+            status: CONSTANTS.SUCCESS,
+            field: "password_no_personal_info_enable",
+          });
+        } else {
+          report.push({
+            name: connection.name,
+            status: CONSTANTS.FAIL,
+            field: "password_no_personal_info_disabled",
+          });
+        }
+      }
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkPasswordNoPersonalInfo;

package/analyzer/lib/databases/checkPasswordPolicy.js

@@ -0,0 +1,95 @@
+/*
+{
+    databases: [
+  {
+    "id": "con_JBv3Nu3wcKQni7Vv",
+    "options": {
+      "import_mode": false,
+      "configuration": {},
+      "disable_signup": true,
+      "passwordPolicy": "good",
+      "passkey_options": {
+        "challenge_ui": "both",
+        "local_enrollment_enabled": true,
+        "progressive_enrollment_enabled": true
+      },
+      "password_history": {
+        "size": 5,
+        "enable": false
+      },
+      "strategy_version": 2,
+      "password_dictionary": {
+        "enable": false,
+        "dictionary": []
+      },
+      "authentication_methods": {
+        "passkey": {
+          "enabled": false
+        },
+        "password": {
+          "enabled": true
+        }
+      },
+      "brute_force_protection": true,
+      "password_no_personal_info": {
+        "enable": false
+      },
+      "password_complexity_options": {
+        "min_length": 8
+      },
+      "enabledDatabaseCustomization": false
+    },
+    "strategy": "auth0",
+    "name": "Username-Password-Authentication",
+    "is_domain_connection": false,
+    "realms": [
+      "Username-Password-Authentication"
+    ],
+    "enabled_clients": [
+    ]
+  }
+]    
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkPasswordPolicy(options) {
+  const { databases } = options || [];
+  return executeCheck("checkPasswordPolicy", (callback) => {
+    const report = [];
+    if (_.isEmpty(databases)) {
+      report.push({
+        field: "no_database_connections_found",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    databases.forEach((connection) => {
+      var status = CONSTANTS.FAIL;
+      switch (connection.options.passwordPolicy) {
+        case "none":
+        case "low":
+        case "fair":
+          status = CONSTANTS.FAIL;
+          break;
+        case "good":
+        case "excellent":
+          status = CONSTANTS.SUCCESS;
+          break;
+      }
+      report.push({
+        name: connection.name,
+        field: connection.options.passwordPolicy
+          ? "password_policy"
+          : "missing_password_policy",
+        status: status,
+        value: connection.options.passwordPolicy,
+      });
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkPasswordPolicy;

package/analyzer/lib/databases/checkPromotedDBConnection.js

@@ -0,0 +1,96 @@
+/*
+{
+    databases: [
+  {
+    "id": "con_JBv3Nu3wcKQni7Vv",
+    "options": {
+      "import_mode": false,
+      "configuration": {},
+      "disable_signup": true,
+      "passwordPolicy": "good",
+      "passkey_options": {
+        "challenge_ui": "both",
+        "local_enrollment_enabled": true,
+        "progressive_enrollment_enabled": true
+      },
+      "password_history": {
+        "size": 5,
+        "enable": false
+      },
+      "strategy_version": 2,
+      "password_dictionary": {
+        "enable": false,
+        "dictionary": []
+      },
+      "authentication_methods": {
+        "passkey": {
+          "enabled": false
+        },
+        "password": {
+          "enabled": true
+        }
+      },
+      "brute_force_protection": true,
+      "password_no_personal_info": {
+        "enable": false
+      },
+      "password_complexity_options": {
+        "min_length": 8
+      },
+      "enabledDatabaseCustomization": false
+    },
+    "strategy": "auth0",
+    "name": "Username-Password-Authentication",
+    "is_domain_connection": false,
+    "realms": [
+      "Username-Password-Authentication"
+    ],
+    "enabled_clients": [
+    ]
+  }
+]    
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkPromotedDBConnection(options) {
+
+    const { databases } = options || [];
+    return executeCheck("checkPromotedDBConnection", (callback) => {
+        const report = [];
+        if (_.isEmpty(databases)) {
+            report.push({
+                field: "no_database_connections_found",
+                status: CONSTANTS.FAIL,
+            });
+            return callback(report);
+        }
+        let promoted_domain_connection = null;
+        databases.forEach((connection) => {
+            connection.is_domain_connection;
+            if (connection.is_domain_connection === true) {
+                promoted_domain_connection = connection.name;
+                return;
+            }
+        });
+        if (promoted_domain_connection === null) {
+            report.push({
+                name: "NO_PRMOTED_DOMAIN_CONNECTION",
+                status: CONSTANTS.FAIL,
+                field: "no_database_connections_found",
+            });
+        }
+        else {
+            report.push({
+                name: promoted_domain_connection,
+                status: CONSTANTS.FAIL,
+                field: "with_promoted_database_connections",
+            });
+        }
+        return callback(report);
+    });
+}
+
+module.exports = checkPromotedDBConnection;

package/analyzer/lib/email_provider/checkEmailProvider.js

@@ -0,0 +1,37 @@
+/*
+{
+  "name": "sendgrid",
+  "enabled": true
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkEmailProvider(options) {
+  const { emailProvider } = options || {};
+  return executeCheck("checkEmailProvider", (callback) => {
+    const report = [];
+    if (_.isEmpty(emailProvider)) {
+      report.push({
+        field: "email_provider_not_configured",
+        status: CONSTANTS.FAIL,
+      });
+    } else if (emailProvider.enabled) {
+      report.push({
+        field: "email_provider_enabled",
+        status: CONSTANTS.SUCCESS,
+        value: emailProvider.name,
+      });
+    } else {
+      report.push({
+        field: "email_provider_disabled",
+        status: CONSTANTS.FAIL,
+        value: emailProvider.name,
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkEmailProvider;

package/analyzer/lib/email_templates/checkEmailTemplates.js

@@ -0,0 +1,71 @@
+/*
+[
+  {
+    name: 'Verification Email (Link)',
+    template: {
+      template: 'verify_email',
+      syntax: 'liquid',
+      body: ''
+      from: '',
+      subject: '',
+      urlLifetimeInSeconds: 432000,
+      enabled: true
+    }
+  },
+  { name: 'Verification Email (Code)', template: null },
+  { name: 'Welcome Email', template: null },
+  { name: 'Enroll in Multifactor Authentication', template: null },
+  { name: 'Change Password (Link)', template: null },
+  { name: 'Change Password (Code)', template: null },
+  { name: 'Blocked Account Email', template: null },
+  { name: 'Password Breach Alert', template: null },
+  { name: 'Verification Code for Email MFA', template: null },
+  { name: 'User Invitation', template: null }
+]
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkEmailTemplates(options) {
+  const { emailTemplates } = options || [];
+  return executeCheck("checkEmailTemplates", (callback) => {
+    const report = [];
+    if (_.isEmpty(emailTemplates)) {
+      report.push({
+        field: "email_templates_not_configured",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    emailTemplates.forEach((t) => {
+      if (_.isEmpty(t.template)) {
+        report.push({
+          field: "email_template_not_configured",
+          status: CONSTANTS.FAIL,
+          attr: t.name,
+          value: t.name,
+        });
+        return;
+      }
+      if (t.template.enabled) {
+        report.push({
+          field: "email_template_enabled",
+          status: CONSTANTS.SUCCESS,
+          attr: t.template.template,
+          value: t.template.template,
+        });
+      } else {
+        report.push({
+          field: "email_template_not_enabled",
+          status: CONSTANTS.FAIL,
+          attr: t.name,
+          value: t.name,
+        });
+      }
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkEmailTemplates;

package/analyzer/lib/error_page_template/checkErrorPageTemplate.js

@@ -0,0 +1,153 @@
+/*
+{
+   "enabled_locales":[
+      "en"
+   ],
+   "error_page":{
+      "html":"<html>",
+      "show_log_link":false,
+      "url":""
+   },
+   "flags":{
+      "allow_changing_enable_sso":false,
+      "allow_legacy_delegation_grant_types":true,
+      "allow_legacy_ro_grant_types":true,
+      "allow_other_legacy_grant_types":true,
+      "disable_impersonation":true,
+      "enable_sso":true,
+      "universal_login":true,
+      "revoke_refresh_token_grant":false,
+      "disable_clickjack_protection_headers":false
+   },
+   "sandbox_version":"22",
+   "oidc_logout":{
+      "rp_logout_end_session_endpoint_discovery":true
+   },
+   "sandbox_versions_available":[
+      "22",
+      "18",
+      "16"
+      ]
+  }
+ */
+
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const logger = require("../logger");
+
+/**
+ * Patterns that indicate potential XSS vulnerabilities in LiquidJS templates
+ */
+const XSS_PATTERNS = {
+  // Unescaped variable output - {{ variable }} without proper escaping
+  UNESCAPED_OUTPUT: /\{\{\s*([^}|]+?)(?:\s*\|\s*(?!escape|escape_once|h|html_escape)([^}]*))?\s*\}\}/g,
+
+  // Raw/unescaped filters that bypass HTML escaping
+  RAW_FILTERS: /\{\{\s*[^}]*\|\s*(raw|unescaped|safe)\s*\}\}/g,
+
+  // Direct HTML construction with variables
+  HTML_CONSTRUCTION: /<[^>]*\{\{[^}]*\}\}[^>]*>/g,
+
+  // JavaScript context insertions (dangerous)
+  SCRIPT_CONTEXT: /<script[^>]*>[\s\S]*?\{\{[^}]*\}\}[\s\S]*?<\/script>/gi,
+
+  // Event handler attributes with Liquid variables
+  EVENT_HANDLERS: /on\w+\s*=\s*["'][^"']*\{\{[^}]*\}\}[^"']*["']/gi,
+
+  // URL/href context without proper encoding
+  URL_CONTEXT: /href\s*=\s*["'][^"']*\{\{[^}]*\}\}[^"']*["']/gi,
+
+  // Style attribute context
+  STYLE_CONTEXT: /style\s*=\s*["'][^"']*\{\{[^}]*\}\}[^"']*["']/gi,
+
+  // Potentially dangerous user-controlled variables
+  USER_VARIABLES: /\{\{\s*(user\.|client\.|application\.)/g,
+};
+
+/**
+ * Safe filters that provide XSS protection
+ */
+const SAFE_FILTERS = [
+  'escape',
+  'escape_once',
+  'h',
+  'html_escape',
+  'url_encode',
+  'uri_escape',
+  'cgi_escape'
+];
+
+async function checkErrorPageTemplate(options) {
+  const { errorPageTemplate } = options || {};
+  return executeCheck("checkErrorPageTemplate", (callback) => {
+    const report = [];
+    logger.log("info", `Checking error page templates... ${errorPageTemplate}`);
+
+    if (_.isEmpty(errorPageTemplate)) {
+      report.push({
+        field: "liquidjs_no_templates_to_analyze",
+        status: CONSTANTS.SUCCESS,
+        value: "No custom error page templates found to analyze for XSS"
+      });
+      return callback(report);
+    }
+
+    // Check for potential matches first
+    const potentialMatches = errorPageTemplate.match(XSS_PATTERNS.UNESCAPED_OUTPUT);
+    logger.log("info", `Checking error page templates... ${potentialMatches}`);
+
+    // Check for raw filters first (before checking unescaped)
+    const raw = errorPageTemplate.match(XSS_PATTERNS.RAW_FILTERS);
+    if (raw) {
+      logger.log("info", `logging error page template raw: ${raw}`);
+      report.push({
+        field: "liquidjs_raw_filter_usage",
+        status: CONSTANTS.FAIL,
+        value: JSON.stringify(raw),
+      });
+    } else {
+      report.push({
+        field: "liquidjs_raw_filter_usage",
+        status: CONSTANTS.SUCCESS,
+        value: JSON.stringify(raw) || "null",
+      });
+    }
+
+    // Now check for unescaped output, filtering out properly escaped variables
+    const unescaped = errorPageTemplate.match(XSS_PATTERNS.UNESCAPED_OUTPUT);
+    if (unescaped) {
+      // Filter out variables that actually have safe filters
+      const actuallyUnescaped = unescaped.filter(match => {
+        // Check if this match contains any safe filter
+        return !SAFE_FILTERS.some(filter =>
+          match.includes(`| ${filter}`) || match.includes(`|${filter}`)
+        );
+      });
+
+      if (actuallyUnescaped.length > 0) {
+        report.push({
+          field: "liquidjs_unescaped_output",
+          status: CONSTANTS.FAIL,
+          value: JSON.stringify(actuallyUnescaped),
+        });
+      } else {
+        report.push({
+          field: "liquidjs_unescaped_output",
+          status: CONSTANTS.SUCCESS,
+          value: "All variables properly escaped",
+        });
+      }
+    } else {
+      report.push({
+        field: "liquidjs_unescaped_output",
+        status: CONSTANTS.SUCCESS,
+        value: "No Liquid variables found",
+      });
+    }
+
+    return callback(report);
+  });
+}
+
+module.exports = checkErrorPageTemplate;

package/analyzer/lib/event_streams/checkEventStreams.js

@@ -0,0 +1,71 @@
+/*
+
+  "eventStreams": [
+    {
+      "id": "est_jtCx6JaM4zvimx9N7enZ7p",
+      "status": "enabled|disabled",
+      "name": "Test Event Streams",
+      "subscriptions": [
+        {
+          "event_type": "user.created"
+        },
+        {
+          "event_type": "user.updated"
+        },
+        {
+          "event_type": "user.deleted"
+        }
+      ],
+      "created_at": "2025-05-30T04:08:17.775Z",
+      "updated_at": "2025-05-30T04:08:56.303Z",
+      "destination": {
+        "type": "webhook",
+        "configuration": {
+          "webhook_endpoint": "https://localhost/webhook",
+          "webhook_authorization": {
+            "method": "bearer"
+          }
+        }
+      }
+    }
+  ]
+}
+*/
+
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkEventStreams(options) {
+  const { eventStreams } = options;
+  return executeCheck("checkEventStreams", (callback) => {
+    const report = [];
+    const hasInsufficientScope = _.some(eventStreams, {
+      errorCode: "insufficient_scope",
+    });
+    if (hasInsufficientScope) {
+      return callback(report);
+    }
+    if (_.isEmpty(eventStreams)) {
+      report.push({
+        field: "event_stream_not_configured",
+        status: CONSTANTS.FAIL,
+      });
+    } else {
+        eventStreams.forEach((stream) => {
+        if (stream.status !== "enabled") {
+          report.push({
+            field: "event_stream_disabled",
+            name: stream.name,
+            type: stream?.destination.type,
+            stream_status: stream.status,
+            status: CONSTANTS.FAIL,
+          });
+        }
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkEventStreams;