@auth0/auth0-checkmate 1.4.0

package/analyzer/lib/tenant_settings/checkSessionLifetime.js

@@ -0,0 +1,95 @@
+
+/*
+{
+  "allowed_logout_urls": [
+    "https://contoso.com"
+  ],
+  "flags": {
+    "allow_changing_enable_sso": true,
+    "disable_impersonation": true,
+    "enable_dynamic_client_registration": true, // Can be false or undefined
+    "enable_sso": true,
+    "universal_login": true,
+    "revoke_refresh_token_grant": false,
+    "disable_clickjack_protection_headers": false
+  },
+  "default_redirection_uri": "https://contoso.com/login",
+  "idle_session_lifetime": 72, //default
+  "session_lifetime": 168, //default
+  "oidc_logout": {
+    "rp_logout_end_session_endpoint_discovery": true
+  },
+  "session_cookie": {
+    "mode": "persistent" //default
+  },
+  "support_email": "",
+  "support_url": "",
+  "sandbox_version": "22",
+  "sandbox_versions_available": [
+    "22",
+    "18",
+    "16",
+    "12"
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkSessionLifetime(options) {
+  const { tenant } = options || {};
+  return executeCheck("checkSessionLifetime", (callback) => {
+    const report = [];
+    if (_.isEmpty(tenant)) {
+      report.push({
+        field: "tenant_setting_missing",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    const { idle_session_lifetime, session_lifetime, session_cookie  } = tenant;
+    if (_.isEmpty(idle_session_lifetime)) {
+      report.push({
+        field: "idle_session_lifetime",
+        value: CONSTANTS.DEFAULT_IDLE_SESSION_LIFETIME,
+        status: CONSTANTS.FAIL, //to surface this configuration in the report
+      });         
+    } else {
+      report.push({
+        field: "idle_session_lifetime",
+        value: `${idle_session_lifetime}h`,
+        status: CONSTANTS.FAIL, //to surface this configuration in the report
+      }); 
+    }
+    if (_.isEmpty(session_lifetime)) {
+      report.push({
+        field: "session_lifetime",
+        value: CONSTANTS.DEFAULT_SESSION_LIFETIME,
+        status: CONSTANTS.FAIL, //to surface this configuration in the report
+      });          
+    } else {
+      report.push({
+        field: "session_lifetime",
+        value: `${session_lifetime}h`,
+        status: CONSTANTS.FAIL, //to surface this configuration in the report
+      });         
+    }
+    if (_.isEmpty(session_cookie)) {
+      report.push({
+        field: "session_cookie_mode",
+        value: CONSTANTS.DEFAULT_SESSION_COOKIE_MODE,
+        status: CONSTANTS.FAIL, //to surface this configuration in the report
+      });          
+    } else {
+      report.push({
+        field: "session_cookie_mode",
+        value: session_cookie?.mode,
+        status: CONSTANTS.FAIL, //to surface this configuration in the report
+      });         
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkSessionLifetime;

package/analyzer/lib/tenant_settings/checkSupportEmail.js

@@ -0,0 +1,61 @@
+/*
+{
+  "allowed_logout_urls": [
+    "https://contoso.com"
+  ],
+  "default_redirection_uri": "https://contoso.com/login",
+  "support_email": "",
+  "support_url": "",
+  "sandbox_version": "22",
+  "sandbox_versions_available": [
+    "22",
+    "18",
+    "16",
+    "12"
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+const defaultValues = {
+  allowed_logout_urls: [],
+  default_redirection_uri: [],
+  default_audience: "",
+  default_directory: "",
+  support_email: null,
+  support_url: null,
+};
+function checkSupportEmail(options) {
+  const { tenant } = options || {};
+  return executeCheck("checkSupportEmail", (callback) => {
+    const report = [];
+    if (_.isEmpty(tenant)) {
+      report.push({
+        field: "tenant_setting_missing",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    const { support_email } = _.defaultsDeep({}, tenant, defaultValues);
+
+    if (support_email) {
+      report.push({
+        field: "support_email",
+        attr: "support_email",
+        value: support_email,
+        status: CONSTANTS.SUCCESS,
+      });
+    } else {
+      report.push({
+        field: "no_support_email",
+        attr: "support_email",
+        status: CONSTANTS.FAIL,
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkSupportEmail;

package/analyzer/lib/tenant_settings/checkSupportUrl.js

@@ -0,0 +1,61 @@
+/*
+{
+  "allowed_logout_urls": [
+    "https://contoso.com"
+  ],
+  "default_redirection_uri": "https://contoso.com/login",
+  "support_email": "",
+  "support_url": "",
+  "sandbox_version": "22",
+  "sandbox_versions_available": [
+    "22",
+    "18",
+    "16",
+    "12"
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+const defaultValues = {
+  allowed_logout_urls: [],
+  default_redirection_uri: [],
+  default_audience: "",
+  default_directory: "",
+  support_email: null,
+  support_url: null,
+};
+function checkSupportUrl(options) {
+  const { tenant } = options || {};
+  return executeCheck("checkSupportUrl", (callback) => {
+    const report = [];
+    if (_.isEmpty(tenant)) {
+      report.push({
+        field: "tenant_setting_missing",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    const { support_url } = _.defaultsDeep({}, tenant, defaultValues);
+
+    if (support_url) {
+      report.push({
+        field: "support_url",
+        attr: "support_url",
+        value: support_url,
+        status: CONSTANTS.SUCCESS,
+      });
+    } else {
+      report.push({
+        field: "no_support_url",
+        attr: "support_url",
+        status: CONSTANTS.FAIL,
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkSupportUrl;

package/analyzer/lib/tenant_settings/checkTenantLoginUrl.js

@@ -0,0 +1,71 @@
+/*
+{
+  "allowed_logout_urls": [
+    "https://contoso.com"
+  ],
+  "default_redirection_uri": "https://contoso.com/login",
+  "support_email": "",
+  "support_url": "",
+  "sandbox_version": "22",
+  "sandbox_versions_available": [
+    "22",
+    "18",
+    "16",
+    "12"
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const defaultValues = {
+  allowed_logout_urls: [],
+  default_redirection_uri: "",
+  default_audience: "",
+  default_directory: "",
+  support_email: null,
+  support_url: null,
+};
+function checkTenantLoginUrl(options) {
+  const { tenant } = options || {};
+  return executeCheck("checkTenantLoginUrl", (callback) => {
+    const report = [];
+    const { default_redirection_uri } = _.defaultsDeep(
+      {},
+      tenant,
+      defaultValues,
+    );
+    // allowed_logout_urls
+    const insecurePatterns = CONSTANTS.INSECURE_URL_PATTERN; //['localhost', 'http://', '127.0.0.1'];
+    //default_redirection_uri
+    if (_.isEmpty(default_redirection_uri)) {
+      report.push({
+        field: "no_default_redirection_uri",
+        attr: "default_redirection_uri",
+        status: CONSTANTS.FAIL,
+      });
+    } else {
+      const subArr = insecurePatterns.filter((str) =>
+        default_redirection_uri.includes(str),
+      );
+      if (subArr.length > 0) {
+        report.push({
+          field: "invalid_default_redirection_uri",
+          attr: "default_redirection_uri",
+          value: default_redirection_uri,
+          status: CONSTANTS.FAIL,
+        });
+      } else {
+        report.push({
+          field: "default_redirection_uri",
+          attr: "default_redirection_uri",
+          value: default_redirection_uri,
+          status: CONSTANTS.SUCCESS,
+        });
+      }
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkTenantLoginUrl;

package/analyzer/lib/tenant_settings/checkTenantLogoutUrl.js

@@ -0,0 +1,60 @@
+/*
+{
+  "allowed_logout_urls": [
+    "https://contoso.com"
+  ],
+  "default_redirection_uri": "https://contoso.com/login",
+  "support_email": "",
+  "support_url": "",
+  "sandbox_version": "22",
+  "sandbox_versions_available": [
+    "22",
+    "18",
+    "16",
+    "12"
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const defaultValues = {
+  allowed_logout_urls: [],
+  default_redirection_uri: [],
+  default_audience: "",
+  default_directory: "",
+  support_email: null,
+  support_url: null,
+};
+function checkTenantLogoutUrl(options) {
+  const { tenant } = options || {};
+  return executeCheck("checkTenantLogoutUrl", (callback) => {
+    const report = [];
+    const { allowed_logout_urls } = _.defaultsDeep({}, tenant, defaultValues);
+    // allowed_logout_urls
+    const insecurePatterns = CONSTANTS.INSECURE_URL_PATTERN;
+    if (allowed_logout_urls.length === 0) {
+      report.push({
+        field: "missing_allowed_logout_urls",
+        attr: "allowed_logout_urls",
+        value: ["[]"].join(","),
+        status: CONSTANTS.FAIL,
+      });
+    } else {
+      allowed_logout_urls.forEach((url) => {
+        const subArr = insecurePatterns.filter((str) => url.includes(str));
+        if (subArr.length > 0) {
+          report.push({
+            field: "invalid_allowed_logout_urls",
+            attr: "allowed_logout_urls",
+            value: url,
+            status: CONSTANTS.FAIL,
+          });
+        }
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkTenantLogoutUrl;