@auth0/auth0-checkmate 1.6.13 → 1.6.15

package/analyzer/lib/actions/checkPasswordResetMFA.js

@@ -0,0 +1,128 @@
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const acorn = require("acorn");
+const walk = require("estree-walker").walk;
+
+/**
+ * Scans the Action code for calls to MFA challenge methods.
+ * Returns boolean if challenge is found.
+ */
+function hasMFAChallenge(code, scriptName) {
+  let challengeFound = false;
+  let ast;
+
+  try {
+    ast = acorn.parse(code || "", {
+      ecmaVersion: "latest",
+      locations: true,
+    });
+  } catch (e) {
+    if (e instanceof SyntaxError) {
+      console.error(`[ACORN PARSE ERROR] Skipping script "${scriptName}" due to malformed code`);
+      return [];
+    }
+    throw e;
+  }
+
+  walk(ast, {
+    enter(node) {
+      if (node.type === "CallExpression") {
+        const callee = node.callee;
+        
+        function getMemberExpressionPath(expr) {
+          if (expr.type === "Identifier") return expr.name;
+          if (expr.type === "MemberExpression") {
+            const obj = getMemberExpressionPath(expr.object);
+            const prop = expr.property.name;
+            return obj ? `${obj}.${prop}` : prop;
+          }
+          return null;
+        }
+
+        const path = getMemberExpressionPath(callee);
+        if (path === "api.authentication.challengeWith" || path === "api.authentication.challengeWithAny") {
+          challengeFound = true;
+        }
+      }
+    },
+  });
+
+  return challengeFound;
+}
+
+/**
+ * Main validator for Actions targeting the password-reset trigger.
+ */
+function checkPasswordResetMFA(options) {
+  const { actions, databases } = options || {};
+  
+  return executeCheck("checkPasswordResetMFA", (callback) => {
+    // 1. Check for Active Password DBs (Same as before)
+    const hasActivePasswordDb = _.some(databases, (db) => {
+      const authMethods = db.options?.authentication_methods;
+      return db.strategy === "auth0" && (!authMethods || authMethods.password?.enabled !== false);
+    });
+
+    if (!hasActivePasswordDb) return callback([]); 
+
+    const actionsList = _.isArray(actions) ? actions : actions.actions;
+    if (_.isEmpty(actionsList)) {
+      return callback([{ name: "Actions", report: [{ field: "no_actions_configured", status: CONSTANTS.WARN }] }]);
+    }
+
+    // 2. Aggregate scan across ALL relevant actions
+    let passwordResetActionsFound = [];
+    let anyActionHasMFA = false;
+
+    for (const action of actionsList) {
+      const triggers = action.supported_triggers || [];
+      const isPassReset = triggers.some(t => t.id === "password-reset-post-challenge");
+      if (isPassReset) { // deployed_version.deployed
+        passwordResetActionsFound.push(action.name);
+        if (hasMFAChallenge(action.code, action.name)) {
+          anyActionHasMFA = true;
+        }
+      }
+    }
+
+    const reports = [];
+    const flowName = "Password Reset Flow";
+
+    // 3. Logic for the single finding report
+    if (passwordResetActionsFound.length === 0) {
+      reports.push({ 
+        name: "Password Reset Flow", 
+        report: [{ 
+            scriptName: flowName,
+            name: flowName, 
+            status: CONSTANTS.WARN,
+            variableName: "api.authentication.challengeWith",
+            line: "N/A",
+            column: "N/A",
+            field: "no_password_reset_action",
+        }] 
+      });
+    } else if (!anyActionHasMFA) {
+      // NONE of the password reset actions had MFA
+      reports.push({ 
+        name: "Password Reset Flow", 
+        report: [{ 
+          scriptName: `${passwordResetActionsFound.join(", ")}`, 
+          status: CONSTANTS.WARN,
+          name: flowName,
+          variableName: "api.authentication.challengeWith",
+          line: "N/A",
+          column: "N/A",
+          field: "missing_mfa_step",
+        }]      
+      });
+    } else {
+        // found an MFA challenge on password reset
+    }
+
+    return callback(reports);
+  });
+}
+
+module.exports = checkPasswordResetMFA;

package/analyzer/lib/actions/checkUserEnumeration.js

@@ -0,0 +1,102 @@
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const acorn = require("acorn");
+const walk = require("estree-walker").walk;
+
+/**
+ * Scans the Action code for calls to api.access.deny()
+ * to warn about potential user enumeration vulnerabilities.
+ */
+function detectAccessDeny(code, scriptName) {
+  const findings = [];
+
+  let ast;
+  try {
+    ast = acorn.parse(code || "", {
+      ecmaVersion: "latest",
+      locations: true,
+    });
+  } catch (e) {
+    if (e instanceof SyntaxError) {
+      console.error(`[ACORN PARSE ERROR] Skipping script "${scriptName}" due to malformed code`);
+      return [];
+    }
+    throw e;
+  }
+
+    walk(ast, {
+    enter(node) {
+        if (node.type === "CallExpression") {
+        const callee = node.callee;
+        
+        // Helper function to reconstruct the property chain (e.g., "api.access.deny")
+        function getMemberExpressionPath(expr) {
+            if (expr.type === "Identifier") return expr.name;
+            if (expr.type === "MemberExpression") {
+            const obj = getMemberExpressionPath(expr.object);
+            const prop = expr.property.name;
+            return obj ? `${obj}.${prop}` : prop;
+            }
+            return null;
+        }
+
+        const path = getMemberExpressionPath(callee);
+
+        // This will now catch api.access.deny regardless of how Acorn nests the objects
+        if (path === "api.access.deny") {
+            findings.push({
+            scriptName: scriptName,
+            field: "user_enumeration_vulnerability",
+            status: CONSTANTS.WARN,
+            line: node.loc?.start?.line || "N/A",
+            column: node.loc?.start?.column || "N/A",
+            // We add this to match the grouping logic in report.js
+            variableName: "api.access.deny" 
+            });
+        }
+        }
+    },
+    });
+
+  return findings;
+}
+
+/**
+ * Main validator for Actions targeting the pre-user-registration trigger.
+ */
+function checkPreRegistrationUserEnumeration(options) {
+  const { actions } = options || [];
+  
+  return executeCheck("checkPreRegistrationUserEnumeration", (callback) => {
+    const actionsList = _.isArray(actions) ? actions : actions.actions;
+    const reports = [];
+
+    if (_.isEmpty(actionsList)) {
+      return callback(reports);
+    }
+
+    for (const action of actionsList) {
+      const triggers = action.supported_triggers || [];
+   
+      const isPreReg = triggers.some(t => t.id === "pre-user-registration");
+      // Only scan if the action is part of the pre-user-registration trigger
+      if (!isPreReg) continue;
+
+      const actionName = `${action.name} (pre-user-registration)`;
+
+      try {
+        const findings = detectAccessDeny(action.code, actionName);
+        if (findings.length > 0) {
+          reports.push({ name: actionName, report: findings });
+        }
+      } catch (e) {
+        console.error(`[CHECK ERROR] Skipping Actions "${actionName}" due to error: ${e.message}`);
+        continue;
+      }
+    }
+    return callback(reports);
+  });
+}
+
+module.exports = checkPreRegistrationUserEnumeration;

package/analyzer/lib/clients/checkAllowedLogoutUrl.js

@@ -77,6 +77,11 @@ function checkURLsForApp(app) {
     return report;
   }
   allowed_logout_urls.forEach((url) => {
+    if (!url) {
+      // Skip null/undefined/empty URLs and log warning
+      console.warn(`[WARNING] App "${app.name}" (${app.client_id}) has null/undefined URL in allowed_logout_urls`);
+      return;
+    }
     const subArr = insecurePatterns.filter((str) => url.includes(str));
     if (subArr.length > 0) {
       report.push({

package/analyzer/report.js

@@ -307,6 +307,8 @@ async function generateReport(locale, tenantConfig, config) {
             });
           });
           break;
+        case "checkPasswordResetMFA":  
+        case "checkPreRegistrationUserEnumeration":
         case "checkActionsHardCodedValues":
         case "checkDASHardCodedValues":
           report.disclaimer = i18n.__(`${report.name}.disclaimer`);

package/locales/en.json

@@ -135,7 +135,9 @@
 			"items": [
 				"NPM Dependencies",
 				"Actions Runtime",
-				"Hardcoded Artifacts"
+				"Hardcoded Artifacts",
+				"Information Leakage in Signup Flow",
+				"MFA for Password Reset"
 			]
 		},
 		{
@@ -1369,6 +1371,67 @@
 		"hard_coded_value_detected": "Variable name <b>%s</b> at line <b>%d</b> and column <b>%d</b>.",
 		"action_script_title": "Identified potential hardcoded credentials in <b>\"%s\"</b> script at:"
 	},
+	"checkPreRegistrationUserEnumeration": {
+		"title": "Information Leakage in Signup Flow",
+		"category": "Actions",
+		"advisory": {
+			"issue": "Exposing sensitive information during a signup attempt",
+			"description": {
+				"what_it_is": "User enumeration occurs when an application reveals whether a user exists in the system based on the response provided during actions like registration.",
+				"why_its_risky": [
+					"Using 'api.access.deny' in a Pre-User Registration Action to block signups from existing accounts may allow attackers to programmatically 'scrape' or verify which of your customers have accounts.",
+					"If a Pre-User Registration Action is rejecting a signup attempt based on internal risk scoring then threat actors may leverage this information to tune their methods to evade detection.",
+					"Disclosing account existance or or exposing risk scoring approaches in the Action, enables threat actors to more easily perform targeted attacks like phishing and credential stuffing, "
+				]
+			},
+			"how_to_fix": [
+				"Avoid using 'api.access.deny' in Pre-Registration Actions to notify users that an account is already registered or to notify them that risk level of the request was assessed to be too great.",
+				"All registration attempts should receive a generic success response. If an account already exists, consider triggering a secure, automated email to the registered address informing the user of the attempt. This maintains a seamless user experience while protecting account privacy."
+			]
+		},
+		"description": "Analyzes Pre-User Registration Actions for the use of 'api.access.deny', which can leak information or enable user enumeration.",
+		"docsPath": [
+			"https://auth0.com/docs/customize/actions/action-coding-guidelines"
+		],
+		"severity": "Low",
+		"status": "green",
+		"severity_message": "Potential user enumeration detected in a Pre User Registration Action.",
+		"user_enumeration_vulnerability": "Found <b>%s</b> at line <b>%d</b>, column <b>%d</b> which may leak information.",
+		"action_script_title": "Identified usage of api.access.deny in <b>\"%s\"</b> Action script:",
+		"disclaimer": "Please review the Action to determine if any information is exposed that may be useful to a threat actor."
+	},
+	"checkPasswordResetMFA": {
+		"title": "MFA for Password Reset",
+		"category": "Actions",
+		"advisory": {
+			"issue": "Missing MFA Challenge during Password Reset",
+			"description": {
+				"what_it_is": "This check verifies if your Password Reset Post Challenge Action requires a second factor before allowing a user to change their password.",
+				"why_its_risky": [
+					"If an attacker gains access to a user's email account, they can trigger a password reset and take over the identity without any further verification.",
+					"MFA during password reset ensures that even with a compromised email, the attacker has to overcome the secondary factor challenge."
+				]
+			},
+			"how_to_fix": [
+				"Create or update an Action in the Password Reset Post Challenge flow.",
+				"Use 'api.authentication.challengeWith()' to trigger an MFA challenge for users who have enrolled factors.",
+				"Ensure the Action is 'Deployed' and attached to the Password Reset trigger in the Auth0 Pipeline."
+			]
+		},
+		"description": "Analyzes Password Reset Actions to ensure MFA is being enforced as an additional security layer.",
+		"docsPath": [
+			"https://auth0.com/docs/customize/actions/explore-triggers/password-reset-triggers"
+		],
+		"severity": "Moderate",
+		"status": "yellow",
+		"severity_message": "an MFA Challenge is not detected in the Password Reset flow.",
+		"mfa_challenge_detected": "MFA Challenge (<b>%s</b>) correctly implemented at line <b>%d</b>.",
+		"missing_mfa_step": "Action script exists but does not appear to trigger an MFA challenge.",
+		"no_password_reset_action": "No Action is currently configured for the Password Reset trigger. Password resets are only protected by email access.",
+		"no_actions_configured": "No Actions found in tenant.",
+		"disclaimer": "This finding may be a false positive if Identity Proofing or similar mitigation is enforced elsewhere in the authentication or password reset workflow. Verify any alternative security controls are active before dismissing this recommendation.",
+		"action_script_title": "A deployed Password Reset Action that triggers an MFA challenge was not found based on searching for the 'api.authentication.challengeWith()' or equivalent method."
+	},
 	"checkCanonicalDomain": {
 		"title": "Auth0 Domain Check",
 		"category": "Canonical Domain",
@@ -1414,4 +1477,4 @@
 			"https://auth0.com/docs/customize/events/event-testing-observability-and-failure-recovery"
 		]
 	}
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth0/auth0-checkmate",
-  "version": "1.6.13",
+  "version": "1.6.15",
   "description": "A command line tool for checking configuration of your Auth0 tenant",
   "main": "analyzer/report.js",
   "scripts": {

package/tests/actions/checkPasswordResetMFA.test.js

@@ -0,0 +1,122 @@
+const chai = require("chai");
+const expect = chai.expect;
+const checkPasswordResetMFA = require("../../analyzer/lib/actions/checkPasswordResetMFA"); 
+
+describe("checkPasswordResetMFA", function () {
+  // Mock Database Connection to trigger the validator's logic
+  const mockDbConnections = [{ id: "con_1", strategy: "auth0", name: "Username-Password-Authentication" }];
+  // Mock Social Connection only
+  const mockSocialConnections = [{ id: "con_2", strategy: "google-oauth2", name: "google" }];
+
+  it("should return SUCCESS when a password-reset-post-challenge action correctly implements MFA challenges", async function () {
+    const input = {
+      databases: mockDbConnections, 
+      actions: {
+        actions: [
+          {
+            id: "pw-reset-mfa-ok",
+            name: "Secure Reset",
+            supported_triggers: [{ id: "password-reset-post-challenge", version: "v1" }],
+            code: `exports.onExecutePostChallenge = async (event, api) => {
+              api.authentication.challengeWithAny();
+            };`,
+          },
+        ],
+      },
+    };
+
+    const reports = await checkPasswordResetMFA(input);
+    expect(reports.details).to.have.lengthOf(0);
+  });
+
+  it("should return WARN when a password-reset-post-challenge action exists but is missing the MFA challenge", async function () {
+    const input = {
+      databases: mockDbConnections, 
+      actions: {
+        actions: [
+          {
+            id: "pw-reset-weak",
+            name: "Weak Reset",
+            supported_triggers: [{ id: "password-reset-post-challenge", version: "v1" }],
+            code: `exports.onExecutePostChallenge = async (event, api) => { return; };`,
+          },
+        ],
+      },
+    };
+
+    const reports = await checkPasswordResetMFA(input);
+    expect(reports.details).to.have.lengthOf(1);
+    expect(reports.details[0].report[0].field).to.equal("missing_mfa_step");
+  });
+
+  it("should return NO FINDINGS for a Social-Only tenant (Passwordless)", async function () {
+    const input = {
+      databases: mockSocialConnections, // Only Social
+      actions: {
+        actions: [
+          {
+            id: "action-1",
+            name: "Some Action",
+            supported_triggers: [{ id: "password-reset-post-challenge", version: "v1" }],
+            code: `exports.onExecutePostChallenge = async (event, api) => { return; };`,
+          },
+        ],
+      },
+    };
+
+    const reports = await checkPasswordResetMFA(input);
+    // Should be empty because password reset doesn't apply to Social-only tenants
+    expect(reports.details).to.be.an("array").that.is.empty;
+  });
+
+  it("should ignore MFA challenges in actions that are NOT part of the password-reset flow", async function () {
+    const input = {
+      databases: mockDbConnections, 
+      actions: {
+        actions: [
+          {
+            id: "login-mfa",
+            name: "Login MFA",
+            supported_triggers: [{ id: "post-login", version: "v3" }],
+            code: 'exports.onExecutePostLogin = async (event, api) => { api.authentication.challengeWithAny(); };',
+          },
+        ],
+      },
+    };
+
+    const reports = await checkPasswordResetMFA(input);
+    expect(reports.details).to.have.lengthOf(1);
+    expect(reports.details[0].report[0].field).to.equal("no_password_reset_action");
+  });
+
+  it("should detect alternate challenge methods like challengeWith", async function () {
+    const input = {
+      databases: mockDbConnections, 
+      actions: {
+        actions: [
+          {
+            id: "pw-reset-otp",
+            name: "OTP Reset",
+            supported_triggers: [{ id: "password-reset-post-challenge", version: "v1" }],
+            code: `exports.onExecutePostChallenge = async (event, api) => {
+              api.authentication.challengeWith({ type: 'otp' });
+            };`,
+          },
+        ],
+      },
+    };
+
+    const reports = await checkPasswordResetMFA(input);
+    expect(reports.details).to.have.lengthOf(0);
+  });
+
+  it("should return a warning if the actions list is entirely empty but DB connections exist", async function () {
+    const input = { 
+      databases: mockDbConnections, 
+      actions: { actions: [] } 
+    };
+    const reports = await checkPasswordResetMFA(input);
+    
+    expect(reports.details[0].report[0].field).to.equal("no_actions_configured");
+  });
+});

package/tests/actions/checkUserEnumeration.test.js

@@ -0,0 +1,102 @@
+const chai = require("chai");
+const expect = chai.expect;
+const checkPreRegistrationUserEnumeration = require("../../analyzer/lib/actions/checkUserEnumeration"); 
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkPreRegistrationUserEnumeration", function () {
+  it("should return an empty array when no pre-registration actions use api.access.deny", async function () {
+    const input = {
+      actions: {
+        actions: [
+          {
+            id: "12345",
+            name: "Safe Action",
+            supported_triggers: [{ id: "pre-user-registration", version: "v1" }],
+            code: "exports.onExecutePreUserRegistration = async (event, api) => { return; };",
+          },
+        ],
+      },
+    };
+
+    const reports = await checkPreRegistrationUserEnumeration(input);
+    expect(reports.details).to.be.an("array").that.is.empty;
+  });
+
+  it("should ignore api.access.deny in actions that are NOT pre-user-registration", async function () {
+    const input = {
+      actions: {
+        actions: [
+          {
+            id: "67890",
+            name: "Post Login Deny",
+            supported_triggers: [{ id: "post-login", version: "v3" }],
+            code: 'exports.onExecutePostLogin = async (event, api) => { api.access.deny("Access Denied"); };',
+          },
+        ],
+      },
+    };
+
+    const reports = await checkPreRegistrationUserEnumeration(input);
+    expect(reports.details).to.be.an("array").that.is.empty;
+  });
+
+  it("should detect api.access.deny in pre-user-registration action code", async function () {
+    const input = {
+      actions: {
+        actions: [
+          {
+            id: "auth0-vulnerability-test",
+            name: "User Check",
+            supported_triggers: [{ id: "pre-user-registration", version: "v1" }],
+            code: `exports.onExecutePreUserRegistration = async (event, api) => {
+              if(event.user.email === "test@example.com") {
+                api.access.deny("User already exists", "Testing user enumeration vuln");
+              }
+            };`,
+          },
+        ],
+      },
+    };
+
+    const reports = await checkPreRegistrationUserEnumeration(input);
+    
+    expect(reports.details).to.have.lengthOf(1);
+    const detail = reports.details[0];
+    
+    expect(detail.name).to.equal("User Check (pre-user-registration)");
+    expect(detail.report).to.have.lengthOf(1);
+    
+    const finding = detail.report[0];
+    expect(finding.variableName).to.equal("api.access.deny");
+    expect(finding.field).to.equal("user_enumeration_vulnerability");
+    expect(finding.status).to.equal(CONSTANTS.WARN);
+    // Line 3 is where the call starts in the template string above
+    expect(finding.line).to.equal(3); 
+  });
+
+  it("should flag multiple occurrences of api.access.deny in the same action", async function () {
+    const input = {
+      actions: {
+        actions: [
+          {
+            id: "multi-deny",
+            name: "Strict Validation",
+            supported_triggers: [{ id: "pre-user-registration", version: "v1" }],
+            code: `exports.onExecutePreUserRegistration = async (event, api) => {
+              if (!event.user.email) api.access.deny("duplicate emaill");
+              if (event.user.name === 'admin') api.access.deny("high risk");
+            };`,
+          },
+        ],
+      },
+    };
+
+    const reports = await checkPreRegistrationUserEnumeration(input);
+    
+    expect(reports.details).to.have.lengthOf(1);
+    const reportList = reports.details[0].report;
+    expect(reportList).to.have.lengthOf(2);
+    expect(reportList[0].variableName).to.equal("api.access.deny");
+    expect(reportList[1].variableName).to.equal("api.access.deny");
+  });
+});

package/tests/clients/checkAllowedLogoutUrl.test.js

@@ -146,4 +146,47 @@ describe("checkAllowedLogoutUrl", function () {
       ]);
     });
   });
+
+  it("should handle null/undefined URLs in allowed_logout_urls array without crashing", function () {
+    const options = {
+      clients: [
+        {
+          name: "Test App with Null URLs",
+          client_id: "client_with_null",
+          allowed_logout_urls: ["https://contoso.com", null, "http://localhost:3000", undefined], // Contains null and undefined
+          app_type: "spa",
+          is_first_party: false,
+        },
+      ],
+    };
+
+    checkAllowedLogoutUrl(options, (reports) => {
+      // Should only process valid URLs and skip null/undefined
+      expect(reports).to.deep.equal([
+        {
+          name: "Test App with Null URLs (client_with_null)",
+          report: [
+            {
+              name: "Test App with Null URLs (client_with_null)",
+              client_id: "client_with_null",
+              field: "insecure_allowed_logout_urls",
+              value: "http://localhost:3000",
+              status: CONSTANTS.FAIL,
+              app_type: "spa",
+              is_first_party: false,
+            },
+            {
+              name: "Test App with Null URLs (client_with_null)",
+              client_id: "client_with_null",
+              field: "secure_allowed_logout_urls",
+              status: CONSTANTS.SUCCESS,
+              value: "https://contoso.com",
+              app_type: "spa",
+              is_first_party: false,
+            },
+          ],
+        },
+      ]);
+    });
+  });
 });