@auth0/auth0-checkmate 1.6.18 → 1.7.0

package/analyzer/lib/clients/checkDPoP.js

@@ -0,0 +1,71 @@
+/*
+{
+  clients: [
+  {
+    "tenant": "contos0",
+    "global": false,
+    "name": "Default App",
+    "is_first_party": true,
+    "client_id": "client_id",
+    "app_type": "
+    ",
+    "grant_types": [
+      "authorization_code",
+      "refresh_token"
+    ],
+    "require_proof_of_possession": true
+  }
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+const DPOP_RELEVANT_GRANT_TYPES = [
+    "authorization_code",
+    "refresh_token",
+    "client_credentials",
+    "password",
+    "urn:ietf:params:oauth:grant-type:device_code",
+];
+
+function validateDPoPForApp(app) {
+    const enabledGrantTypes = app.grant_types || [];
+    const report = [];
+
+    const hasDPoPRelevantGrant = DPOP_RELEVANT_GRANT_TYPES.some((g) =>
+        enabledGrantTypes.includes(g)
+    );
+
+    if (hasDPoPRelevantGrant && app.require_proof_of_possession !== true) {
+        report.push({
+            name: app.client_id ? app.name.concat(` (${app.client_id})`) : app.name,
+            client_id: app.client_id,
+            field: "require_proof_of_possession",
+            status: CONSTANTS.FAIL,
+            value: app.require_proof_of_possession ?? false,
+            is_first_party: app.is_first_party
+        });
+    }
+
+    return report;
+}
+
+function checkDPoP(options) {
+    return executeCheck("checkDPoP", (callback) => {
+        const { clients } = options || [];
+        const reports = [];
+        if (_.isEmpty(clients)) {
+            return callback(reports);
+        }
+        clients.forEach((client) => {
+            var report = validateDPoPForApp(client);
+            var name = client.name.concat(` (${client.client_id})`);
+            reports.push({ name: name, report: report });
+        });
+        return callback(reports);
+    });
+}
+
+module.exports = checkDPoP;

package/analyzer/lib/resource_servers/checkAPISigningAlgorithm.js

@@ -0,0 +1,76 @@
+/*
+  {
+    "id": "xxxxxxxxxxxx",
+    "name": "test wrong alg",
+    "identifier": "test1",
+    "allow_offline_access": false,
+    "skip_consent_for_verifiable_first_party_clients": true,
+    "subject_type_authorization": {
+      "user": {
+        "policy": "require_client_grant"
+      },
+      "client": {
+        "policy": "require_client_grant"
+      }
+    },
+    "token_lifetime": 86400,
+    "token_lifetime_for_web": 7200,
+    "signing_alg": "HS256",
+    "signing_secret": "xxxxxxxxxxxxxxxxxx",
+    "token_dialect": "access_token"
+  }
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkAPISigningAlgorithm(options) {
+  return executeCheck("checkAPISigningAlgorithm", (callback) => {
+    const { resourceServers } = options;
+    const reports = [];
+
+    if (_.isEmpty(resourceServers)) {
+      return callback(reports);
+    }
+
+    resourceServers.forEach((api) => {
+      // Skip the Auth0 Management API (system API)
+      if (api.is_system) {
+        return;
+      }
+
+      const report = [];
+      const apiDisplayName = api.identifier
+        ? `${api.name} (${api.identifier})`
+        : api.name;
+
+      if (api.signing_alg === "HS256") {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "using_symmetric_alg",
+          status: CONSTANTS.FAIL,
+          value: api.signing_alg,
+          identifier: api.identifier,
+        });
+      } else {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "using_asymmetric_alg",
+          status: CONSTANTS.SUCCESS,
+          value: api.signing_alg || "RS256",
+          identifier: api.identifier,
+        });
+      }
+
+      if (report.length > 0) {
+        reports.push({ name: apiDisplayName, report: report });
+      }
+    });
+
+    return callback(reports);
+  });
+}
+
+module.exports = checkAPISigningAlgorithm;

package/analyzer/lib/resource_servers/checkAPITokenLifetime.js

@@ -0,0 +1,111 @@
+/*
+  {
+    "id": "xxxxxxxxx",
+    "name": "Test long token",
+    "identifier": "test2",
+    "allow_offline_access": true,
+    "skip_consent_for_verifiable_first_party_clients": true,
+    "subject_type_authorization": {
+      "client": {
+        "policy": "require_client_grant"
+      },
+      "user": {
+        "policy": "allow_all"
+      }
+    },
+    "token_lifetime": 864000,
+    "token_lifetime_for_web": 7200,
+    "signing_alg": "RS256",
+    "signing_secret": "xxxxxxxxxxxxxx",
+    "enforce_policies": false,
+    "token_dialect": "access_token"
+  }
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+// Token lifetime thresholds (in seconds)
+const TOKEN_LIFETIME_DEFAULT = 86400; // 24 hours - Auth0 default
+const TOKEN_LIFETIME_WARNING = 604800; // 7 days
+
+function checkAPITokenLifetime(options) {
+  return executeCheck("checkAPITokenLifetime", (callback) => {
+    const { resourceServers } = options;
+    const reports = [];
+
+    if (_.isEmpty(resourceServers)) {
+      return callback(reports);
+    }
+
+    resourceServers.forEach((api) => {
+      // Skip the Auth0 Management API (system API)
+      if (api.is_system) {
+        return;
+      }
+
+      const report = [];
+      const apiDisplayName = api.identifier
+        ? `${api.name} (${api.identifier})`
+        : api.name;
+
+      const tokenLifetime = api.token_lifetime || TOKEN_LIFETIME_DEFAULT;
+
+      if (tokenLifetime >= TOKEN_LIFETIME_WARNING) {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "token_lifetime_too_long",
+          status: CONSTANTS.FAIL,
+          value: formatDuration(tokenLifetime),
+          identifier: api.identifier,
+        });
+      } else if (tokenLifetime > TOKEN_LIFETIME_DEFAULT) {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "token_lifetime_extended",
+          status: CONSTANTS.WARN,
+          value: formatDuration(tokenLifetime),
+          identifier: api.identifier,
+        });
+      } else {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "token_lifetime_appropriate",
+          status: CONSTANTS.SUCCESS,
+          value: formatDuration(tokenLifetime),
+          identifier: api.identifier,
+        });
+      }
+
+      if (report.length > 0) {
+        reports.push({ name: apiDisplayName, report: report });
+      }
+    });
+
+    return callback(reports);
+  });
+}
+
+/**
+ * Format duration in seconds to human-readable string
+ * @param {number} seconds - Duration in seconds
+ * @returns {string} - Formatted duration (e.g., "24 hours", "7 days")
+ */
+function formatDuration(seconds) {
+  if (seconds >= 86400) {
+    const days = Math.floor(seconds / 86400);
+    return `${days} day${days > 1 ? "s" : ""} (${seconds} seconds)`;
+  } else if (seconds >= 3600) {
+    const hours = Math.floor(seconds / 3600);
+    return `${hours} hour${hours > 1 ? "s" : ""} (${seconds} seconds)`;
+  } else if (seconds >= 60) {
+    const minutes = Math.floor(seconds / 60);
+    return `${minutes} minute${minutes > 1 ? "s" : ""} (${seconds} seconds)`;
+  }
+  return `${seconds} seconds`;
+}
+
+module.exports = checkAPITokenLifetime;

package/analyzer/report.js

@@ -24,6 +24,7 @@ const {
   getLogs,
   getNetworkACL,
   getEventStreams,
+  getResourceServers,
 } = require("./tools/auth0");
 
 const logger = require("./lib/logger");
@@ -165,7 +166,13 @@ async function generateReport(locale, tenantConfig, config) {
         config.auth0Domain,
         config.auth0MgmtToken
       );
+
+      tenantConfig.resourceServers = await getResourceServers(
+        config.auth0Domain,
+        config.auth0MgmtToken
+      );
     }
+    
     const statusOrder = ["green", "amber", "red"];
     let fullReport =
       (await runProductionChecks(tenantConfig, config.selectedValidators)) ||
@@ -381,6 +388,19 @@ async function generateReport(locale, tenantConfig, config) {
           // Replace original report.details with the new structure
           report.details = transformedDetails;
           break;
+        case "checkDPoP":
+          report.disclaimer = i18n.__(`${report.name}.disclaimer`);
+          report.advisory = i18n.__(`${report.name}.advisory`);
+          grouped = _.groupBy(report.details, "name");
+          res = tranformReport(grouped);
+          res.forEach((item) => {
+            item.values.forEach((detail) => {
+              detail.report.forEach((c) => {
+                c.message = i18n.__(`${report.name}.${c.field}`, c.value);
+              });
+            });
+          });
+          break;
         case "checkDependencies":
           report.details.forEach((cd) => {
             cd.message = i18n.__(`${report.name}.${cd.field}`, cd.value);
@@ -393,6 +413,24 @@ async function generateReport(locale, tenantConfig, config) {
             cd.message = i18n.__(`${report.name}.${cd.field}`, cd.value);
           });
           break;
+        case "checkAPISigningAlgorithm":
+        case "checkAPITokenLifetime":
+          report.advisory = i18n.__(`${report.name}.advisory`);
+          grouped = _.groupBy(report.details, "name");
+          res = tranformReport(grouped);
+          res.forEach((api) => {
+            api.values.forEach((detail) => {
+              detail.report.forEach((c) => {
+                c.name = api.name;
+                c.message = i18n.__(
+                  `${report.name}.${c.field}`,
+                  c.api_name,
+                  c.value
+                );
+              });
+            });
+          });
+          break;
         default:
           report.details.forEach((cd) => {
             cd.message = i18n.__(`${report.name}.${cd.field}`, cd.value);

package/analyzer/tools/auth0.js

@@ -463,6 +463,20 @@ async function getEventStreams(domain, accessToken) {
     return [error.response.data];
   }
 }
+
+async function getResourceServers(domain, accessToken) {
+  const url = `https://${domain}/api/v2/resource-servers`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting resource servers (APIs)`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get resource servers ${error.message}`);
+    return [];
+  }
+}
 module.exports = {
   getAccessToken,
   getCustomDomains,
@@ -486,4 +500,5 @@ module.exports = {
   getLogs,
   getNetworkACL,
   getEventStreams,
+  getResourceServers,
 };

package/locales/en.json

@@ -50,7 +50,8 @@
 				"Grant Types",
 				"JWT Signing Algorithm",
 				"Cross Origin Authentication",
-				"Refresh Tokens"
+				"Refresh Tokens",
+				"Token Sender-Constraining"
 			]
 		},
 		{
@@ -154,6 +155,14 @@
 			"title": "Event Streams (Early Access Capability)",
 			"required_scope": "read:event_streamss",
 			"items": []
+		},
+		{
+			"title": "Resource Servers (APIs)",
+			"required_scope": "read:resource_servers",
+			"items": [
+				"Signing Algorithm",
+				"Token Lifetime"
+			]
 		}
 	],
 	"validator_summary": "Checked <b>%s</b> validators against tenant <b>%s</b> in total.",
@@ -1476,5 +1485,89 @@
 			"https://auth0.com/docs/customize/events/events-best-practices",
 			"https://auth0.com/docs/customize/events/event-testing-observability-and-failure-recovery"
 		]
+	},
+	"checkAPISigningAlgorithm": {
+		"title": "Resource Servers (APIs) - Signing Algorithm",
+		"category": "Resource Servers (APIs)",
+		"description": "Validates that APIs use RS256 signing algorithm instead of HS256.",
+		"docsPath": [
+			"https://auth0.com/docs/get-started/apis/api-settings"
+		],
+		"severity": "Moderate",
+		"status": "yellow",
+		"severity_message": "%s API(s) using insecure signing algorithm",
+		"advisory": {
+			"issue": "Insecure Token Signing Algorithm",
+			"description": {
+				"what_it_is": "The signing algorithm determines how access tokens are cryptographically signed.",
+				"why_its_risky": [
+					"HS256 requires sharing the signing secret with your API, increasing the risk of secret exposure. Anyone with the HS256 secret can forge valid tokens."
+				]
+			},
+			"how_to_fix": [
+				"Use RS256 (asymmetric) signing algorithm for new APIs. It is recommended because the token will be signed with your tenant private key."
+			]
+		},
+		"using_symmetric_alg": "API \"%s\" is using HS256 signing algorithm. RS256 is recommended for better security.",
+		"using_asymmetric_alg": "API \"%s\" is using %s signing algorithm."
+	},
+	"checkAPITokenLifetime": {
+		"title": "Resource Servers (APIs) - Token Lifetime",
+		"category": "Resource Servers (APIs)",
+		"description": "Validates that API access token lifetimes are appropriately configured. Shorter lifetimes reduce the window of opportunity if tokens are compromised. Auth0 recommends that sensitive APIs use shorter token lifetimes.",
+		"docsPath": [
+			"https://auth0.com/docs/get-started/apis/api-settings"
+		],
+		"severity": "Info",
+		"status": "blue",
+		"severity_message": "%s API(s) have extended token lifetimes",
+		"advisory": {
+			"issue": "Extended Access Token Lifetime",
+			"description": {
+				"what_it_is": "Token lifetime determines how long an access token remains valid. Auth0's default is 24 hours (86400 seconds), with a maximum of 30 days.",
+				"why_its_risky": [
+					"Long-lived tokens increase the window of opportunity for attackers if tokens are compromised.",
+					"Auth0 recommends that sensitive APIs use shorter token lifetimes (e.g., a banking API should expire more quickly than a to-do API)."
+				]
+			},
+			"how_to_fix": [
+				"Review token lifetime settings for each API based on sensitivity.",
+				"Use shorter lifetimes (e.g., 1 hour) for sensitive APIs."
+			]
+		},
+		"token_lifetime_too_long": "API \"%s\" has an access token lifetime of %s. This exceeds the recommended maximum of 7 days. Consider reducing the lifetime for sensitive APIs.",
+		"token_lifetime_extended": "API \"%s\" has an access token lifetime of %s. This exceeds the default of 24 hours. Review if this is appropriate for your security requirements.",
+		"token_lifetime_appropriate": "API \"%s\" has an access token lifetime of %s."
+	},
+	"checkDPoP": {
+		"title": "Applications - Token Sender-Constraining",
+		"category": "Applications",
+		"description": "Token Sender-Constraining cryptographically binds access tokens to the client that requested them, preventing stolen tokens from being replayed by an attacker. We recommend enabling Token Sender-Constraining for all applications using the authorization code, refresh token, client credentials, password (ROPC), or device code grant types.",
+		"docsPath": [
+			"https://auth0.com/docs/secure/sender-constraining"
+		],
+		"severity": "Low",
+		"status": "green",
+		"disclaimer": "Token Sender-Constraining for applications is available only to customers on an Enterprise plan.",
+		"advisory": {
+			"issue": "Token Sender-Constraining Not Enabled for Application",
+			"description": {
+				"what_it_is": "Token Sender-Constraining is an Auth0 security setting that cryptographically binds access tokens to the requesting client's key pair. When enabled, a token stolen in transit cannot be replayed by an attacker because they would also need possession of the client's private key.",
+				"why_its_risky": [
+					"Without Token Sender-Constraining, bearer tokens can be used by any party that obtains them, making token theft a critical threat vector.",
+					"Access tokens intercepted via network attacks, XSS, or compromised infrastructure can be replayed until expiry with no way to detect misuse.",
+					"Applications using refresh tokens without sender-constraining are particularly exposed if tokens are leaked from client storage or logs.",
+					"Bearer token misuse may go undetected since there is no cryptographic binding to identify the legitimate caller."
+				]
+			},
+			"how_to_fix": [
+				"In the Auth0 Dashboard navigate to Applications > [Your App] > Settings > Token Sender-Constraining and enable the setting.",
+				"An API (Resource Server) must also be configured to require the Sender Constraining Method such as DPoP or mTLS. If the API doesn't check for the cryptographic binding, the extra security is ignored",
+				"Ensure your client SDK or library supports generating and sending DPoP proofs with each token request."
+			]
+		},
+		"severity_message": "%s applications / clients do not have Token Sender-Constraining enabled",
+		"require_proof_of_possession": "Token Sender-Constraining is not enabled for this application (require_proof_of_possession: %s)",
+		"undefined": "Token Sender-Constraining is not enabled for this application"
 	}
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth0/auth0-checkmate",
-  "version": "1.6.18",
+  "version": "1.7.0",
   "description": "A command line tool for checking configuration of your Auth0 tenant",
   "main": "analyzer/report.js",
   "scripts": {

package/tests/clients/checkDPoP.test.js

@@ -0,0 +1,190 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkDPoP = require("../../analyzer/lib/clients/checkDPoP");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkDPoP", function() {
+
+    it("should report failure if authorization_code grant is used and Token Sender-Constraining is not enabled", function() {
+        const options = {
+            clients: [{
+                name: "Web App",
+                client_id: "client_web",
+                app_type: "regular_web",
+                is_first_party: true,
+                grant_types: ["authorization_code"],
+                require_proof_of_possession: false,
+            }]
+        };
+
+        checkDPoP(options, (result) => {
+            expect(result).to.be.an("array").with.lengthOf(1);
+            expect(result[0].name).to.equal("Web App (client_web)");
+            expect(result[0].report).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report[0]).to.include({
+                name: "Web App (client_web)",
+                client_id: "client_web",
+                field: "require_proof_of_possession",
+                status: CONSTANTS.FAIL,
+                value: false,
+            });
+        });
+    });
+
+    it("should report failure if refresh_token grant is used and Token Sender-Constraining is not enabled", function() {
+        const options = {
+            clients: [{
+                name: "SPA App",
+                client_id: "client_spa",
+                app_type: "spa",
+                is_first_party: true,
+                grant_types: ["authorization_code", "refresh_token"],
+                require_proof_of_possession: false,
+            }]
+        };
+
+        checkDPoP(options, (result) => {
+            expect(result).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report[0]).to.include({
+                field: "require_proof_of_possession",
+                status: CONSTANTS.FAIL,
+            });
+        });
+    });
+
+    it("should report failure if Token Sender-Constraining is absent", function() {
+        const options = {
+            clients: [{
+                name: "Legacy App",
+                client_id: "client_legacy",
+                app_type: "regular_web",
+                is_first_party: true,
+                grant_types: ["authorization_code"],
+            }]
+        };
+
+        checkDPoP(options, (result) => {
+            expect(result[0].report).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report[0]).to.include({
+                field: "require_proof_of_possession",
+                status: CONSTANTS.FAIL,
+                value: false,
+            });
+        });
+    });
+
+    it("should return empty report if Token Sender-Constraining is enabled", function() {
+        const options = {
+            clients: [{
+                name: "Secure App",
+                client_id: "client_secure",
+                app_type: "spa",
+                is_first_party: true,
+                grant_types: ["authorization_code", "refresh_token"],
+                require_proof_of_possession: true,
+            }]
+        };
+
+        checkDPoP(options, (result) => {
+            expect(result).to.be.an("array").with.lengthOf(1);
+            expect(result[0].name).to.equal("Secure App (client_secure)");
+            expect(result[0].report).to.be.an("array").that.is.empty;
+        });
+    });
+
+    it("should report failure if client_credentials grant is used and Token Sender-Constraining is not enabled", function() {
+        const options = {
+            clients: [{
+                name: "M2M App",
+                client_id: "client_m2m",
+                app_type: "non_interactive",
+                is_first_party: true,
+                grant_types: ["client_credentials"],
+                require_proof_of_possession: false,
+            }]
+        };
+
+        checkDPoP(options, (result) => {
+            expect(result).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report[0]).to.include({
+                field: "require_proof_of_possession",
+                status: CONSTANTS.FAIL,
+                value: false,
+            });
+        });
+    });
+
+    it("should report failure if password grant is used and Token Sender-Constraining is not enabled", function() {
+        const options = {
+            clients: [{
+                name: "ROPC App",
+                client_id: "client_ropc",
+                app_type: "regular_web",
+                is_first_party: true,
+                grant_types: ["password"],
+                require_proof_of_possession: false,
+            }]
+        };
+
+        checkDPoP(options, (result) => {
+            expect(result).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report[0]).to.include({
+                field: "require_proof_of_possession",
+                status: CONSTANTS.FAIL,
+                value: false,
+            });
+        });
+    });
+
+    it("should report failure if device_code grant is used and Token Sender-Constraining is not enabled", function() {
+        const options = {
+            clients: [{
+                name: "Device App",
+                client_id: "client_device",
+                app_type: "native",
+                is_first_party: true,
+                grant_types: ["urn:ietf:params:oauth:grant-type:device_code"],
+                require_proof_of_possession: false,
+            }]
+        };
+
+        checkDPoP(options, (result) => {
+            expect(result).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report[0]).to.include({
+                field: "require_proof_of_possession",
+                status: CONSTANTS.FAIL,
+                value: false,
+            });
+        });
+    });
+
+    it("should not flag clients with only implicit grant type", function() {
+        const options = {
+            clients: [{
+                name: "Legacy SPA",
+                client_id: "client_implicit",
+                app_type: "spa",
+                is_first_party: true,
+                grant_types: ["implicit"],
+                require_proof_of_possession: false,
+            }]
+        };
+
+        checkDPoP(options, (result) => {
+            expect(result).to.be.an("array").with.lengthOf(1);
+            expect(result[0].report).to.be.an("array").that.is.empty;
+        });
+    });
+
+    it("should return empty result if no clients are provided", function() {
+        const options = { clients: [] };
+        checkDPoP(options, (result) => {
+            expect(result).to.be.an("array").that.is.empty;
+        });
+    });
+});

package/tests/resource_servers/checkAPISigningAlgorithm.test.js

@@ -0,0 +1,132 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkAPISigningAlgorithm = require("../../analyzer/lib/resource_servers/checkAPISigningAlgorithm");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkAPISigningAlgorithm", function () {
+  it("should return an empty report when resourceServers is empty", async function () {
+    const options = { resourceServers: [] };
+
+    const result = await checkAPISigningAlgorithm(options);
+    expect(result.details).to.deep.equal([]);
+  });
+
+  it("should return an empty report when resourceServers is undefined", async function () {
+    const options = { resourceServers: undefined };
+
+    const result = await checkAPISigningAlgorithm(options);
+    expect(result.details).to.deep.equal([]);
+  });
+
+  it("should skip system APIs (Auth0 Management API)", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "system_api",
+          name: "Auth0 Management API",
+          identifier: "https://tenant.auth0.com/api/v2/",
+          is_system: true,
+          signing_alg: "RS256",
+        },
+      ],
+    };
+
+    const result = await checkAPISigningAlgorithm(options);
+    expect(result.details).to.deep.equal([]);
+  });
+
+  it("should return fail for API using HS256 signing algorithm", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+          signing_alg: "HS256",
+        },
+      ],
+    };
+
+    const result = await checkAPISigningAlgorithm(options);
+    const report = result.details[0].report;
+
+    expect(report).to.have.lengthOf(1);
+    expect(report[0].field).to.equal("using_symmetric_alg");
+    expect(report[0].status).to.equal(CONSTANTS.FAIL);
+    expect(report[0].value).to.equal("HS256");
+  });
+
+  it("should return success for API using RS256 signing algorithm", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+          signing_alg: "RS256",
+        },
+      ],
+    };
+
+    const result = await checkAPISigningAlgorithm(options);
+    const report = result.details[0].report;
+
+    expect(report).to.have.lengthOf(1);
+    expect(report[0].field).to.equal("using_asymmetric_alg");
+    expect(report[0].status).to.equal(CONSTANTS.SUCCESS);
+    expect(report[0].value).to.equal("RS256");
+  });
+
+  it("should default to RS256 when signing_alg is not specified", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+        },
+      ],
+    };
+
+    const result = await checkAPISigningAlgorithm(options);
+    const report = result.details[0].report;
+
+    expect(report[0].field).to.equal("using_asymmetric_alg");
+    expect(report[0].status).to.equal(CONSTANTS.SUCCESS);
+    expect(report[0].value).to.equal("RS256");
+  });
+
+  it("should handle multiple APIs with different signing algorithms", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "Secure API",
+          identifier: "https://secure.api.com",
+          is_system: false,
+          signing_alg: "RS256",
+        },
+        {
+          id: "api_2",
+          name: "Legacy API",
+          identifier: "https://legacy.api.com",
+          is_system: false,
+          signing_alg: "HS256",
+        },
+      ],
+    };
+
+    const result = await checkAPISigningAlgorithm(options);
+    expect(result.details).to.have.lengthOf(2);
+
+    const secureApiReport = result.details.find((d) => d.name.includes("Secure API"));
+    expect(secureApiReport.report[0].status).to.equal(CONSTANTS.SUCCESS);
+
+    const legacyApiReport = result.details.find((d) => d.name.includes("Legacy API"));
+    expect(legacyApiReport.report[0].status).to.equal(CONSTANTS.FAIL);
+  });
+});

package/tests/resource_servers/checkAPITokenLifetime.test.js

@@ -0,0 +1,181 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkAPITokenLifetime = require("../../analyzer/lib/resource_servers/checkAPITokenLifetime");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkAPITokenLifetime", function () {
+  it("should return an empty report when resourceServers is empty", async function () {
+    const options = { resourceServers: [] };
+
+    const result = await checkAPITokenLifetime(options);
+    expect(result.details).to.deep.equal([]);
+  });
+
+  it("should return an empty report when resourceServers is undefined", async function () {
+    const options = { resourceServers: undefined };
+
+    const result = await checkAPITokenLifetime(options);
+    expect(result.details).to.deep.equal([]);
+  });
+
+  it("should skip system APIs (Auth0 Management API)", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "system_api",
+          name: "Auth0 Management API",
+          identifier: "https://tenant.auth0.com/api/v2/",
+          is_system: true,
+          token_lifetime: 86400,
+        },
+      ],
+    };
+
+    const result = await checkAPITokenLifetime(options);
+    expect(result.details).to.deep.equal([]);
+  });
+
+  it("should return fail for API with token lifetime >= 7 days", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+          token_lifetime: 604800, // 7 days
+        },
+      ],
+    };
+
+    const result = await checkAPITokenLifetime(options);
+    const report = result.details[0].report;
+
+    expect(report).to.have.lengthOf(1);
+    expect(report[0].field).to.equal("token_lifetime_too_long");
+    expect(report[0].status).to.equal(CONSTANTS.FAIL);
+  });
+
+  it("should return fail for API with token lifetime at maximum (30 days)", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+          token_lifetime: 2592000, // 30 days (max)
+        },
+      ],
+    };
+
+    const result = await checkAPITokenLifetime(options);
+    const report = result.details[0].report;
+
+    expect(report[0].field).to.equal("token_lifetime_too_long");
+    expect(report[0].status).to.equal(CONSTANTS.FAIL);
+  });
+
+  it("should return warn for API with token lifetime > 24 hours but < 7 days", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+          token_lifetime: 172800, // 2 days
+        },
+      ],
+    };
+
+    const result = await checkAPITokenLifetime(options);
+    const report = result.details[0].report;
+
+    expect(report).to.have.lengthOf(1);
+    expect(report[0].field).to.equal("token_lifetime_extended");
+    expect(report[0].status).to.equal(CONSTANTS.WARN);
+  });
+
+  it("should return success for API with token lifetime <= 24 hours", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+          token_lifetime: 86400, // 24 hours (default)
+        },
+      ],
+    };
+
+    const result = await checkAPITokenLifetime(options);
+    const report = result.details[0].report;
+
+    expect(report).to.have.lengthOf(1);
+    expect(report[0].field).to.equal("token_lifetime_appropriate");
+    expect(report[0].status).to.equal(CONSTANTS.SUCCESS);
+  });
+
+  it("should return success for API with short token lifetime (1 hour)", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+          token_lifetime: 3600, // 1 hour
+        },
+      ],
+    };
+
+    const result = await checkAPITokenLifetime(options);
+    const report = result.details[0].report;
+
+    expect(report[0].field).to.equal("token_lifetime_appropriate");
+    expect(report[0].status).to.equal(CONSTANTS.SUCCESS);
+  });
+
+  it("should use default token lifetime (24h) when not specified", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+        },
+      ],
+    };
+
+    const result = await checkAPITokenLifetime(options);
+    const report = result.details[0].report;
+
+    expect(report[0].field).to.equal("token_lifetime_appropriate");
+    expect(report[0].status).to.equal(CONSTANTS.SUCCESS);
+    expect(report[0].value).to.include("86400");
+  });
+
+  it("should format duration correctly in the value field", async function () {
+    const options = {
+      resourceServers: [
+        {
+          id: "api_1",
+          name: "My API",
+          identifier: "https://api.example.com",
+          is_system: false,
+          token_lifetime: 172800, // 2 days
+        },
+      ],
+    };
+
+    const result = await checkAPITokenLifetime(options);
+    const report = result.details[0].report;
+
+    expect(report[0].value).to.include("2 days");
+    expect(report[0].value).to.include("172800 seconds");
+  });
+});