supasec 1.0.3 → 1.0.5

package/dist/scanners/auth/analyzer.js

@@ -0,0 +1,673 @@
+"use strict";
+/**
+ * Auth Configuration Analyzer
+ * Scans for authentication and authorization misconfigurations
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeAuth = analyzeAuth;
+exports.getMockAuthConfig = getMockAuthConfig;
+const finding_js_1 = require("../../models/finding.js");
+/**
+ * Analyze auth configuration for security issues
+ */
+async function analyzeAuth(options) {
+    const findings = [];
+    let findingCounter = 1;
+    let checksPerformed = 0;
+    let score = 100;
+    // Check 1: Email verification
+    checksPerformed++;
+    if (!options.config.emailVerificationRequired) {
+        findings.push(createNoEmailVerificationFinding(findingCounter++));
+        score -= 15;
+    }
+    // Check 2: Password policy
+    checksPerformed++;
+    if (options.config.passwordMinLength < 8) {
+        findings.push(createWeakPasswordPolicyFinding(options.config.passwordMinLength, findingCounter++));
+        score -= 10;
+    }
+    // Check 3: Password strength
+    checksPerformed++;
+    if (options.config.passwordStrength === 'weak') {
+        findings.push(createWeakPasswordStrengthFinding(findingCounter++));
+        score -= 10;
+    }
+    // Check 4: MFA
+    checksPerformed++;
+    if (!options.config.mfaEnabled) {
+        findings.push(createNoMFAFinding(findingCounter++));
+        score -= 10;
+    }
+    else if (!options.config.mfaEnforced) {
+        findings.push(createMFAOptionalFinding(findingCounter++));
+        score -= 5;
+    }
+    // Check 5: JWT expiry
+    checksPerformed++;
+    if (options.config.jwtExpirySeconds > 3600) {
+        findings.push(createLongJWTExpiryFinding(options.config.jwtExpirySeconds, findingCounter++));
+        score -= 5;
+    }
+    // Check 6: Refresh token rotation
+    checksPerformed++;
+    if (!options.config.refreshTokenRotation) {
+        findings.push(createNoTokenRotationFinding(findingCounter++));
+        score -= 10;
+    }
+    // Check 7: Session timeout
+    checksPerformed++;
+    if (options.config.sessionTimeoutSeconds > 86400) {
+        findings.push(createLongSessionTimeoutFinding(options.config.sessionTimeoutSeconds, findingCounter++));
+        score -= 5;
+    }
+    // Check 8: Anonymous sign-ins
+    checksPerformed++;
+    if (options.config.allowAnonymousSignIns) {
+        findings.push(createAnonymousSignInFinding(findingCounter++));
+        score -= 5;
+    }
+    // Check 9: Secure email change
+    checksPerformed++;
+    if (!options.config.secureEmailChange) {
+        findings.push(createInsecureEmailChangeFinding(findingCounter++));
+        score -= 10;
+    }
+    // Check 10: Password reuse prevention
+    checksPerformed++;
+    if (options.config.passwordReusePrevention < 3) {
+        findings.push(createNoPasswordReusePreventionFinding(findingCounter++));
+        score -= 5;
+    }
+    // Check 11: OAuth providers security
+    checksPerformed++;
+    const insecureProviders = options.config.providers.filter(p => p.toLowerCase().includes('facebook') ||
+        (p.toLowerCase().includes('twitter') && !p.toLowerCase().includes('oauth2')));
+    if (insecureProviders.length > 0) {
+        findings.push(createInsecureOAuthProviderFinding(insecureProviders, findingCounter++));
+        score -= 5;
+    }
+    return {
+        findings,
+        checksPerformed,
+        misconfigurations: findings.length,
+        score: Math.max(0, score)
+    };
+}
+/**
+ * Create finding for missing email verification
+ */
+function createNoEmailVerificationFinding(counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'HIGH',
+        category: 'auth',
+        subcategory: 'no_email_verification',
+        title: 'Email verification is not required',
+        description: 'New users can access the application without verifying their email address. This allows account takeover through email typos or fake emails.',
+        evidence: {
+            email_verification_required: false
+        },
+        impact: {
+            severity_score: 7.5,
+            description: 'Account takeover risk - unverified users can access the application',
+            affected_resources: ['auth.users', 'auth.config'],
+            compliance_violations: ['OWASP-A07-2021', 'NIST-800-63B']
+        },
+        remediation: {
+            summary: 'Enable email verification requirement',
+            priority: 'HIGH',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Enable email confirmation in Supabase Dashboard',
+                    code: 'Go to Authentication > Settings > Email > Enable "Confirm email"'
+                },
+                {
+                    order: 2,
+                    action: 'Update client code to handle unverified users',
+                    code: `// Check if email is verified before allowing access
+const { data: { user } } = await supabase.auth.getUser();
+if (!user?.email_confirmed_at) {
+  // Redirect to verification pending page
+}`
+                }
+            ],
+            auto_fixable: true
+        },
+        references: [
+            {
+                title: 'Supabase Email Auth',
+                url: 'https://supabase.com/docs/guides/auth/auth-email'
+            }
+        ],
+        false_positive_likelihood: 'LOW',
+        confidence: 0.95
+    };
+}
+/**
+ * Create finding for weak password policy
+ */
+function createWeakPasswordPolicyFinding(minLength, counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'MEDIUM',
+        category: 'auth',
+        subcategory: 'weak_password_policy',
+        title: `Weak password minimum length (${minLength} characters)`,
+        description: `The password policy only requires ${minLength} characters. NIST recommends at least 8 characters for passwords.`,
+        evidence: {
+            password_min_length: minLength,
+            recommended_min_length: 8
+        },
+        impact: {
+            severity_score: 5.0,
+            description: 'Short passwords are easier to crack through brute force',
+            affected_resources: ['auth.config'],
+            compliance_violations: ['NIST-800-63B']
+        },
+        remediation: {
+            summary: 'Increase minimum password length to 8+ characters',
+            priority: 'MEDIUM',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Update password policy in Supabase Dashboard',
+                    code: 'Go to Authentication > Policies > Set "Minimum password length" to 8+'
+                }
+            ],
+            auto_fixable: true
+        },
+        references: [
+            {
+                title: 'NIST Password Guidelines',
+                url: 'https://pages.nist.gov/800-63-3/sp800-63b.html#sec5'
+            }
+        ],
+        false_positive_likelihood: 'LOW',
+        confidence: 0.9
+    };
+}
+/**
+ * Create finding for weak password strength
+ */
+function createWeakPasswordStrengthFinding(counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'MEDIUM',
+        category: 'auth',
+        subcategory: 'weak_password_strength',
+        title: 'Password strength policy is set to weak',
+        description: 'The password strength policy is set to "weak", allowing common passwords and simple patterns.',
+        evidence: {
+            password_strength: 'weak'
+        },
+        impact: {
+            severity_score: 5.5,
+            description: 'Weak passwords increase risk of account compromise',
+            affected_resources: ['auth.config']
+        },
+        remediation: {
+            summary: 'Strengthen password policy',
+            priority: 'MEDIUM',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Set password strength to "strong"',
+                    code: 'Go to Authentication > Policies > Set "Password strength" to Strong'
+                }
+            ],
+            auto_fixable: true
+        },
+        references: [
+            {
+                title: 'OWASP Password Security',
+                url: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
+            }
+        ],
+        false_positive_likelihood: 'LOW',
+        confidence: 0.9
+    };
+}
+/**
+ * Create finding for missing MFA
+ */
+function createNoMFAFinding(counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'MEDIUM',
+        category: 'auth',
+        subcategory: 'no_mfa',
+        title: 'Multi-factor authentication is not enabled',
+        description: 'MFA is not enabled for the project. Users can only authenticate with a single factor (password).',
+        evidence: {
+            mfa_enabled: false
+        },
+        impact: {
+            severity_score: 6.0,
+            description: 'Single factor authentication - password compromise leads to account takeover',
+            affected_resources: ['auth.config'],
+            compliance_violations: ['NIST-800-63B', 'SOC2-CC6.1']
+        },
+        remediation: {
+            summary: 'Enable multi-factor authentication',
+            priority: 'MEDIUM',
+            effort: 'MEDIUM',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Enable MFA in Supabase Dashboard',
+                    code: 'Go to Authentication > Settings > MFA > Enable MFA'
+                },
+                {
+                    order: 2,
+                    action: 'Implement MFA enrollment flow in your app',
+                    code: `// Enroll MFA
+const { data, error } = await supabase.auth.mfa.enroll({
+  factorType: 'totp'
+});
+
+// Verify MFA
+const { data, error } = await supabase.auth.mfa.verify({
+  factorId,
+  code: '123456'
+});`
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'Supabase MFA Guide',
+                url: 'https://supabase.com/docs/guides/auth/auth-mfa'
+            }
+        ],
+        false_positive_likelihood: 'MEDIUM',
+        confidence: 0.85
+    };
+}
+/**
+ * Create finding for optional MFA
+ */
+function createMFAOptionalFinding(counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'LOW',
+        category: 'auth',
+        subcategory: 'mfa_optional',
+        title: 'Multi-factor authentication is optional',
+        description: 'MFA is enabled but not enforced. Users can choose whether to enable it.',
+        evidence: {
+            mfa_enabled: true,
+            mfa_enforced: false
+        },
+        impact: {
+            severity_score: 3.0,
+            description: 'Users may skip MFA, leaving accounts vulnerable',
+            affected_resources: ['auth.config']
+        },
+        remediation: {
+            summary: 'Consider enforcing MFA for sensitive operations',
+            priority: 'LOW',
+            effort: 'MEDIUM',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Require MFA for sensitive operations',
+                    code: `// Check MFA status before sensitive operations
+const { data: { user } } = await supabase.auth.getUser();
+const aal = user?.aal;
+
+if (aal !== 'aal2') {
+  // Require MFA verification
+  await supabase.auth.mfa.challenge({ factorId });
+}`
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'Supabase AAL (Authenticator Assurance Level)',
+                url: 'https://supabase.com/docs/guides/auth/auth-mfa#enforcing-mfa-for-a-user'
+            }
+        ],
+        false_positive_likelihood: 'HIGH',
+        confidence: 0.7
+    };
+}
+/**
+ * Create finding for long JWT expiry
+ */
+function createLongJWTExpiryFinding(expirySeconds, counter) {
+    const hours = Math.round(expirySeconds / 3600);
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'LOW',
+        category: 'auth',
+        subcategory: 'long_jwt_expiry',
+        title: `JWT tokens expire after ${hours} hours`,
+        description: `JWT tokens have a long expiry time (${hours} hours). Shorter expiry times reduce the window of opportunity for token theft.`,
+        evidence: {
+            jwt_expiry_seconds: expirySeconds,
+            jwt_expiry_hours: hours
+        },
+        impact: {
+            severity_score: 3.0,
+            description: 'Long-lived tokens increase risk if stolen',
+            affected_resources: ['auth.config']
+        },
+        remediation: {
+            summary: 'Reduce JWT expiry time to 1 hour or less',
+            priority: 'LOW',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Set JWT expiry to 3600 seconds (1 hour)',
+                    code: 'Go to Authentication > Settings > JWT Settings > JWT expiry limit: 3600'
+                }
+            ],
+            auto_fixable: true
+        },
+        references: [
+            {
+                title: 'JWT Security Best Practices',
+                url: 'https://tools.ietf.org/html/rfc8725'
+            }
+        ],
+        false_positive_likelihood: 'HIGH',
+        confidence: 0.6
+    };
+}
+/**
+ * Create finding for no token rotation
+ */
+function createNoTokenRotationFinding(counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'MEDIUM',
+        category: 'auth',
+        subcategory: 'no_token_rotation',
+        title: 'Refresh token rotation is disabled',
+        description: 'Refresh tokens are not rotated on use. If a refresh token is stolen, it can be used indefinitely.',
+        evidence: {
+            refresh_token_rotation: false
+        },
+        impact: {
+            severity_score: 6.0,
+            description: 'Stolen refresh tokens remain valid indefinitely',
+            affected_resources: ['auth.config']
+        },
+        remediation: {
+            summary: 'Enable refresh token rotation',
+            priority: 'MEDIUM',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Enable token rotation in Supabase Dashboard',
+                    code: 'Go to Authentication > Settings > Security > Enable "Refresh token rotation"'
+                }
+            ],
+            auto_fixable: true
+        },
+        references: [
+            {
+                title: 'OWASP Token Security',
+                url: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html'
+            }
+        ],
+        false_positive_likelihood: 'LOW',
+        confidence: 0.9
+    };
+}
+/**
+ * Create finding for long session timeout
+ */
+function createLongSessionTimeoutFinding(timeoutSeconds, counter) {
+    const days = Math.round(timeoutSeconds / 86400);
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'LOW',
+        category: 'auth',
+        subcategory: 'long_session_timeout',
+        title: `Sessions expire after ${days} days`,
+        description: `User sessions remain active for ${days} days. Shorter timeouts reduce risk on shared devices.`,
+        evidence: {
+            session_timeout_seconds: timeoutSeconds,
+            session_timeout_days: days
+        },
+        impact: {
+            severity_score: 2.5,
+            description: 'Long sessions increase risk on shared devices',
+            affected_resources: ['auth.config']
+        },
+        remediation: {
+            summary: 'Reduce session timeout to 24 hours or less',
+            priority: 'LOW',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Set session timeout to 86400 seconds (24 hours)',
+                    code: 'Go to Authentication > Settings > Sessions > Inactivity timeout: 86400'
+                }
+            ],
+            auto_fixable: true
+        },
+        references: [
+            {
+                title: 'Session Management Best Practices',
+                url: 'https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html'
+            }
+        ],
+        false_positive_likelihood: 'HIGH',
+        confidence: 0.6
+    };
+}
+/**
+ * Create finding for anonymous sign-ins
+ */
+function createAnonymousSignInFinding(counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'LOW',
+        category: 'auth',
+        subcategory: 'anonymous_signin',
+        title: 'Anonymous sign-ins are enabled',
+        description: 'Anonymous sign-ins allow users to access the application without providing any credentials.',
+        evidence: {
+            allow_anonymous_signins: true
+        },
+        impact: {
+            severity_score: 3.0,
+            description: 'Anonymous users may abuse resources or access restricted features',
+            affected_resources: ['auth.config']
+        },
+        remediation: {
+            summary: 'Review if anonymous sign-ins are necessary',
+            priority: 'LOW',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Disable anonymous sign-ins if not needed',
+                    code: 'Go to Authentication > Settings > Enable anonymous sign-ins: OFF'
+                }
+            ],
+            auto_fixable: true
+        },
+        references: [
+            {
+                title: 'Supabase Anonymous Sign-Ins',
+                url: 'https://supabase.com/docs/guides/auth/auth-anonymous'
+            }
+        ],
+        false_positive_likelihood: 'HIGH',
+        confidence: 0.7
+    };
+}
+/**
+ * Create finding for insecure email change
+ */
+function createInsecureEmailChangeFinding(counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'HIGH',
+        category: 'auth',
+        subcategory: 'insecure_email_change',
+        title: 'Secure email change is disabled',
+        description: 'Users can change their email address without verification. This enables account takeover.',
+        evidence: {
+            secure_email_change: false
+        },
+        impact: {
+            severity_score: 8.0,
+            description: 'Account takeover through email change - attacker can lock out legitimate user',
+            affected_resources: ['auth.config'],
+            compliance_violations: ['OWASP-A07-2021']
+        },
+        remediation: {
+            summary: 'Enable secure email change requiring confirmation',
+            priority: 'HIGH',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Enable secure email change',
+                    code: 'Go to Authentication > Settings > Email > Enable "Secure email change"'
+                }
+            ],
+            auto_fixable: true
+        },
+        references: [
+            {
+                title: 'Supabase Email Security',
+                url: 'https://supabase.com/docs/guides/auth/auth-email'
+            }
+        ],
+        false_positive_likelihood: 'LOW',
+        confidence: 0.95
+    };
+}
+/**
+ * Create finding for no password reuse prevention
+ */
+function createNoPasswordReusePreventionFinding(counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'LOW',
+        category: 'auth',
+        subcategory: 'password_reuse',
+        title: 'Password reuse prevention is weak',
+        description: 'The system does not prevent users from reusing recent passwords.',
+        evidence: {
+            password_reuse_prevention: 'insufficient'
+        },
+        impact: {
+            severity_score: 3.0,
+            description: 'Users can cycle through same passwords, defeating password rotation policies',
+            affected_resources: ['auth.config']
+        },
+        remediation: {
+            summary: 'Increase password history retention',
+            priority: 'LOW',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Set password history to at least 3 previous passwords',
+                    code: 'Configure password history in your auth policies'
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'NIST Password Guidelines',
+                url: 'https://pages.nist.gov/800-63-3/sp800-63b.html#sec5'
+            }
+        ],
+        false_positive_likelihood: 'HIGH',
+        confidence: 0.6
+    };
+}
+/**
+ * Create finding for insecure OAuth providers
+ */
+function createInsecureOAuthProviderFinding(providers, counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('auth', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'LOW',
+        category: 'auth',
+        subcategory: 'insecure_oauth',
+        title: 'Potentially insecure OAuth providers configured',
+        description: `The following OAuth providers may have weaker security: ${providers.join(', ')}. Consider using OAuth 2.0 providers with PKCE.`,
+        evidence: {
+            providers
+        },
+        impact: {
+            severity_score: 2.5,
+            description: 'Some OAuth providers have weaker security guarantees',
+            affected_resources: ['auth.config']
+        },
+        remediation: {
+            summary: 'Review OAuth provider security',
+            priority: 'LOW',
+            effort: 'MEDIUM',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Use OAuth 2.0 with PKCE',
+                    code: 'Configure providers to use OAuth 2.0 with PKCE flow'
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'OAuth 2.0 Security Best Practices',
+                url: 'https://tools.ietf.org/html/rfc6819'
+            }
+        ],
+        false_positive_likelihood: 'HIGH',
+        confidence: 0.6
+    };
+}
+/**
+ * Mock auth config for testing
+ */
+function getMockAuthConfig() {
+    return {
+        emailVerificationRequired: false,
+        emailConfirmationRequired: false,
+        passwordMinLength: 6,
+        passwordStrength: 'weak',
+        mfaEnabled: false,
+        mfaEnforced: false,
+        providers: ['google', 'github', 'facebook'],
+        jwtExpirySeconds: 7200,
+        refreshTokenRotation: false,
+        sessionTimeoutSeconds: 604800,
+        allowAnonymousSignIns: true,
+        secureEmailChange: false,
+        passwordReusePrevention: 0
+    };
+}
+//# sourceMappingURL=analyzer.js.map