verification-layer 0.21.0 → 0.22.0

package/dist/scanners/authentication/index.js

@@ -0,0 +1,107 @@
+/**
+ * Multi-Factor Authentication (MFA) Scanner
+ * Detects missing or bypassed MFA in authentication flows
+ */
+import * as fs from 'fs/promises';
+import { ALL_MFA_PATTERNS } from './patterns.js';
+export const authenticationScanner = {
+    name: 'Multi-Factor Authentication Scanner',
+    category: 'access-control', // Map to existing category for now
+    async scan(files, options) {
+        const findings = [];
+        // Filter to code and config files
+        const relevantFiles = files.filter((f) => /\.(js|ts|jsx|tsx|json|yaml|yml|env)$/i.test(f));
+        // Common auth config file patterns
+        const authConfigFiles = relevantFiles.filter((f) => /(?:auth|clerk|supabase|next-auth).*\.(?:ts|js|json|config)/i.test(f));
+        for (const file of relevantFiles) {
+            try {
+                const content = await fs.readFile(file, 'utf-8');
+                const lines = content.split('\n');
+                for (const pattern of ALL_MFA_PATTERNS) {
+                    // Special handling for MFA-001 (auth config files)
+                    if (pattern.id === 'MFA-001') {
+                        await scanAuthConfig(file, content, lines, pattern, findings);
+                        continue;
+                    }
+                    // Standard pattern matching for MFA-002 and MFA-003
+                    for (let i = 0; i < lines.length; i++) {
+                        const line = lines[i];
+                        const lineNumber = i + 1;
+                        // Skip comments
+                        if (/^\s*(?:\/\/|#|\*)/.test(line))
+                            continue;
+                        // Check if line matches violation pattern
+                        const matched = pattern.patterns.some((p) => p.test(line));
+                        if (!matched)
+                            continue;
+                        // Check if negative patterns indicate compliance
+                        const isCompliant = pattern.negativePatterns?.some((p) => {
+                            // Check current line and next 5 lines for compliance indicators
+                            const context = lines.slice(i, i + 6).join('\n');
+                            return p.test(context);
+                        });
+                        if (isCompliant)
+                            continue;
+                        // Create finding
+                        findings.push({
+                            id: pattern.id,
+                            category: 'access-control',
+                            severity: pattern.severity,
+                            title: pattern.name,
+                            description: `${pattern.description}\n\nCode: ${line.trim()}`,
+                            file: file,
+                            line: lineNumber,
+                            recommendation: pattern.recommendation,
+                            hipaaReference: pattern.hipaaReference,
+                            confidence: 'high',
+                        });
+                    }
+                }
+            }
+            catch (error) {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+/**
+ * Scan auth configuration files for missing MFA
+ */
+async function scanAuthConfig(file, content, lines, pattern, findings) {
+    // Check if this is an auth-related file
+    const isAuthFile = /(?:auth|clerk|supabase|next-auth)/i.test(file) ||
+        pattern.patterns.some((p) => p.test(content));
+    if (!isAuthFile)
+        return;
+    // Check if file has any auth provider configuration
+    const hasAuthConfig = pattern.patterns.some((p) => p.test(content));
+    if (!hasAuthConfig)
+        return;
+    // Check if MFA is configured
+    const hasMfaConfig = pattern.negativePatterns?.some((p) => p.test(content));
+    if (hasMfaConfig)
+        return;
+    // Find the line with auth configuration
+    let configLine = 1;
+    for (let i = 0; i < lines.length; i++) {
+        if (pattern.patterns.some((p) => p.test(lines[i]))) {
+            configLine = i + 1;
+            break;
+        }
+    }
+    // Create finding for auth config without MFA
+    findings.push({
+        id: pattern.id,
+        category: 'access-control',
+        severity: pattern.severity,
+        title: pattern.name,
+        description: `${pattern.description}\n\nFile contains auth configuration but no MFA setup detected.`,
+        file: file,
+        line: configLine,
+        recommendation: pattern.recommendation,
+        hipaaReference: pattern.hipaaReference,
+        confidence: 'high',
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/scanners/authentication/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/authentication/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAElC,OAAO,EAAE,gBAAgB,EAAmB,MAAM,eAAe,CAAC;AAElE,MAAM,CAAC,MAAM,qBAAqB,GAAY;IAC5C,IAAI,EAAE,qCAAqC;IAC3C,QAAQ,EAAE,gBAAgB,EAAE,mCAAmC;IAE/D,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,kCAAkC;QAClC,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvC,uCAAuC,CAAC,IAAI,CAAC,CAAC,CAAC,CAChD,CAAC;QAEF,mCAAmC;QACnC,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACjD,6DAA6D,CAAC,IAAI,CAAC,CAAC,CAAC,CACtE,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBACjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;oBACvC,mDAAmD;oBACnD,IAAI,OAAO,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;wBAC7B,MAAM,cAAc,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;wBAC9D,SAAS;oBACX,CAAC;oBAED,oDAAoD;oBACpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;wBACtB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;wBAEzB,gBAAgB;wBAChB,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAE7C,0CAA0C;wBAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;wBAC3D,IAAI,CAAC,OAAO;4BAAE,SAAS;wBAEvB,iDAAiD;wBACjD,MAAM,WAAW,GAAG,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;4BACvD,gEAAgE;4BAChE,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;4BACjD,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;wBACzB,CAAC,CAAC,CAAC;wBAEH,IAAI,WAAW;4BAAE,SAAS;wBAE1B,iBAAiB;wBACjB,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,OAAO,CAAC,EAAE;4BACd,QAAQ,EAAE,gBAAgB;4BAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;4BACnB,WAAW,EAAE,GAAG,OAAO,CAAC,WAAW,aAAa,IAAI,CAAC,IAAI,EAAE,EAAE;4BAC7D,IAAI,EAAE,IAAI;4BACV,IAAI,EAAE,UAAU;4BAChB,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,UAAU,EAAE,MAAM;yBACnB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,KAAK,UAAU,cAAc,CAC3B,IAAY,EACZ,OAAe,EACf,KAAe,EACf,OAAmB,EACnB,QAAmB;IAEnB,wCAAwC;IACxC,MAAM,UAAU,GACd,oCAAoC,CAAC,IAAI,CAAC,IAAI,CAAC;QAC/C,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAEhD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,oDAAoD;IACpD,MAAM,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACpE,IAAI,CAAC,aAAa;QAAE,OAAO;IAE3B,6BAA6B;IAC7B,MAAM,YAAY,GAAG,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5E,IAAI,YAAY;QAAE,OAAO;IAEzB,wCAAwC;IACxC,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;YACnB,MAAM;QACR,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC,EAAE;QACd,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;QACnB,WAAW,EAAE,GAAG,OAAO,CAAC,WAAW,iEAAiE;QACpG,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,UAAU;QAChB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,UAAU,EAAE,MAAM;KACnB,CAAC,CAAC;AACL,CAAC"}

package/dist/scanners/authentication/index.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Tests for Multi-Factor Authentication Scanner
+ */
+export {};
+//# sourceMappingURL=index.test.d.ts.map

package/dist/scanners/authentication/index.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../../../src/scanners/authentication/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/scanners/authentication/index.test.js

@@ -0,0 +1,379 @@
+/**
+ * Tests for Multi-Factor Authentication Scanner
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { authenticationScanner } from './index.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+describe('Authentication Scanner', () => {
+    let tempDir = '';
+    let testFiles = [];
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'auth-test-'));
+    });
+    afterEach(async () => {
+        // Cleanup
+        for (const file of testFiles) {
+            try {
+                await fs.unlink(file);
+            }
+            catch {
+                // Ignore
+            }
+        }
+        try {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore
+        }
+        testFiles = [];
+    });
+    async function createTestFile(filename, content) {
+        const filePath = path.join(tempDir, filename);
+        await fs.writeFile(filePath, content, 'utf-8');
+        testFiles.push(filePath);
+        return filePath;
+    }
+    const scanOptions = {
+        path: tempDir,
+    };
+    describe('MFA-001: Auth Configuration Without MFA', () => {
+        it('should detect NextAuth without MFA', async () => {
+            const file = await createTestFile('auth.ts', `
+import NextAuth from 'next-auth';
+import CredentialsProvider from 'next-auth/providers/credentials';
+
+export default NextAuth({
+  providers: [
+    CredentialsProvider({
+      credentials: {
+        email: { label: "Email", type: "email" },
+        password: { label: "Password", type: "password" }
+      },
+      async authorize(credentials) {
+        const user = await verifyCredentials(credentials);
+        return user;
+      }
+    })
+  ],
+  session: {
+    strategy: 'jwt'
+  }
+});
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-001');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+            expect(mfaFindings[0].severity).toBe('critical');
+            expect(mfaFindings[0].hipaaReference).toContain('164.312(d)');
+        });
+        it('should not flag NextAuth with MFA enabled', async () => {
+            const file = await createTestFile('auth-secure.ts', `
+import NextAuth from 'next-auth';
+import CredentialsProvider from 'next-auth/providers/credentials';
+
+export default NextAuth({
+  providers: [
+    CredentialsProvider({
+      credentials: {
+        email: { label: "Email", type: "email" },
+        password: { label: "Password", type: "password" },
+        totpCode: { label: "TOTP Code", type: "text" }
+      },
+      async authorize(credentials) {
+        const user = await verifyCredentials(credentials);
+        // Verify MFA
+        if (user.mfaEnabled) {
+          const validTotp = await verifyTotp(user.id, credentials.totpCode);
+          if (!validTotp) return null;
+        }
+        return user;
+      }
+    })
+  ],
+  session: {
+    strategy: 'jwt'
+  }
+});
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-001');
+            expect(mfaFindings.length).toBe(0);
+        });
+        it('should detect Clerk configuration without MFA', async () => {
+            const file = await createTestFile('clerk-provider.tsx', `
+import { ClerkProvider } from '@clerk/nextjs';
+
+export default function RootLayout({ children }) {
+  return (
+    <ClerkProvider
+      appearance={{
+        variables: { colorPrimary: '#000' }
+      }}
+    >
+      {children}
+    </ClerkProvider>
+  );
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-001');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+            expect(mfaFindings[0].severity).toBe('critical');
+        });
+        it('should detect Auth0 configuration without MFA', async () => {
+            const file = await createTestFile('auth0-config.ts', `
+import { Auth0Provider } from '@auth0/auth0-react';
+
+const Auth0Config = () => (
+  <Auth0Provider
+    domain="myapp.auth0.com"
+    clientId="abc123"
+    redirectUri={window.location.origin}
+  >
+    <App />
+  </Auth0Provider>
+);
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-001');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect Supabase Auth without MFA', async () => {
+            const file = await createTestFile('supabase-config.ts', `
+import { createClient } from '@supabase/supabase-js';
+
+const supabase = createClient(
+  'https://myproject.supabase.co',
+  'public-anon-key'
+);
+
+export async function signUp(email: string, password: string) {
+  const { data, error } = await supabase.auth.signUp({
+    email,
+    password,
+  });
+  return { data, error };
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-001');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+        });
+    });
+    describe('MFA-002: Login Flow Without Second Factor', () => {
+        it('should detect signIn with only email+password', async () => {
+            const file = await createTestFile('login.ts', `
+export async function handleLogin(email: string, password: string) {
+  const result = await signIn('credentials', {
+    email,
+    password,
+    redirect: false,
+  });
+
+  if (result?.ok) {
+    router.push('/dashboard');
+  }
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-002');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+            expect(mfaFindings[0].severity).toBe('high');
+        });
+        it('should detect login with credentials object', async () => {
+            const file = await createTestFile('auth-handler.ts', `
+async function authenticate(credentials: { email: string; password: string }) {
+  const user = await login(credentials);
+  return user;
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-002');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+        });
+        it('should not flag login with MFA verification', async () => {
+            const file = await createTestFile('login-secure.ts', `
+export async function handleLogin(
+  email: string,
+  password: string,
+  mfaToken: string
+) {
+  const result = await signIn('credentials', {
+    email,
+    password,
+    mfaToken,
+    redirect: false,
+  });
+
+  if (result?.ok) {
+    router.push('/dashboard');
+  }
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-002');
+            expect(mfaFindings.length).toBe(0);
+        });
+        it('should not flag login with TOTP code', async () => {
+            const file = await createTestFile('login-totp.ts', `
+async function authenticate(email: string, password: string, totpCode: string) {
+  const user = await verifyPassword(email, password);
+  if (!user) return null;
+
+  const validTotp = await verifyTotpCode(user.id, totpCode);
+  if (!validTotp) return null;
+
+  return user;
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-002');
+            expect(mfaFindings.length).toBe(0);
+        });
+    });
+    describe('MFA-003: MFA Bypass Detected', () => {
+        it('should detect skipMfa function call', async () => {
+            const file = await createTestFile('bypass.ts', `
+async function login(user: User) {
+  if (process.env.NODE_ENV === 'development') {
+    return skipMfa(user);
+  }
+  return requireMfaVerification(user);
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-003');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+            expect(mfaFindings[0].severity).toBe('critical');
+        });
+        it('should detect bypassMfa in code', async () => {
+            const file = await createTestFile('bypass-func.ts', `
+function authenticate(user: User, bypassMfa = false) {
+  if (bypassMfa) {
+    return grantAccess(user);
+  }
+  return checkMfaAndGrant(user);
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-003');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect mfaEnabled=false', async () => {
+            const file = await createTestFile('config-bypass.ts', `
+const authConfig = {
+  providers: ['google', 'github'],
+  mfaEnabled: false,
+  sessionTimeout: 3600
+};
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-003');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect requireMfa=false', async () => {
+            const file = await createTestFile('mfa-disabled.ts', `
+export const authOptions = {
+  requireMfa: false,
+  allowPasswordReset: true
+};
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-003');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect environment-based MFA bypass', async () => {
+            const file = await createTestFile('env-bypass.ts', `
+const mfaRequired = !process.env.SKIP_MFA;
+
+if (process.env.DISABLE_MFA === 'true') {
+  console.log('MFA disabled');
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-003');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+        });
+        it('should not flag MFA bypass in test files', async () => {
+            const file = await createTestFile('auth.test.ts', `
+describe('Auth', () => {
+  it('should allow skipMfa in tests', () => {
+    const user = skipMfa(testUser);
+    expect(user).toBeDefined();
+  });
+});
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-003');
+            expect(mfaFindings.length).toBe(0);
+        });
+        it('should not flag MFA bypass in error messages', async () => {
+            const file = await createTestFile('error-handler.ts', `
+function validateMfa(user: User) {
+  if (!user.mfaEnabled) {
+    throw new Error('MFA is disabled for this user. Please contact admin.');
+  }
+  console.warn('User has mfaEnabled: false in profile');
+}
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-003');
+            expect(mfaFindings.length).toBe(0);
+        });
+    });
+    describe('General Scanner Behavior', () => {
+        it('should only scan relevant file types', async () => {
+            await createTestFile('README.md', 'signIn(email, password)');
+            await createTestFile('data.json', '{"mfaEnabled": false}');
+            await createTestFile('code.ts', 'const user = signIn(email, password);');
+            const findings = await authenticationScanner.scan(testFiles, scanOptions);
+            // Should only find findings in .ts file
+            const mdFindings = findings.filter((f) => f.file.endsWith('.md'));
+            expect(mdFindings.length).toBe(0);
+        });
+        it('should skip comment lines', async () => {
+            const file = await createTestFile('commented.ts', `
+// This is how to skipMfa (don't do this!)
+/*
+ * bypassMfa should never be used
+ */
+const validCode = true;
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'MFA-003');
+            expect(mfaFindings.length).toBe(0);
+        });
+        it('should include confidence scores', async () => {
+            const file = await createTestFile('test.ts', `
+const config = {
+  mfaEnabled: false
+};
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            for (const finding of findings) {
+                expect(finding.confidence).toBeDefined();
+                expect(['high', 'medium', 'low']).toContain(finding.confidence);
+            }
+        });
+        it('should include proper HIPAA references', async () => {
+            const file = await createTestFile('auth.ts', `
+export default NextAuth({
+  providers: [
+    CredentialsProvider({
+      credentials: { email: {}, password: {} }
+    })
+  ]
+});
+        `);
+            const findings = await authenticationScanner.scan([file], scanOptions);
+            for (const finding of findings) {
+                expect(finding.hipaaReference).toBeDefined();
+                expect(finding.hipaaReference).toContain('164.312(d)');
+            }
+        });
+    });
+});
+//# sourceMappingURL=index.test.js.map

package/dist/scanners/authentication/index.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.js","sourceRoot":"","sources":["../../../src/scanners/authentication/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAEnD,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,IAAI,OAAO,GAAW,EAAE,CAAC;IACzB,IAAI,SAAS,GAAa,EAAE,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,UAAU;QACV,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,OAAe;QAEf,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,OAAO;KACd,CAAC;IAEF,QAAQ,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACvD,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;YAClD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;;;;;;;;;;;;;;;;;SAqBC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACjD,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;;;;;;;;;;;;;;;;;;;;;SA2BC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;;;;;;;;;;;;;SAcC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;;;;;;;SAYC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;;;;;;;;;;;;;;SAeC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACzD,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,UAAU,EACV;;;;;;;;;;;;SAYC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;;;;;;;;;;;;SAiBC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;;;;;SAUC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;QAC5C,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;YAC/C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;;SAMC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;SAMC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;QACxC,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,cAAc,CAAC,WAAW,EAAE,yBAAyB,CAAC,CAAC;YAC7D,MAAM,cAAc,CAAC,WAAW,EAAE,uBAAuB,CAAC,CAAC;YAC3D,MAAM,cAAc,CAAC,SAAS,EAAE,uCAAuC,CAAC,CAAC;YAEzE,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAC/C,SAAS,EACT,WAAW,CACZ,CAAC;YAEF,wCAAwC;YACxC,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAClE,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;YACzC,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;SAMC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAE/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;SAIC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAEvE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YAClE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;;;;SAQC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAEvE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC7C,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;YACzD,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanners/authentication/patterns.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Multi-Factor Authentication (MFA) Detection Patterns
+ * Enforces MFA requirements per HIPAA NPRM §164.312(d)
+ */
+export interface MFAPattern {
+    id: string;
+    name: string;
+    description: string;
+    severity: 'critical' | 'high' | 'medium';
+    hipaaReference: string;
+    patterns: RegExp[];
+    negativePatterns?: RegExp[];
+    recommendation: string;
+    category: string;
+}
+/**
+ * MFA-001: Auth Provider Configuration Without MFA
+ * Detects NextAuth, Clerk, Auth0, Supabase Auth configs without MFA enabled
+ */
+export declare const AUTH_CONFIG_NO_MFA: MFAPattern;
+/**
+ * MFA-002: Login Flow Without Second Factor
+ * Detects signIn/login with only email+password without MFA verification
+ */
+export declare const LOGIN_NO_SECOND_FACTOR: MFAPattern;
+/**
+ * MFA-003: MFA Bypass in Code
+ * Detects code that explicitly bypasses or disables MFA requirements
+ */
+export declare const MFA_BYPASS: MFAPattern;
+export declare const ALL_MFA_PATTERNS: MFAPattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/authentication/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/authentication/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,EAAE,UA6ChC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,EAAE,UAmCpC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,UAAU,EAAE,UA2CxB,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,UAAU,EAIxC,CAAC"}