signup validator and password reset mfa validator (#92)

shaunlamb-okta · web-flow · commit 503bb1e21d87 · 2026-03-04T13:22:06.000+11:00
* adding signup validator for info leakage

* fixing eslint issue

* adding password reset mfa validator

* Update checkPasswordResetMFA.js

* Update en.json
diff --git a/analyzer/lib/actions/checkPasswordResetMFA.js b/analyzer/lib/actions/checkPasswordResetMFA.js
@@ -0,0 +1,128 @@
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const acorn = require("acorn");
+const walk = require("estree-walker").walk;
+
+/**
+ * Scans the Action code for calls to MFA challenge methods.
+ * Returns boolean if challenge is found.
+ */
+function hasMFAChallenge(code, scriptName) {
+  let challengeFound = false;
+  let ast;
+
+  try {
+    ast = acorn.parse(code || "", {
+      ecmaVersion: "latest",
+      locations: true,
+    });
+  } catch (e) {
+    if (e instanceof SyntaxError) {
+      console.error(`[ACORN PARSE ERROR] Skipping script "${scriptName}" due to malformed code`);
+      return [];
+    }
+    throw e;
+  }
+
+  walk(ast, {
+    enter(node) {
+      if (node.type === "CallExpression") {
+        const callee = node.callee;
+        
+        function getMemberExpressionPath(expr) {
+          if (expr.type === "Identifier") return expr.name;
+          if (expr.type === "MemberExpression") {
+            const obj = getMemberExpressionPath(expr.object);
+            const prop = expr.property.name;
+            return obj ? `${obj}.${prop}` : prop;
+          }
+          return null;
+        }
+
+        const path = getMemberExpressionPath(callee);
+        if (path === "api.authentication.challengeWith" || path === "api.authentication.challengeWithAny") {
+          challengeFound = true;
+        }
+      }
+    },
+  });
+
+  return challengeFound;
+}
+
+/**
+ * Main validator for Actions targeting the password-reset trigger.
+ */
+function checkPasswordResetMFA(options) {
+  const { actions, databases } = options || {};
+  
+  return executeCheck("checkPasswordResetMFA", (callback) => {
+    // 1. Check for Active Password DBs (Same as before)
+    const hasActivePasswordDb = _.some(databases, (db) => {
+      const authMethods = db.options?.authentication_methods;
+      return db.strategy === "auth0" && (!authMethods || authMethods.password?.enabled !== false);
+    });
+
+    if (!hasActivePasswordDb) return callback([]); 
+
+    const actionsList = _.isArray(actions) ? actions : actions.actions;
+    if (_.isEmpty(actionsList)) {
+      return callback([{ name: "Actions", report: [{ field: "no_actions_configured", status: CONSTANTS.WARN }] }]);
+    }
+
+    // 2. Aggregate scan across ALL relevant actions
+    let passwordResetActionsFound = [];
+    let anyActionHasMFA = false;
+
+    for (const action of actionsList) {
+      const triggers = action.supported_triggers || [];
+      const isPassReset = triggers.some(t => t.id === "password-reset-post-challenge");
+      if (isPassReset) { // deployed_version.deployed
+        passwordResetActionsFound.push(action.name);
+        if (hasMFAChallenge(action.code, action.name)) {
+          anyActionHasMFA = true;
+        }
+      }
+    }
+
+    const reports = [];
+    const flowName = "Password Reset Flow";
+
+    // 3. Logic for the single finding report
+    if (passwordResetActionsFound.length === 0) {
+      reports.push({ 
+        name: "Password Reset Flow", 
+        report: [{ 
+            scriptName: flowName,
+            name: flowName, 
+            status: CONSTANTS.WARN,
+            variableName: "api.authentication.challengeWith",
+            line: "N/A",
+            column: "N/A",
+            field: "no_password_reset_action",
+        }] 
+      });
+    } else if (!anyActionHasMFA) {
+      // NONE of the password reset actions had MFA
+      reports.push({ 
+        name: "Password Reset Flow", 
+        report: [{ 
+          scriptName: `${passwordResetActionsFound.join(", ")}`, 
+          status: CONSTANTS.WARN,
+          name: flowName,
+          variableName: "api.authentication.challengeWith",
+          line: "N/A",
+          column: "N/A",
+          field: "missing_mfa_step",
+        }]      
+      });
+    } else {
+        // found an MFA challenge on password reset
+    }
+
+    return callback(reports);
+  });
+}
+
+module.exports = checkPasswordResetMFA;
diff --git a/analyzer/lib/actions/checkUserEnumeration.js b/analyzer/lib/actions/checkUserEnumeration.js
@@ -0,0 +1,102 @@
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const acorn = require("acorn");
+const walk = require("estree-walker").walk;
+
+/**
+ * Scans the Action code for calls to api.access.deny()
+ * to warn about potential user enumeration vulnerabilities.
+ */
+function detectAccessDeny(code, scriptName) {
+  const findings = [];
+
+  let ast;
+  try {
+    ast = acorn.parse(code || "", {
+      ecmaVersion: "latest",
+      locations: true,
+    });
+  } catch (e) {
+    if (e instanceof SyntaxError) {
+      console.error(`[ACORN PARSE ERROR] Skipping script "${scriptName}" due to malformed code`);
+      return [];
+    }
+    throw e;
+  }
+
+    walk(ast, {
+    enter(node) {
+        if (node.type === "CallExpression") {
+        const callee = node.callee;
+        
+        // Helper function to reconstruct the property chain (e.g., "api.access.deny")
+        function getMemberExpressionPath(expr) {
+            if (expr.type === "Identifier") return expr.name;
+            if (expr.type === "MemberExpression") {
+            const obj = getMemberExpressionPath(expr.object);
+            const prop = expr.property.name;
+            return obj ? `${obj}.${prop}` : prop;
+            }
+            return null;
+        }
+
+        const path = getMemberExpressionPath(callee);
+
+        // This will now catch api.access.deny regardless of how Acorn nests the objects
+        if (path === "api.access.deny") {
+            findings.push({
+            scriptName: scriptName,
+            field: "user_enumeration_vulnerability",
+            status: CONSTANTS.WARN,
+            line: node.loc?.start?.line || "N/A",
+            column: node.loc?.start?.column || "N/A",
+            // We add this to match the grouping logic in report.js
+            variableName: "api.access.deny" 
+            });
+        }
+        }
+    },
+    });
+
+  return findings;
+}
+
+/**
+ * Main validator for Actions targeting the pre-user-registration trigger.
+ */
+function checkPreRegistrationUserEnumeration(options) {
+  const { actions } = options || [];
+  
+  return executeCheck("checkPreRegistrationUserEnumeration", (callback) => {
+    const actionsList = _.isArray(actions) ? actions : actions.actions;
+    const reports = [];
+
+    if (_.isEmpty(actionsList)) {
+      return callback(reports);
+    }
+
+    for (const action of actionsList) {
+      const triggers = action.supported_triggers || [];
+   
+      const isPreReg = triggers.some(t => t.id === "pre-user-registration");
+      // Only scan if the action is part of the pre-user-registration trigger
+      if (!isPreReg) continue;
+
+      const actionName = `${action.name} (pre-user-registration)`;
+
+      try {
+        const findings = detectAccessDeny(action.code, actionName);
+        if (findings.length > 0) {
+          reports.push({ name: actionName, report: findings });
+        }
+      } catch (e) {
+        console.error(`[CHECK ERROR] Skipping Actions "${actionName}" due to error: ${e.message}`);
+        continue;
+      }
+    }
+    return callback(reports);
+  });
+}
+
+module.exports = checkPreRegistrationUserEnumeration;
diff --git a/analyzer/report.js b/analyzer/report.js
@@ -307,6 +307,8 @@ async function generateReport(locale, tenantConfig, config) {
             });
           });
           break;
+        case "checkPasswordResetMFA":  
+        case "checkPreRegistrationUserEnumeration":
         case "checkActionsHardCodedValues":
         case "checkDASHardCodedValues":
           report.disclaimer = i18n.__(`${report.name}.disclaimer`);
diff --git a/locales/en.json b/locales/en.json
@@ -135,7 +135,9 @@
 			"items": [
 				"NPM Dependencies",
 				"Actions Runtime",
-				"Hardcoded Artifacts"
+				"Hardcoded Artifacts",
+				"Information Leakage in Signup Flow",
+				"MFA for Password Reset"
 			]
 		},
 		{
@@ -1369,6 +1371,67 @@
 		"hard_coded_value_detected": "Variable name <b>%s</b> at line <b>%d</b> and column <b>%d</b>.",
 		"action_script_title": "Identified potential hardcoded credentials in <b>\"%s\"</b> script at:"
 	},
+	"checkPreRegistrationUserEnumeration": {
+		"title": "Information Leakage in Signup Flow",
+		"category": "Actions",
+		"advisory": {
+			"issue": "Exposing sensitive information during a signup attempt",
+			"description": {
+				"what_it_is": "User enumeration occurs when an application reveals whether a user exists in the system based on the response provided during actions like registration.",
+				"why_its_risky": [
+					"Using 'api.access.deny' in a Pre-User Registration Action to block signups from existing accounts may allow attackers to programmatically 'scrape' or verify which of your customers have accounts.",
+					"If a Pre-User Registration Action is rejecting a signup attempt based on internal risk scoring then threat actors may leverage this information to tune their methods to evade detection.",
+					"Disclosing account existance or or exposing risk scoring approaches in the Action, enables threat actors to more easily perform targeted attacks like phishing and credential stuffing, "
+				]
+			},
+			"how_to_fix": [
+				"Avoid using 'api.access.deny' in Pre-Registration Actions to notify users that an account is already registered or to notify them that risk level of the request was assessed to be too great.",
+				"All registration attempts should receive a generic success response. If an account already exists, consider triggering a secure, automated email to the registered address informing the user of the attempt. This maintains a seamless user experience while protecting account privacy."
+			]
+		},
+		"description": "Analyzes Pre-User Registration Actions for the use of 'api.access.deny', which can leak information or enable user enumeration.",
+		"docsPath": [
+			"https://auth0.com/docs/customize/actions/action-coding-guidelines"
+		],
+		"severity": "Low",
+		"status": "green",
+		"severity_message": "Potential user enumeration detected in a Pre User Registration Action.",
+		"user_enumeration_vulnerability": "Found <b>%s</b> at line <b>%d</b>, column <b>%d</b> which may leak information.",
+		"action_script_title": "Identified usage of api.access.deny in <b>\"%s\"</b> Action script:",
+		"disclaimer": "Please review the Action to determine if any information is exposed that may be useful to a threat actor."
+	},
+	"checkPasswordResetMFA": {
+		"title": "MFA for Password Reset",
+		"category": "Actions",
+		"advisory": {
+			"issue": "Missing MFA Challenge during Password Reset",
+			"description": {
+				"what_it_is": "This check verifies if your Password Reset Post Challenge Action requires a second factor before allowing a user to change their password.",
+				"why_its_risky": [
+					"If an attacker gains access to a user's email account, they can trigger a password reset and take over the identity without any further verification.",
+					"MFA during password reset ensures that even with a compromised email, the attacker has to overcome the secondary factor challenge."
+				]
+			},
+			"how_to_fix": [
+				"Create or update an Action in the Password Reset Post Challenge flow.",
+				"Use 'api.authentication.challengeWith()' to trigger an MFA challenge for users who have enrolled factors.",
+				"Ensure the Action is 'Deployed' and attached to the Password Reset trigger in the Auth0 Pipeline."
+			]
+		},
+		"description": "Analyzes Password Reset Actions to ensure MFA is being enforced as an additional security layer.",
+		"docsPath": [
+			"https://auth0.com/docs/customize/actions/explore-triggers/password-reset-triggers"
+		],
+		"severity": "Moderate",
+		"status": "yellow",
+		"severity_message": "an MFA Challenge is not detected in the Password Reset flow.",
+		"mfa_challenge_detected": "MFA Challenge (<b>%s</b>) correctly implemented at line <b>%d</b>.",
+		"missing_mfa_step": "Action script exists but does not appear to trigger an MFA challenge.",
+		"no_password_reset_action": "No Action is currently configured for the Password Reset trigger. Password resets are only protected by email access.",
+		"no_actions_configured": "No Actions found in tenant.",
+		"disclaimer": "This finding may be a false positive if Identity Proofing or similar mitigation is enforced elsewhere in the authentication or password reset workflow. Verify any alternative security controls are active before dismissing this recommendation.",
+		"action_script_title": "A deployed Password Reset Action that triggers an MFA challenge was not found based on searching for the 'api.authentication.challengeWith()' or equivalent method."
+	},
 	"checkCanonicalDomain": {
 		"title": "Auth0 Domain Check",
 		"category": "Canonical Domain",
@@ -1414,4 +1477,4 @@
 			"https://auth0.com/docs/customize/events/event-testing-observability-and-failure-recovery"
 		]
 	}
-}
+}
diff --git a/tests/actions/checkPasswordResetMFA.test.js b/tests/actions/checkPasswordResetMFA.test.js
diff --git a/tests/actions/checkUserEnumeration.test.js b/tests/actions/checkUserEnumeration.test.js
