[CAUTH-1274]: feat(attack protection): add breached password detection endpoints

src/management/AttackProtectionManager.js

@@ -53,10 +53,17 @@ var AttackProtectionManager = function(options) {
  options.tokenProvider
  );
  this.suspiciousIpThrottling = new RetryRestClient(suspiciousIpThrottling, options.retry);
+
+ var breachedPasswordDetection = new Auth0RestClient(
+ options.baseUrl + '/attack-protection/breached-password-detection',
+ clientOptions,
+ options.tokenProvider
+ );
+ this.breachedPasswordDetection = new RetryRestClient(breachedPasswordDetection, options.retry);
 };
 
 /**
- * Get the brute force configuration.
+ * Get the Brute Force Protection configuration.
  *
  * @method getBruteForceConfig
  * @memberOf module:management.AttackProtectionManager.prototype
@@ -83,7 +90,7 @@ utils.wrapPropertyMethod(
 );
 
 /**
- * Update the brute force configuration.
+ * Update the Brute Force Protection configuration.
  *
  * @method updateBruteForceConfig
  * @memberOf module:management.AttackProtectionManager.prototype
@@ -111,7 +118,7 @@ utils.wrapPropertyMethod(
 );
 
 /**
- * Get the suspicious IP throttling configuration.
+ * Get the Suspicious IP Throttling configuration.
  *
  * @method getSuspiciousIpThrottlingConfig
  * @memberOf module:management.AttackProtectionManager.prototype
@@ -138,7 +145,7 @@ utils.wrapPropertyMethod(
 );
 
 /**
- * Update the suspicious IP throttling configuration.
+ * Update the Suspicious IP Throttling configuration.
  *
  * @method updateSuspiciousIpThrottlingConfig
  * @memberOf module:management.AttackProtectionManager.prototype
@@ -165,4 +172,59 @@ utils.wrapPropertyMethod(
  'suspiciousIpThrottling.patch'
 );
 
+/**
+ * Get the Breached Password Detection configuration.
+ *
+ * @method getBreachedPasswordDetectionConfig
+ * @memberOf module:management.AttackProtectionManager.prototype
+ *
+ * @example
+ * management.attackProtection.getBreachedPasswordDetectionConfig(params, function (err, breachedPasswordDetectionConfig) {
+ * if (err) {
+ * // Handle error.
+ * }
+ *
+ * // Access breached password detection configuration
+ * console.log(breachedPasswordDetectionConfig);
+ * });
+ *
+ * @param {Object} params Breached password detection parameters (leave empty).
+ * @param {Function} [cb] Callback function.
+ *
+ * @return {Promise|undefined}
+ */
+utils.wrapPropertyMethod(
+ AttackProtectionManager,
+ 'getBreachedPasswordDetectionConfig',
+ 'breachedPasswordDetection.get'
+);
+
+/**
+ * Update the breached password detection configuration.
+ *
+ * @method updateBreachedPasswordDetectionConfig
+ * @memberOf module:management.AttackProtectionManager.prototype
+ *
+ * @example
+ * management.attackProtection.updateBreachedPasswordDetectionConfig(params, data, function (err, breachedPasswordDetectionConfig) {
+ * if (err) {
+ * // Handle error.
+ * }
+ *
+ * // Access breached password detection configuration
+ * console.log(breachedPasswordDetectionConfig);
+ * });
+ *
+ * @param {Object} params Breached password detection parameters (leave empty).
+ * @param {Object} data Updated breached password detection configuration.
+ * @param {Function} [cb] Callback function.
+ *
+ * @return {Promise|undefined}
+ */
+utils.wrapPropertyMethod(
+ AttackProtectionManager,
+ 'updateBreachedPasswordDetectionConfig',
+ 'breachedPasswordDetection.patch'
+);
+
 module.exports = AttackProtectionManager;

test/management/attack-protection.tests.js

@@ -10,6 +10,7 @@ var ArgumentError = require('rest-facade').ArgumentError;
 describe('AttackProtectionManager', function() {
  var bruteForcePath = '/attack-protection/brute-force-protection';
  var suspiciousIpPath = '/attack-protection/suspicious-ip-throttling';
+ var breachedPasswordDetectionPath = '/attack-protection/breached-password-detection';
 
  before(function() {
  this.token = 'TOKEN';
@@ -48,15 +49,15 @@ describe('AttackProtectionManager', function() {
  });
 
  describe('Brute Force Protection', function() {
- describe('#getBruteForceConfig', function() {
- var data = {
- enabled: true,
- shields: ['user_notification', 'block'],
- mode: 'count_per_identifier_and_ip',
- allowlist: ['1.1.2.2'],
- max_attempts: 100
- };
+ var data = {
+ enabled: true,
+ shields: ['user_notification', 'block'],
+ mode: 'count_per_identifier_and_ip',
+ allowlist: ['1.1.2.2'],
+ max_attempts: 100
+ };
 
+ describe('#getBruteForceConfig', function() {
  beforeEach(function() {
  this.request = nock(API_URL)
  .get(bruteForcePath)
@@ -125,14 +126,6 @@ describe('AttackProtectionManager', function() {
  });
 
  describe('#updateBruteForceConfig', function() {
- var data = {
- enabled: true,
- shields: ['user_notification', 'block'],
- mode: 'count_per_identifier_and_ip',
- allowlist: ['1.1.2.2'],
- max_attempts: 100
- };
-
  beforeEach(function() {
  this.request = nock(API_URL)
  .patch(bruteForcePath)
@@ -166,7 +159,7 @@ describe('AttackProtectionManager', function() {
  });
  });
 
- it('should perform a PATCH request to /api/v2/attack-protection/brute-force-protection', function(done) {
+ it('should perform a PATCH request to /api/v2' + bruteForcePath, function(done) {
  var request = this.request;
 
  this.attackProtection.updateBruteForceConfig({}, {}).then(function() {
@@ -212,23 +205,23 @@ describe('AttackProtectionManager', function() {
  });
 
  describe('Suspicious IP Throttling', function() {
- describe('#getSuspiciousIpThrottlingConfig', function() {
- var data = {
- enabled: true,
- shields: ['admin_notification', 'block'],
- allowlist: ['1.1.1.0'],
- stage: {
- 'pre-login': {
- max_attempts: 1,
- rate: 864000
- },
- 'pre-user-registration': {
- max_attempts: 1,
- rate: 864000
- }
+ var data = {
+ enabled: true,
+ shields: ['admin_notification', 'block'],
+ allowlist: ['1.1.1.0'],
+ stage: {
+ 'pre-login': {
+ max_attempts: 1,
+ rate: 864000
+ },
+ 'pre-user-registration': {
+ max_attempts: 1,
+ rate: 864000
  }
- };
+ }
+ };
 
+ describe('#getSuspiciousIpThrottlingConfig', function() {
  beforeEach(function() {
  this.request = nock(API_URL)
  .get(suspiciousIpPath)
@@ -272,7 +265,7 @@ describe('AttackProtectionManager', function() {
  });
  });
 
- it('should perform a GET request to /api/v2/attack-protection/brute-force-protection', function(done) {
+ it('should perform a GET request to /api/v2' + suspiciousIpPath, function(done) {
  var request = this.request;
 
  this.attackProtection.getSuspiciousIpThrottlingConfig().then(function() {
@@ -299,22 +292,6 @@ describe('AttackProtectionManager', function() {
  });
 
  describe('#updateSuspiciousIpThrottlingConfig', function() {
- var data = {
- enabled: true,
- shields: ['admin_notification', 'block'],
- allowlist: ['1.1.1.0'],
- stage: {
- 'pre-login': {
- max_attempts: 1,
- rate: 864000
- },
- 'pre-user-registration': {
- max_attempts: 1,
- rate: 864000
- }
- }
- };
-
  beforeEach(function() {
  this.request = nock(API_URL)
  .patch(suspiciousIpPath)
@@ -394,4 +371,164 @@ describe('AttackProtectionManager', function() {
  });
  });
  });
+
+ describe('Breached Password Detection', function() {
+ var data = {
+ enabled: true,
+ shields: ['block', 'user_notification', 'admin_notification'],
+ admin_notification_frequency: ['immediately']
+ };
+
+ describe('#getBreachedPasswordDetectionConfig', function() {
+ beforeEach(function() {
+ this.request = nock(API_URL)
+ .get(breachedPasswordDetectionPath)
+ .reply(200, data);
+ });
+
+ it('should accept a callback', function(done) {
+ this.attackProtection.getBreachedPasswordDetectionConfig({}, function() {
+ done();
+ });
+ });
+
+ it('should return a promise if no callback is given', function(done) {
+ this.attackProtection
+ .getBreachedPasswordDetectionConfig()
+ .then(done.bind(null, null))
+ .catch(done.bind(null, null));
+ });
+
+ it('should pass any errors to the promise catch handler', function(done) {
+ nock.cleanAll();
+
+ var request = nock(API_URL)
+ .get(breachedPasswordDetectionPath)
+ .reply(500);
+
+ this.attackProtection.getBreachedPasswordDetectionConfig().catch(function(err) {
+ expect(err).to.exist;
+
+ done();
+ });
+ });
+
+ it('should pass the body of the response to the "then" handler', function(done) {
+ this.attackProtection
+ .getBreachedPasswordDetectionConfig()
+ .then(function(breachedPasswordDetectionConfig) {
+ expect(breachedPasswordDetectionConfig).to.deep.equal(data);
+
+ done();
+ });
+ });
+
+ it('should perform a GET request to /api/v2' + breachedPasswordDetectionPath, function(done) {
+ var request = this.request;
+
+ this.attackProtection.getBreachedPasswordDetectionConfig().then(function() {
+ expect(request.isDone()).to.be.true;
+
+ done();
+ });
+ });
+
+ it('should include the token in the Authorization header', function(done) {
+ nock.cleanAll();
+
+ var request = nock(API_URL)
+ .get(breachedPasswordDetectionPath)
+ .matchHeader('Authorization', 'Bearer ' + this.token)
+ .reply(200);
+
+ this.attackProtection.getBreachedPasswordDetectionConfig().then(function() {
+ expect(request.isDone()).to.be.true;
+
+ done();
+ });
+ });
+ });
+
+ describe('#updateBreachedPasswordDetectionConfig', function() {
+ beforeEach(function() {
+ this.request = nock(API_URL)
+ .patch(breachedPasswordDetectionPath)
+ .reply(200, data);
+ });
+
+ it('should accept a callback', function(done) {
+ this.attackProtection.updateBreachedPasswordDetectionConfig({}, data, function() {
+ done();
+ });
+ });
+
+ it('should return a promise if no callback is given', function(done) {
+ this.attackProtection
+ .updateBreachedPasswordDetectionConfig({}, data)
+ .then(done.bind(null, null))
+ .catch(done.bind(null, null));
+ });
+
+ it('should pass any errors to the promise catch handler', function(done) {
+ nock.cleanAll();
+
+ var request = nock(API_URL)
+ .patch(breachedPasswordDetectionPath)
+ .reply(500);
+
+ this.attackProtection.updateBreachedPasswordDetectionConfig({}, data).catch(function(err) {
+ expect(err).to.exist.to.be.an.instanceOf(Error);
+
+ done();
+ });
+ });
+
+ it('should perform a PATCH request to /api/v2' + breachedPasswordDetectionPath, function(
+ done
+ ) {
+ var request = this.request;
+
+ this.attackProtection.updateBreachedPasswordDetectionConfig({}, {}).then(function() {
+ expect(request.isDone()).to.be.true;
+
+ done();
+ });
+ });
+
+ it('should pass the data in the body of the request', function(done) {
+ var request = this.request;
+
+ this.attackProtection.updateBreachedPasswordDetectionConfig({}, data).then(function() {
+ expect(request.isDone()).to.be.true;
+
+ done();
+ });
+ });
+
+ it('should pass the body of the response to the "then" handler', function(done) {
+ this.attackProtection
+ .updateBreachedPasswordDetectionConfig({}, data)
+ .then(function(breachedPasswordDetectionConfig) {
+ expect(breachedPasswordDetectionConfig).to.deep.equal(data);
+
+ done();
+ });
+ });
+
+ it('should include the token in the Authorization header', function(done) {
+ nock.cleanAll();
+
+ var request = nock(API_URL)
+ .patch(breachedPasswordDetectionPath)
+ .matchHeader('Authorization', 'Bearer ' + this.token)
+ .reply(200);
+
+ this.attackProtection.updateBreachedPasswordDetectionConfig({}, data).then(function() {
+ expect(request.isDone()).to.be.true;
+
+ done();
+ });
+ });
+ });
+ });
 });