fix: bot detection and captcha files optional loading & CIDR validation (#1200)

* feat(attackProtection.ts): refactor bot detection and captcha update calls
- src/tools/auth0/handlers/attackProtection.ts: simplify update calls for bot detection, captcha, and other configurations

* feat(src/context/directory/handlers/attackProtection.ts): update bot detection and captcha loading logic
- src/context/directory/handlers/attackProtection.ts: refactor to check if bot detection and captcha files exist before loading
- src/context/yaml/handlers/attackProtection.ts: rename parseAndDump to separate parse and dump functions

Author: kushalshit27

src/context/directory/handlers/attackProtection.ts

@@ -1,7 +1,7 @@
 import path from 'path';
 import fs from 'fs-extra';
 import { constants } from '../../../tools';
-import { dumpJSON, existsMustBeDir, loadJSON } from '../../../utils';
+import { dumpJSON, existsMustBeDir, isFile, loadJSON } from '../../../utils';
 import { DirectoryHandler } from '.';
 import DirectoryContext from '..';
 import { ParsedAsset } from '../../../types';
@@ -39,10 +39,6 @@ function parse(context: DirectoryContext): ParsedAttackProtection {
     };
   }
 
-  const botDetection = loadJSON(files.botDetection, {
-    mappings: context.mappings,
-    disableKeywordReplacement: context.disableKeywordReplacement,
-  });
   const breachedPasswordDetection = loadJSON(files.breachedPasswordDetection, {
     mappings: context.mappings,
     disableKeywordReplacement: context.disableKeywordReplacement,
@@ -51,25 +47,33 @@ function parse(context: DirectoryContext): ParsedAttackProtection {
     mappings: context.mappings,
     disableKeywordReplacement: context.disableKeywordReplacement,
   });
-  const captcha = loadJSON(files.captcha, {
-    mappings: context.mappings,
-    disableKeywordReplacement: context.disableKeywordReplacement,
-  });
   const suspiciousIpThrottling = loadJSON(files.suspiciousIpThrottling, {
     mappings: context.mappings,
     disableKeywordReplacement: context.disableKeywordReplacement,
   });
 
-  const maskedAttackProtection = attackProtectionDefaults({
-    botDetection,
+  const attackProtection: AttackProtection = {
     breachedPasswordDetection,
     bruteForceProtection,
-    captcha,
     suspiciousIpThrottling,
-  });
+  };
+
+  if (isFile(files.botDetection)) {
+    attackProtection.botDetection = loadJSON(files.botDetection, {
+      mappings: context.mappings,
+      disableKeywordReplacement: context.disableKeywordReplacement,
+    });
+  }
+
+  if (isFile(files.captcha)) {
+    attackProtection.captcha = loadJSON(files.captcha, {
+      mappings: context.mappings,
+      disableKeywordReplacement: context.disableKeywordReplacement,
+    });
+  }
 
   return {
-    attackProtection: maskedAttackProtection,
+    attackProtection,
   };
 }
 
@@ -81,20 +85,22 @@ async function dump(context: DirectoryContext): Promise<void> {
   const files = attackProtectionFiles(context.filePath);
   fs.ensureDirSync(files.directory);
 
-  if (attackProtection.botDetection) {
-    dumpJSON(files.botDetection, attackProtection.botDetection);
+  const maskedAttackProtection = attackProtectionDefaults(attackProtection);
+
+  if (maskedAttackProtection.botDetection) {
+    dumpJSON(files.botDetection, maskedAttackProtection.botDetection);
   }
-  if (attackProtection.breachedPasswordDetection) {
-    dumpJSON(files.breachedPasswordDetection, attackProtection.breachedPasswordDetection);
+  if (maskedAttackProtection.breachedPasswordDetection) {
+    dumpJSON(files.breachedPasswordDetection, maskedAttackProtection.breachedPasswordDetection);
   }
-  if (attackProtection.bruteForceProtection) {
-    dumpJSON(files.bruteForceProtection, attackProtection.bruteForceProtection);
+  if (maskedAttackProtection.bruteForceProtection) {
+    dumpJSON(files.bruteForceProtection, maskedAttackProtection.bruteForceProtection);
   }
-  if (attackProtection.captcha) {
-    dumpJSON(files.captcha, attackProtection.captcha);
+  if (maskedAttackProtection.captcha) {
+    dumpJSON(files.captcha, maskedAttackProtection.captcha);
   }
-  if (attackProtection.suspiciousIpThrottling) {
-    dumpJSON(files.suspiciousIpThrottling, attackProtection.suspiciousIpThrottling);
+  if (maskedAttackProtection.suspiciousIpThrottling) {
+    dumpJSON(files.suspiciousIpThrottling, maskedAttackProtection.suspiciousIpThrottling);
   }
 }
 

src/context/yaml/handlers/attackProtection.ts

@@ -6,7 +6,17 @@ import { attackProtectionDefaults } from '../../defaults';
 
 type ParsedAttackProtection = ParsedAsset<'attackProtection', AttackProtection>;
 
-async function parseAndDump(context: YAMLContext): Promise<ParsedAttackProtection> {
+async function parse(context: YAMLContext): Promise<ParsedAttackProtection> {
+  const { attackProtection } = context.assets;
+
+  if (!attackProtection) return { attackProtection: null };
+
+  return {
+    attackProtection,
+  };
+}
+
+async function dump(context: YAMLContext): Promise<ParsedAttackProtection> {
   const { attackProtection } = context.assets;
 
   if (!attackProtection) return { attackProtection: null };
@@ -41,8 +51,8 @@ async function parseAndDump(context: YAMLContext): Promise<ParsedAttackProtectio
 }
 
 const attackProtectionHandler: YAMLHandler<ParsedAttackProtection> = {
-  parse: parseAndDump,
-  dump: parseAndDump,
+  parse: parse,
+  dump: dump,
 };
 
 export default attackProtectionHandler;

src/tools/auth0/handlers/attackProtection.ts

@@ -41,18 +41,6 @@ export const schema = {
           type: 'array',
           items: {
             type: 'string',
-            oneOf: [
-              {
-                type: 'string',
-                format: 'ipv4',
-                description: 'IPv4 address or CIDR block',
-              },
-              {
-                type: 'string',
-                format: 'ipv6',
-                description: 'IPv6 address or CIDR block',
-              },
-            ],
             description: 'IP address (IPv4 or IPv6) or CIDR block',
           },
           description: 'List of IP addresses or CIDR blocks to allowlist',
@@ -301,20 +289,15 @@ export default class AttackProtectionHandler extends DefaultAPIHandler {
 
     const updates: Promise<unknown>[] = [];
 
-    const attackProtectionClient = this.client.attackProtection;
-
     if (attackProtection.botDetection && Object.keys(attackProtection.botDetection).length) {
       updates.push(
-        attackProtectionClient.updateBotDetectionConfig.call(
-          attackProtectionClient,
-          attackProtection.botDetection
-        )
+        this.client.attackProtection.updateBotDetectionConfig(attackProtection.botDetection)
       );
     }
 
     if (attackProtection.breachedPasswordDetection) {
       updates.push(
-        attackProtectionClient.updateBreachedPasswordDetectionConfig(
+        this.client.attackProtection.updateBreachedPasswordDetectionConfig(
           attackProtection.breachedPasswordDetection
         )
       );
@@ -340,23 +323,18 @@ export default class AttackProtectionHandler extends DefaultAPIHandler {
 
       attackProtection.captcha = captcha;
 
-      updates.push(
-        attackProtectionClient.updateCaptchaConfig.call(
-          attackProtectionClient,
-          attackProtection.captcha
-        )
-      );
+      updates.push(this.client.attackProtection.updateCaptchaConfig(attackProtection.captcha));
     }
 
     if (attackProtection.bruteForceProtection) {
       updates.push(
-        attackProtectionClient.updateBruteForceConfig(attackProtection.bruteForceProtection)
+        this.client.attackProtection.updateBruteForceConfig(attackProtection.bruteForceProtection)
       );
     }
 
     if (attackProtection.suspiciousIpThrottling) {
       updates.push(
-        attackProtectionClient.updateSuspiciousIpThrottlingConfig(
+        this.client.attackProtection.updateSuspiciousIpThrottlingConfig(
           attackProtection.suspiciousIpThrottling
         )
       );