feat: support limit M2M usage - EA (#1093)

* feat: add token quota schema for client credentials in clients and organizations

* feat: add token quota configuration schema for clients and organizations

* feat: allow token quota to be null in clients and organizations schemas

* test: add token_quota property validation for clients, organizations, and tenants

* chore: update dependencies to latest versions

Author: kushalshit27

package-lock.json

@@ -33,7 +33,7 @@
   "homepage": "https://github.com/auth0/auth0-deploy-cli#readme",
   "dependencies": {
     "ajv": "^6.12.6",
-    "auth0": "^4.23.1",
+    "auth0": "^4.24.0",
     "dot-prop": "^5.3.0",
     "fs-extra": "^10.1.0",
     "js-yaml": "^4.1.0",
@@ -42,13 +42,13 @@
     "nconf": "^0.13.0",
     "promise-pool-executor": "^1.1.1",
     "sanitize-filename": "^1.6.3",
-    "undici": "^7.8.0",
+    "undici": "^7.10.0",
     "winston": "^3.17.0",
     "yargs": "^15.4.1"
   },
   "devDependencies": {
     "@types/fs-extra": "^9.0.13",
-    "@types/lodash": "^4.17.16",
+    "@types/lodash": "^4.17.17",
     "@types/mocha": "^10.0.10",
     "@types/nconf": "^0.10.7",
     "@typescript-eslint/parser": "^5.62.0",

package.json

@@ -82,6 +82,31 @@ export const schema = {
           policies: multiResourceRefreshTokenPolicies,
         },
       },
+      token_quota: {
+        type: ['object', 'null'],
+        properties: {
+          client_credentials: {
+            type: 'object',
+            properties: {
+              enforce: {
+                type: 'boolean',
+                default: true,
+              },
+              per_day: {
+                type: 'integer',
+                minimum: 1,
+              },
+              per_hour: {
+                type: 'integer',
+                minimum: 1,
+              },
+            },
+            additionalProperties: false,
+            minProperties: 1,
+          },
+        },
+        required: ['client_credentials'],
+      },
     },
     required: ['name'],
   },

src/tools/auth0/handlers/clients.ts

@@ -45,6 +45,31 @@ export const schema = {
         },
         default: [],
       },
+      token_quota: {
+        type: ['object', 'null'],
+        properties: {
+          client_credentials: {
+            type: 'object',
+            properties: {
+              enforce: {
+                type: 'boolean',
+                default: true,
+              },
+              per_day: {
+                type: 'integer',
+                minimum: 1,
+              },
+              per_hour: {
+                type: 'integer',
+                minimum: 1,
+              },
+            },
+            additionalProperties: false,
+            minProperties: 1,
+          },
+        },
+        required: ['client_credentials'],
+      },
     },
     required: ['name'],
   },

src/tools/auth0/handlers/organizations.ts

@@ -11,8 +11,45 @@ import { convertJsonToString } from '../../utils';
 import { Asset, Assets } from '../../../types';
 import log from '../../../logger';
 
+const tokenQuotaConfigurationSchema = {
+  type: 'object',
+  properties: {
+    client_credentials: {
+      type: 'object',
+      properties: {
+        enforce: {
+          type: 'boolean',
+          default: true,
+        },
+        per_day: {
+          type: 'integer',
+          minimum: 1,
+        },
+        per_hour: {
+          type: 'integer',
+          minimum: 1,
+        },
+      },
+      additionalProperties: false,
+      minProperties: 1,
+    },
+  },
+  required: ['client_credentials'],
+};
+
 export const schema = {
   type: 'object',
+  properties: {
+    default_token_quota: {
+      type: 'object',
+      properties: {
+        clients: tokenQuotaConfigurationSchema,
+        organizations: tokenQuotaConfigurationSchema,
+      },
+      additionalProperties: false,
+      minProperties: 1,
+    },
+  },
 };
 
 export type Tenant = TenantSettings;

src/tools/auth0/handlers/tenant.ts

@@ -184,6 +184,46 @@ describe('#clients handler', () => {
       await stageFn.apply(handler, [{ clients: [clientWithRefreshTokenPolicies] }]);
     });
 
+    it('should allow valid token_quota property in client', async () => {
+      const clientWithTokenQuota = {
+        name: 'clientWithTokenQuota',
+        token_quota: {
+          client_credentials: {
+            enforce: true,
+            per_day: 1000,
+            per_hour: 100,
+          },
+        },
+      };
+      let wasCreateCalled = false;
+      const auth0 = {
+        clients: {
+          create: function (data) {
+            wasCreateCalled = true;
+            expect(data).to.be.an('object');
+            expect(data.name).to.equal('clientWithTokenQuota');
+            expect(data.token_quota).to.deep.equal({
+              client_credentials: {
+                enforce: true,
+                per_day: 1000,
+                per_hour: 100,
+              },
+            });
+            return Promise.resolve({ data });
+          },
+          update: () => Promise.resolve({ data: [] }),
+          delete: () => Promise.resolve({ data: [] }),
+          getAll: (params) => mockPagedData(params, 'clients', []),
+        },
+        pool,
+      };
+      const handler = new clients.default({ client: pageClient(auth0), config });
+      const stageFn = Object.getPrototypeOf(handler).processChanges;
+      await stageFn.apply(handler, [{ clients: [clientWithTokenQuota] }]);
+      // eslint-disable-next-line no-unused-expressions
+      expect(wasCreateCalled).to.be.true;
+    });
+
     it('should get clients', async () => {
       const auth0 = {
         clients: {

test/tools/auth0/handlers/clients.tests.js

@@ -218,6 +218,58 @@ describe('#organizations handler', () => {
       ]);
     });
 
+    it('should allow valid token_quota property in organization', async () => {
+      const orgWithTokenQuota = {
+        name: 'orgWithTokenQuota',
+        token_quota: {
+          client_credentials: {
+            enforce: false,
+            per_day: 500,
+            per_hour: 50,
+          },
+        },
+      };
+      let wasCreateCalled = false;
+      const auth0 = {
+        organizations: {
+          create: function (data) {
+            wasCreateCalled = true;
+            expect(data).to.be.an('object');
+            expect(data.name).to.equal('orgWithTokenQuota');
+            expect(data.token_quota).to.deep.equal({
+              client_credentials: {
+                enforce: false,
+                per_day: 500,
+                per_hour: 50,
+              },
+            });
+            data.id = 'fake';
+            return Promise.resolve({ data });
+          },
+          update: () => Promise.resolve({ data: [] }),
+          delete: () => Promise.resolve({ data: [] }),
+          getAll: (params) => Promise.resolve(mockPagedData(params, 'organizations', [sampleOrg])),
+          getEnabledConnections: () => Promise.resolve({ data: [] }),
+          getOrganizationClientGrants: () => ({ data: [] }),
+        },
+        connections: {
+          getAll: (params) => mockPagedData(params, 'connections', []),
+        },
+        clients: {
+          getAll: (params) => mockPagedData(params, 'clients', sampleClients),
+        },
+        clientGrants: {
+          getAll: (params) => mockPagedData(params, 'client_grants', [sampleClientGrant]),
+        },
+        pool,
+      };
+      const handler = new organizations.default({ client: pageClient(auth0), config });
+      const stageFn = Object.getPrototypeOf(handler).processChanges;
+      await stageFn.apply(handler, [{ organizations: [orgWithTokenQuota] }]);
+      // eslint-disable-next-line no-unused-expressions
+      expect(wasCreateCalled).to.be.true;
+    });
+
     it('should get organizations', async () => {
       const auth0 = {
         organizations: {