`attackProtection` Directory Handler Broken - `parse()` does not include `files.botDetection`

[bt-chaos322]

Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this tool and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

When I install version 18.28.0 of auth0-deploy-cli and export my configs using the Directory stratey to my local environment (which does not yet have bot-detection.json), bot-detection.json is not downloaded as expected. Furthermore, when I manually add the file and deploy with version 18.28.0, my changes are not acknowledged on the web console.

When I downgrade to 18.20.1, everything works as expected.

It looks like the culprit may be attackProtection.ts::parse() starting here. There is not code block to handle files.botDetection.

Expectation

1. When I make changes to Bot Detection in the web console and then export my configs, I expect to see bot-detection.json in the results and for that file to have the config changes I just made in the web console
2. When I make changes to my local copy of bot-detection.json and I deploy my configs, I expect the changes I just made to the local file to be reflected in the web console.

Reproduction

Scenario: File doesn't exist and is not downloaded after export

1. Start with a repo that uses the Directory deployment strategy
2. Ensure that you do not yet have a bot-detection.json in the attack-protection directory
3. Ensure your exporter is running version 8.28.0 of auth0-deploy-cli
4. Make changes to your Bot Detection config in the web console
5. Export your configs from the tenant to your local
6. See that you still do not have bot-detection.json in the attack-protection directory

Scenario: File exists and has changes, changes not reflected on web console after deploy

1. Start with a repo that uses the Directory deployment strategy
2. Ensure that you do have a bot-detection.json in the attack-protection directory
3. Ensure your deploy script is running version 8.28.0 of auth0-deploy-cli
4. Make changes to your Bot Detection config in the local bot-detection.json file
5. Deploy your configs to the tenant
6. See that your freshly deployed configs are not represented in the web console

Deploy CLI version

8.28.0

Node version

10.9.2

[kushalshit27]

Hi, @bt-chaos322,
Please use Node version 20(v20.19.0) or greater

bot-detection.json should be exported under attack-protection. We have verified with version 8.28.0. See more example #1189. We are unable to reproduce this issue.

I would appreciate it if you could test this with the new node version. If the problem still persists, we can re-evaluate. Thanks

[bt-chaos322]

Hi, @kushalshit27

Thanks for your quick reply! I apologize for giving bad information yesterday. The node version we use in our pipeline is actually 22.16.0. We use the official node:22.16.0 image when building our deployment container. To be clear, 22.16.0 is the version of node that was used that led to my bug report.

Looking at the "enhance attack protection" feature back in November, the file in question appears to have the expected botDetection block.

However, looking at the current version of that same file, it appears that same code block is now gone.

Obviously, I'm not at all familiar with this code base, so it's perfectly possible that I'm missing something. But, hopefully that helps.

Thanks, again!

[bt-chaos322]

Oh. I see it's just that it was bumped down a little further in that function.

Hmmm...

[kushalshit27]

Hi, @bt-chaos322 ,
Are able to get bot-detection config via CURL https://auth0.com/docs/api/management/v2/attack-protection/get-bot-detection ?

[kushalshit27]

We appreciate your report. Feel free to contact the customer support team and share more context along with the tenant details.

I am going to close this issue for the meantime. If the issue persists or if you have any new information, please feel free to reopen it with more details.