fix(auth/security): harden against missing or null policy entries (#3076)

src/routes/(console)/project-[region]-[project]/auth/security/+page.ts

@@ -27,31 +27,39 @@ export const load: PageLoad = async ({ depends, params }) => {
 
     const { policies } = await sdk.forProject(params.region, params.project).project.listPolicies();
     const policiesById = Object.fromEntries(
-        (policies as ProjectPolicy[]).map((policy) => [policy.$id, policy])
+        (policies as ProjectPolicy[])
+            .filter((policy) => policy != null && policy.$id != null)
+            .map((policy) => [policy.$id, policy])
     ) as Partial<Record<ProjectPolicyId | EmailPolicyId, ProjectPolicy>>;
 
     return {
-        membershipPrivacyPolicy: policiesById[
-            ProjectPolicyId.Membershipprivacy
-        ] as Models.PolicyMembershipPrivacy,
-        passwordDictionaryPolicy: policiesById[
-            ProjectPolicyId.Passworddictionary
-        ] as Models.PolicyPasswordDictionary,
-        passwordHistoryPolicy: policiesById[
-            ProjectPolicyId.Passwordhistory
-        ] as Models.PolicyPasswordHistory,
-        passwordPersonalDataPolicy: policiesById[
-            ProjectPolicyId.Passwordpersonaldata
-        ] as Models.PolicyPasswordPersonalData,
-        sessionAlertPolicy: policiesById[ProjectPolicyId.Sessionalert] as Models.PolicySessionAlert,
-        sessionDurationPolicy: policiesById[
-            ProjectPolicyId.Sessionduration
-        ] as Models.PolicySessionDuration,
-        sessionInvalidationPolicy: policiesById[
-            ProjectPolicyId.Sessioninvalidation
-        ] as Models.PolicySessionInvalidation,
-        sessionLimitPolicy: policiesById[ProjectPolicyId.Sessionlimit] as Models.PolicySessionLimit,
-        userLimitPolicy: policiesById[ProjectPolicyId.Userlimit] as Models.PolicyUserLimit,
+        membershipPrivacyPolicy: policiesById[ProjectPolicyId.Membershipprivacy] as
+            | Models.PolicyMembershipPrivacy
+            | undefined,
+        passwordDictionaryPolicy: policiesById[ProjectPolicyId.Passworddictionary] as
+            | Models.PolicyPasswordDictionary
+            | undefined,
+        passwordHistoryPolicy: policiesById[ProjectPolicyId.Passwordhistory] as
+            | Models.PolicyPasswordHistory
+            | undefined,
+        passwordPersonalDataPolicy: policiesById[ProjectPolicyId.Passwordpersonaldata] as
+            | Models.PolicyPasswordPersonalData
+            | undefined,
+        sessionAlertPolicy: policiesById[ProjectPolicyId.Sessionalert] as
+            | Models.PolicySessionAlert
+            | undefined,
+        sessionDurationPolicy: policiesById[ProjectPolicyId.Sessionduration] as
+            | Models.PolicySessionDuration
+            | undefined,
+        sessionInvalidationPolicy: policiesById[ProjectPolicyId.Sessioninvalidation] as
+            | Models.PolicySessionInvalidation
+            | undefined,
+        sessionLimitPolicy: policiesById[ProjectPolicyId.Sessionlimit] as
+            | Models.PolicySessionLimit
+            | undefined,
+        userLimitPolicy: policiesById[ProjectPolicyId.Userlimit] as
+            | Models.PolicyUserLimit
+            | undefined,
         denyAliasedEmailPolicy:
             (policiesById[ProjectEmailPolicyId.DenyAliasedEmail] as EnabledPolicy) ??
             getDefaultEnabledPolicy(ProjectEmailPolicyId.DenyAliasedEmail),

src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte

@@ -17,9 +17,9 @@
         personalDataPolicy
     }: {
         project: Models.Project;
-        dictionaryPolicy: Models.PolicyPasswordDictionary;
-        historyPolicy: Models.PolicyPasswordHistory;
-        personalDataPolicy: Models.PolicyPasswordPersonalData;
+        dictionaryPolicy: Models.PolicyPasswordDictionary | undefined;
+        historyPolicy: Models.PolicyPasswordHistory | undefined;
+        personalDataPolicy: Models.PolicyPasswordPersonalData | undefined;
     } = $props();
 
     let lastValidLimit = $state(5);
@@ -30,15 +30,15 @@
 
     onMount(() => {
         // update initial states here in onMount.
-        const historyValue = historyPolicy.total;
+        const historyValue = historyPolicy?.total;
         if (historyValue && historyValue > 0) {
             passwordHistory = historyValue;
             lastValidLimit = historyValue;
         }
 
         passwordHistoryEnabled = (historyValue ?? 0) !== 0;
-        passwordDictionary = dictionaryPolicy.enabled;
-        authPersonalDataCheck = personalDataPolicy.enabled;
+        passwordDictionary = dictionaryPolicy?.enabled ?? false;
+        authPersonalDataCheck = personalDataPolicy?.enabled ?? false;
     });
 
     $effect(() => {
@@ -49,11 +49,11 @@
     });
 
     const hasChanges = $derived.by(() => {
-        const dictChanged = passwordDictionary !== dictionaryPolicy.enabled;
-        const dataCheckChanged = authPersonalDataCheck !== personalDataPolicy.enabled;
-        const historyChanged = passwordHistoryEnabled !== (historyPolicy.total !== 0);
+        const dictChanged = passwordDictionary !== (dictionaryPolicy?.enabled ?? false);
+        const dataCheckChanged = authPersonalDataCheck !== (personalDataPolicy?.enabled ?? false);
+        const historyChanged = passwordHistoryEnabled !== ((historyPolicy?.total ?? 0) !== 0);
         const limitChanged =
-            passwordHistoryEnabled && Number(passwordHistory) !== historyPolicy.total;
+            passwordHistoryEnabled && Number(passwordHistory) !== (historyPolicy?.total ?? 0);
 
         return historyChanged || dictChanged || dataCheckChanged || limitChanged;
     });

src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte

@@ -16,21 +16,22 @@
         sessionInvalidationPolicy
     }: {
         project: Models.Project;
-        sessionAlertPolicy: Models.PolicySessionAlert;
-        sessionInvalidationPolicy: Models.PolicySessionInvalidation;
+        sessionAlertPolicy: Models.PolicySessionAlert | undefined;
+        sessionInvalidationPolicy: Models.PolicySessionInvalidation | undefined;
     } = $props();
 
     let authSessionAlerts = $state(false);
     let sessionInvalidation = $state(false);
 
     onMount(() => {
-        authSessionAlerts = sessionAlertPolicy.enabled;
-        sessionInvalidation = sessionInvalidationPolicy.enabled;
+        authSessionAlerts = sessionAlertPolicy?.enabled ?? false;
+        sessionInvalidation = sessionInvalidationPolicy?.enabled ?? false;
     });
 
     const hasChanges = $derived.by(() => {
-        const alertsChanged = authSessionAlerts !== sessionAlertPolicy.enabled;
-        const invalidationChanged = sessionInvalidation !== sessionInvalidationPolicy.enabled;
+        const alertsChanged = authSessionAlerts !== (sessionAlertPolicy?.enabled ?? false);
+        const invalidationChanged =
+            sessionInvalidation !== (sessionInvalidationPolicy?.enabled ?? false);
         return alertsChanged || invalidationChanged;
     });
 

src/routes/(console)/project-[region]-[project]/auth/security/updateMembershipPrivacy.svelte

@@ -14,21 +14,21 @@
         policy
     }: {
         project: Models.Project;
-        policy: Models.PolicyMembershipPrivacy;
+        policy: Models.PolicyMembershipPrivacy | undefined;
     } = $props();
 
-    let authMembershipsMfa = $state(policy.userMFA);
-    let authMembershipsUserId = $state(policy.userId);
-    let authMembershipsUserName = $state(policy.userName);
-    let authMembershipsUserEmail = $state(policy.userEmail);
-    let authMembershipsUserPhone = $state(policy.userPhone);
+    let authMembershipsMfa = $state(policy?.userMFA ?? false);
+    let authMembershipsUserId = $state(policy?.userId ?? false);
+    let authMembershipsUserName = $state(policy?.userName ?? false);
+    let authMembershipsUserEmail = $state(policy?.userEmail ?? false);
+    let authMembershipsUserPhone = $state(policy?.userPhone ?? false);
 
     const isSubmitDisabled = $derived(
-        authMembershipsUserId === policy.userId &&
-            authMembershipsUserName === policy.userName &&
-            authMembershipsUserEmail === policy.userEmail &&
-            authMembershipsUserPhone === policy.userPhone &&
-            authMembershipsMfa === policy.userMFA
+        authMembershipsUserId === (policy?.userId ?? false) &&
+            authMembershipsUserName === (policy?.userName ?? false) &&
+            authMembershipsUserEmail === (policy?.userEmail ?? false) &&
+            authMembershipsUserPhone === (policy?.userPhone ?? false) &&
+            authMembershipsMfa === (policy?.userMFA ?? false)
     );
 
     async function updateMembershipsPrivacy() {

src/routes/(console)/project-[region]-[project]/auth/security/updateSessionLength.svelte

@@ -15,10 +15,11 @@
         policy
     }: {
         project: Models.Project;
-        policy: Models.PolicySessionDuration;
+        policy: Models.PolicySessionDuration | undefined;
     } = $props();
 
-    const { value, unit, baseValue, units } = $derived(createTimeUnitPair(policy.duration));
+    const policyDuration = $derived(policy?.duration ?? 0);
+    const { value, unit, baseValue, units } = $derived(createTimeUnitPair(policyDuration));
     const options = $derived(units.map((v) => ({ label: v.name, value: v.name })));
 
     async function updateSessionLength() {
@@ -53,7 +54,7 @@
         </Layout.Stack>
     </svelte:fragment>
     <svelte:fragment slot="actions">
-        <Button disabled={$baseValue === policy.duration} on:click={updateSessionLength}>
+        <Button disabled={$baseValue === policyDuration} on:click={updateSessionLength}>
             Update
         </Button>
     </svelte:fragment>

src/routes/(console)/project-[region]-[project]/auth/security/updateSessionsLimit.svelte

@@ -14,10 +14,11 @@
         policy
     }: {
         project: Models.Project;
-        policy: Models.PolicySessionLimit;
+        policy: Models.PolicySessionLimit | undefined;
     } = $props();
 
-    let maxSessions = $state(policy.total);
+    const policyTotal = $derived(policy?.total ?? 0);
+    let maxSessions = $state(policyTotal);
 
     async function updateSessionsLimit() {
         try {
@@ -56,7 +57,7 @@
                 bind:value={maxSessions} />
         </svelte:fragment>
         <svelte:fragment slot="actions">
-            <Button disabled={maxSessions === policy.total} submit>Update</Button>
+            <Button disabled={maxSessions === policyTotal} submit>Update</Button>
         </svelte:fragment>
     </CardGrid>
 </Form>

src/routes/(console)/project-[region]-[project]/auth/security/updateUsersLimit.svelte

@@ -15,17 +15,18 @@
         policy
     }: {
         project: Models.Project;
-        policy: Models.PolicyUserLimit;
+        policy: Models.PolicyUserLimit | undefined;
     } = $props();
 
     let maxUsersInputField: HTMLInputElement | null = $state(null);
 
-    let value = $state(policy.total !== 0 ? 'limited' : 'unlimited');
-    let newLimit = $state(policy.total !== 0 ? policy.total : 100);
+    const policyTotal = $derived(policy?.total ?? 0);
+    let value = $state(policyTotal !== 0 ? 'limited' : 'unlimited');
+    let newLimit = $state(policyTotal !== 0 ? policyTotal : 100);
 
     const isLimited = $derived(value === 'limited');
     const btnDisabled = $derived.by(() => {
-        return (!isLimited && policy.total === 0) || (isLimited && policy.total === newLimit);
+        return (!isLimited && policyTotal === 0) || (isLimited && policyTotal === newLimit);
     });
 
     async function updateLimit() {