Use extra/self-signed https certificates

[ianldgs]

Users behind corporate firewall typically have custom certificates used by the company to decrypt HTTPS traffic.

NodeJS will by default complain about those "self-signed" certificates and not perform the requests.

One workaround is to disable TLS completely for NodeJS, which is obviously dangerours or to export an environment variable on the bashrc/zshrc pointing to the custom certificates that you know to be safe:
https://nodejs.org/api/cli.html#node_extra_ca_certsfile

The latter doesn't work with this extension, likely for one of those reasons given in the NodeJS docs:

• Neither the well known nor extra certificates are used when the ca options property is explicitly specified for a TLS or HTTPS client or server.
• This environment variable is ignored when node runs as setuid root or has Linux file capabilities set.

So, to use this extension in such corporate environments without disabling TLS completely, have to manually read those files and inject them into the global HTTPS agent. That will mimic NodeJS's default behaviour.

Closes #243

[changeset-bot]

⚠️ No Changeset found

Latest commit: 68f5603

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[ianldgs]

@znck think you could review this PR pls?

[znck]

I am not sure what's happening here.

/cc @wachunga

[ianldgs]

@znck sorry about that, I should've written a good description. Please take a look again?

[ianldgs]

@znck friendly ping... I see github bot closed the issue as stale.

[znck]

I'll get this merged this week.

[znck]

Is there an easy way to test this?

[ianldgs]

Well, it's easy for me to test because I'm behind the company's firewall/vpn.
Maybe you could try following this, if you're on a mac.

And then what I did was:

test-certs.mjs:

import "./extra-certs.mjs";
import fetch from "node-fetch";

fetch("https://js.grammarly.com/grammarly-sdk");

extra-certs.mjs:

import https from "node:https";
import tls from "node:tls";
import fs from "node:fs";

if (typeof process.env.NODE_EXTRA_CA_CERTS === "string") {
  const extraCerts = process.env.NODE_EXTRA_CA_CERTS.split(",").map((certPath) =>
    fs.readFileSync(certPath, "utf8")
  );

  https.globalAgent.options.ca = [...tls.rootCertificates, ...extraCerts];
}

And run:

export NODE_EXTRA_CA_CERTS="/path/to/cert.pem"
node test-certs.mjs

[haydencbarnes]

Just pinging this space to see what the latest update is

[papb]

Hello, is there any way I can help to get this merged? :)