matrix-org / matrix-user-verification-service

Service to verify details of a user based on an Open ID token.

Support verifying against a homeserver that's using self-signed certificates #28

Closed anoadragon453 closed 9 months ago

anoadragon453 commented 1 year ago

It should be possible to configure via an environment variable, UVS_DISABLE_CERTIFICATE_VERIFICATION, that when set to false will cause any axios.get calls to no longer fail if the server's SSL certificate cannot be verified. Mostly for local testing use-cases.

Such an option should come with a warning, especially if the UVS and the homeserver are on separate computers (as a Synapse admin access token is passed in the request).


The way to disable certificate verification checking with axios is:

    const axios = require('axios');
    const https = require('https');

    // ...

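    // rejectUnauthorized: false turns off certificate verification
    // for every request that uses this agent
    const agent = new https.Agent({
        rejectUnauthorized: false,
        requestCert: false,
        agent: false,
    });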

    const response = await axios.get(
        url,
        {
            headers,
            maxRedirects: 0,
            timeout: 10000,
            validateStatus: function (status) {
                // Include redirects as OK here, since we control that separately
                return status >= 200 && status < 400;
            },
            httpsAgent: agent,
        },
    );

jakicoll commented 1 year ago

Providing a switch to disable certificate verification is something I'd also like to have. And it would be good to have helpful log entries on failed certificate validation. Currently I'm just getting this:

    message: 'No response received: [object Object]',

We could also document how to add custom CAs to the list of trusted CAs. At least on my host, NodeJS seems to ignore the system certificate store and use its own?

If you are running the matrix-user-verification-service in Docker, you could mount a PEM file with additional trusted CAs into the container and point the NODE_EXTRA_CA_CERTS environment variable to it.

jakicoll commented 1 year ago

Actually, that switch already exists right now: Set NODE_TLS_REJECT_UNAUTHORIZED=0 and verification is disabled.

Half-Shot commented 9 months ago

I think the NODE_TLS_REJECT_UNAUTHORIZED is probably the right way for this.
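
The two requests in this thread (a readable log line when certificate validation fails, and a warning when verification is switched off) can be sketched as below. This is an added example, not code from matrix-user-verification-service; the function names `describeRequestError` and `tlsStartupReport`, the hint texts and the sample URL are assumptions, while the error codes are the ones Node.js sets on a failed TLS handshake.

```javascript
// Added example; not code from matrix-user-verification-service.
// Hints for certificate error codes that Node.js sets on a failed TLS handshake.
const TLS_HINTS = {
    DEPTH_ZERO_SELF_SIGNED_CERT: 'homeserver presents a self-signed certificate',
    SELF_SIGNED_CERT_IN_CHAIN: 'chain ends in a CA that is not trusted',
    UNABLE_TO_VERIFY_LEAF_SIGNATURE: 'issuer unknown or intermediate certificate missing',
    UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 'issuing CA is not in the trust store',
    CERT_HAS_EXPIRED: 'certificate has expired',
    ERR_TLS_CERT_ALTNAME_INVALID: 'certificate does not match the hostname',
};

// Turn an axios/Node request error into a log line that names the real cause
// instead of stringifying an object to "[object Object]".
function describeRequestError(error, url) {
    if (error && error.response) {
        return `Homeserver answered ${url} with HTTP ${error.response.status}`;
    }
    const code = (error && error.code) || 'UNKNOWN';
    const hint = TLS_HINTS[code];
    if (hint) {
        return `TLS verification failed for ${url}: ${code} (${hint}). ` +
            'Add the CA to a PEM file and set NODE_EXTRA_CA_CERTS.';
    }
    return `No response received from ${url}: ${code} ${(error && error.message) || ''}`.trim();
}

// Inspect the two Node.js environment variables named in the thread and
// return what should be logged at startup.
function tlsStartupReport(env) {
    const report = { verificationDisabled: false, extraCaFile: null, warnings: [] };
    if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
        report.verificationDisabled = true;
        report.warnings.push(
            'NODE_TLS_REJECT_UNAUTHORIZED=0: certificates are not verified, so the ' +
            'Synapse admin access token can be sent to an unauthenticated server. ' +
            'Use for local testing only.');
    }
    if (env.NODE_EXTRA_CA_CERTS) {
        report.extraCaFile = env.NODE_EXTRA_CA_CERTS;
    }
    return report;
}

// Constructed sample: the shape of the error a self-signed homeserver produces.
const sampleError = { code: 'DEPTH_ZERO_SELF_SIGNED_CERT', message: 'self signed certificate' };
console.log(describeRequestError(sampleError, 'https://hs.example.test'));
console.log(tlsStartupReport({ NODE_TLS_REJECT_UNAUTHORIZED: '0' }).warnings[0]);
```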