npm / minipass-fetch

An implementation of window.fetch in Node.js using Minipass streams

[BUG] Not Respecting NODE_TLS_REJECT_UNAUTHORIZED = 0 #61

Closed om-mani-padme-hum closed 5 months ago

om-mani-padme-hum commented 2 years ago

Is there an existing issue for this?

Current Behavior

It fails due to a self-signed certificate error, despite being told not to reject unauthorized certificates (my company can't get me the .pem file):

image

This prevents node-gyp and several other repos from being installed over npm for people such as me.

The workaround we've implemented is to edit your module and pass the option to not reject unauthorized:

image

Expected Behavior

To install the modules properly over npm, e.g.

image

Steps To Reproduce

  1. In this environment...

Have a self-signed certificate in your certificate chain.

  2. With this config...

export NODE_TLS_REJECT_UNAUTHORIZED=0

  3. Run '...'

npm i node-gyp

or

npm i smartsheet

  4. See error...

Environment

cdavid15 commented 1 year ago

We are experiencing the same issue, which arose when we bumped our node-lts from 16 to 18 this week. What had worked previously using NODE_TLS_REJECT_UNAUTHORIZED=0 yarn install no longer works now.

The only way we can bypass the self-signed certificate issue is by adding options.rejectUnauthorized = false; on line 71 of index.js.

garrettboone commented 1 year ago

This worked for me:

  return new Promise((resolve, reject) => {
    // build request object
    const request = new Request(url, opts)
    let options
    try {
      options = getNodeRequestOptions(request)
      options.agent.options.rejectUnauthorized = false
    } catch (er) {
      return reject(er)
    }

wlarch commented 1 year ago

We have encountered the same issue when updating Node v16.13.2 → v18.14.1. The same self-signed certificates have been used and are properly working when using Node v16.13.2 in a local environment.


Follow-up: our solution was to overwrite the fetcher of the Apollo Gateway buildService method.

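const { ApolloGateway, RemoteGraphQLDataSource } = require('@apollo/gateway');
const fetcher = require('make-fetch-happen');

const gateway = new ApolloGateway({
  buildService({name, url}) {
    return new RemoteGraphQLDataSource({
      name,
      url,
      // strictSSL: false turns off certificate verification for this data source
      fetcher: fetcher.defaults({strictSSL: false})
    });
  }
});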

make-fetch-happen@11.0.3 has minipass "^4.0.0" and minipass-fetch "^3.0.0" dependencies.

casyalex commented 1 year ago

Anyone fix this?

======================

After my trace, this lib did respect NODE_TLS_REJECT_UNAUTHORIZED, but it was overridden by node-gyp. That is not this lib's fault.

I opened a PR to fix this.

wraithgar commented 1 year ago

Has anyone tried using the npm config that disables this behavior? https://docs.npmjs.com/cli/v7/using-npm/config#strict-ssl

om-mani-padme-hum commented 1 year ago

Setting strict-ssl to false was not sufficient to overcome the issue for me. The only resolution was to patch the minipass-fetch file with options.rejectUnauthorized = false; This has become a standard step in our development environment setup at this point, and confirmed among several developers as being the only option that works.

casyalex commented 1 year ago

The root cause is that node-gyp uses this package in a plain Node.js environment, so .npmrc won't work. But make-fetch-happen is pretty much written only for the npm-cli use case. That causes this issue.

wraithgar commented 1 year ago

cc @lukekarrys in case there is something node-gyp could be doing here to interpret that environment variable and update the params it sends to this module.

jbgomond commented 1 year ago

Seems like the issue is not in this library (that supports NODE_TLS_REJECT_UNAUTHORIZED), but in make-fetch-happen itself (overriding the strictSSL parameter).

seng1e commented 11 months ago

This worked for me:

  return new Promise((resolve, reject) => {
    // build request object
    const request = new Request(url, opts)
    let options
    try {
      options = getNodeRequestOptions(request)
      options.agent.options.rejectUnauthorized = false
    } catch (er) {
      return reject(er)
    }

Thanks for the answer, @garrettboone.

When I changed options.agent.options.rejectUnauthorized = false to options.rejectUnauthorized = false, it actually worked!

Environment: minipass-fetch@2.1.2, patched in index.js line 61.

pbeast commented 6 months ago

That is what I added to my local copy. At least it works for me:

if (process.env['NODE_TLS_REJECT_UNAUTHORIZED'] == '0') {
  console.warn("-----------------------[ minipass-fetch ]-----------------------------");
  console.warn("- NODE_TLS_REJECT_UNAUTHORIZED is set to 0. This is not recommended. -");
  console.warn("----------------------------------------------------------------------");

  options.agent.options.rejectUnauthorized = false;
}

const req = send(options)

reggi commented 5 months ago

Hey all 👋 I've added a test that shows minipass-fetch currently honors the env var. I believe the specific issue lies elsewhere; it's possible that node-gyp needs to pass the strictSSL option to make-fetch-happen.
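
A defender-side check for the workarounds discussed in this thread, as an added example that is not part of the original issue or of minipass-fetch's code: it flags the NODE_TLS_REJECT_UNAUTHORIZED=0 switch, an npm strict-ssl=false setting, and source lines that set rejectUnauthorized or strictSSL to false. The function names, finding ids and sample inputs are constructed for illustration.

```javascript
// Added example: audit for the TLS-verification bypasses named in this thread.
// Function names, finding ids and all sample inputs are constructed.
const SOURCE_PATTERNS = [
  // matches `x.rejectUnauthorized = false` and `{ rejectUnauthorized: false }`
  { id: 'rejectUnauthorized-false', re: /\brejectUnauthorized\s*[:=]\s*false\b/ },
  // matches `{ strictSSL: false }` and `opts.strictSSL = false`
  { id: 'strictSSL-false', re: /\bstrictSSL\s*[:=]\s*false\b/ },
]
// .npmrc comment lines start with ; or #, so anchoring at the key skips them.
const NPMRC_PATTERNS = [
  { id: 'npmrc-strict-ssl-false', re: /^\s*strict-ssl\s*=\s*"?false"?\s*$/i },
]

// Node disables certificate validation when this variable is exactly '0'.
function scanEnv(env) {
  return env.NODE_TLS_REJECT_UNAUTHORIZED === '0'
    ? [{ file: '<env>', line: 0, id: 'env-reject-unauthorized-0' }]
    : []
}

// Apply each pattern to each line; report 1-based line numbers.
function scanLines(file, text, patterns) {
  const out = []
  text.split(/\r?\n/).forEach((raw, i) => {
    for (const { id, re } of patterns) {
      if (re.test(raw)) out.push({ file, line: i + 1, id })
    }
  })
  return out
}
const scanNpmrc = (file, text) => scanLines(file, text, NPMRC_PATTERNS)
// Line comments are stripped first (simple heuristic, not a full parser).
const scanSource = (file, text) =>
  scanLines(file, text.replace(/\/\/.*$/gm, ''), SOURCE_PATTERNS)

// Constructed inputs modelled on the snippets quoted in the thread.
const SAMPLE_ENV = { NODE_TLS_REJECT_UNAUTHORIZED: '0' }
const SAMPLE_NPMRC = '; corporate proxy\n; strict-ssl=false\nstrict-ssl=false\n'
const SAMPLE_SOURCE = [
  'options = getNodeRequestOptions(request)',
  'options.agent.options.rejectUnauthorized = false',
  '// options.rejectUnauthorized = false',
  'fetcher: fetcher.defaults({strictSSL: false})',
  'if (options.rejectUnauthorized === false) warn()',
].join('\n')

function auditSamples() {
  return [...scanEnv(SAMPLE_ENV), ...scanNpmrc('.npmrc', SAMPLE_NPMRC),
    ...scanSource('index.js', SAMPLE_SOURCE)]
}
console.log(auditSamples())
```

Run against a real checkout, the same functions can be fed `process.env`, the project's `.npmrc` text and the contents of patched files under `node_modules`.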