search

realm / realm-js

Realm is a mobile database: an alternative to SQLite & key-value stores
https://realm.io
Apache License 2.0
5.78k stars 573 forks source link

Allow users to (fully) ignore validation of SSL certificates #1464

Closed kraenhansen closed 6 years ago

kraenhansen commented 6 years ago

Goals

I would like to allow users of Studio to connect to ROS served via an SSL connection that uses an untrusted self-signed certificate (but show a warning when they do that).

This is currently supported by the sync client (via the validate_ssl, ssl_trust_certificate_path and open_ssl_verify_callback options) but the requests issued while authenticating Realm.Sync.User.login( uses the native fetch API with a fallback to the node-fetch package.

Expected Results

I expect that

  1. the Realm client can be told to issue an authentication request to ROS and not fail if the certificates cannot be trusted. Bonus: It would be awesome to have a similar fine-grained api as sync provides, where I can decide if I want to trust a specific certificate via a open_ssl_verify_callback.
  2. If for some reason the environment does not support the above ☝️ (ex. only the native fetch api is available and it cannot load the node-fetch module) I would expect an error thrown if I attempt to use the API in the above way, with a link to an explanation on why Realm JS cannot support this on the environment that I am at. I don't know of any such environments - Electron, RN and Node could all use the node-fetch module.

Bonus: It would be awesome if the native fetch API could be used whenever possible, because this integrates nicely with the developer tools on the platform, specifically the Chrome developer console when developing for Electron.

Actual Results

When authenticating against ROS using a self-signed certificate I get:

POST https://localhost:9443/auth net::ERR_INSECURE_RESPONSE in the Chrome console and the TypeError: Failed to fetch error thrown.

Steps to Reproduce

  1. Start ROS with a self-signed certificate.
  2. Try to login using Realm.Sync.User.login( on a platform that has the fetch api available (React Native or Electron).
  3. 😭

Version of Realm and Tooling

kneth commented 6 years ago

I think we need a mechanism to add certificates prior to open a Realm. The current API is primarily design with batch processing in mind, and Realm Studio is an interactive app.

kraenhansen commented 6 years ago

This probably also hits React Native users of Realm JS, that might want to test their app over HTTPs with a ROS running on their developer machine.

kneth commented 6 years ago

Yes, and they will have it even hard since it is not easy to copy the certificate to the file system. Maybe a cookbook recipe is what we need.

kraenhansen commented 6 years ago

I think Electrons API (and the API offered by Realm JS when using OpenSSL) is valuable: A handler that I can pass along to the session, which will get called when certificate validation fails. The handler gets called with a description of the certificate (issuer, subject, fingerprint, etc.) and callback that I can call to tell if the certificate should be trusted or not.

kraenhansen commented 6 years ago

Closing this, since an improvement to the API could still be valuable, but strictly not needed as certificate errors can be catched and controlled using https://github.com/electron/electron/blob/master/docs/api/app.md#event-certificate-error