Allow self-signed certificates for testing purposes #176

Open
wants to merge 1 commit into
from

Conversation

Projects
None yet
2 participants

When testing on my local machine passport-oauth2 against a self-signed server, I always received the following error:

Error: DEPTH_ZERO_SELF_SIGNED_CERT at OAuth2Strategy._createOAuthError (/home/ubuntu/reviewer/brivolabs-sam-cork/oauth-demo/node_modules/passport-oauth/node_modules/passport-oauth2/lib/strategy.js:340:17) 
at /home/ubuntu/reviewer/brivolabs-sam-cork/oauth-demo/node_modules/passport-oauth/node_modules/passport-oauth2/lib/strategy.js:173:43 
at /home/ubuntu/reviewer/brivolabs-sam-cork/oauth-demo/node_modules/passport-oauth/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:162:18 
at ClientRequest.<anonymous> (/home/ubuntu/reviewer/brivolabs-sam-cork/oauth-demo/node_modules/passport-oauth/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:133:5) 
at ClientRequest.EventEmitter.emit (events.js:95:17) 
at CleartextStream.socketErrorListener (http.js:1547:9) 
at CleartextStream.EventEmitter.emit (events.js:95:17) 
at SecurePair.<anonymous> (tls.js:1389:19) 
at SecurePair.EventEmitter.emit (events.js:92:17) 
at SecurePair.maybeInitFinished (tls.js:982:10)

This fix allows us to use a self-signed certificate if the env variable ALLOW_UNAUTHORIZED_CERTS is set.
I know that there is a env that some nodejs people use to avoid the issue (which is NODE_TLS_REJECT_UNAUTHORIZED set to "0"), but I thought it might be better to have it explicit on oauth.

My solution is to extend the existing class and save the options.ca passed into the constructor. Then, verify the self-signed server certificate with the provided cabundle.

OAuth2 = require('oauth').OAuth2

class OAuth2CA extends OAuth2
    constructor: (options) ->
        super(options.clientID,  options.clientSecret, options.baseSite, options.authorizationURL, options.tokenURL, options.customHeaders)
        @options = options
        @useAuthorizationHeaderforGET(true)

    _executeRequest: (http_library, options, post_body, callback) ->
        options.ca = @options.ca
        super(http_library, options, post_body, callback)

The cabundle is created with the following loop for all pem files under /etc/ssl/certs.

fs = require 'fs'

dir = '/etc/ssl/certs'
files = fs.readdirSync(dir).filter (file) -> /.*\.pem/i.test(file)
files = files.map (file) -> "#{dir}/#{file}"
ca = files.map (file) -> fs.readFileSync file

For your information.

I will look into it, but for the developer certificate that we have we do not have a certificate authority :)
It was created on a different server and then distributed to us

For my case on Debian linux, put the ca certificate "ca.crt" into "/usr/local/share/ca-certificates" and run "update-ca-certificates" to put it into the "/etc/ssl/certs". The above-mentioned code "ca = files.map ..." would loop for the directory to create the ca bundle for Oauth2CA to verify the oauth request. For your information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment