[BUG] Not Respecting NODE_TLS_REJECT_UNAUTHORIZED = 0 about minipass-fetch HOT 12 CLOSED

We are experiencing the same issue which arose when we bumped out node-lts from 16 to 18 this week. What had worked previously using NODE_TLS_REJECT_UNAUTHORIZED=0 yarn install no longer works now.

The only way we can by pass the self signed certificate issue is by adding options.rejectUnauthorized = false; on line 71 of index.js.

from minipass-fetch.

We have encountered the same issue when updating Node v16.13.2 → v18.14.1. The same self-signed certificates have been used and are properly working when using Node v16.13.2 in a local environment.

Follow-up : our solution was to overwrite the fetcher of the Apollo Gateway buildService method.

const fetcher = require('make-fetch-happen');

const gateway = new ApolloGateway({
  buildService({name, url}) {
    return new RemoteGraphQLDataSource({
      name,
      url,
      fetcher: fetcher.defaults({strictSSL: false})
    });
  }
});

[email protected] has minipass "^4.0.0" and minipass-fetch "^3.0.0" dependencies.

from minipass-fetch.

This worked for me:

  return new Promise((resolve, reject) => {
    // build request object
    const request = new Request(url, opts)
    let options
    try {
      options = getNodeRequestOptions(request)
      options.agent.options.rejectUnauthorized = false
    } catch (er) {
      return reject(er)
    }

from minipass-fetch.

Anyone fix this?

======================

After my trace this lib did respect the NODE_TLS_REJECT_UNAUTHORIZED, but was overriden by node-gyp. That is not this libs fault

I opened an PR to fix this

from minipass-fetch.

Has anyone tried using the npm config that disables this behavior? https://docs.npmjs.com/cli/v7/using-npm/config#strict-ssl

from minipass-fetch.

Setting strict-ssl to false was not sufficient to overcome the issue for me. The only resolution was to patch the minipass-fetch file with options.rejectUnauthorized = false; This has become a standard step in our development environment setup at this point, and confirmed among several developers as being the only option that works.

from minipass-fetch.

The root cause is node-gyp use this package in plain node.js enviroment, so .npmrc won't work. But make-fetch-happen is pretty much written only for npm-cli usecase. That cause this issue.

from minipass-fetch.

cc @lukekarrys in case there is something node-gyp could be doing here to interpret that environment variable and update the params it sends to this module.

from minipass-fetch.

Seems like the issue is not in this library (that supports NODE_TLS_REJECT_UNAUTHORIZED), but in make-fetch-happen itself (overriding the strictSSL parameter)

from minipass-fetch.

This worked for me:

  return new Promise((resolve, reject) => {
    // build request object
    const request = new Request(url, opts)
    let options
    try {
      options = getNodeRequestOptions(request)
      options.agent.options.rejectUnauthorized = false
    } catch (er) {
      return reject(er)
    }

Thanks @garrettboone answers.

When I changed options.agent.options.rejectUnauthorized = false to options.rejectUnauthorized = false , it actually worked!

enviroment: [email protected], patched in index.js line 61.

from minipass-fetch.

That is what I added to my local copy. At least works for me:

if (process.env['NODE_TLS_REJECT_UNAUTHORIZED'] == '0') {
      console.warn("-----------------------[ minipass-fetch ]-----------------------------");
      console.warn("- NODE_TLS_REJECT_UNAUTHORIZED is set to 0. This is not recommended. -");
      console.warn("----------------------------------------------------------------------");

      options.agent.options.rejectUnauthorized = false;
}

const req = send(options)

from minipass-fetch.

Hey all 👋 I've added a test that shows minipass-fetch currently honors the env var, I believe the issue is specific issue lies elsewhere, it's possible that node-gyp needs to pass the strictSSL option to make-fetch-happen

from minipass-fetch.