Use local-only HTTPS certs for the development neopass-server
I'm starting to work with the OpenID Connect stuff in NeoPass, and the library I'm using for discovery doesn't seem to want to do it over a plain `http://` connection. (I dug into the source files, and it just actually is hardcoded to only work with HTTPS, as far as I can tell?) So, I've added logic to `neopass-server` to try to make an HTTPS certificate with the `mkcert` utility (if installed), which is a tool that installs a root certificate authority on your local machine, then helps you create certificates via that authority that will work only on your local machine. I think I'll also be able to remove the "main" server in front of the backing server, because the library I'm using now will be able to "discover" the auth and token endpoints, so it won't matter that our local one uses different URLs than live NeoPass does? We'll find out! I also remove `neopass-server` from the `Procfile`, because I think it's a bit rude to have it auto-try to run `mkcert`. We could like, make the process just a no-op in that case? But I think I'd prefer to just run `neopass-server` by hand when I want it, for simplicity.
This commit is contained in:
parent
21bc4bcadc
commit
ffcfce2eb8
2 changed files with 55 additions and 2 deletions
|
|
@ -1,3 +1,2 @@
|
|||
web: unset PORT && env RUBY_DEBUG_OPEN=true bin/rails server
|
||||
js: yarn dev
|
||||
neopass: bin/neopass-server
|
||||
|
|
|
|||
|
|
@ -13,12 +13,65 @@
|
|||
* server uses.
|
||||
*/
|
||||
|
||||
const fs = require("node:fs/promises");
|
||||
const pathLib = require("node:path");
|
||||
const { spawn } = require("node:child_process");
|
||||
const urlLib = require("node:url");
|
||||
|
||||
const { OAuth2Server } = require("oauth2-mock-server");
|
||||
const express = require("express");
|
||||
|
||||
const certPath = pathLib.join(__dirname, "..", "tmp", "localhost.pem");
|
||||
const keyPath = pathLib.join(__dirname, "..", "tmp", "localhost-key.pem");
|
||||
|
||||
async function fileExists(path) {
|
||||
try {
|
||||
await fs.stat(path);
|
||||
} catch (error) {
|
||||
if (error.code === "ENOENT") {
|
||||
return false;
|
||||
}
|
||||
throw error;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
async function ensureCertsExist() {
|
||||
if (!(await fileExists(certPath)) || !(await fileExists(keyPath))) {
|
||||
console.log(
|
||||
"Using mkcert to create localhost.pem and localhost-key.pem in " +
|
||||
"the Rails tmp dir, to serve over HTTPS.",
|
||||
);
|
||||
|
||||
const mkcertProc = spawn("mkcert", [
|
||||
"-cert-file",
|
||||
certPath,
|
||||
"-key-file",
|
||||
keyPath,
|
||||
"localhost",
|
||||
], {stdio: ["ignore", process.stdout, process.stderr]});
|
||||
|
||||
// Wait for the process to finish, raising an error if it fails.
|
||||
await new Promise((resolve, reject) => {
|
||||
mkcertProc.on("close", (code) => {
|
||||
if (code === 0) {
|
||||
resolve();
|
||||
} else {
|
||||
reject(new Error(`mkcert returned status ${code}`));
|
||||
}
|
||||
});
|
||||
mkcertProc.on("error", (error) => {
|
||||
reject(error);
|
||||
});
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
async function startBackingServer(port) {
|
||||
const server = new OAuth2Server();
|
||||
const server = new OAuth2Server(
|
||||
keyPath,
|
||||
certPath,
|
||||
);
|
||||
await server.issuer.keys.add({
|
||||
// A key we generated for the NeoPass test server. It's okay for its
|
||||
// "secret" info to be here, because it's for development only!
|
||||
|
|
@ -81,6 +134,7 @@ async function startMainServer(port) {
|
|||
}
|
||||
|
||||
async function main() {
|
||||
await ensureCertsExist();
|
||||
await startBackingServer(8686);
|
||||
await startMainServer(8585);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue