fix(application-generic): Allow unauthorized certs for bridge url (#6717

)
novuhq · Oct 19, 2024 · 143dfce · 143dfce
1 parent 5b5b907
commit 143dfce
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 1 deletion.
diff --git a/.prettierignore b/.prettierignore
@@ -3,4 +3,4 @@ package.json
 apps/api/src/metadata.ts
 
 /.nx/cache
-/.nx/workspace-data
+/.nx/workspace-data
diff --git a/...application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts b/...application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts
@@ -11,6 +11,7 @@ import got, {
   HTTPError,
   MaxRedirectsError,
   OptionsOfTextResponseBody,
+  ParseError,
   ReadError,
   RequestError,
   TimeoutError,
@@ -130,6 +131,11 @@ export class ExecuteBridgeRequest {
         afterResponse:
           command.afterResponse !== undefined ? [command.afterResponse] : [],
       },
+      /*
+       * Reject self-signed and invalid certificates in Production environments but allow them in Development
+       * as it's common for developers to use self-signed certificates in local environments.
+       */
+      rejectUnauthorized: true,
     };
 
     const request = [PostActionEnum.EXECUTE, PostActionEnum.PREVIEW].includes(
@@ -315,6 +321,18 @@ export class ExecuteBridgeRequest {
         });
       }
 
+      if (error instanceof ParseError) {
+        Logger.error(
+          `Bridge URL response code is 2xx, but parsing body fails. \`${url}\``,
+          LOG_CONTEXT,
+        );
+        throw new BadRequestException({
+          message:
+            BRIDGE_EXECUTION_ERROR.MAXIMUM_REDIRECTS_EXCEEDED.message(url),
+          code: BRIDGE_EXECUTION_ERROR.MAXIMUM_REDIRECTS_EXCEEDED.code,
+        });
+      }
+
       if (body.code === TUNNEL_ERROR_CODE) {
         // Handle known tunnel errors
         const tunnelBody = body as TunnelResponseError;
@@ -328,6 +346,17 @@ export class ExecuteBridgeRequest {
         });
       }
 
+      if (error.code === 'DEPTH_ZERO_SELF_SIGNED_CERT') {
+        Logger.error(
+          `Bridge URL is uing a self-signed certificate that is not allowed for production environments. \`${url}\``,
+          LOG_CONTEXT,
+        );
+        throw new BadRequestException({
+          message: BRIDGE_EXECUTION_ERROR.SELF_SIGNED_CERTIFICATE.message(url),
+          code: BRIDGE_EXECUTION_ERROR.SELF_SIGNED_CERTIFICATE.code,
+        });
+      }
+
       if (error.response?.statusCode === 502) {
         /*
          * Tunnel was live, but the Bridge endpoint was down.

diff --git a/libs/application-generic/src/utils/bridge.ts b/libs/application-generic/src/utils/bridge.ts
@@ -68,6 +68,11 @@ export const BRIDGE_EXECUTION_ERROR = {
     code: 'BRIDGE_REQUEST_TIMEOUT',
     message: (url: string) => `Bridge request timeout for \`${url}\``,
   },
+  BRIDGE_PARSE_ERROR: {
+    code: 'BRIDGE_PARSE_ERROR',
+    message: (url: string) =>
+      `Bridge response for \`${url}\` is not valid JSON`,
+  },
   UNSUPPORTED_PROTOCOL: {
     code: 'UNSUPPORTED_PROTOCOL',
     message: (url: string) => `Unsupported protocol for \`${url}\``,
@@ -88,4 +93,9 @@ export const BRIDGE_EXECUTION_ERROR = {
     code: 'MAXIMUM_REDIRECTS_EXCEEDED',
     message: (url: string) => `Maximum redirects exceeded for \`${url}\``,
   },
+  SELF_SIGNED_CERTIFICATE: {
+    code: 'SELF_SIGNED_CERTIFICATE',
+    message: (url: string) =>
+      `Bridge Endpoint can't use a self signed certificate in production environments.`,
+  },
 } satisfies Record<string, { code: string; message: (url: string) => string }>;