From ee8d32f97cd5e5907c8cd9d815c7fe57a7031f7f Mon Sep 17 00:00:00 2001
From: Charmander <~@charmander.me>
Date: Wed, 15 Jan 2020 12:59:26 -0800
Subject: [PATCH] Deprecate implicit TLS `rejectUnauthorized: false` (#2075)
Yes, it treats `undefined` as `false`. Discussion in #2009. Introduced unintentionally in pg 0.8.7.
---
 packages/pg/lib/compat/warn-deprecation.js | 4 ++--
 packages/pg/lib/connection-fast.js | 5 +++++
 packages/pg/lib/connection.js | 5 +++++
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/packages/pg/lib/compat/warn-deprecation.js b/packages/pg/lib/compat/warn-deprecation.js
index 362183558..558275900 100644
--- a/packages/pg/lib/compat/warn-deprecation.js
+++ b/packages/pg/lib/compat/warn-deprecation.js
@@ -5,7 +5,7 @@ const util = require('util')
 const dummyFunctions = new Map()
 // Node 4 doesn’t support process.emitWarning(message, 'DeprecationWarning', code).
-const emitDeprecationWarning = (message, code) => {
+const warnDeprecation = (message, code) => {
 let dummy = dummyFunctions.get(code)
 if (dummy === undefined) {
@@ -16,4 +16,4 @@ const emitDeprecationWarning = (message, code) => {
 dummy()
 }
-module.exports = emitDeprecationWarning
+module.exports = warnDeprecation
diff --git a/packages/pg/lib/connection-fast.js b/packages/pg/lib/connection-fast.js
index 38f55bdcd..a31d92a20 100644
--- a/packages/pg/lib/connection-fast.js
+++ b/packages/pg/lib/connection-fast.js
@@ -15,6 +15,8 @@ var Writer = require('buffer-writer')
 // eslint-disable-next-line
 var PacketStream = require('pg-packet-stream')
+var warnDeprecation = require('./compat/warn-deprecation')
+
 var TEXT_MODE = 0
 // TODO(bmc) support binary mode here
@@ -105,6 +107,9 @@ Connection.prototype.connect = function (port, host) {
 secureOptions: self.ssl.secureOptions,
 NPNProtocols: self.ssl.NPNProtocols
 }
+ if (typeof self.ssl.rejectUnauthorized !== 'boolean') {
+ warnDeprecation('Implicit disabling of certificate verification is deprecated and will be removed in pg 8. Specify `rejectUnauthorized: true` to require a valid CA or `rejectUnauthorized: false` to explicitly opt out of MITM protection.', 'PG-SSL-VERIFY')
+ }
 if (net.isIP(host) === 0) {
 options.servername = host
 }
diff --git a/packages/pg/lib/connection.js b/packages/pg/lib/connection.js
index 4fae92083..435c1a965 100644
--- a/packages/pg/lib/connection.js
+++ b/packages/pg/lib/connection.js
@@ -14,6 +14,8 @@ var util = require('util')
 var Writer = require('buffer-writer')
 var Reader = require('packet-reader')
+var warnDeprecation = require('./compat/warn-deprecation')
+
 var TEXT_MODE = 0
 var BINARY_MODE = 1
 var Connection = function (config) {
@@ -103,6 +105,9 @@ Connection.prototype.connect = function (port, host) {
 secureOptions: self.ssl.secureOptions,
 NPNProtocols: self.ssl.NPNProtocols
 }
+ if (typeof self.ssl.rejectUnauthorized !== 'boolean') {
+ warnDeprecation('Implicit disabling of certificate verification is deprecated and will be removed in pg 8. Specify `rejectUnauthorized: true` to require a valid CA or `rejectUnauthorized: false` to explicitly opt out of MITM protection.', 'PG-SSL-VERIFY')
+ }
 if (net.isIP(host) === 0) {
 options.servername = host
 }
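Review bot: The `typeof self.ssl.rejectUnauthorized !== 'boolean'` check added to `Connection.prototype.connect` in `connection-fast.js` only warns, so the TLS connection still proceeds. Per the commit description, an unset value is treated as `false`, meaning the server certificate is not verified. The `warn-deprecation.js` hunk caches one dummy function per code, so the `PG-SSL-VERIFY` warning presumably appears once per process rather than per connection; it cannot show which connection lacked the setting. I would say so above the check, e.g. `// Warning only: the connection still proceeds; until pg 8 an unset rejectUnauthorized means the server certificate is not verified.` The same applies to the identical hunk in `packages/pg/lib/connection.js`; the options object and the rest of `connect` are outside both hunks.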
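Review bot: The three added lines in this `connection.js` hunk are a character-for-character copy of the ones added to `connection-fast.js`, including the full message text and the `'PG-SSL-VERIFY'` code. A later wording change, or a tightening of the `typeof … !== 'boolean'` test, would have to be made in two places, and a missed copy would leave one connection implementation with stale guidance about certificate verification. I would move the test and message into one small function exported alongside `warn-deprecation.js` and call it from both files, for example `warnIfVerificationImplicit(self.ssl)` (a suggested name, not an existing one). The body of `connect` continues outside the hunk.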