fix: do not reject unauthorized by default (#25)

gajus · Jun 1, 2020 · 11e2de5 · 11e2de5
1 parent 9e51756
commit 11e2de5
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/src/classes/Agent.js b/src/classes/Agent.js
@@ -3,6 +3,9 @@
 import {
   serializeError,
 } from 'serialize-error';
+import {
+  boolean,
+} from 'boolean';
 import Logger from '../Logger';
 import type {
   AgentType,
@@ -143,12 +146,21 @@ class Agent {
         key: configuration.key,
         passphrase: configuration.passphrase,
         pfx: configuration.pfx,
-        rejectUnauthorized: configuration.rejectUnauthorized || false,
+        rejectUnauthorized: configuration.rejectUnauthorized,
         secureOptions: configuration.secureOptions,
         secureProtocol: configuration.secureProtocol,
         servername: configuration.servername || connectionConfiguration.host,
         sessionIdContext: configuration.sessionIdContext,
       };
+
+      // This is not ideal because there is no way to override this setting using `tls` configuration if `NODE_TLS_REJECT_UNAUTHORIZED=0`.
+      // However, popular HTTP clients (such as https://github.com/sindresorhus/got) come with pre-configured value for `rejectUnauthorized`,
+      // which makes it impossible to override that value globally and respect `rejectUnauthorized` for specific requests only.
+      //
+      // eslint-disable-next-line no-process-env
+      if (typeof process.env.NODE_TLS_REJECT_UNAUTHORIZED === 'string' && boolean(process.env.NODE_TLS_REJECT_UNAUTHORIZED) === false) {
+        connectionConfiguration.tls = false;
+      }
     }
 
     // $FlowFixMe It appears that Flow is missing the method description.