-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read file for SSL (certs and keys) and add pfx support #2027
Conversation
🦋 Changeset detectedLatest commit: b667f81 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
To assist in the review, the following document describes the files modified, changes made, strategy, etc. Also, additional comments concerning this PR are contained in the original PR, #1662 Change SummarySvelteKit PR 2027dev/index.js
server/index.jsThe goal of the
Note: Specifying custom self-signed certificates never worked in preview mode. Now it does. The Vite option Vite allows the key, cert, ca, and pfx options to be specified as a filename, string, or buffer[]. For example, the "cert" can be specified as any of the following:
I copied/adapted Vite's code in function readFileIfExists (see below). function get_server(...)
If the
If the function readFileIfExists(...)This is Vite's code --- It's kludgy, but it works: If a string is passed as a ca/cert/key/pfx option, it can either be a filename, or a string that holds the certificate contents. A readFileSync is issued, and if successful, the resulting buffer[] is returned. If it fails, the string is assumed to be the actual certificate contents, and is returned as-is. If a non-string is passed, it's assumed that it's a buffer[] containing the actual certificate contents, and is returned as-is. Yes, the @param type specification has an preview/index.js
types/config.d.ts
TestingMy testing strategy included: HTTPS testing: All three variations of HTTPS options for cert/key/pfx -- filename, string and buffer[]. For "ca", I ensured (via debugger) that all three variations were formatted correctly when passed to HTTP testing: With and without vite.server.https options (ensures that HMR doesn't reload constantly) Verify the above in both dev and preview modes. For dev mode, ensure that HMR continues to work properly. Also ensure that the proper certificate is used in all test cases (i.e., Kit's generated certificate or the user-specified certificate). Cursory testing to ensure that --host and --port options are honored. And, of course, pnpm format, pnpm lint, pnpm build and pnpm test. |
Thanks! There's kind of three different things being done here:
To help separate the discussion, I cleaned up and committed the first part for you in #2036 Regarding the second part, Rich had suggested maybe it'd be better to leave it the way it is? #1798 (comment) I haven't looked at the |
If I understand correctly, you opened PR #2036 and only included code for the original issue -- preview using Kit options instead of (correctly) using Vite options. These changes have been merged into master. As far as 'reading the file: In non middleware mode, Vite allows the cert and key (as well as pfx and ca) to be specified using the filename, a string or a buffer. I wanted to duplicate the functionality that Vite had so that middleware mode could use this same flexible (but somewhat ambiguous) specification. However, going forward, it seems that Rich wants the cert and key values to be strings (such as the string returned by fs.readFileSync(). That's OK by me. For the 'pfx' option: If the key/cert options are not specified, Kit will populate the key/cert options with a self-signed certificate. I'm not sure what node will do, e.g., throw an error or let one option take precedence over the other. I'll test this out later today. If the 'pfx' option takes precedence, no changes may be needed. Otherwise I'll open an issue for that. So, is this PR 'dead'? Should I close it? Thanks. |
Yes
How does Vite differentiate between a filename and a string? I wonder if we should try to steal their logic for this. As far as I can see they only take a filename, but I could be missing something: https://github.com/vitejs/vite/blob/514e124b29597203cb90aac9d838cd9322f24451/packages/vite/src/node/server/http.ts#L43
I think we got the most important part in, but I'm happy to discuss if you want to pursue the other parts of this such as pfx support |
Vite's differentiation logic is contained within this function: If the option ('value' parameter) is not a string, it assumes that it's a buffer. It returns "value" as is.
The Node options cert, key, ca and pfx can be passed as a string or a buffer[] -- Create Secure Context Options Using Vite's strategy might be beneficial. The user need not specify the {encoding: 'utf-8') option for fs.readFileSync, or can eliminate the fs.readFileSync call by merely specifying the filename.
I believe that you prefer implementing PR's that resolve current open issues -- which is good for tracking/documentation/search purposes. Depending on what you'd like me to implement, I'd be happy to open the related issue(s) and open a separate PR to implement them. For me, it would be safest to open a new PR, avoiding the debacle of a couple days ago :) BTW, I tested what happens when only the pfx option is specified -- Kit creates a self-signed certificate, and Node uses this certificate and ignores the pfx certificate. Therefore, I think we can classify this as a issue (bug). |
Using Vite's strategy sounds like a good plan to me No need to file an issue. We've already discussed it here. You can just go ahead and create a PR if you'd like |
Btw, I see there's a PR pending to fix pfx support in Vite now: vitejs/vite#4496 |
Since you said you'd prefer opening a new PR to updating this one, I'll go ahead and close it. If you change your mind about that we can go ahead and reopen this one |
Thanks for closing this. I've been a bit busy with personal items, but I'll open up the new PR and make the changes soon. |
Fixes #1659.
This replaces PR #1662 due to my inexperience with Github.
The dev server passes the vite options (config.kit.vite) when creating the http(s) server. This is functioning correctly.
The preview server passes the kit options (config.kit) when creating the http(s) server. This is not functioning correctly.
In preview mode, when the user specifies a cert/key pair, the cert/key pair is ignored, since the logic is looking for the option in the wrong place. Instead, Kit will generate its own cert/key pair. You can observe this by examining the certificate details within the browser.
This change aligns where the dev and preview modes look for a user-specified cert/key pair.
For reference, here is an example of a user-specified cert/key pair in
svelte.config.js
Before submitting the PR, please make sure you do the following
Tests
pnpm test
and lint the project withpnpm lint
andpnpm check
Changesets
pnpx changeset
and following the prompts