Support configuration for rejectUnauthorized in grpc-js library

[norman-hopfeld-aa]

The grpc-js library supports to set a flag to configure rejecting unauthorized connections since version 1.12.0.

For testing purposes it is useful to open up security (e.g. testing with mocks on localhost), as otherwise connections will be refused.

Could this be considered as an enhancement in the future?

[pozil]

Hi @norman-hopfeld-aa, thanks for the suggestion. I can take a look at it after TDX.

[pozil]

Hi @norman-hopfeld-aa, thanks for your patience. I've released a new version which includes a rejectUnauthorizedSsl configuration field to support self-signed SSL certificate. See the readme for more details.

[norman-hopfeld-aa]

@pozil Thank you. This will be really helpful for testing purposes.
This feature will not be added to version 4 by any chance or could it be added their, too? We are unfortunately not ready to migrate there yet.

[pozil]

Sorry, I don't plan to release additional versions of v4. v5 has a lot of fixes and performance improvements so you should definitely consider migrating.

If you really need this feature, you could fork the v4 branch and backport the feature. All it takes is to modify this line:

grpc.credentials.createSsl(rootCert)

into something like this:

grpc.credentials.createSsl(rootCert, null, null, {
  rejectUnauthorized: (process.env.REJECT_UNAUTHORIZED_SSL?.toUppercase() === 'FALSE')
}),

and configure a REJECT_UNAUTHORIZED_SSL environment variable.