feat(http): add dangerous settings / disable ssl verification - issue tauri-apps#518 (tauri-apps#2204)

Author: RickeyWard

.changes/http-dangerous-settings.md

@@ -0,0 +1,6 @@
+---
+"http": minor
+"http-js": minor
+---
+
+Add `dangerous-settings` feature flag and new JS `danger` option to disable tls hostname/certificate validation.

plugins/http/Cargo.toml

@@ -73,3 +73,4 @@ charset = ["reqwest/charset"]
 macos-system-configuration = ["reqwest/macos-system-configuration"]
 unsafe-headers = []
 tracing = ["dep:tracing"]
+dangerous-settings = []

plugins/http/api-iife.js

@@ -84,6 +84,26 @@ export interface ClientOptions {
    * Configuration of a proxy that a Client should pass requests to.
    */
   proxy?: Proxy
+  /**
+   * Configuration for dangerous settings on the client such as disabling SSL verification.
+   */
+  danger?: DangerousSettings
+}
+
+/**
+ * Configuration for dangerous settings on the client such as disabling SSL verification.
+ *
+ * @since 2.3.0
+ */
+export interface DangerousSettings {
+  /**
+   * Disables SSL verification.
+   */
+  acceptInvalidCerts?: boolean
+  /**
+   * Disables hostname verification.
+   */
+  acceptInvalidHostnames?: boolean
 }
 
 const ERROR_REQUEST_CANCELLED = 'Request canceled'
@@ -115,12 +135,14 @@ export async function fetch(
   const maxRedirections = init?.maxRedirections
   const connectTimeout = init?.connectTimeout
   const proxy = init?.proxy
+  const danger = init?.danger
 
   // Remove these fields before creating the request
   if (init) {
     delete init.maxRedirections
     delete init.connectTimeout
     delete init.proxy
+    delete init.danger
   }
 
   const headers = init?.headers
@@ -172,7 +194,8 @@ export async function fetch(
       data,
       maxRedirections,
       connectTimeout,
-      proxy
+      proxy,
+      danger
     }
   })
 

plugins/http/guest-js/index.ts

@@ -75,6 +75,14 @@ pub struct FetchResponse {
     rid: ResourceId,
 }
 
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+#[allow(dead_code)] //feature flags shoudln't affect api
+pub struct DangerousSettings {
+    accept_invalid_certs: bool,
+    accept_invalid_hostnames: bool,
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct ClientConfig {
@@ -85,6 +93,7 @@ pub struct ClientConfig {
     connect_timeout: Option<u64>,
     max_redirections: Option<usize>,
     proxy: Option<Proxy>,
+    danger: Option<DangerousSettings>,
 }
 
 #[derive(Debug, Deserialize)]
@@ -181,6 +190,7 @@ pub async fn fetch<R: Runtime>(
         connect_timeout,
         max_redirections,
         proxy,
+        danger,
     } = client_config;
 
     let scheme = url.scheme();
@@ -220,6 +230,24 @@ pub async fn fetch<R: Runtime>(
             {
                 let mut builder = reqwest::ClientBuilder::new();
 
+                if let Some(danger_config) = danger {
+                    #[cfg(not(feature = "dangerous-settings"))]
+                    {
+                        #[cfg(debug_assertions)]
+                        {
+                            eprintln!("[\x1b[33mWARNING\x1b[0m] using dangerous settings requires `dangerous-settings` feature flag in your Cargo.toml");
+                        }
+                        let _ = danger_config;
+                        return Err(Error::DangerousSettings);
+                    }
+                    #[cfg(feature = "dangerous-settings")]
+                    {
+                        builder = builder
+                            .danger_accept_invalid_certs(danger_config.accept_invalid_certs)
+                            .danger_accept_invalid_hostnames(danger_config.accept_invalid_hostnames)
+                    }
+                }
+
                 if let Some(timeout) = connect_timeout {
                     builder = builder.connect_timeout(Duration::from_millis(timeout));
                 }

plugins/http/src/commands.rs

@@ -41,6 +41,8 @@ pub enum Error {
     Tauri(#[from] tauri::Error),
     #[error(transparent)]
     Utf8(#[from] std::string::FromUtf8Error),
+    #[error("dangerous settings used but are not enabled")]
+    DangerousSettings,
 }
 
 impl Serialize for Error {