Skip to content

fix(devtools-connect): fix TLS error fallback mechanism MONGOSH-2488 #566

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 13, 2025
Merged

fix(devtools-connect): fix TLS error fallback mechanism MONGOSH-2488 #566

merged 1 commit into from
Aug 13, 2025

Conversation

addaleax
Copy link
Collaborator

Restructure our proxy integration logic to:

  • Avoid modifying the OIDC options – previously we were assigning to clientOptions.oidc, which meant that the fetch function created to read the system certificates was also used for the non-system-cert connect() call, breaking our fallback mechanism
  • Add a test that verifies that the fallback mechanism works both for TLS driver connections and HTTPS OIDC calls.
  • Deduplicate the logic for adding CA options to the DevtoolsProxyOptions instances.
  • Share log info from the OIDC agent instance, if a new one has been created.
  • Make sure that TLS errors passed through node-fetch are actually picked up by our "nested error" detection logic (they have a different toStringTag defined than regular Error instances).

Description

Open Questions

Checklist

@addaleax
fix(devtools-connect): fix TLS error fallback mechanism MONGOSH-2488
922e12d 
Restructure our proxy integration logic to:

- Avoid modifying the OIDC options – previously we were assigning to
  `clientOptions.oidc`, which meant that the `fetch` function created
  to read the system certificates was also used for the non-system-cert
  `connect()` call, breaking our fallback mechanism
- Add a test that verifies that the fallback mechanism works both for
  TLS driver connections and HTTPS OIDC calls.
- Deduplicate the logic for adding CA options to the `DevtoolsProxyOptions`
  instances.
- Share log info from the OIDC agent instance, if a new one has been
  created.
- Make sure that TLS errors passed through node-fetch are actually
  picked up by our "nested error" detection logic (they have a different
  `toStringTag` defined than regular `Error` instances).
addaleax
addaleax commented Aug 13, 2025
View reviewed changes
packages/devtools-connect/src/connect.ts
clientOptions.oidc = {
customFetch: createFetch(
oidcProxyOptions,
) as unknown as MongoDBOIDCPluginOptions['customFetch'],
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

^ I think this statement was the core of the bug here, we were assigning to clientOptions.oidc, so the retry-without-system-certs call would use the same customFetch function as the initial one with system certs

@addaleax addaleax merged commit 11b3ac6 into main Aug 13, 2025
31 checks passed
@addaleax addaleax deleted the 2488-dev branch August 13, 2025 18:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kmruiz kmruiz kmruiz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@addaleax @kmruiz