feat(http): add dangerous settings / disable ssl verification - issue #518 (#2204)

Committed via a GitHub action: https://github.com/tauri-apps/plugins-workspace/actions/runs/12898482373

Co-authored-by: amrbashir <amrbashir@users.noreply.github.com>

Cargo.toml

@@ -73,3 +73,4 @@ charset = ["reqwest/charset"]
 macos-system-configuration = ["reqwest/macos-system-configuration"]
 unsafe-headers = []
 tracing = ["dep:tracing"]
+dangerous-settings = []

api-iife.js

@@ -1 +1 @@
-if("__TAURI__"in window){var __TAURI_PLUGIN_HTTP__=function(e){"use strict";async function t(e,t={},r){return window.__TAURI_INTERNALS__.invoke(e,t,r)}"function"==typeof SuppressedError&&SuppressedError;const r="Request canceled";return e.fetch=async function(e,n){const a=n?.signal;if(a?.aborted)throw new Error(r);const o=n?.maxRedirections,s=n?.connectTimeout,i=n?.proxy;n&&(delete n.maxRedirections,delete n.connectTimeout,delete n.proxy);const d=n?.headers?n.headers instanceof Headers?n.headers:new Headers(n.headers):new Headers,c=new Request(e,n),u=await c.arrayBuffer(),f=0!==u.byteLength?Array.from(new Uint8Array(u)):null;for(const[e,t]of c.headers)d.get(e)||d.set(e,t);const _=(d instanceof Headers?Array.from(d.entries()):Array.isArray(d)?d:Object.entries(d)).map((([e,t])=>[e,"string"==typeof t?t:t.toString()]));if(a?.aborted)throw new Error(r);const h=await t("plugin:http|fetch",{clientConfig:{method:c.method,url:c.url,headers:_,data:f,maxRedirections:o,connectTimeout:s,proxy:i}}),l=()=>t("plugin:http|fetch_cancel",{rid:h});if(a?.aborted)throw l(),new Error(r);a?.addEventListener("abort",(()=>{l()}));const{status:p,statusText:w,url:y,headers:T,rid:A}=await t("plugin:http|fetch_send",{rid:h}),g=await t("plugin:http|fetch_read_body",{rid:A}),R=new Response(g instanceof ArrayBuffer&&0!==g.byteLength?g:g instanceof Array&&g.length>0?new Uint8Array(g):null,{status:p,statusText:w});return Object.defineProperty(R,"url",{value:y}),Object.defineProperty(R,"headers",{value:new Headers(T)}),R},e}({});Object.defineProperty(window.__TAURI__,"http",{value:__TAURI_PLUGIN_HTTP__})}
+if("__TAURI__"in window){var __TAURI_PLUGIN_HTTP__=function(e){"use strict";async function t(e,t={},r){return window.__TAURI_INTERNALS__.invoke(e,t,r)}"function"==typeof SuppressedError&&SuppressedError;const r="Request canceled";return e.fetch=async function(e,n){const a=n?.signal;if(a?.aborted)throw new Error(r);const o=n?.maxRedirections,s=n?.connectTimeout,i=n?.proxy,d=n?.danger;n&&(delete n.maxRedirections,delete n.connectTimeout,delete n.proxy,delete n.danger);const c=n?.headers?n.headers instanceof Headers?n.headers:new Headers(n.headers):new Headers,u=new Request(e,n),f=await u.arrayBuffer(),_=0!==f.byteLength?Array.from(new Uint8Array(f)):null;for(const[e,t]of u.headers)c.get(e)||c.set(e,t);const h=(c instanceof Headers?Array.from(c.entries()):Array.isArray(c)?c:Object.entries(c)).map((([e,t])=>[e,"string"==typeof t?t:t.toString()]));if(a?.aborted)throw new Error(r);const l=await t("plugin:http|fetch",{clientConfig:{method:u.method,url:u.url,headers:h,data:_,maxRedirections:o,connectTimeout:s,proxy:i,danger:d}}),p=()=>t("plugin:http|fetch_cancel",{rid:l});if(a?.aborted)throw p(),new Error(r);a?.addEventListener("abort",(()=>{p()}));const{status:w,statusText:y,url:g,headers:T,rid:A}=await t("plugin:http|fetch_send",{rid:l}),R=await t("plugin:http|fetch_read_body",{rid:A}),b=new Response(R instanceof ArrayBuffer&&0!==R.byteLength?R:R instanceof Array&&R.length>0?new Uint8Array(R):null,{status:w,statusText:y});return Object.defineProperty(b,"url",{value:g}),Object.defineProperty(b,"headers",{value:new Headers(T)}),b},e}({});Object.defineProperty(window.__TAURI__,"http",{value:__TAURI_PLUGIN_HTTP__})}

dist-js/index.cjs

@@ -52,11 +52,13 @@ async function fetch(input, init) {
     const maxRedirections = init?.maxRedirections;
     const connectTimeout = init?.connectTimeout;
     const proxy = init?.proxy;
+    const danger = init?.danger;
     // Remove these fields before creating the request
     if (init) {
         delete init.maxRedirections;
         delete init.connectTimeout;
         delete init.proxy;
+        delete init.danger;
     }
     const headers = init?.headers
         ? init.headers instanceof Headers
@@ -97,7 +99,8 @@ async function fetch(input, init) {
             data,
             maxRedirections,
             connectTimeout,
-            proxy
+            proxy,
+            danger
         }
     });
     const abort = () => core.invoke('plugin:http|fetch_cancel', { rid });

dist-js/index.d.ts

@@ -52,6 +52,25 @@ export interface ClientOptions {
      * Configuration of a proxy that a Client should pass requests to.
      */
     proxy?: Proxy;
+    /**
+     * Configuration for dangerous settings on the client such as disabling SSL verification.
+     */
+    danger?: DangerousSettings;
+}
+/**
+ * Configuration for dangerous settings on the client such as disabling SSL verification.
+ *
+ * @since 2.3.0
+ */
+export interface DangerousSettings {
+    /**
+     * Disables SSL verification.
+     */
+    acceptInvalidCerts?: boolean;
+    /**
+     * Disables hostname verification.
+     */
+    acceptInvalidHostnames?: boolean;
 }
 /**
  * Fetch a resource from the network. It returns a `Promise` that resolves to the

dist-js/index.js

@@ -50,11 +50,13 @@ async function fetch(input, init) {
     const maxRedirections = init?.maxRedirections;
     const connectTimeout = init?.connectTimeout;
     const proxy = init?.proxy;
+    const danger = init?.danger;
     // Remove these fields before creating the request
     if (init) {
         delete init.maxRedirections;
         delete init.connectTimeout;
         delete init.proxy;
+        delete init.danger;
     }
     const headers = init?.headers
         ? init.headers instanceof Headers
@@ -95,7 +97,8 @@ async function fetch(input, init) {
             data,
             maxRedirections,
             connectTimeout,
-            proxy
+            proxy,
+            danger
         }
     });
     const abort = () => invoke('plugin:http|fetch_cancel', { rid });

guest-js/index.ts

@@ -84,6 +84,26 @@ export interface ClientOptions {
    * Configuration of a proxy that a Client should pass requests to.
    */
   proxy?: Proxy
+  /**
+   * Configuration for dangerous settings on the client such as disabling SSL verification.
+   */
+  danger?: DangerousSettings
+}
+
+/**
+ * Configuration for dangerous settings on the client such as disabling SSL verification.
+ *
+ * @since 2.3.0
+ */
+export interface DangerousSettings {
+  /**
+   * Disables SSL verification.
+   */
+  acceptInvalidCerts?: boolean
+  /**
+   * Disables hostname verification.
+   */
+  acceptInvalidHostnames?: boolean
 }
 
 const ERROR_REQUEST_CANCELLED = 'Request canceled'
@@ -115,12 +135,14 @@ export async function fetch(
   const maxRedirections = init?.maxRedirections
   const connectTimeout = init?.connectTimeout
   const proxy = init?.proxy
+  const danger = init?.danger
 
   // Remove these fields before creating the request
   if (init) {
     delete init.maxRedirections
     delete init.connectTimeout
     delete init.proxy
+    delete init.danger
   }
 
   const headers = init?.headers
@@ -172,7 +194,8 @@ export async function fetch(
       data,
       maxRedirections,
       connectTimeout,
-      proxy
+      proxy,
+      danger
     }
   })
 

src/commands.rs

@@ -75,6 +75,14 @@ pub struct FetchResponse {
     rid: ResourceId,
 }
 
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+#[allow(dead_code)] //feature flags shoudln't affect api
+pub struct DangerousSettings {
+    accept_invalid_certs: bool,
+    accept_invalid_hostnames: bool,
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct ClientConfig {
@@ -85,6 +93,7 @@ pub struct ClientConfig {
     connect_timeout: Option<u64>,
     max_redirections: Option<usize>,
     proxy: Option<Proxy>,
+    danger: Option<DangerousSettings>,
 }
 
 #[derive(Debug, Deserialize)]
@@ -181,6 +190,7 @@ pub async fn fetch<R: Runtime>(
         connect_timeout,
         max_redirections,
         proxy,
+        danger,
     } = client_config;
 
     let scheme = url.scheme();
@@ -220,6 +230,24 @@ pub async fn fetch<R: Runtime>(
             {
                 let mut builder = reqwest::ClientBuilder::new();
 
+                if let Some(danger_config) = danger {
+                    #[cfg(not(feature = "dangerous-settings"))]
+                    {
+                        #[cfg(debug_assertions)]
+                        {
+                            eprintln!("[\x1b[33mWARNING\x1b[0m] using dangerous settings requires `dangerous-settings` feature flag in your Cargo.toml");
+                        }
+                        let _ = danger_config;
+                        return Err(Error::DangerousSettings);
+                    }
+                    #[cfg(feature = "dangerous-settings")]
+                    {
+                        builder = builder
+                            .danger_accept_invalid_certs(danger_config.accept_invalid_certs)
+                            .danger_accept_invalid_hostnames(danger_config.accept_invalid_hostnames)
+                    }
+                }
+
                 if let Some(timeout) = connect_timeout {
                     builder = builder.connect_timeout(Duration::from_millis(timeout));
                 }

src/error.rs

@@ -41,6 +41,8 @@ pub enum Error {
     Tauri(#[from] tauri::Error),
     #[error(transparent)]
     Utf8(#[from] std::string::FromUtf8Error),
+    #[error("dangerous settings used but are not enabled")]
+    DangerousSettings,
 }
 
 impl Serialize for Error {