@jsenv/https-local 2.0.0 → 3.0.1

package/README.md

@@ -61,13 +61,13 @@ node ./install_certificate_authority.mjs
  *
  * > node ./install_certificate_authority.mjs
  *
- * Read more in https://github.com/jsenv/https-local#requestCertificateForLocalhost
+ * Read more in https://github.com/jsenv/https-local#requestCertificate
  */
 
 import { createServer } from "node:https"
-import { requestCertificateForLocalhost } from "@jsenv/https-local"
+import { requestCertificate } from "@jsenv/https-local"
 
-const { certificate, privateKey } = requestCertificateForLocalhost()
+const { certificate, privateKey } = requestCertificate()
 
 const server = createServer(
   {
@@ -99,10 +99,10 @@ The rest of the documentation goes into details.
 
 # Certificate expiration
 
-| Certificate | Expires after | How to renew?                           |
-| ----------- | ------------- | --------------------------------------- |
-| server      | 1 year        | Re-run _requestCertificateForLocalhost_ |
-| authority   | 20 year       | Re-run _installCertificateAuthority_    |
+| Certificate | Expires after | How to renew?                        |
+| ----------- | ------------- | ------------------------------------ |
+| server      | 1 year        | Re-run _requestCertificate_          |
+| authority   | 20 year       | Re-run _installCertificateAuthority_ |
 
 The **server** certificate expires after one year which is the maximum duration allowed by web browsers. In the unlikely scenario where your local server is running for more than a year without interruption, restart it and you're good for one more year.
 
@@ -352,15 +352,15 @@ Check if certificate is trusted by firefox...
 
 </details>
 
-# requestCertificateForLocalhost
+# requestCertificate
 
-_requestCertificateForLocalhost_ function returns a certificate and private key that can be used to start a server in HTTPS.
+_requestCertificate_ function returns a certificate and private key that can be used to start a server in HTTPS.
 
 ```js
 import { createServer } from "node:https"
-import { requestCertificateForLocalhost } from "@jsenv/https-local"
+import { requestCertificate } from "@jsenv/https-local"
 
-const { certificate, privateKey } = requestCertificateForLocalhost({
+const { certificate, privateKey } = requestCertificate({
   altNames: ["localhost", "local.example"],
 })
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jsenv/https-local",
-  "version": "2.0.0",
+  "version": "3.0.1",
   "description": "A programmatic way to generate locally trusted certificates",
   "license": "MIT",
   "author": {
@@ -13,8 +13,7 @@
     "url": "https://github.com/jsenv/https-local"
   },
   "publishConfig": {
-    "access": "public",
-    "registry": "https://registry.npmjs.org"
+    "access": "public"
   },
   "engines": {
     "node": ">=16.13.0"
@@ -48,9 +47,9 @@
     "playwright-install": "npx playwright install-deps && npx playwright install"
   },
   "dependencies": {
-    "@jsenv/filesystem": "4.1.0",
-    "@jsenv/log": "2.0.1",
-    "@jsenv/urls": "1.2.6",
+    "@jsenv/filesystem": "4.1.2",
+    "@jsenv/log": "3.1.0",
+    "@jsenv/urls": "1.2.7",
     "command-exists": "1.2.9",
     "node-forge": "1.3.1",
     "sudo-prompt": "9.2.1",
@@ -58,15 +57,15 @@
   },
   "devDependencies": {
     "@jsenv/assert": "2.6.0",
-    "@jsenv/core": "27.0.0-alpha.92",
-    "@jsenv/eslint-config": "16.0.9",
+    "@jsenv/core": "28.0.2",
+    "@jsenv/eslint-config": "16.2.1",
     "@jsenv/eslint-import-resolver": "0.3.0",
-    "@jsenv/github-release-package": "1.4.0",
-    "@jsenv/package-publish": "1.7.5",
+    "@jsenv/github-release-package": "1.5.0",
+    "@jsenv/package-publish": "1.10.0",
     "@jsenv/performance-impact": "2.3.0",
-    "eslint": "8.18.0",
+    "eslint": "8.21.0",
     "eslint-plugin-import": "2.26.0",
-    "playwright": "1.22.2",
+    "playwright": "1.24.2",
     "prettier": "2.7.1"
   }
-}
+}

package/src/certificate_authority.js

@@ -231,13 +231,12 @@ export const installCertificateAuthority = async ({
   const rootCertificatePrivateKeyForgeObject = pki.privateKeyFromPem(
     rootCertificatePrivateKey,
   )
-
   const trustInfo = await platformMethods.executeTrustQuery({
     logger,
     certificateCommonName,
     certificateFileUrl: rootCertificateFileInfo.url,
     certificate: rootCertificate,
-    verb: tryToTrust ? "ADD_TRUST" : "CHECK_TRUST",
+    verb: tryToTrust ? "ENSURE_TRUST" : "CHECK_TRUST",
     NSSDynamicInstall,
   })
 

package/src/{certificate_for_localhost.js → certificate_request.js}

@@ -11,7 +11,7 @@ import { getAuthorityFileInfos } from "./internal/authority_file_infos.js"
 import { requestCertificateFromAuthority } from "./internal/certificate_generator.js"
 import { formatDuration } from "./internal/validity_formatting.js"
 
-export const requestCertificateForLocalhost = ({
+export const requestCertificate = ({
   logLevel,
   logger = createLogger({ logLevel }), // to be able to catch logs during unit tests
 
@@ -47,7 +47,7 @@ export const requestCertificateForLocalhost = ({
   } = getAuthorityFileInfos()
   if (!rootCertificateFileInfo.exists) {
     throw new Error(
-      `Certificate authority not found, "installCertificateAuthority" must be called before "requestCertificateForLocalhost"`,
+      `Certificate authority not found, "installCertificateAuthority" must be called before "requestServerCertificate"`,
     )
   }
   if (!rootCertificatePrivateKeyFileInfo.exists) {
@@ -81,10 +81,6 @@ export const requestCertificateForLocalhost = ({
     JSON.stringify({ serialNumber: serverCertificateSerialNumber }, null, "  "),
   )
 
-  if (!altNames.includes("localhost")) {
-    altNames.push("localhost")
-  }
-
   logger.debug(`Generating server certificate...`)
   const { certificateForgeObject, certificatePrivateKeyForgeObject } =
     requestCertificateFromAuthority({

package/src/internal/linux/linux_trust_store.js

@@ -10,6 +10,7 @@ import { createDetailedMessage, UNICODE } from "@jsenv/log"
 import {
   VERB_CHECK_TRUST,
   VERB_ADD_TRUST,
+  VERB_ENSURE_TRUST,
   VERB_REMOVE_TRUST,
 } from "../trust_query.js"
 import { exec } from "../exec.js"
@@ -100,7 +101,11 @@ export const executeTrustQueryOnLinux = async ({
   }
 
   logger.info(`${UNICODE.OK} certificate found in linux`)
-  if (verb === VERB_CHECK_TRUST || verb === VERB_ADD_TRUST) {
+  if (
+    verb === VERB_CHECK_TRUST ||
+    verb === VERB_ADD_TRUST ||
+    verb === VERB_ENSURE_TRUST
+  ) {
     return {
       status: "trusted",
       reason: REASON_FOUND_IN_LINUX,

package/src/internal/mac/firefox_mac.js

@@ -78,5 +78,6 @@ export const executeTrustQueryOnFirefox = ({
 }
 
 const isFirefoxOpen = () => {
-  return execSync("ps aux").includes("firefox")
+  const psAux = execSync("ps aux")
+  return psAux.includes("Firefox.app")
 }

package/src/internal/mac/mac_keychain.js

@@ -8,6 +8,7 @@ import { searchCertificateInCommandOutput } from "../search_certificate_in_comma
 import {
   VERB_CHECK_TRUST,
   VERB_ADD_TRUST,
+  VERB_ENSURE_TRUST,
   VERB_REMOVE_TRUST,
 } from "../trust_query.js"
 
@@ -52,6 +53,35 @@ export const executeTrustQueryOnMacKeychain = async ({
     certificate,
   )
 
+  const removeCert = async () => {
+    // https://ss64.com/osx/security-delete-cert.html
+    const removeTrustedCertCommand = `sudo security delete-certificate -c "${certificateCommonName}"`
+    logger.info(`Removing certificate from mac keychain...`)
+    logger.info(`${UNICODE.COMMAND} ${removeTrustedCertCommand}`)
+    try {
+      await exec(removeTrustedCertCommand)
+      logger.info(`${UNICODE.OK} certificate removed from mac keychain`)
+      return {
+        status: "not_trusted",
+        reason: REASON_REMOVE_FROM_KEYCHAIN_COMMAND_COMPLETED,
+      }
+    } catch (e) {
+      logger.error(
+        createDetailedMessage(
+          `${UNICODE.FAILURE} failed to remove certificate from mac keychain`,
+          {
+            "error stack": e.stack,
+            "certificate file url": certificateFileUrl,
+          },
+        ),
+      )
+      return {
+        status: "not_trusted",
+        reason: REASON_REMOVE_FROM_KEYCHAIN_COMMAND_FAILED,
+      }
+    }
+  }
+
   if (!certificateFoundInCommandOutput) {
     logger.info(`${UNICODE.INFO} certificate not found in mac keychain`)
     if (verb === VERB_CHECK_TRUST || verb === VERB_REMOVE_TRUST) {
@@ -60,7 +90,13 @@ export const executeTrustQueryOnMacKeychain = async ({
         reason: REASON_NOT_IN_KEYCHAIN,
       }
     }
-
+    if (verb === VERB_ENSURE_TRUST) {
+      // It seems possible for certificate PEM representation to be different
+      // in mackeychain and in the one we have written on the filesystem
+      // When it happens the certificate is not found but actually exists on mackeychain
+      // and must be deleted first
+      await removeCert()
+    }
     const certificateFilePath = fileURLToPath(certificateFileUrl)
     // https://ss64.com/osx/security-cert.html
     const addTrustedCertCommand = `sudo security add-trusted-cert -d -r trustRoot -k ${systemKeychainPath} "${certificateFilePath}"`
@@ -95,37 +131,16 @@ export const executeTrustQueryOnMacKeychain = async ({
   // but they shouldn't and I couldn't find an API to know if the cert is trusted or not
   // just if it's in the keychain
   logger.info(`${UNICODE.OK} certificate found in mac keychain`)
-  if (verb === VERB_CHECK_TRUST || verb === VERB_ADD_TRUST) {
+  if (
+    verb === VERB_CHECK_TRUST ||
+    verb === VERB_ADD_TRUST ||
+    verb === VERB_ENSURE_TRUST
+  ) {
     return {
       status: "trusted",
       reason: REASON_IN_KEYCHAIN,
     }
   }
 
-  // https://ss64.com/osx/security-delete-cert.html
-  const removeTrustedCertCommand = `sudo security delete-certificate -c "${certificateCommonName}"`
-  logger.info(`Removing certificate from mac keychain...`)
-  logger.info(`${UNICODE.COMMAND} ${removeTrustedCertCommand}`)
-  try {
-    await exec(removeTrustedCertCommand)
-    logger.info(`${UNICODE.OK} certificate removed from mac keychain`)
-    return {
-      status: "not_trusted",
-      reason: REASON_REMOVE_FROM_KEYCHAIN_COMMAND_COMPLETED,
-    }
-  } catch (e) {
-    logger.error(
-      createDetailedMessage(
-        `${UNICODE.FAILURE} failed to remove certificate from mac keychain`,
-        {
-          "error stack": e.stack,
-          "certificate file url": certificateFileUrl,
-        },
-      ),
-    )
-    return {
-      status: "not_trusted",
-      reason: REASON_REMOVE_FROM_KEYCHAIN_COMMAND_FAILED,
-    }
-  }
+  return removeCert()
 }

package/src/internal/nssdb_browser.js

@@ -11,7 +11,11 @@ import { assertAndNormalizeDirectoryUrl, collectFiles } from "@jsenv/filesystem"
 
 import { exec } from "./exec.js"
 import { searchCertificateInCommandOutput } from "./search_certificate_in_command_output.js"
-import { VERB_CHECK_TRUST, VERB_ADD_TRUST } from "./trust_query.js"
+import {
+  VERB_CHECK_TRUST,
+  VERB_ADD_TRUST,
+  VERB_ENSURE_TRUST,
+} from "./trust_query.js"
 
 export const executeTrustQueryOnBrowserNSSDB = async ({
   logger,
@@ -52,7 +56,7 @@ export const executeTrustQueryOnBrowserNSSDB = async ({
   const nssIsInstalled = await detectIfNSSIsInstalled({ logger })
   const cannotCheckMessage = `${UNICODE.FAILURE} cannot check if certificate is in ${browserName}`
   if (!nssIsInstalled) {
-    if (verb === VERB_ADD_TRUST) {
+    if (verb === VERB_ADD_TRUST || verb === VERB_ENSURE_TRUST) {
       const nssDynamicInstallInfo = await getNSSDynamicInstallInfo({ logger })
       if (!nssDynamicInstallInfo.isInstallable) {
         const reason = `"${nssCommandName}" is not installed and not cannot be installed`
@@ -209,7 +213,7 @@ export const executeTrustQueryOnBrowserNSSDB = async ({
     }
   }
 
-  if (verb === VERB_ADD_TRUST) {
+  if (verb === VERB_ADD_TRUST || verb === VERB_ENSURE_TRUST) {
     if (missingCount === 0 && outdatedCount === 0) {
       logger.info(`${UNICODE.OK} certificate found in ${browserName}`)
       return {

package/src/internal/trust_query.js

@@ -1,5 +1,4 @@
 export const VERB_CHECK_TRUST = "CHECK_TRUST"
-
 export const VERB_ADD_TRUST = "ADD_TRUST"
-
+export const VERB_ENSURE_TRUST = "ENSURE_TRUST"
 export const VERB_REMOVE_TRUST = "REMOVE_TRUST"

package/src/internal/windows/windows_certutil.js

@@ -10,6 +10,7 @@ import { exec } from "../exec.js"
 import {
   VERB_CHECK_TRUST,
   VERB_ADD_TRUST,
+  VERB_ENSURE_TRUST,
   VERB_REMOVE_TRUST,
 } from "../trust_query.js"
 
@@ -93,7 +94,11 @@ export const executeTrustQueryOnWindows = async ({
   }
 
   logger.info(`${UNICODE.OK} certificate found in windows`)
-  if (verb === VERB_CHECK_TRUST || verb === VERB_ADD_TRUST) {
+  if (
+    verb === VERB_CHECK_TRUST ||
+    verb === VERB_ADD_TRUST ||
+    verb === VERB_ENSURE_TRUST
+  ) {
     return {
       status: "trusted",
       reason: REASON_FOUND_IN_WINDOWS,

package/src/main.js

@@ -16,4 +16,4 @@ export {
 
 export { verifyHostsFile } from "./hosts_file_verif.js"
 
-export { requestCertificateForLocalhost } from "./certificate_for_localhost.js"
+export { requestCertificate } from "./certificate_request.js"