npm - localssl-cli - Versions diffs - 0.1.4 → 0.1.6 - Mend

localssl-cli 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -146,6 +146,13 @@ It never stores CA private keys.
 - Team file validation blocks private-key content in `localssl.json`
 - Never share root CA private key files
+## Windows permissions behavior
+- localssl-cli first trusts certs in `CurrentUser\\Root` (no admin expected)
+- if needed, it prompts: `Admin access needed for machine-wide trust. Continue? (y/N)`
+- choosing `No` keeps safe mode and skips machine-wide trust
+- rerunning `localssl-cli init` repairs trust if CA already exists
 ---
 ## Troubleshooting

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "localssl-cli",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "One-command local HTTPS setup for teams",
   "type": "commonjs",
   "main": "src/index.js",

package/src/bootstrap.js CHANGED Viewed

@@ -99,8 +99,8 @@ async function trustSystem(certPath) {
   }
   if (process.platform === 'win32') {
-    await trustWindows(certPath);
-    return 'Windows Root store';
+    const scope = await trustWindows(certPath);
+    return scope;
   }
   await trustLinux(certPath);
@@ -138,8 +138,21 @@ async function initMachine({ quiet = false } = {}) {
   const hasCA = await fs.pathExists(LOCALSSL_CA_PUBLIC);
   if (hasCA) {
+    let repairSummary = 'already configured';
+    try {
+      const systemResult = await trustSystem(LOCALSSL_CA_PUBLIC);
+      const firefoxResult = await trustInFirefox(LOCALSSL_CA_PUBLIC);
+      const chromiumResult = await trustInChromium(LOCALSSL_CA_PUBLIC);
+      const nodeResult = await configureNodeExtraCACerts();
+      repairSummary = `${systemResult}; ${nodeResult}; Firefox ${firefoxResult.trusted ? 'ok' : 'skipped'}; Chrome/Edge ${chromiumResult.trusted ? 'ok' : 'skipped'}`;
+    } catch (error) {
+      if (!quiet) {
+        warn(`Trust repair skipped: ${error.message}`);
+      }
+    }
     if (!quiet) {
-      step(1, 1, 'Machine CA setup', 'skip', '(already configured)');
+      step(1, 1, 'Machine CA setup', 'skip', `(${repairSummary})`);
     }
     return { mkcertPath, initialized: false };
   }

package/src/prompt.js ADDED Viewed

@@ -0,0 +1,22 @@
+const readline = require('readline');
+async function askYesNo(question, defaultNo = true) {
+  if (process.env.LOCALSSL_ASSUME_YES === '1') {
+    return true;
+  }
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    return !defaultNo;
+  }
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(question, (answer) => {
+      rl.close();
+      const normalized = String(answer || '').trim().toLowerCase();
+      resolve(normalized === 'y' || normalized === 'yes');
+    });
+  });
+}
+module.exports = { askYesNo };

package/src/trust/windows.js CHANGED Viewed

@@ -1,20 +1,57 @@
 const { execFile } = require('child_process');
+const { askYesNo } = require('../prompt');
+function run(file, args) {
+  return new Promise((resolve) => {
+    execFile(file, args, { windowsHide: true }, (error) => resolve(!error));
+  });
+}
+async function trustCurrentUserWithPowerShell(certPath) {
+  const command = `Import-Certificate -FilePath \"${certPath}\" -CertStoreLocation Cert:\\CurrentUser\\Root | Out-Null`;
+  return run('powershell', ['-NoProfile', '-NonInteractive', '-Command', command]);
+}
+async function trustMachineWithElevation(certPath) {
+  const command = `$p = Start-Process certutil -ArgumentList '-addstore','-f','ROOT','${certPath}' -Verb RunAs -Wait -PassThru; if ($p.ExitCode -eq 0) { exit 0 } else { exit 1 }`;
+  return run('powershell', ['-NoProfile', '-NonInteractive', '-Command', command]);
+}
 function trustCertificate(certPath) {
-  return new Promise((resolve, reject) => {
-    execFile('certutil', ['-addstore', '-f', 'ROOT', certPath], { windowsHide: true }, (error) => {
-      if (error) {
-        reject(new Error('Admin privileges required to install CA on Windows. Re-run terminal as Administrator.'));
-        return;
-      }
-      resolve();
-    });
+  return new Promise(async (resolve, reject) => {
+    const userViaCertutil = await run('certutil', ['-user', '-addstore', '-f', 'ROOT', certPath]);
+    if (userViaCertutil) {
+      resolve('Windows CurrentUser Root');
+      return;
+    }
+    const userViaPowerShell = await trustCurrentUserWithPowerShell(certPath);
+    if (userViaPowerShell) {
+      resolve('Windows CurrentUser Root (PowerShell)');
+      return;
+    }
+    const consent = await askYesNo('  Admin access needed for machine-wide trust. Continue? (y/N): ');
+    if (!consent) {
+      resolve('Windows trust skipped (user declined admin prompt)');
+      return;
+    }
+    const machineStore = await trustMachineWithElevation(certPath);
+    if (machineStore) {
+      resolve('Windows LocalMachine Root (elevated)');
+      return;
+    }
+    reject(new Error('Could not install CA in Windows trust stores. Safe mode preserved (no insecure fallback used).'));
   });
 }
 function untrustCertificate(certPath) {
   return new Promise((resolve) => {
-    execFile('certutil', ['-delstore', 'ROOT', certPath], { windowsHide: true }, () => resolve());
+    execFile('certutil', ['-user', '-delstore', 'ROOT', certPath], { windowsHide: true }, () => {
+      execFile('certutil', ['-delstore', 'ROOT', certPath], { windowsHide: true }, () => resolve());
+    });
   });
 }