Respect TLS override in WebID profile fetch

SarthakDudhe · SarthakDudhe · commit 604efb6b7808 · 2026-05-06T20:16:44.000+05:30
diff --git a/lib/webid/lib/get.mjs b/lib/webid/lib/get.mjs
@@ -1,19 +1,30 @@
-import { URL } from 'url'
-
-export default function get (webid, callback) {
-  let uri
+import { URL } from 'url'
+import { Agent } from 'undici'
+
+const insecureDispatcher = new Agent({
+  connect: {
+    rejectUnauthorized: false
+  }
+})
+
+export default function get (webid, callback) {
+  let uri
   try {
     uri = new URL(webid)
   } catch (err) {
     return callback(new Error('Invalid WebID URI: ' + webid + ': ' + err.message))
   }
-  const headers = {
-    Accept: 'text/turtle, application/ld+json'
-  }
-  fetch(uri.href, { method: 'GET', headers })
-    .then(async res => {
-      if (!res.ok) {
-        return callback(new Error('Failed to retrieve WebID from ' + uri.href + ': HTTP ' + res.status))
+  const headers = {
+    Accept: 'text/turtle, application/ld+json'
+  }
+  const options = { method: 'GET', headers }
+  if (uri.protocol === 'https:' && process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
+    options.dispatcher = insecureDispatcher
+  }
+  fetch(uri.href, options)
+    .then(async res => {
+      if (!res.ok) {
+        return callback(new Error('Failed to retrieve WebID from ' + uri.href + ': HTTP ' + res.status))
       }
       const contentType = res.headers.get('content-type')
       let body
diff --git a/test/unit/webid-get-test.mjs b/test/unit/webid-get-test.mjs
@@ -0,0 +1,70 @@
+import { expect } from 'chai'
+import get from '../../lib/webid/lib/get.mjs'
+
+describe('webid get()', () => {
+  const originalFetch = global.fetch
+  const originalTlsSetting = process.env.NODE_TLS_REJECT_UNAUTHORIZED
+
+  function callGet (webid) {
+    return new Promise((resolve, reject) => {
+      get(webid, (err, body, contentType) => {
+        if (err) {
+          reject(err)
+          return
+        }
+        resolve({ body, contentType })
+      })
+    })
+  }
+
+  afterEach(() => {
+    global.fetch = originalFetch
+    if (originalTlsSetting === undefined) {
+      delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
+    } else {
+      process.env.NODE_TLS_REJECT_UNAUTHORIZED = originalTlsSetting
+    }
+  })
+
+  it('uses an insecure dispatcher for https fetches when TLS verification is disabled', async () => {
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
+
+    global.fetch = async (url, options) => {
+      expect(url).to.equal('https://example.com/profile/card#me')
+      expect(options.method).to.equal('GET')
+      expect(options.headers.Accept).to.equal('text/turtle, application/ld+json')
+      expect(options.dispatcher).to.exist
+
+      return {
+        ok: true,
+        headers: {
+          get: () => 'text/turtle'
+        },
+        text: async () => '@prefix ex: <http://example.com/> .'
+      }
+    }
+
+    const { body, contentType } = await callGet('https://example.com/profile/card#me')
+    expect(contentType).to.equal('text/turtle')
+    expect(body).to.include('@prefix ex:')
+  })
+
+  it('does not use an insecure dispatcher when TLS verification is enabled', async () => {
+    delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
+
+    global.fetch = async (url, options) => {
+      expect(options.dispatcher).to.equal(undefined)
+
+      return {
+        ok: true,
+        headers: {
+          get: () => 'text/turtle'
+        },
+        text: async () => 'ok'
+      }
+    }
+
+    const { body } = await callGet('https://example.com/profile/card#me')
+    expect(body).to.equal('ok')
+  })
+})
