Search code examples
typescriptssl-certificateslackslack-apimitmproxy

Slack WebClient: "unable to verify certificate" through proxy despite rejectUnauthorized = false

  1. I'm using below code for creating Slack web client on-demand in some typescript REST endpoint of some webservice. The client uses https agent for communicating with slack.com API via proxy (mitmproxy is used):
 private createProxyAwareSlackClient(token: any) {
    const proxyUrl = process.env.HTTPS_PROXY || process.env.HTTP_PROXY;
    const slackClientOptions = { logLevel: LogLevel.DEBUG };

    if (proxyUrl) {
      slackClientOptions['agent'] =
        new URL(proxyUrl).protocol === 'http' ? new HttpProxyAgent(proxyUrl, {rejectUnauthorized: false}) : new HttpsProxyAgent(proxyUrl, {rejectUnauthorized: false});
    }

    return new WebClient(token, slackClientOptions);
  }

  async firstHandshake(settings: any) {
    const slackWebClient = this.createProxyAwareSlackClient(undefined);
    let response: WebAPICallResult;
    try {
      response = await slackWebClient.oauth.v2.access({
        client_id: process.env.SLACK_CLIENT_ID,
        client_secret: process.env.SLACK_CLIENT_SECRET,
        code: settings.slack_code,
        redirect_uri: settings.redirect_uri
      });
    } catch (e) {
      logger.error(e);
      throw createError(500, 'Cannot get slack api key');
    }
  1. rejectUnauthorized: false is used while instantiating the agent to avoid validating of the slack.com certificate. Nevertheless, the certificate validation occurs and fails with below error in the client (rest endpoint source code):
[WARN]  web-api:WebClient:8 http request failed unable to verify the first certificate
[DEBUG]  web-api:WebClient:8 http request url: https://slack.com/api/oauth.v2.access
[DEBUG]  web-api:WebClient:8 http request body: {"client_id":"id","client_secret":"secret","code":"some_code","redirect_uri":"some_url"}
[DEBUG]  web-api:WebClient:8 http request headers: {}
[WARN]  web-api:WebClient:8 http request failed unable to verify the first certificate

and below error is seen in the mitmproxy logs:


[23:02:09.731][127.0.0.1:59940] client connect
[23:02:09.826][127.0.0.1:59940] server connect slack.com:443 (some_ip:443)
[23:02:09.911][127.0.0.1:59940] Client TLS handshake failed. The client disconnected during the handshake. If this happens consistently for slack.com, this may indicate that the client does not trust the proxy's certificate.
[23:02:09.913][127.0.0.1:59940] client disconnect
[23:02:09.914][127.0.0.1:59940] server disconnect slack.com:443 (some_ip:443)

It's important to note that:

HTTPS_PROXY env var is https://localhost:8080 (where mitmproxy listens)

How to skip slack.com certificate validation when slack webclient is accessing it via a proxy?

There's no issue and slack API is successfully accessed via the proxy without certificate validation if NODE_TLS_REJECT_UNAUTHORIZED=0 env var is present in the web service environment. However, it's a bad practice to disable certificate validation globally.

Solution

  • Using tunnel npm package solved the issue for me.

      import tunnel from 'tunnel';

  private createProxyAwareSlackClient(token: any) {
    const proxyUrl = process.env.TEST_HTTPS_PROXY || process.env.TEST_HTTP_PROXY;
    const basicAuthCredentials =
      process.env.TEST_HTTP_PROXY_BASIC_AUTH || process.env.ENGINE_HTTP_PROXY_BASIC_AUTH_DETAILS;
    const slackClientOptions: Record<string, any> = { logLevel: LogLevel.DEBUG };

    if (proxyUrl) {
      const { hostname, port } = new URL(proxyUrl); // Extract host and port

      const tunnelOptions = {
        keepAlive: true,
        keepAliveMsecs: 1000,
        maxFreeSockets: 256,
        maxSockets: 256,
        proxy: {
          host: hostname,
          port: port ? parseInt(port, 10) : 80,
          proxyAuth: basicAuthCredentials
        },
        rejectUnauthorized: false
      };

      slackClientOptions.agent = tunnel.httpsOverHttp(tunnelOptions);
    }

    return new WebClient(token, slackClientOptions);
  }