feat: Rotate WebRTC Direct certificates #2997
Conversation
| @@ -154,20 +164,19 @@ export class WebRTCDirectListener extends TypedEventEmitter<ListenerEvents> impl | |||
| server: Promise.resolve() | |||
| .then(async (): Promise<StunServer> => { | |||
| // ensure we have a certificate | |||
| if (this.certificate == null) { | |||
| if (this.certificate == null || this.isCertificateExpiring()) { | |||
There was a problem hiding this comment.
This check will only run when the node is started.
If the certificate expires while the node is running it will continue using it and connections will start to fail.
Instead a timeout should be set that fires a short(ish) time before the certificate expiry that creates a new certificate, restarts the server with the new cert and emits the "listening" event.
| @@ -280,6 +280,7 @@ export interface TransportCertificate { | |||
| * The hash of the certificate | |||
| */ | |||
| certhash: string | |||
| notAfter: string | |||
There was a problem hiding this comment.
This would be better as a number so we don't have to convert the string back to a date in order to see if the cert is about to expire, instead it can just be compared to Date.now() - threshold .
| const expiryDate = new Date(this.certificate.notAfter) | ||
| const now = new Date() | ||
| const timeToExpiry = expiryDate.getTime() - now.getTime() | ||
| const threshold = 30 * 24 * 60 * 60 * 1000 |
There was a problem hiding this comment.
threshold should be configurable.
| peerId: { toB58String: () => 'QmPeerId' } as any, | ||
| privateKey: {} as any, | ||
| logger: { | ||
| forComponent: () => ({ | ||
| trace: () => {}, | ||
| error: () => {} | ||
| }) | ||
| } as any, |
There was a problem hiding this comment.
These fields can be filled using actual values, see other tests here for an example.
| error: () => {} | ||
| }) | ||
| } as any, | ||
| transportManager: {} as any |
There was a problem hiding this comment.
You can use stubInterface<TransportManager>() from sinon-ts here to avoid casting to any.
Title
Rotating web RTC certificate when expiring
Description
Fixes #2989
Notes & open questions
I know this PR is not be perfect. Please provide me suggestions or changes that needed to be done.
Change checklist