configurable ca_certs, simplify network list sent to clients

client/components/NetworkForm.vue

@@ -187,10 +187,10 @@
 					>
 						<option
 							v-for="network in store.state.serverConfiguration?.networks"
-							:key="network.name"
-							:value="network.name"
+							:key="network"
+							:value="network"
 						>
-							{{ network.name }}
+							{{ network }}
 						</option>
 					</select>
 				</div>

server/client.ts

@@ -313,6 +313,7 @@ class Client {
 			host: String(args.host || ""),
 			port: parseInt(String(args.port), 10),
 			tls: !!args.tls,
+			caCert: args.caCert,
 			userDisconnected: !!args.userDisconnected,
 			rejectUnauthorized: !!args.rejectUnauthorized,
 			password: String(args.password || ""),

server/config.ts

@@ -80,11 +80,22 @@ type StoragePolicy = {
 	deletionPolicy: "statusOnly" | "everything";
 };
 
-type NetworkTemplate = {
+type TemplateNetwork = {
+	name: string,
 	host: string,
 	port: number,
 	tls: boolean,
-	rejectUnauthorized: boolean // if TLS certificates are validated 
+	rejectUnauthorized: boolean,
+	caCert?: Buffer
+};
+
+type NetworkInConfig = {
+	name: string,
+	host: string,
+	port: number,
+	tls: boolean,
+	rejectUnauthorized?: boolean,
+	caCert?: string
 };
 
 export type ConfigType = {
@@ -107,7 +118,7 @@ export type ConfigType = {
 	leaveMessage: string;
 	defaults: Defaults;
 	lockNetwork: boolean;
-	networks: {[name: string]: NetworkTemplate};
+	networks: {[name: string]: NetworkInConfig};
 	messageStorage: string[];
 	storagePolicy: StoragePolicy;
 	useHexIp: boolean;
@@ -124,9 +135,7 @@ class Config {
 		path.join(__dirname, "..", "defaults", "config.js")
 	)) as ConfigType;
 	#homePath = "";
-	networks = Object.fromEntries(Object.entries(this.values.networks).map(([name, network]) => {
-		return [name, {...network, name}];
-	}));
+	networks: {[name: string]: TemplateNetwork} = this.parseNetworks();
 
 	getHomePath() {
 		return this.#homePath;
@@ -179,8 +188,30 @@ class Config {
 		);
 	}
 
+	getNetworks() {
+		return this.networks;
+	}
+
+	getNetworkNames() {
+		return Object.keys(this.networks);
+	}
+
+	parseNetworks() {
+		return Object.fromEntries(Object.entries(this.values.networks).map(([name, network]) => {
+			return [name, <TemplateNetwork>{
+				name,
+				host: network.host,
+				port: network.port,
+				tls: network.tls !== undefined ? network.tls : true,
+				rejectUnauthorized: network.rejectUnauthorized !== undefined ? network.rejectUnauthorized : true,
+				caCert: network.caCert ? fs.readFileSync(network.caCert) : undefined
+			}];
+		}));
+	}
+
 	merge(newConfig: ConfigType) {
 		this._merge_config_objects(this.values, newConfig);
+		this.networks = this.parseNetworks();
 	}
 
 	_merge_config_objects(oldConfig: ConfigType, newConfig: ConfigType) {

server/models/network.ts

@@ -21,6 +21,7 @@ type NetworkIrcOptions = {
 	username: string;
 	gecos: string;
 	tls: boolean;
+	ca_certificate?: Buffer;
 	rejectUnauthorized: boolean;
 	webirc: WebIRC | null;
 	client_certificate: ClientCertificateType | null;
@@ -94,6 +95,7 @@ class Network {
 	host!: string;
 	port!: number;
 	tls!: boolean;
+	caCert!: Buffer;
 	userDisconnected!: boolean;
 	rejectUnauthorized!: boolean;
 	password!: string;
@@ -247,7 +249,7 @@ class Network {
 		if (Config.values.lockNetwork) {
 			// This check is needed to prevent invalid user configurations
 
-			const allowedNetwork = Object.values(Config.networks).find((network) => {
+			const allowedNetwork = Object.values(Config.getNetworks()).find((network) => {
 				return (this.name === network.name || this.host === network.host);
 			});
 
@@ -261,6 +263,10 @@ class Network {
 			this.port = allowedNetwork.port;
 			this.tls = allowedNetwork.tls;
 			this.rejectUnauthorized = allowedNetwork.rejectUnauthorized;
+
+			if (allowedNetwork.caCert !== undefined) {
+				this.caCert = allowedNetwork.caCert;
+			}
 		}
 
 		if (this.host.length === 0) {
@@ -319,6 +325,7 @@ class Network {
 		this.irc.options.gecos = this.realname;
 		this.irc.options.tls = this.tls;
 		this.irc.options.rejectUnauthorized = this.rejectUnauthorized;
+		this.irc.options.ca_certificate = this.caCert;
 		this.irc.options.webirc = this.createWebIrc(client);
 		this.irc.options.client_certificate = null;
 

server/server.ts

@@ -873,7 +873,7 @@ function getClientConfiguration(data: AuthPerformData): SharedConfiguration | Lo
 		useHexIp: Config.values.useHexIp,
 		prefetch: Config.values.prefetch,
 		fileUploadMaxFileSize: Uploader ? Uploader.getMaxFileSize() : undefined, // TODO can't be undefined?
-		networks: Config.networks
+		networks: Config.getNetworkNames()
 	};
 
 	const defaultsOverride = {
@@ -891,9 +891,17 @@ function getClientConfiguration(data: AuthPerformData): SharedConfiguration | Lo
 
 	if (!Config.values.lockNetwork) {
 		const defaultNetwork = Config.values.networks[Config.values.defaults.name];
+
+		if (defaultNetwork.rejectUnauthorized === undefined) {
+			defaultNetwork.rejectUnauthorized = true;
+		}
+
 		const defaults: ConfigNetDefaults = {
 			..._.clone(Config.values.defaults),
-			..._.clone(defaultNetwork),
+			host: defaultNetwork.host,
+			port: defaultNetwork.port,
+			tls: defaultNetwork.tls,
+			rejectUnauthorized: defaultNetwork.rejectUnauthorized,
 			...defaultsOverride,
 		};
 		const result: SharedConfiguration = {

shared/types/config.ts

@@ -24,7 +24,7 @@ type SharedConfigurationBase = {
 	themes: ConfigTheme[];
 	defaultTheme: string;
 	fileUploadMaxFileSize?: number;
-	networks: {[name: string]: NetworkTemplate};
+	networks: string[];
 };
 
 export type ConfigNetDefaults = {