fix: empty options no longer disable certificate checks

evanshortiss · evanshortiss · commit 372d387b0ca0 · 2023-07-27T14:42:40.000-07:00
diff --git a/lib/eventsource.js b/lib/eventsource.js
@@ -103,7 +103,7 @@ function EventSource (url, eventSourceInitDict) {
 
     // Legacy: this should be specified as `eventSourceInitDict.https.rejectUnauthorized`,
     // but for now exists as a backwards-compatibility layer
-    options.rejectUnauthorized = !(eventSourceInitDict && !eventSourceInitDict.rejectUnauthorized)
+    options.rejectUnauthorized = !(eventSourceInitDict && typeof eventSourceInitDict.rejectUnauthorized === 'boolean' && !eventSourceInitDict.rejectUnauthorized)
 
     if (eventSourceInitDict && eventSourceInitDict.createConnection !== undefined) {
       options.createConnection = eventSourceInitDict.createConnection
diff --git a/test/eventsource_test.js b/test/eventsource_test.js
@@ -705,6 +705,20 @@ describe('HTTPS Support', function () {
       }
     })
   })
+
+  it('fails to connect to self signed servers when options are provided but options.rejectUnauthorized is not specified', function (done) {
+    createHttpsServer(function (err, server) {
+      if (err) return done(err)
+
+      var es = new EventSource(server.url, {})
+      es.onopen = function () {
+        done(new Error('the socket should not have been opened, since options.rejectUnauthorized was not set to true'))
+      }
+      es.onerror = function () {
+        done()
+      }
+    })
+  })
 })
 
 describe('HTTPS Client Certificate Support', function () {
