mirror of
https://github.com/openclaw/openclaw.git
synced 2026-06-03 17:54:04 +00:00
fix(apns): cap direct timeout paths
This commit is contained in:
Peter Steinberger
@@ -1,5 +1,6 @@
|
||||
import type http2 from "node:http2";
|
||||
import { beforeEach, describe, expect, it, vi } from "vitest";
|
||||
import { MAX_TIMER_TIMEOUT_MS } from "../shared/number-coercion.js";
|
||||
import type { HttpConnectTunnelParams } from "./net/http-connect-tunnel.js";
|
||||
import {
|
||||
resetActiveManagedProxyStateForTests,
|
||||
@@ -193,6 +194,21 @@ describe("connectApnsHttp2Session", () => {
|
||||
expect(createConnection?.(new URL("https://api.push.apple.com"), {})).toBe(fakeTlsSocket);
|
||||
});
|
||||
|
||||
it("caps oversized managed proxy timeouts before opening the APNs tunnel", async () => {
|
||||
const registration = registerActiveManagedProxyUrl(new URL("https://proxy.example:8443"), {
|
||||
loopbackMode: "gateway-only",
|
||||
});
|
||||
const { connectApnsHttp2Session } = await import("./push-apns-http2.js");
|
||||
|
||||
await connectApnsHttp2Session({
|
||||
authority: "https://api.push.apple.com",
|
||||
timeoutMs: Number.MAX_SAFE_INTEGER,
|
||||
});
|
||||
stopActiveManagedProxyRegistration(registration);
|
||||
|
||||
expect(lastTunnelCall().timeoutMs).toBe(MAX_TIMER_TIMEOUT_MS);
|
||||
});
|
||||
|
||||
it("ignores ambient proxy env when managed proxy is inactive", async () => {
|
||||
const originalHttpsProxy = process.env["HTTPS_PROXY"];
|
||||
process.env["HTTPS_PROXY"] = "http://ambient.example:8080";
|
||||
@@ -252,6 +268,18 @@ describe("connectApnsHttp2Session", () => {
|
||||
expect(fakeSession.close).toHaveBeenCalledOnce();
|
||||
});
|
||||
|
||||
it("caps oversized explicit proxy probe timeouts", async () => {
|
||||
const { probeApnsHttp2ReachabilityViaProxy } = await import("./push-apns-http2.js");
|
||||
|
||||
await probeApnsHttp2ReachabilityViaProxy({
|
||||
authority: "https://api.sandbox.push.apple.com",
|
||||
proxyUrl: "http://proxy.example:8080",
|
||||
timeoutMs: Number.MAX_SAFE_INTEGER,
|
||||
});
|
||||
|
||||
expect(lastTunnelCall().timeoutMs).toBe(MAX_TIMER_TIMEOUT_MS);
|
||||
});
|
||||
|
||||
it("rejects non-APNs authorities", async () => {
|
||||
const { connectApnsHttp2Session, probeApnsHttp2ReachabilityViaProxy } =
|
||||
await import("./push-apns-http2.js");
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import http2 from "node:http2";
|
||||
import { resolveTimerTimeoutMs } from "../shared/number-coercion.js";
|
||||
import { openHttpConnectTunnel } from "./net/http-connect-tunnel.js";
|
||||
import {
|
||||
getActiveManagedProxyUrl,
|
||||
@@ -17,6 +18,7 @@ const APNS_AUTHORITIES = new Set([
|
||||
type ApnsAuthority = "https://api.push.apple.com" | "https://api.sandbox.push.apple.com";
|
||||
|
||||
export const APNS_HTTP2_CANCEL_CODE = http2.constants.NGHTTP2_CANCEL;
|
||||
const APNS_HTTP2_MIN_TIMEOUT_MS = 1000;
|
||||
|
||||
export type ConnectApnsHttp2SessionParams = {
|
||||
authority: string;
|
||||
@@ -85,6 +87,7 @@ export async function connectApnsHttp2Session(
|
||||
params: ConnectApnsHttp2SessionParams,
|
||||
): Promise<http2.ClientHttp2Session> {
|
||||
const authority = assertApnsAuthority(params.authority);
|
||||
const timeoutMs = resolveApnsHttp2TimeoutMs(params.timeoutMs);
|
||||
const proxyUrl = getActiveManagedProxyUrl();
|
||||
if (!proxyUrl) {
|
||||
return http2.connect(authority);
|
||||
@@ -94,19 +97,24 @@ export async function connectApnsHttp2Session(
|
||||
authority,
|
||||
proxyUrl,
|
||||
proxyTls: getActiveManagedProxyTlsOptions(),
|
||||
timeoutMs: params.timeoutMs,
|
||||
timeoutMs,
|
||||
});
|
||||
}
|
||||
|
||||
function resolveApnsHttp2TimeoutMs(timeoutMs: number): number {
|
||||
return resolveTimerTimeoutMs(timeoutMs, APNS_HTTP2_MIN_TIMEOUT_MS, APNS_HTTP2_MIN_TIMEOUT_MS);
|
||||
}
|
||||
|
||||
export async function probeApnsHttp2ReachabilityViaProxy(
|
||||
params: ProbeApnsHttp2ReachabilityViaProxyParams,
|
||||
): Promise<ProbeApnsHttp2ReachabilityViaProxyResult> {
|
||||
const authority = assertApnsAuthority(params.authority);
|
||||
const timeoutMs = resolveApnsHttp2TimeoutMs(params.timeoutMs);
|
||||
const session = await openProxiedApnsHttp2Session({
|
||||
authority,
|
||||
proxyUrl: new URL(params.proxyUrl),
|
||||
...(params.proxyTls ? { proxyTls: params.proxyTls } : {}),
|
||||
timeoutMs: params.timeoutMs,
|
||||
timeoutMs,
|
||||
});
|
||||
|
||||
try {
|
||||
@@ -116,10 +124,8 @@ export async function probeApnsHttp2ReachabilityViaProxy(
|
||||
let status: number | undefined;
|
||||
let responseHeaders: Record<string, string> = {};
|
||||
const timeout = setTimeout(() => {
|
||||
fail(
|
||||
new Error(`APNs reachability probe timed out after ${Math.trunc(params.timeoutMs)}ms`),
|
||||
);
|
||||
}, Math.trunc(params.timeoutMs));
|
||||
fail(new Error(`APNs reachability probe timed out after ${timeoutMs}ms`));
|
||||
}, timeoutMs);
|
||||
timeout.unref?.();
|
||||
|
||||
const cleanup = () => {
|
||||
|
||||
@@ -3,6 +3,7 @@ import { createServer, type Server as HttpServer } from "node:http";
|
||||
import http2 from "node:http2";
|
||||
import net from "node:net";
|
||||
import { afterEach, describe, expect, it, vi } from "vitest";
|
||||
import { MAX_TIMER_TIMEOUT_MS } from "../shared/number-coercion.js";
|
||||
import { startProxy, stopProxy, type ProxyHandle } from "./net/proxy/proxy-lifecycle.js";
|
||||
import {
|
||||
sendApnsAlert,
|
||||
@@ -531,6 +532,30 @@ describe("push APNs send semantics", () => {
|
||||
});
|
||||
});
|
||||
|
||||
it("caps oversized direct send timeouts", async () => {
|
||||
const { send, registration, auth } = createDirectApnsSendFixture({
|
||||
nodeId: "ios-node-direct-timeout-cap",
|
||||
environment: "sandbox",
|
||||
sendResult: {
|
||||
status: 200,
|
||||
apnsId: "apns-timeout-cap-id",
|
||||
body: "{}",
|
||||
},
|
||||
});
|
||||
|
||||
await sendApnsAlert({
|
||||
registration,
|
||||
nodeId: "ios-node-direct-timeout-cap",
|
||||
title: "Wake",
|
||||
body: "Ping",
|
||||
auth,
|
||||
requestSender: send,
|
||||
timeoutMs: Number.MAX_SAFE_INTEGER,
|
||||
});
|
||||
|
||||
expect(requireSendRequest(send).timeoutMs).toBe(MAX_TIMER_TIMEOUT_MS);
|
||||
});
|
||||
|
||||
it("fails closed before sending when direct registrations carry invalid topics", async () => {
|
||||
const { send, registration, auth } = createDirectApnsSendFixture({
|
||||
nodeId: "ios-node-invalid-topic",
|
||||
|
||||
@@ -2,6 +2,7 @@ import { createHash, createPrivateKey, sign as signJwt } from "node:crypto";
|
||||
import fs from "node:fs/promises";
|
||||
import path from "node:path";
|
||||
import { resolveStateDir } from "../config/paths.js";
|
||||
import { resolveTimerTimeoutMs } from "../shared/number-coercion.js";
|
||||
import {
|
||||
normalizeLowercaseStringOrEmpty,
|
||||
normalizeOptionalString,
|
||||
@@ -766,9 +767,7 @@ async function sendApnsRequest(params: {
|
||||
}
|
||||
|
||||
function resolveApnsTimeoutMs(timeoutMs: number | undefined): number {
|
||||
return typeof timeoutMs === "number" && Number.isFinite(timeoutMs)
|
||||
? Math.max(1000, Math.trunc(timeoutMs))
|
||||
: DEFAULT_APNS_TIMEOUT_MS;
|
||||
return resolveTimerTimeoutMs(timeoutMs, DEFAULT_APNS_TIMEOUT_MS, 1000);
|
||||
}
|
||||
|
||||
function resolveDirectSendContext(params: {
|
||||
|
||||
Reference in New Issue
Block a user