Exposing peer client certificate within server calls (ie, as a context or metadata) about grpc-node HOT 4 OPEN

gRFC L35 proposes an API to expose this information to the application. PR #508 would have implemented it in the old Node gRPC library, but clearly it was never resolved. The implementation work for grpc-js just never happened.

That gRFC has a relatively restricted API because of constraints that no longer apply, namely needing to handle the intersection of the two libraries. At this point, that proposal could probably be modified to be more expressive in grpc-js in ways that are incompatible with the old library.

from grpc-node.

Thanks for the note. Seems like there is agreement that something should exist. :)

At the risk of sidetracking, but since it wasn't implemented yet: I'd ask whether we there's openness also to reconsider the implementation regarding passing raw cert buffers around. My thought is that for a server under load it wouldn't be ideal to decode the same cert multiple times per call or risk double copies of Buffers if that were to end up happening. Exposing the Http2Session or it's net.Socket | net.TLSSocket directly could allow for further flexibility for the developer to have useful information even on non-TLS connections. My big ask though is simply to have a performant way to get at the data, without being too prescriptive.

WDYT?

from grpc-node.

That's why I meant by modifying the proposal to make the API more expressive. For example, it could contain the full output of tlsSocket.getPeerCertificate, instead of just the raw cert. As I said, that limitation was the result of previous constraints that no longer apply.

from grpc-node.

Hi- I put together some thoughts here: grpc/proposal#440

from grpc-node.