This is an automated email from the ASF dual-hosted git repository.
gkoszyk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iggy.git
The following commit(s) were added to refs/heads/master by this push:
new 5d3b7934f fix(js): use localhost instead of disabling hostname
verification in … (#2913)
5d3b7934f is described below
commit 5d3b7934f645d2e16c1a200d7e878801692b1f47
Author: Atharva Lade <[email protected]>
AuthorDate: Tue Mar 10 13:02:36 2026 -0500
fix(js): use localhost instead of disabling hostname verification in …
(#2913)
## Which issue does this PR close?
Closes #2912
## Rationale
The server certificate SAN is `DNS:localhost`. Disabling hostname
verification (`checkServerIdentity: () => undefined`) bypasses a real
security check. Python and C# TLS tests already connect via `localhost`
for proper verification.
## What changed?
The Node TLS e2e test connected to `127.0.0.1` and disabled hostname
verification to avoid a cert mismatch. Replaced with `host: 'localhost'`
so the TLS handshake validates the certificate properly, consistent with
other SDKs.
---
codecov.yml | 1 +
foreign/node/src/e2e/tls.system.e2e.ts | 11 ++++-------
2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/codecov.yml b/codecov.yml
index ce081754e..6320624d0 100644
--- a/codecov.yml
+++ b/codecov.yml
@@ -86,3 +86,4 @@ ignore:
- "**/test/**"
- "**/build/**"
- "**/target/**"
+ - "**/e2e/**"
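Review bot: The new `**/e2e/**` entry under `ignore:` is not mentioned in the commit message, whose "What changed?" section covers only the Node TLS test, and the glob matches any `e2e` directory in the repository rather than only `foreign/node/src/e2e`. Either state in the message why e2e sources are excluded from coverage, or narrow the pattern to the Node SDK path if that is the only intent.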
diff --git a/foreign/node/src/e2e/tls.system.e2e.ts
b/foreign/node/src/e2e/tls.system.e2e.ts
index d6006ef31..1ec3f0389 100644
--- a/foreign/node/src/e2e/tls.system.e2e.ts
+++ b/foreign/node/src/e2e/tls.system.e2e.ts
@@ -50,20 +50,17 @@ const caCertPath = process.env.E2E_ROOT_CA_CERT
|| resolve(process.cwd(), '../../core/certs/iggy_ca_cert.pem');
const getTlsClient = () => {
- const [host, port] = getIggyAddress();
+ const [, port] = getIggyAddress();
const caCert = readFileSync(caCertPath);
- // The server certificate is issued for 'localhost'. When IGGY_TCP_ADDRESS
uses
- // an IP (e.g. 127.0.0.1), the default TLS hostname check would fail because
- // the cert CN/SAN does not match an IP literal. Providing a custom
- // checkServerIdentity that always succeeds works around this for local
testing.
+ // The server certificate SAN is DNS:localhost, so we connect via 'localhost'
+ // for proper hostname verification (consistent with Python and C# TLS
tests).
return new Client({
transport: 'TLS',
options: {
port,
- host,
+ host: 'localhost',
ca: caCert,
- checkServerIdentity: () => undefined,
},
credentials: { username: 'iggy', password: 'iggy' },
});
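Review bot: With `const [, port] = getIggyAddress();` and `host: 'localhost'`, the host part of the configured address is silently dropped while its port is still used. When the address (the removed comment names `IGGY_TCP_ADDRESS`) points at anything other than the local machine, the test will dial `localhost` on that port and fail or reach a different server with no hint as to why. Consider keeping the host, mapping only loopback literals such as `127.0.0.1` to `localhost`, and throwing a clear error otherwise; at minimum, state in the new comment that the host portion of the address is ignored here.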
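Added example (not part of the commit or the iggy code base): Node's default `tls.checkServerIdentity` applied to a certificate whose only SAN is `DNS:localhost`, next to the always-succeeding override the commit removes. The certificate object, the helper names and the host `broker.example.test` are constructed for illustration.

```javascript
// Added example, not iggy code: default hostname verification vs. the
// always-succeeding override, for a cert whose only SAN is DNS:localhost.
const tls = require('node:tls');

// Constructed certificate object in the shape tls.checkServerIdentity()
// expects (the shape returned by TLSSocket#getPeerCertificate()).
const constructedCert = {
  subject: { CN: 'localhost' },
  subjectaltname: 'DNS:localhost',
};

// Node's default check: returns undefined on a match, an Error on a mismatch.
function defaultCheck(host) {
  return tls.checkServerIdentity(host, constructedCert);
}

// The override removed by the commit: accepts any certificate for any host.
const disabledCheck = () => undefined;

// Run both checks for one host and summarise the outcome.
function compareChecks(host) {
  const err = defaultCheck(host);
  const overridden = disabledCheck(host, constructedCert);
  return {
    host,
    defaultCheck: err ? err.code : 'ok',
    disabledCheck: overridden === undefined ? 'ok' : 'rejected',
  };
}

// 'localhost' matches the DNS SAN. An IP literal is only compared against
// "IP Address" SAN entries, so 127.0.0.1 is rejected by the default check,
// as is an unrelated name. The override reports success for all three.
const results = ['localhost', '127.0.0.1', 'broker.example.test']
  .map(compareChecks);
console.table(results);
```
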