Server: forbid to make friends with a non https server

server/helpers/utils.js

@@ -6,7 +6,8 @@ const logger = require('./logger')
 
 const utils = {
   cleanForExit,
-  generateRandomString
+  generateRandomString,
+  isTestInstance
 }
 
 function generateRandomString (size, callback) {
@@ -22,6 +23,10 @@ function cleanForExit (webtorrentProcess) {
   process.kill(-webtorrentProcess.pid)
 }
 
+function isTestInstance () {
+  return (process.env.NODE_ENV === 'test')
+}
+
 // ---------------------------------------------------------------------------
 
 module.exports = utils

server/initializers/constants.js

@@ -152,7 +152,7 @@ const REQUEST_ENDPOINTS = {
 
 const REMOTE_SCHEME = {
   HTTP: 'https',
-  WS: 'WS'
+  WS: 'wss'
 }
 
 // Password encryption
@@ -220,6 +220,7 @@ module.exports = {
 
 // ---------------------------------------------------------------------------
 
+// This method exists in utils module but we want to let the constants module independent
 function isTestInstance () {
   return (process.env.NODE_ENV === 'test')
 }

server/middlewares/validators/pods.js

@@ -1,8 +1,10 @@
 'use strict'
 
 const checkErrors = require('./utils').checkErrors
+const constants = require('../../initializers/constants')
 const friends = require('../../lib/friends')
 const logger = require('../../helpers/logger')
+const utils = require('../../helpers/utils')
 
 const validatorsPod = {
   makeFriends,
@@ -10,6 +12,11 @@ const validatorsPod = {
 }
 
 function makeFriends (req, res, next) {
+  // Force https if the administrator wants to make friends
+  if (utils.isTestInstance() === false && constants.CONFIG.WEBSERVER.SCHEME === 'http') {
+    return res.status(400).send('Cannot make friends with a non HTTPS webserver.')
+  }
+
   req.checkBody('hosts', 'Should have an array of unique hosts').isEachUniqueHostValid()
 
   logger.debug('Checking makeFriends parameters', { parameters: req.body })