🔱: [acme] sync upgrade with 6 commits [trident-sync]

Bump v5.4.0 Bump dependencies Retry HTTP requests on server errors or when rate limited Forgot to refresh directory timestamp after successful get Add utility method tests
2026-04-24 04:17:25 +08:00 · 2024-07-16 19:24:08 +00:00
parent 86e64af35c
commit e5edfbfa6d
9 changed files with 382 additions and 52 deletions
@@ -3,10 +3,14 @@
 */

 const axios = require('axios');
+const { parseRetryAfterHeader } = require('./util');
+const { log } = require('./logger');
 const pkg = require('./../package.json');

+const { AxiosError } = axios;
+
 /**
- * Instance
+ * Defaults
 */

 const instance = axios.create();
@@ -19,6 +23,9 @@ instance.defaults.acmeSettings = {
    httpChallengePort: 80,
    httpsChallengePort: 443,
    tlsAlpnChallengePort: 443,
+
+    retryMaxAttempts: 5,
+    retryDefaultDelay: 5,
 };

 /**
@@ -30,6 +37,85 @@ instance.defaults.acmeSettings = {

 instance.defaults.adapter = 'http';

+/**
+ * Retry requests on server errors or when rate limited
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-6.6
+ */
+
+function isRetryableError(error) {
+    return (error.code !== 'ECONNABORTED')
+        && (error.code !== 'ERR_NOCK_NO_MATCH')
+        && (!error.response
+            || (error.response.status === 429)
+            || ((error.response.status >= 500) && (error.response.status <= 599)));
+}
+
+/* https://github.com/axios/axios/blob/main/lib/core/settle.js */
+function validateStatus(response) {
+    const validator = response.config.retryValidateStatus;
+
+    if (!response.status || !validator || validator(response.status)) {
+        return response;
+    }
+
+    throw new AxiosError(
+        `Request failed with status code ${response.status}`,
+        (Math.floor(response.status / 100) === 4) ? AxiosError.ERR_BAD_REQUEST : AxiosError.ERR_BAD_RESPONSE,
+        response.config,
+        response.request,
+        response,
+    );
+}
+
+/* Pass all responses through the error interceptor */
+instance.interceptors.request.use((config) => {
+    if (!('retryValidateStatus' in config)) {
+        config.retryValidateStatus = config.validateStatus;
+    }
+
+    config.validateStatus = () => false;
+    return config;
+});
+
+/* Handle request retries if applicable */
+instance.interceptors.response.use(null, async (error) => {
+    const { config, response } = error;
+
+    if (!config) {
+        return Promise.reject(error);
+    }
+
+    /* Pick up errors we want to retry */
+    if (isRetryableError(error)) {
+        const { retryMaxAttempts, retryDefaultDelay } = instance.defaults.acmeSettings;
+        config.retryAttempt = ('retryAttempt' in config) ? (config.retryAttempt + 1) : 1;
+
+        if (config.retryAttempt <= retryMaxAttempts) {
+            const code = response ? `HTTP ${response.status}` : error.code;
+            log(`Caught ${code}, retry attempt ${config.retryAttempt}/${retryMaxAttempts} to URL ${config.url}`);
+
+            /* Attempt to parse Retry-After header, fallback to default delay */
+            let retryAfter = response ? parseRetryAfterHeader(response.headers['retry-after']) : 0;
+
+            if (retryAfter > 0) {
+                log(`Found retry-after response header with value: ${response.headers['retry-after']}, waiting ${retryAfter} seconds`);
+            }
+            else {
+                retryAfter = (retryDefaultDelay * config.retryAttempt);
+                log(`Unable to locate or parse retry-after response header, waiting ${retryAfter} seconds`);
+            }
+
+            /* Wait and retry the request */
+            await new Promise((resolve) => { setTimeout(resolve, (retryAfter * 1000)); });
+            return instance(config);
+        }
+    }
+
+    /* Validate and return response */
+    return validateStatus(response);
+});
+
 /**
 * Export instance
 */
@@ -70,9 +70,11 @@ class HttpClient {
     */

    async getDirectory() {
-        const age = (Math.floor(Date.now() / 1000) - this.directoryTimestamp);
+        const now = Math.floor(Date.now() / 1000);
+        const age = (now - this.directoryTimestamp);

        if (!this.directoryCache || (age > this.directoryMaxAge)) {
+            log(`Refreshing ACME directory, age: ${age}`);
            const resp = await this.request(this.directoryUrl, 'get');

            if (resp.status >= 400) {
@@ -84,6 +86,7 @@ class HttpClient {
            }

            this.directoryCache = resp.data;
+            this.directoryTimestamp = now;
        }

        return this.directoryCache;
@@ -108,7 +111,7 @@ class HttpClient {
     *
     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.2
     *
-     * @returns {Promise<string>} nonce
+     * @returns {Promise<string>} Nonce
     */

    async getNonce() {
@@ -84,9 +84,12 @@ function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}) {
 }

 /**
- * Parse URLs from link header
+ * Parse URLs from Link header
 *
- * @param {string} header Link header contents
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link
+ *
+ * @param {string} header Header contents
 * @param {string} rel Link relation, default: `alternate`
 * @returns {string[]} Array of URLs
 */
@@ -102,6 +105,37 @@ function parseLinkHeader(header, rel = 'alternate') {
    return results.filter((r) => r);
 }

+/**
+ * Parse date or duration from Retry-After header
+ *
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After
+ *
+ * @param {string} header Header contents
+ * @returns {number} Retry duration in seconds
+ */
+
+function parseRetryAfterHeader(header) {
+    const sec = parseInt(header, 10);
+    const date = new Date(header);
+
+    /* Seconds into the future */
+    if (Number.isSafeInteger(sec) && (sec > 0)) {
+        return sec;
+    }
+
+    /* Future date string */
+    if (date instanceof Date && !Number.isNaN(date)) {
+        const now = new Date();
+        const diff = Math.ceil((date.getTime() - now.getTime()) / 1000);
+
+        if (diff > 0) {
+            return diff;
+        }
+    }
+
+    return 0;
+}
+
 /**
 * Find certificate chain with preferred issuer common name
 *  - If issuer is found in multiple chains, the closest to root wins
@@ -161,14 +195,16 @@ function findCertificateChainForIssuer(chains, issuer) {
 function formatResponseError(resp) {
    let result;

-    if (resp.data.error) {
-        result = resp.data.error.detail || resp.data.error;
-    }
-    else {
-        result = resp.data.detail || JSON.stringify(resp.data);
+    if (resp.data) {
+        if (resp.data.error) {
+            result = resp.data.error.detail || resp.data.error;
+        }
+        else {
+            result = resp.data.detail || JSON.stringify(resp.data);
+        }
    }

-    return result.replace(/\n/g, '');
+    return (result || '').replace(/\n/g, '');
 }

 /**
@@ -296,6 +332,7 @@ async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
 module.exports = {
    retry,
    parseLinkHeader,
+    parseRetryAfterHeader,
    findCertificateChainForIssuer,
    formatResponseError,
    getAuthoritativeDnsResolver,