Warn when driver config inconsistent with web page protocol

Encryption can be explicitly turned on or off in the driver config.
Driver can be used on both HTTP and HTTPS web pages. Configured
encryption has to match the security protocol of the web page. Insecure
WebSockets ('ws') have to be used on insecure pages ('http'). Secure
WebSockets ('wss') have to be used on secure pages ('https').
WebSockets might not work in a mixed content environment,
i.e. 'ws' + 'https' or 'wss' + 'http'.

This commit makes driver print a warning when its configuration is
inconsistent with the web page.

Author: lutovich

src/v1/internal/ch-websocket.js

@@ -228,21 +228,23 @@ function asWindowsFriendlyIPv6Address(scheme, parsedUrl) {
  * @return {{scheme: string|null, error: Neo4jError|null}} object containing either scheme or error.
  */
 function determineWebSocketScheme(config, protocolSupplier) {
-  const encrypted = config.encrypted;
+  const encryptionOn = isEncryptionExplicitlyTurnedOn(config);
+  const encryptionOff = isEncryptionExplicitlyTurnedOff(config);
   const trust = config.trust;
+  const secureProtocol = isProtocolSecure(protocolSupplier);
+  verifyEncryptionSettings(encryptionOn, encryptionOff, secureProtocol);
 
-  if (encrypted === false || encrypted === ENCRYPTION_OFF) {
+  if (encryptionOff) {
     // encryption explicitly turned off in the config
     return {scheme: 'ws', error: null};
   }
 
-  const protocol = typeof protocolSupplier === 'function' ? protocolSupplier() : '';
-  if (protocol && protocol.toLowerCase().indexOf('https') >= 0) {
+  if (secureProtocol) {
     // driver is used in a secure https web page, use 'wss'
     return {scheme: 'wss', error: null};
   }
 
-  if (encrypted === true || encrypted === ENCRYPTION_ON) {
+  if (encryptionOn) {
     // encryption explicitly requested in the config
     if (!trust || trust === 'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES') {
       // trust strategy not specified or the only supported strategy is specified
@@ -260,6 +262,45 @@ function determineWebSocketScheme(config, protocolSupplier) {
   return {scheme: 'ws', error: null};
 }
 
+/**
+ * @param {ChannelConfig} config - configuration for the channel.
+ * @return {boolean} <code>true</code> if encryption enabled in the config, <code>false</code> otherwise.
+ */
+function isEncryptionExplicitlyTurnedOn(config) {
+  return config.encrypted === true || config.encrypted === ENCRYPTION_ON;
+}
+
+/**
+ * @param {ChannelConfig} config - configuration for the channel.
+ * @return {boolean} <code>true</code> if encryption disabled in the config, <code>false</code> otherwise.
+ */
+function isEncryptionExplicitlyTurnedOff(config) {
+  return config.encrypted === false || config.encrypted === ENCRYPTION_OFF;
+}
+
+/**
+ * @param {function(): string} protocolSupplier - function that detects protocol of the web page.
+ * @return {boolean} <code>true</code> if protocol returned by the given function is secure, <code>false</code> otherwise.
+ */
+function isProtocolSecure(protocolSupplier) {
+  const protocol = typeof protocolSupplier === 'function' ? protocolSupplier() : '';
+  return protocol && protocol.toLowerCase().indexOf('https') >= 0;
+}
+
+function verifyEncryptionSettings(encryptionOn, encryptionOff, secureProtocol) {
+  if (encryptionOn && !secureProtocol) {
+    // encryption explicitly turned on for a driver used on a HTTP web page
+    console.warn('Neo4j driver is configured to use secure WebSocket on a HTTP web page. ' +
+      'WebSockets might not work in a mixed content environment. ' +
+      'Please consider configuring driver to not use encryption.');
+  } else if (encryptionOff && secureProtocol) {
+    // encryption explicitly turned off for a driver used on a HTTPS web page
+    console.warn('Neo4j driver is configured to use insecure WebSocket on a HTTPS web page. ' +
+      'WebSockets might not work in a mixed content environment. ' +
+      'Please consider configuring driver to use encryption.');
+  }
+}
+
 function detectWebPageProtocol() {
   return window && window.location ? window.location.protocol : null;
 }

test/internal/ch-websocket.test.js

@@ -30,11 +30,16 @@ describe('WebSocketChannel', () => {
 
   let OriginalWebSocket;
   let webSocketChannel;
+  let originalConsoleWarn;
 
   beforeEach(() => {
     if (webSocketChannelAvailable) {
       OriginalWebSocket = WebSocket;
     }
+    originalConsoleWarn = console.warn;
+    console.warn = () => {
+      // mute by default
+    };
   });
 
   afterEach(() => {
@@ -44,6 +49,7 @@ describe('WebSocketChannel', () => {
     if (webSocketChannel) {
       webSocketChannel.close();
     }
+    console.warn = originalConsoleWarn;
   });
 
   it('should fallback to literal IPv6 when SyntaxError is thrown', () => {
@@ -143,6 +149,16 @@ describe('WebSocketChannel', () => {
     expect(channel._error.name).toEqual('Neo4jError');
   });
 
+  it('should generate a warning when encryption turned on for HTTP web page', () => {
+    testWarningInMixedEnvironment(true, 'http');
+    testWarningInMixedEnvironment(ENCRYPTION_ON, 'http');
+  });
+
+  it('should generate a warning when encryption turned off for HTTPS web page', () => {
+    testWarningInMixedEnvironment(false, 'https');
+    testWarningInMixedEnvironment(ENCRYPTION_OFF, 'https');
+  });
+
   function testFallbackToLiteralIPv6(boltAddress, expectedWsAddress) {
     if (!webSocketChannelAvailable) {
       return;
@@ -193,4 +209,32 @@ describe('WebSocketChannel', () => {
     expect(channel._ws.url).toEqual(expectedScheme + '://localhost:8989');
   }
 
+  function testWarningInMixedEnvironment(encrypted, scheme) {
+    if (!webSocketChannelAvailable) {
+      return;
+    }
+
+    // replace real WebSocket with a function that memorizes the url
+    WebSocket = url => {
+      return {
+        url: url,
+        close: () => {
+        }
+      };
+    };
+
+    // replace console.warn with a function that memorizes the message
+    const warnMessages = [];
+    console.warn = message => warnMessages.push(message);
+
+    const url = urlUtil.parseDatabaseUrl('bolt://localhost:8989');
+    const config = new ChannelConfig(url, {encrypted: encrypted}, SERVICE_UNAVAILABLE);
+    const protocolSupplier = () => scheme + ':';
+
+    const channel = new WebSocketChannel(config, protocolSupplier);
+
+    expect(channel).toBeDefined();
+    expect(warnMessages.length).toEqual(1);
+  }
+
 });