
I have a React application being served by an express web server. Within this app, I need to request a client certificate from a user when they click a "Login" button. This is for authorization using Common Access Cards.

My express server uses the https module with options set to require a client certificate. It prompts the user immediately when visiting the website, but I expected the prompt to only show when visiting/requesting the endpoint /authorize because of this code:

const express = require("express");
const https = require("https");
const path = require("path");

const app = express();

// Serve React app
app.use(express.static(path.join(__dirname, "..", "build")));

// Request client certificate
app.get('/authenticate', (req, res) => {
    const cert = req.connection.getPeerCertificate()
    // ...
});

// opts: the TLS options (key/cert/ca not shown in the post); requestCert: true
// makes the browser prompt at handshake time, i.e. on the first connection
const opts = { requestCert: true /* , key, cert, ca */ };
https.createServer(opts, app).listen(9999)

My "Login" button queries the /authorize endpoint which returns the certificate's information as JSON.

How can I architect this application to maintain current functionality, but only prompt for client certificate after clicking the login button?

Casey
  • My only idea is to host the React application separately from the `express` server (in an S3 bucket), but I don't know if this would work. – Casey Jun 17 '20 at 01:15

1 Answer


The React app I develop on at work has CAC authentication, but I am sitting behind Apache and use it for my SSL connection and cert info. If you have the option for that, you could remove the SSL requirement from express, place Apache in front of your React app, put something like the snippet below in your conf file, and then proxy it back.

<If "%{REQUEST_URI} == '/authenticate' && %{REQUEST_METHOD} == 'POST'">
    SSLVerifyClient require
    SSLVerifyDepth  10

    RequestHeader set SSL_CLIENT_CN "%{SSL_CLIENT_S_DN_CN}s"

    SSLOptions +ExportCertData +StdEnvVars
</If>
Andrew
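The Node side of the setup the answer describes, as an added example that is not code from the question or the answer: when Apache terminates TLS, demands the client certificate only for `POST /authenticate`, and forwards the CN in the `SSL_CLIENT_CN` request header, the Express app must treat that header as trustworthy only when the request actually arrived through the proxy. The middleware below assumes Apache proxies from the loopback address and sets the header exactly as in the `<If>` block above; the function names and the CN sample value are my own, not the project's.

```javascript
// Added example: Express-style middleware that accepts the client-certificate CN
// forwarded by the TLS-terminating proxy, and nothing else.
// Assumptions (not from the original post): Apache runs on the same host and
// reaches Node over loopback; it sets the SSL_CLIENT_CN header as in the answer.

// Peer addresses allowed to act as the TLS-terminating proxy (assumed loopback).
const TRUSTED_PROXIES = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// A forwarded CN must be a single printable value of bounded length.
const CN_PATTERN = /^[\x20-\x7e]{1,128}$/;

// Returns { cn, source } when the CN came from the proxy, or null when it must
// not be trusted (direct connection, header missing, or malformed value).
function cacIdentityFromProxy(req, trustedProxies = TRUSTED_PROXIES) {
  const peer = req.socket && req.socket.remoteAddress;
  if (!peer || !trustedProxies.has(peer)) {
    // Someone reached Node without going through Apache: the header could be forged.
    return null;
  }
  // Node lower-cases incoming header names; Apache keeps the underscore.
  const raw = req.headers && req.headers["ssl_client_cn"];
  if (typeof raw !== "string" || !CN_PATTERN.test(raw)) return null;
  return { cn: raw, source: "proxy-tls" };
}

// Middleware factory: attaches req.cac on success, otherwise answers 401.
function requireCac(trustedProxies = TRUSTED_PROXIES) {
  return function (req, res, next) {
    const identity = cacIdentityFromProxy(req, trustedProxies);
    if (!identity) {
      res.status(401).json({ error: "client certificate required" });
      return;
    }
    req.cac = identity;
    next();
  };
}

// Usage with the route from the question (express itself is not required here):
//   app.post("/authenticate", requireCac(), (req, res) => res.json(req.cac));

module.exports = { cacIdentityFromProxy, requireCac, TRUSTED_PROXIES };
```

One Apache-side detail complements this: `RequestHeader set` inside the `<If>` only runs for the matching request, so a client-supplied `SSL_CLIENT_CN` header on any other request would pass through to Node unchanged. Adding `RequestHeader unset SSL_CLIENT_CN early` outside the `<If>` (my suggestion, not part of the answer's snippet) strips any incoming copy before Apache decides whether to set its own.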