Fixes proxy issue with browser auth

Author: gingi

desktop/src/client/core/aad/auth-provider.ts

@@ -13,6 +13,9 @@ import MSALCachePlugin from "./msal-cache-plugin";
 import { AuthObserver } from "./auth-observer";
 import { shell } from "electron";
 import { AuthLoopbackClient } from "./auth-loopback-client";
+import { ProxyNetworkClient } from "./proxy-network-client";
+
+import "global-agent/bootstrap";
 
 const MSAL_SCOPES = ["user_impersonation"];
 
@@ -245,18 +248,21 @@ export default class AuthProvider {
     private async _createClient(tenantId: string):
         Promise<PublicClientApplication> {
         const proxyUrl = await this._loadProxyUrl();
+        let networkClient;
 
         if (proxyUrl) {
             log.info(`[${tenantId}] Proxying auth endpoints through ` +
                 proxyUrl);
+            process.env.GLOBAL_AGENT_HTTP_PROXY = proxyUrl;
+            networkClient = new ProxyNetworkClient(proxyUrl);
         }
 
         const authority =
             `${this.app.properties.azureEnvironment.aadUrl}${tenantId}/`;
 
         return new PublicClientApplication({
             system: {
-                proxyUrl
+                networkClient
             },
             auth: {
                 clientId: this.config.clientId,

desktop/src/client/core/aad/proxy-network-client.ts

@@ -0,0 +1,55 @@
+import type { INetworkModule, NetworkRequestOptions, NetworkResponse } from "@azure/msal-node";
+import * as HttpsProxyAgent from "https-proxy-agent";
+import fetch from "node-fetch";
+
+/**
+ * Placeholder for msal-node's network module which uses node-fetch to support
+ * HTTP proxy configurations with authorization
+ *
+ * @see https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/6527#issuecomment-2077953882
+ */
+export class ProxyNetworkClient implements INetworkModule {
+    private proxyAgent: HttpsProxyAgent;
+    constructor(proxyUrl: string) {
+        this.proxyAgent = new HttpsProxyAgent(proxyUrl);
+    }
+
+    sendGetRequestAsync<T>(url: string, options?: NetworkRequestOptions): Promise<NetworkResponse<T>> {
+        return this.sendRequestAsync(url, "GET", options);
+    }
+    sendPostRequestAsync<T>(url: string, options?: NetworkRequestOptions): Promise<NetworkResponse<T>> {
+        return this.sendRequestAsync(url, "POST", options);
+    }
+
+    private async sendRequestAsync<T>(
+        url: string,
+        method: "GET" | "POST",
+        options: NetworkRequestOptions = {},
+    ): Promise<NetworkResponse<T>> {
+        try {
+            const requestOptions = {
+                method: method,
+                headers: options.headers,
+                body: method === "POST" ? options.body : undefined,
+                agent: this.proxyAgent,
+            };
+
+            const response = await fetch(url, requestOptions);
+            const data = await response.json() as any;
+
+            const headersObj: Record<string, string> = {};
+            response.headers.forEach((value, key) => {
+                headersObj[key] = value;
+            });
+
+            return {
+                headers: headersObj,
+                body: data,
+                status: response.status,
+            };
+        } catch (err) {
+            console.error("Proxy request error", err);
+            throw err;
+        }
+    }
+}

desktop/src/client/core/batch-explorer-application.ts

@@ -86,6 +86,7 @@ export class BatchExplorerApplication {
         this._setupProcessEvents();
         this._registerFileProtocol();
         await this.proxySettings.init();
+        this._applyProxySettings();
         this.storageBlobAdapter.init();
     }
 
@@ -365,4 +366,45 @@ export class BatchExplorerApplication {
             callback({ cancel: false, requestHeaders: details.requestHeaders });
         });
     }
+
+    private async _trustedDomains(): Promise<string[]> {
+        return [
+            "https://raw.githubusercontent.com",
+            "https://batch.azure.com", // Public data-plane API calls
+            this.properties.azureEnvironment.aadUrl,
+            this.properties.azureEnvironment.arm,
+            this.properties.azureEnvironment.batch,
+            this.properties.azureEnvironment.msGraph,
+            this.properties.azureEnvironment.storageEndpoint
+        ].map(url => {
+            try {
+                // Ensure the URL has a protocol (default to "https://")
+                const normalized = url.startsWith("http") ? url : `https://${url}`;
+                return new URL(normalized).hostname;
+            } catch (error) {
+                console.error(`Invalid URL: ${url}`, error);
+                return null; // Handle invalid URLs gracefully
+            }
+        }).filter(Boolean);
+    }
+
+    private async _applyProxySettings() {
+        const settings = await this.proxySettings.settings;
+
+        const conf = settings.http || settings.https;
+        const proxyUrl = `${conf.protocol}://${conf.host}:${conf.port}`;
+
+        session.defaultSession.setProxy({ proxyRules: proxyUrl });
+        process.env.HTTP_PROXY = proxyUrl;
+
+        const trustedDomains = await this._trustedDomains();
+        session.defaultSession.setCertificateVerifyProc((request, verifyCert) => {
+            if (trustedDomains.some(host => request.hostname.includes(host))) {
+                verifyCert(0); // trust the certificate
+            } else {
+                console.error("Untrusted certificate", request.hostname);
+                verifyCert(-3);
+            }
+        });
+    }
 }