Native fetch client certificate support

[ottob]

What is the problem this feature will solve?

I could not find a way to make a TLS request with a client certificate (mutual tls) with the new native fetch client.

With node-fetch I could use an https.Agent:

 const agent = new https.Agent({
   cert,
   key,
   keepAlive: true,
   timeout: 3 * 1000,
})

But the agent option is not available in the api:
Object literal may only specify known properties, and 'agent' does not exist in type 'RequestInit'

Is there a way of doing that that I am missing?

What is the feature you are proposing to solve the problem?

I read that the new client is based on undici and I found their docs for this here:
https://undici.nodejs.org/#/docs/best-practices/client-certificate

Could the undici Client be exposed from node?

What alternatives have you considered?

No response

[alexwhitman]

You can do it but you have to install undici.

const { Agent } = require('undici');

fetch(url, {
    dispatcher: new Agent({
        connect: {
            cert: cert,
            key: key,
            ca: ca
        }
    })
});

Could the undici Client be exposed from node?

That would useful to not have to install undici separately if it's bundled in the core anyway.

[ottob]

Thanks for the workaround.

That would useful to not have to install undici separately if it's bundled in the core anyway.

Yes, that would be very nice. The point of using the native version is to not have to depend on external libraries.

[ottob]

Will that workaround work? The type definition for fetch in native does not expose dispatcher on RequestInit.

[alexwhitman]

It works, I've got code that uses it against a service requiring mTLS.

[ottob]

It works, I've got code that uses it against a service requiring mTLS.

Strange. Im using "undici": "5.22.1" and cert and key are not available in the Agent options:

Object literal may only specify known properties, and 'cert' does not exist in type 'Options'

Also, are you sure you are using fetch from core and not importing it from undici?

import { fetch, Agent } from 'undici'

[alexwhitman]

My mistake, I typed the example out wrong rather than copying/pasting. The cert, key and ca parameters should be within a connect object. I've updated the earlier example.

[ottob]

I've updated the earlier example.

Thanks, I got it to work now. dispatcher is not defined in the RequestInit type for core fetch. But if I cast it with as any it works.

So if the undici Agent was exposed from core this would work out of the box. Lets hope this will happen.

[ottob]

And there already seems to be an issue for that: #47592

[kchojhu]

Thanks for this post and it worked. Please include this soon to next minor versions of Next.js.