Update httpolyglot to fix unknown-over-TLS bug

This fixes a bug that this update causes. Previously, we depended on
subtle ordering of events to detect whether the last hop of a request
was encrypted or not (i.e. is a tunnelled request HTTPS or HTTP, given a
series of TLS or not hops en route).

This was buggy, and breaks with the latest httpolyglot, where this order
can change for requests without ALPN. Now, we properly set defaults &
reset encrypted status at each tunnel hop instead.

Also fixed an unrelated TS issue that breaks things with the latest Node
types in reuest-utils.

Author: pimterry

package.json

@@ -161,7 +161,7 @@
   "dependencies": {
     "@graphql-tools/schema": "^8.5.0",
     "@graphql-tools/utils": "^8.8.0",
-    "@httptoolkit/httpolyglot": "^3.0.0",
+    "@httptoolkit/httpolyglot": "^3.0.1",
     "@httptoolkit/subscriptions-transport-ws": "^0.11.2",
     "@httptoolkit/util": "^0.1.7",
     "@httptoolkit/websocket-stream": "^6.0.1",

src/server/http-combo-server.ts

@@ -296,9 +296,9 @@ export async function createComboServer(options: ComboServerOptions): Promise<De
     server.on('connection', (socket: net.Socket | http2.ServerHttp2Stream) => {
         socket[SocketTimingInfo] ||= buildSocketTimingInfo();
 
-        // All sockets are initially marked as using unencrypted upstream connections.
-        // If TLS is used, this is upgraded to 'true' by secureConnection below.
-        socket[LastHopEncrypted] = false;
+        // All sockets are initially marked as using unencrypted upstream connections,
+        // if not set elsewhere (TLS) or downgraded by intended hop (CONNECT):
+        socket[LastHopEncrypted] ||= false;
 
         // For actual sockets, set NODELAY to avoid any buffering whilst streaming. This is
         // off by default in Node HTTP, but likely to be enabled soon & is default in curl.
@@ -371,6 +371,7 @@ export async function createComboServer(options: ComboServerOptions): Promise<De
         socket.write('HTTP/' + req.httpVersion + ' 200 OK\r\n\r\n', 'utf-8', () => {
             socket[SocketTimingInfo]!.tunnelSetupTimestamp = now();
             socket[LastTunnelAddress] = connectUrl;
+            socket[LastHopEncrypted] = false; // Will be updated if TLS is added later
             if (req.headers['proxy-authorization']) {
                 socket[SocketMetadata] = getSocketMetadataFromProxyAuth(socket, req.headers['proxy-authorization']);
             }
@@ -394,6 +395,8 @@ export async function createComboServer(options: ComboServerOptions): Promise<De
         res.writeHead(200, {});
 
         inheritSocketDetails(res.socket, res.stream);
+
+        res.stream[LastHopEncrypted] = false; // Will be updated if TLS is added later
         res.stream[LastTunnelAddress] = connectUrl;
         if (req.headers['proxy-authorization']) {
             res.stream[SocketMetadata] = getSocketMetadataFromProxyAuth(res.stream, req.headers['proxy-authorization']);

src/util/request-utils.ts

@@ -98,9 +98,9 @@ export const writeHead = (
 
     if (statusMessage === undefined) {
         // Cast is required as Node H2 types don't know about raw headers:
-        response.writeHead(status, flatHeaders as http.OutgoingHttpHeaders);
+        (response as http.ServerResponse).writeHead(status, flatHeaders);
     } else {
-        response.writeHead(status, statusMessage, flatHeaders as http.OutgoingHttpHeaders);
+        (response as http.ServerResponse).writeHead(status, statusMessage, flatHeaders);
     }
 };