This is a series of constraints that allow or restrict access to the local storage based on specific criteria.
The security constraints remain on the shoulders of the plugin being used, by default `verdaccio` uses the [htpasswd plugin](https://github.com/verdaccio/verdaccio-htpasswd). If you use a different plugin the behaviour might be different. The default plugin does not handle `allow_access` and `allow_publish` by itself, it uses an internal fallback in case the plugin is not ready for it.
For more information about permissions visit [the authentification section in the wiki](auth.md).
### Usage {#usage}
```yaml
packages:
# scoped packages
'@scope/*':
access: $all
publish: $all
proxy: server2
'private-*':
access: $all
publish: $all
proxy: uplink1
'**':
# allow all users (including non-authenticated users) to read and
# publish all packages
access: $all
publish: $all
proxy: uplink2
```
if none is specified, the default one remains
```yaml
packages:
'**':
access: $all
publish: $authenticated
```
The list internal groups handled by `verdaccio` are:
All users receive all those set of permissions independently of is anonymous or not plus the groups provided by the plugin, in case of `htpasswd` return the username as a group. For instance, if you are logged as `npmUser` the list of groups will be.
```js
// groups without '$' are going to be deprecated eventually
If you want to protect specific set packages under your group, you need to do something like this. Let's use a `Regex` that covers all prefixed `npmuser-` packages. We recommend using a prefix for your packages, in that way it will be easier to protect them.
```yaml
packages:
'npmuser-*':
access: npmuser
publish: npmuser
```
Restart `verdaccio` and in your console try to install `npmuser-core`.
```bash
$ npm install npmuser-core
npm install npmuser-core
npm ERR! code E403
npm ERR! 403 Forbidden: npmuser-core@latest
npm ERR! A complete log of this run can be found in:
You can change the existing behaviour using a different plugin authentication. `verdaccio` just checks whether the user that tried to access or publish a specific package belongs to the right group.
Please note that if you set the `access` permission of a package to something that requires Verdaccio to check your identity, for example `$authenticated`, npm does not send your access key by default when fetching packages. This means all requests for downloading packages will be rejected as they are made anonymously even if you have logged in. To make npm include you access key with all requests, you should set the [always-auth](https://docs.npmjs.com/cli/v7/using-npm/config#always-auth) npm setting to true on any client machines. This can be accomplished by running:
```bash
$ npm config set always-auth=true
```
#### Set multiple groups {#set-multiple-groups}
Defining multiple access groups is fairly easy, just define them with a white space between them.
You might want to block one or several packages from fetching from remote repositories., but, at the same time, allow others to access different _uplinks_.
Be **aware that the order of your packages definitions is important and always use double wilcard**. Because if you do not include it `verdaccio` will include it for you and the way that your dependencies are resolved will be affected.
#### Use multiple uplinks {#use-multiple-uplinks}
You may assign multiple uplinks for use as a proxy to use in the case of failover, or where there may be other private registries in use.
You can define mutiple `packages` and each of them must have an unique `Regex`. The syntax is based on [minimatch glob expressions](https://github.com/isaacs/minimatch).
> We higlight that we recommend to not use **allow_access**/**allow_publish** and **proxy_access** anymore, those are deprecated and will soon be removed, please use the short version of each of those (**access**/**publish**/**proxy**).
If you want more information about how to use the **storage** property, please refer to this [comment](https://github.com/verdaccio/verdaccio/issues/1383#issuecomment-509933674).