verdaccio/packages/plugins/htpasswd/README.md

[![verdaccio (latest)](https://img.shields.io/npm/v/verdaccio-htpasswd/latest.svg)](https://www.npmjs.com/package/verdaccio-htpasswd)
[![Known Vulnerabilities](https://snyk.io/test/github/verdaccio/verdaccio-htpasswd/badge.svg?targetFile=package.json)](https://snyk.io/test/github/verdaccio/verdaccio-htpasswd?targetFile=package.json)
[![CircleCI](https://circleci.com/gh/verdaccio/verdaccio-htpasswd.svg?style=svg)](https://circleci.com/gh/ayusharma/verdaccio-htpasswd) [![codecov](https://codecov.io/gh/ayusharma/verdaccio-htpasswd/branch/master/graph/badge.svg)](https://codecov.io/gh/ayusharma/verdaccio-htpasswd)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd?ref=badge_shield)
[![backers](https://opencollective.com/verdaccio/tiers/backer/badge.svg?label=Backer&color=brightgreen)](https://opencollective.com/verdaccio)
[![discord](https://img.shields.io/discord/388674437219745793.svg)](http://chat.verdaccio.org/)
![MIT](https://img.shields.io/github/license/mashape/apistatus.svg)
[![node](https://img.shields.io/node/v/verdaccio-htpasswd/latest.svg)](https://www.npmjs.com/package/verdaccio-htpasswd)

# Verdaccio Module For User Auth Via Htpasswd

`verdaccio-htpasswd` is a default authentication plugin for the [Verdaccio](https://github.com/verdaccio/verdaccio).

> This plugin is being used as dependency after `v3.0.0-beta.x`. The `v2.x` still contains this plugin built-in.

## Install

As simple as running:

    $ npm install -g verdaccio-htpasswd

## Configure

    auth:
        htpasswd:
            file: ./htpasswd
            # Maximum amount of users allowed to register, defaults to "+infinity".
            # You can set this to -1 to disable registration.
            #max_users: 1000
            # Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
            #algorithm: bcrypt
            # Rounds number for "bcrypt", will be ignored for other algorithms.
            # Setting this value higher will result in password verification taking longer.
            #rounds: 10
            # Log a warning if the password takes more then this duration in milliseconds to verify.
            #slow_verify_ms: 200

### Bcrypt rounds

It is important to note that when using the default `bcrypt` algorithm and setting
the `rounds` configuration value to a higher number then the default of `10`, that
verification of a user password can cause significantly increased CPU usage and
additional latency in processing requests.

If your Verdaccio instance handles a large number of authenticated requests using
username and password for authentication, the `rounds` configuration value may need
to be decreased to prevent excessive CPU usage and request latency.

Also note that setting the `rounds` configuration value to a value that is too small
increases the risk of successful brute force attack. Auth0 has a
[blog article](https://auth0.com/blog/hashing-in-action-understanding-bcrypt)
that provides an overview of how `bcrypt` hashing works and some best practices.

## Logging In

To log in using NPM, run:

```
    npm adduser --registry  https://your.registry.local
```

## Generate htpasswd username/password combination

If you wish to handle access control using htpasswd file, you can generate
username/password combination form
[here](http://www.htaccesstools.com/htpasswd-generator/) and add it to htpasswd
file.

## How does it work?

The htpasswd file contains rows corresponding to a pair of username and password
separated with a colon character. The password is encrypted using the UNIX system's
crypt method and may use MD5 or SHA1.

## Plugin Development in Verdaccio

There are many ways to extend [Verdaccio](https://github.com/verdaccio/verdaccio),
currently it support authentication plugins, middleware plugins (since v2.7.0)
and storage plugins since (v3.x).

#### Useful Links

- [Plugin Development](http://www.verdaccio.org/docs/en/dev-plugins.html)
- [List of Plugins](http://www.verdaccio.org/docs/en/plugins.html)

## License

[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd?ref=badge_large)
feat: relocate core packages (#1906) * chore: clean lint warnings * refactor: move core packages 2020-08-19 13:27:35 -05:00			`[![verdaccio (latest)](https://img.shields.io/npm/v/verdaccio-htpasswd/latest.svg)](https://www.npmjs.com/package/verdaccio-htpasswd)`
			`[![Known Vulnerabilities](https://snyk.io/test/github/verdaccio/verdaccio-htpasswd/badge.svg?targetFile=package.json)](https://snyk.io/test/github/verdaccio/verdaccio-htpasswd?targetFile=package.json)`
			`[![CircleCI](https://circleci.com/gh/verdaccio/verdaccio-htpasswd.svg?style=svg)](https://circleci.com/gh/ayusharma/verdaccio-htpasswd) [![codecov](https://codecov.io/gh/ayusharma/verdaccio-htpasswd/branch/master/graph/badge.svg)](https://codecov.io/gh/ayusharma/verdaccio-htpasswd)`
			`[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd?ref=badge_shield)`
			`[![backers](https://opencollective.com/verdaccio/tiers/backer/badge.svg?label=Backer&color=brightgreen)](https://opencollective.com/verdaccio)`
			`[![discord](https://img.shields.io/discord/388674437219745793.svg)](http://chat.verdaccio.org/)`
			`![MIT](https://img.shields.io/github/license/mashape/apistatus.svg)`
			`[![node](https://img.shields.io/node/v/verdaccio-htpasswd/latest.svg)](https://www.npmjs.com/package/verdaccio-htpasswd)`

			`# Verdaccio Module For User Auth Via Htpasswd`

			`verdaccio-htpasswd` is a default authentication plugin for the [Verdaccio](https://github.com/verdaccio/verdaccio).

			> This plugin is being used as dependency after `v3.0.0-beta.x`. The `v2.x` still contains this plugin built-in.

			`## Install`

			`As simple as running:`

			`$ npm install -g verdaccio-htpasswd`

			`## Configure`

			`auth:`
			`htpasswd:`
			`file: ./htpasswd`
			`# Maximum amount of users allowed to register, defaults to "+infinity".`
			`# You can set this to -1 to disable registration.`
			`#max_users: 1000`
feat: allow other password hashing algorithms (#1917) (#2072) 2021-01-30 17:41:33 -05:00			`# Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".`
			`#algorithm: bcrypt`
			`# Rounds number for "bcrypt", will be ignored for other algorithms.`
fix: refactor htpasswd plugin to use the bcryptjs 'compare' api call instead of 'compareSync' (#3025) feat: add a new configuration value named 'slow_verify_ms' to the htpasswd plugin that when exceeded during password verification will log a warning message chore: update README.md for htpasswd plugin to add additional information about the 'rounds' configuration value and also include the new 'slow_verify_ms' configuration value 2022-03-03 15:57:19 -05:00			`# Setting this value higher will result in password verification taking longer.`
feat: allow other password hashing algorithms (#1917) (#2072) 2021-01-30 17:41:33 -05:00			`#rounds: 10`
fix: refactor htpasswd plugin to use the bcryptjs 'compare' api call instead of 'compareSync' (#3025) feat: add a new configuration value named 'slow_verify_ms' to the htpasswd plugin that when exceeded during password verification will log a warning message chore: update README.md for htpasswd plugin to add additional information about the 'rounds' configuration value and also include the new 'slow_verify_ms' configuration value 2022-03-03 15:57:19 -05:00			`# Log a warning if the password takes more then this duration in milliseconds to verify.`
			`#slow_verify_ms: 200`

			`### Bcrypt rounds`

			It is important to note that when using the default `bcrypt` algorithm and setting
			the `rounds` configuration value to a higher number then the default of `10`, that
			`verification of a user password can cause significantly increased CPU usage and`
			`additional latency in processing requests.`

			`If your Verdaccio instance handles a large number of authenticated requests using`
			username and password for authentication, the `rounds` configuration value may need
			`to be decreased to prevent excessive CPU usage and request latency.`

			Also note that setting the `rounds` configuration value to a value that is too small
			`increases the risk of successful brute force attack. Auth0 has a`
			`[blog article](https://auth0.com/blog/hashing-in-action-understanding-bcrypt)`
			that provides an overview of how `bcrypt` hashing works and some best practices.
feat: relocate core packages (#1906) * chore: clean lint warnings * refactor: move core packages 2020-08-19 13:27:35 -05:00
			`## Logging In`

			`To log in using NPM, run:`

			```
			`npm adduser --registry https://your.registry.local`
			```

			`## Generate htpasswd username/password combination`

build: configure prettier as formatter for json, yaml and markdown (#1930) * build: configure pretter as formatter for most files * chore: reformat code (#1931) * chore: re-format all files * chore: force run quality anaylsis test Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com> Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com> 2020-09-03 14:15:29 -05:00			`If you wish to handle access control using htpasswd file, you can generate`
			`username/password combination form`
feat: relocate core packages (#1906) * chore: clean lint warnings * refactor: move core packages 2020-08-19 13:27:35 -05:00			`[here](http://www.htaccesstools.com/htpasswd-generator/) and add it to htpasswd`
			`file.`

			`## How does it work?`

			`The htpasswd file contains rows corresponding to a pair of username and password`
			`separated with a colon character. The password is encrypted using the UNIX system's`
			`crypt method and may use MD5 or SHA1.`

			`## Plugin Development in Verdaccio`

			`There are many ways to extend [Verdaccio](https://github.com/verdaccio/verdaccio),`
build: configure prettier as formatter for json, yaml and markdown (#1930) * build: configure pretter as formatter for most files * chore: reformat code (#1931) * chore: re-format all files * chore: force run quality anaylsis test Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com> Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com> 2020-09-03 14:15:29 -05:00			`currently it support authentication plugins, middleware plugins (since v2.7.0)`
			`and storage plugins since (v3.x).`

feat: relocate core packages (#1906) * chore: clean lint warnings * refactor: move core packages 2020-08-19 13:27:35 -05:00			`#### Useful Links`
build: configure prettier as formatter for json, yaml and markdown (#1930) * build: configure pretter as formatter for most files * chore: reformat code (#1931) * chore: re-format all files * chore: force run quality anaylsis test Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com> Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com> 2020-09-03 14:15:29 -05:00
feat: relocate core packages (#1906) * chore: clean lint warnings * refactor: move core packages 2020-08-19 13:27:35 -05:00			`- [Plugin Development](http://www.verdaccio.org/docs/en/dev-plugins.html)`
			`- [List of Plugins](http://www.verdaccio.org/docs/en/plugins.html)`

			`## License`
build: configure prettier as formatter for json, yaml and markdown (#1930) * build: configure pretter as formatter for most files * chore: reformat code (#1931) * chore: re-format all files * chore: force run quality anaylsis test Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com> Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com> 2020-09-03 14:15:29 -05:00
feat: relocate core packages (#1906) * chore: clean lint warnings * refactor: move core packages 2020-08-19 13:27:35 -05:00			`[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd?ref=badge_large)`