feat: trustProxy property (#3691)

.changeset/pretty-clouds-help.md

@@ -0,0 +1,9 @@
+---
+'@verdaccio/config': minor
+'@verdaccio/core': minor
+'@verdaccio/types': minor
+'@verdaccio/server': minor
+'@verdaccio/store': minor
+---
+
+feat: trustProxy property

packages/config/src/conf/default.yaml

@@ -106,6 +106,9 @@ server:
   # A regex for the password validation /.{3}$/ (3 characters min)
   # An example to limit to 10 characters minimum
   # passwordValidationRegex: /.{10}$/
+  # Allow `req.ip` to resolve properly when Verdaccio is behind a proxy or load-balancer
+  # See: https://expressjs.com/en/guide/behind-proxies.html
+  # trustProxy: '127.0.0.1'
 
 # https://verdaccio.org/docs/configuration#offline-publish
 # publish:

packages/config/src/conf/docker.yaml

@@ -112,6 +112,9 @@ server:
   # A regex for the password validation /.{3}$/ (3 characters min)
   # An example to limit to 10 characters minimum
   # passwordValidationRegex: /.{10}$/
+  # Allow `req.ip` to resolve properly when Verdaccio is behind a proxy or load-balancer
+  # See: https://expressjs.com/en/guide/behind-proxies.html
+  # trustProxy: '127.0.0.1'
 
 # https://verdaccio.org/docs/configuration#offline-publish
 # publish:

packages/core/core/src/plugin-utils.ts

@@ -170,5 +170,5 @@ export interface IBasicAuth {
 }
 
 export interface ManifestFilter<T> extends Plugin<T> {
-  filterMetadata(packageInfo: Manifest): Promise<Manifest>;
+  filter_metadata(packageInfo: Manifest): Promise<Manifest>;
 }

packages/core/types/package.json

@@ -30,14 +30,14 @@
   "publishConfig": {
     "access": "public"
   },
-  "main": "build/types.d.ts",
+  "main": "src/types.ts",
-  "types": "build/types.d.ts",
+  "types": "src/types.ts",
   "scripts": {
     "clean": "rimraf ./build",
     "test": "pnpm type-check",
     "build:docs": "typedoc --options ./typedoc.json --tsconfig tsconfig.build.json",
     "type-check": "tsc --noEmit -p tsconfig.build.json",
-    "build": "tsc --emitDeclarationOnly -p tsconfig.build.json"
+    "build": "echo 0"
   },
   "devDependencies": {
     "@types/node": "16.18.10",

packages/core/types/src/configuration.ts

@@ -226,6 +226,8 @@ export type ServerSettingsConf = {
    */
   pluginPrefix?: string;
   passwordValidationRegex?: RegExp;
+  // docs on `trustProxy` can be found at: https://expressjs.com/en/guide/behind-proxies.html
+  trustProxy?: string;
 };
 
 /**

packages/core/types/src/manifest.ts

@@ -89,6 +89,12 @@ export interface Tags {
   [key: string]: Version;
 }
 
+export interface PeerDependenciesMeta {
+  [dependencyName: string]: {
+    optional?: boolean;
+  };
+}
+
 export interface Version {
   name: string;
   version: string;
@@ -116,6 +122,7 @@ export interface Version {
   peerDependencies?: Dependencies;
   devDependencies?: Dependencies;
   optionalDependencies?: Dependencies;
+  peerDependenciesMeta?: PeerDependenciesMeta;
   bundleDependencies?: Dependencies;
   keywords?: string | string[];
   nodeVersion?: string;
@@ -127,6 +134,8 @@ export interface Version {
   funding?: { type: string; url: string };
   engines?: Engines;
   hasInstallScript?: boolean;
+  cpu?: string[];
+  os?: string[];
 }
 
 export interface Dependencies {

packages/server/express/src/server.ts

@@ -31,6 +31,9 @@ const defineAPI = async function (config: IConfig, storage: Storage): Promise<an
   // run in production mode by default, just in case
   // it shouldn't make any difference anyway
   app.set('env', process.env.NODE_ENV || 'production');
+  if (config.server?.trustProxy) {
+    app.set('trust proxy', config.server.trustProxy);
+  }
   app.use(cors());
   app.use(rateLimit(config.serverSettings.rateLimit));
 

packages/store/src/storage.ts

@@ -670,8 +670,8 @@ class Storage {
           config: this.config,
           logger: this.logger,
         },
-        (plugin) => {
+        (plugin: pluginUtils.ManifestFilter<Config>) => {
-          return typeof plugin.filterMetadata !== 'undefined';
+          return typeof plugin.filter_metadata !== 'undefined';
         },
         this.config?.serverSettings?.pluginPrefix
       );
@@ -1786,7 +1786,7 @@ class Storage {
       // and return it directly for
       // performance (i.e. need not be pure)
       try {
-        filteredManifest = await filter.filterMetadata(manifest);
+        filteredManifest = await filter.filter_metadata(manifest);
       } catch (err: any) {
         this.logger.error({ err: err.message }, 'filter has failed @{err}');
         filterPluginErrors.push(err);