0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2024-12-16 21:56:25 -05:00

docs: add comment about token secret length to v6 migration (#4655)

This commit is contained in:
Marc Bernard 2024-05-26 18:31:05 +02:00 committed by GitHub
parent 007a7bd76c
commit 475759eaa8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -1,14 +1,14 @@
# Migration guide from Verdaccio 5 to Verdaccio 6 # Migration Guide from Verdaccio 5 to Verdaccio 6
Notes regarding breaking changes for next major release. Notes regarding breaking changes for next major release.
> This list might growth over the development. > This list might growth over the course of development.
## Breaking changes ## Breaking Changes
### New node-api interface [#2165](https://github.com/verdaccio/verdaccio/pull/2165) ### New node-api interface [#2165](https://github.com/verdaccio/verdaccio/pull/2165)
If you are using the node-api, the new structure is Promise based and less arguments. If you are using the `node-api`, the new structure is Promise based and less arguments.
```js ```js
import { runServer } from '@verdaccio/node-api'; import { runServer } from '@verdaccio/node-api';
@ -22,7 +22,7 @@ app.listen(4000, (event) => {
}); });
``` ```
### allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917) ### Allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917)
The current implementation of the `htpasswd` module supports multiple hash formats on verify, but only `crypt` on sign in. The current implementation of the `htpasswd` module supports multiple hash formats on verify, but only `crypt` on sign in.
`crypt` is an insecure old format, so to improve the security of the new `verdaccio` release we introduce the support of multiple hash algorithms on sign in step. `crypt` is an insecure old format, so to improve the security of the new `verdaccio` release we introduce the support of multiple hash algorithms on sign in step.
@ -53,21 +53,28 @@ htpasswd:
- The `experiments` configuration is renamed to `flags`. The functionality is exactly the same. - The `experiments` configuration is renamed to `flags`. The functionality is exactly the same.
```js ```yaml
flags: token: false; flags:
token: false;
search: false; search: false;
``` ```
- The `self_path` property from the config file is being removed in favor of `config_file` full path. - The `self_path` property from the config file is being removed in favor of `config_file` full path.
- Refactor `config` module, better types and utilities - Refactor `config` module, better types and utilities
### legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953) ### Legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953)
- Replace signature handler for legacy tokens by removing deprecated crypto.createDecipher by createCipheriv - Replace signature handler for legacy tokens by removing deprecated crypto.createDecipher by createCipheriv
- **The new signature invalidates all previous tokens generated by Verdaccio 5 or previous versions**. - **The new signature invalidates all previous tokens generated by Verdaccio 5 or previous versions**.
- The secret key must have 32 characters long - The secret key must have 32 characters long
> Remediation, update `.verdaccio-db.json` secret field with a secret key with 32 characters. > Remediation, update `.verdaccio-db.json` secret field with a secret key with 32 characters.
### Legacy token secret length
If the migration to v6 include an update to node 22 or higher, be aware that token secrets with a length other than 32 are not
supported anymore. A new secret will be generated. See [docs](https://verdaccio.org/docs/6.x/configuration#legacy-token-signature)
for more details.
#### New environment variables #### New environment variables
Introduce environment variables for legacy tokens. Introduce environment variables for legacy tokens.