From 4a587825f32f54570bf23d0fd0521e5507e83272 Mon Sep 17 00:00:00 2001 From: "Juan Picado @jotadeveloper" Date: Mon, 24 Jul 2017 07:25:50 +0200 Subject: [PATCH] doc: add recipe to protect your packages --- wiki/recipes/protect-your-dependencies.md | 41 +++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 wiki/recipes/protect-your-dependencies.md diff --git a/wiki/recipes/protect-your-dependencies.md b/wiki/recipes/protect-your-dependencies.md new file mode 100644 index 000000000..a2cb7aa35 --- /dev/null +++ b/wiki/recipes/protect-your-dependencies.md @@ -0,0 +1,41 @@ +# Protecting packages + +`verdaccio` allows you protect publish, to achieve that you will need to set up correctly your [packages acces](packages). + +### Package configuration + +Let's see for instance the following set up. You have a set of dependencies what are prefixed with `my-company-*` and you need to protect them from anonymous or another logged user without right credentials. + +```yaml + 'my-company-*': + access: admin teamA teamB teamC + publish: admin teamA + proxy: npmjs +``` + +With this configuration, basically we allow to groups **admin** and **teamA** to * publish* and **teamA** **teamB** **teamC** *access* to such dependencies. + +### Use case: teamD try to access the dependency + +So, if I am logged as **teamD**. I shouldn't be able to access all dependencies that match with `my-company-*` pattern. + +```bash +➜ npm whoami +teamD +``` +I won't have access to such dependencies and also won't be visible via web for user **teamD**. If I try to access the following will happen. + +```bash +➜ npm install my-company-core +npm ERR! code E403 +npm ERR! 403 Forbidden: webpack-1@latest +``` +or with `yarn` + +```bash +➜ yarn add my-company-core +yarn add v0.24.6 +info No lockfile found. +[1/4] 🔍 Resolving packages... +error An unexpected error occurred: "http://localhost:5555/webpack-1: unregistered users are not allowed to access package my-company-core". +```
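Review bot: In the YAML example, `proxy: npmjs` on the `my-company-*` pattern works against a recipe about protecting private packages, because a name that matches the pattern but is not published locally would be looked up on the npmjs uplink. Consider dropping the `proxy` line from the example, or add a sentence explaining why it is there. The sentence after the block lists only teamA, teamB and teamC for *access*, while the config also grants access to admin. The sample output for `npm install my-company-core` and `yarn add my-company-core` names `webpack-1@latest` and `http://localhost:5555/webpack-1`, which does not match the package being installed, so the output should be regenerated against `my-company-core`. The intro promises protection from anonymous users, but the only use case shown is a logged-in user (teamD); a line on what an unauthenticated client sees would complete it. Minor: "packages acces" should read "packages access", and "allows you protect publish" needs rewording.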