fix: add missing token auth middleware (#3944)

* fix: add missing token auth middleware

* improve tests

* format

src/api/web/api/package.ts

@@ -69,7 +69,8 @@ function addPackageWebApi(pkgRouter: Router, storage: Storage, auth: Auth, confi
             const pkgCopy = { ...pkg };
             pkgCopy.author = formatAuthor(pkg.author);
             try {
-              if (await checkAllow(pkg.name, req.remote_user)) {
+              const isAllowed = await checkAllow(pkg.name, req.remote_user);
+              if (isAllowed) {
                 if (config.web) {
                   pkgCopy.author.avatar = generateGravatarUrl(
                     pkgCopy.author.email,

src/api/web/index.ts

@@ -30,6 +30,7 @@ export default (config, auth, storage) => {
   const pluginOptions = loadTheme(config) || require('@verdaccio/ui-theme')();
   // eslint-disable-next-line new-cap
   const router = Router();
+  router.use(auth.webUIJWTmiddleware());
   router.use(setSecurityWebHeaders);
   // render web
   // @ts-ignore

src/lib/auth.ts

@@ -299,7 +299,7 @@ class Auth {
       { name: packageName, version: packageVersion },
       getMatchedPackagesSpec(packageName, this.config.packages)
     );
-    debug('allow publish for %o init | plugins: %o', packageName, plugins);
+    debug('allow publish for %o init | plugins: %o', packageName, plugins?.length);
     (function next(): void {
       const plugin = plugins.shift();
 

test/README.md

@@ -76,7 +76,7 @@ const configForTest = configDefault(
         url: `http://${DOMAIN_SERVERS}:${mockServerPort}`,
       },
     },
-    logs: [{ type: 'stdout', format: 'pretty', level: 'trace' }],
+    log: { type: 'stdout', format: 'pretty', level: 'trace' },
   },
   'api.spec.yaml'
 );

test/functional/store/config-1.yaml

@@ -29,7 +29,7 @@ uplinks:
   baduplink:
     url: http://localhost:55666/
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   '@test/*':

test/functional/store/config-2.yaml

@@ -30,7 +30,7 @@ auth:
         name: authtest
         password: blahblah-password
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   '@test/*':

test/functional/store/config-3.yaml

@@ -18,7 +18,7 @@ auth:
         name: test
         password: test
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   'pkg-gh131':

test/unit/modules/access/pkg.access.spec.ts

@@ -36,7 +36,7 @@ describe('api with no limited access configuration', () => {
               url: `http://${DOMAIN_SERVERS}:${mockServerPort}`,
             },
           },
-          logs: [{ type: 'stdout', format: 'pretty', level: 'warn' }],
+          log: { type: 'stdout', format: 'pretty', level: 'warn' },
         },
         'pkg.access.spec.yaml'
       );

test/unit/modules/api/config/distTag.yaml

@@ -13,7 +13,7 @@ publish:
 
 uplinks:
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   '@*/*':

test/unit/modules/api/config/package.yaml

@@ -13,7 +13,7 @@ publish:
 
 uplinks:
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   '@*/*':

test/unit/modules/api/config/ping.yaml

@@ -7,7 +7,7 @@ web:
 
 uplinks:
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   '@*/*':

test/unit/modules/api/config/publish-proxy.yaml

@@ -9,7 +9,7 @@ uplinks:
   npmjs:
     url: https://registry.npmjs.org/
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   '@*/*':

test/unit/modules/api/config/publish.yaml

@@ -10,7 +10,7 @@ publish:
 
 uplinks:
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   '@*/*':

test/unit/modules/api/config/search.yaml

@@ -10,7 +10,7 @@ web:
 
 uplinks:
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   'private-*':

test/unit/modules/api/config/star.yaml

@@ -9,7 +9,7 @@ uplinks:
   npmjs:
     url: https://registry.npmjs.org/
 
-logs: { type: stdout, format: pretty, level: info }
+log: { type: stdout, format: pretty, level: info }
 
 packages:
   '@*/*':

test/unit/modules/api/config/token.jwt.yaml

@@ -20,7 +20,7 @@ packages:
     access: $authenticated
     publish: $authenticated
 
-logs: { type: stdout, format: pretty, level: debug }
+log: { type: stdout, format: pretty, level: debug }
 
 ## enable token for testing
 flags:

test/unit/modules/api/config/token.yaml

@@ -12,7 +12,7 @@ packages:
     access: $authenticated
     publish: $authenticated
 
-logs: { type: stdout, format: pretty, level: debug }
+log: { type: stdout, format: pretty, level: debug }
 
 ## enable token for testing
 flags:

test/unit/modules/api/config/user.jwt.yaml

@@ -34,4 +34,4 @@ middlewares:
   audit:
     enabled: true
 
-logs: { type: stdout, format: pretty, level: info }
+log: { type: stdout, format: pretty, level: info }

test/unit/modules/api/config/user.yaml

@@ -9,7 +9,7 @@ uplinks:
   ver:
     url: https://registry.verdaccio.org
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   '@*/*':

test/unit/modules/api/config/whoami.yaml

@@ -6,7 +6,7 @@ uplinks:
   npmjs:
     url: https://registry.npmjs.org/
 
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 auth:
   htpasswd:

test/unit/modules/api/legacy/api.__c.ts

@@ -92,7 +92,7 @@ describe('endpoint unit test', () => {
               fail_timeout: '1s',
             },
           },
-          logs: [{ type: 'stdout', format: 'pretty', level: 'warn' }],
+          log: { type: 'stdout', format: 'pretty', level: 'warn' },
         },
         'api.spec.yaml'
       );
@@ -1042,7 +1042,7 @@ describe('endpoint unit test', () => {
               url: `http://${DOMAIN_SERVERS}:${mockServerPort}`,
             },
           },
-          logs: [{ type: 'stdout', format: 'pretty', level: 'warn' }],
+          log: { type: 'stdout', format: 'pretty', level: 'warn' },
         },
         'api.spec.yaml'
       );

test/unit/modules/auth/jwt.spec.ts

@@ -49,7 +49,7 @@ describe('endpoint user auth JWT unit test', () => {
               file: './test-jwt-storage/.htpasswd_jwt_auth',
             },
           },
-          logs: [{ type: 'stdout', format: 'pretty', level: 'warn' }],
+          log: { type: 'stdout', format: 'pretty', level: 'warn' },
         },
         'api-jwt/jwt.yaml'
       );

test/unit/modules/bootstrap/config.yaml

@@ -13,7 +13,7 @@ auth:
         name: test
         password: test
 
-logs: { type: stdout, format: pretty, level: warn }
+log: { type: stdout, format: pretty, level: warn }
 
 packages:
   '@*/*':

test/unit/modules/config/partials/logs.yaml

@@ -26,6 +26,7 @@ server:
 middlewares:
   audit:
     enabled: true
+# intended to verify backward compatibility
 logs: { type: stdout, format: pretty, level: http }
 experiments:
   token: false

test/unit/modules/web/api.web.spec.ts

@@ -2,6 +2,8 @@ import path from 'path';
 import rimraf from 'rimraf';
 import request from 'supertest';
 
+import { buildToken } from '@verdaccio/utils';
+
 import endPointAPI from '../../../../src/api';
 import {
   API_ERROR,
@@ -9,13 +11,16 @@ import {
   HEADERS,
   HEADER_TYPE,
   HTTP_STATUS,
+  TOKEN_BEARER,
 } from '../../../../src/lib/constants';
 import { DOMAIN_SERVERS } from '../../../functional/config.functional';
+import { generatePackageMetadata } from '../../../helpers/generatePackageMetadata';
 import { addUser } from '../../__helper/api';
 import { mockServer } from '../../__helper/mock';
 import configDefault from '../../partials/config';
 import forbiddenPlace from '../../partials/forbidden-place';
 import publishMetadata from '../../partials/publish-api';
+import { getNewToken } from '../api/_helper';
 
 require('../../../../src/lib/logger').setup([]);
 
@@ -70,17 +75,28 @@ describe('endpoint web unit test', () => {
         .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
         .send(JSON.stringify(forbiddenPlace))
         .expect(HTTP_STATUS.CREATED);
+      await request(app)
+        .put('/@protected/pk1')
+        .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
+        .send(JSON.stringify(generatePackageMetadata('@protected/pk1')))
+        .expect(HTTP_STATUS.CREATED);
     });
 
     describe('Packages', () => {
-      test('should display all packages', (done) => {
-        request(app)
+      test('should display packages without login', async () => {
+        // this packages is protected at the yaml file
+        const res = await request(app).get('/-/verdaccio/data/packages').expect(HTTP_STATUS.OK);
+        expect(res.body).toHaveLength(1);
+      });
+
+      test('should display all packages logged', async () => {
+        const token = await getNewToken(app, { name: 'jota_token', password: 'secretPass' });
+        // this packages is protected at the yaml file
+        const res = await request(app)
           .get('/-/verdaccio/data/packages')
-          .expect(HTTP_STATUS.OK)
-          .end(function (err, res) {
-            expect(res.body).toHaveLength(1);
-            done();
-          });
+          .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, token))
+          .expect(HTTP_STATUS.OK);
+        expect(res.body).toHaveLength(2);
       });
 
       test.skip('should display scoped readme', (done) => {

test/unit/partials/config-unit-mock-server-test.yaml

@@ -11,8 +11,7 @@ auth:
         name: test
         password: test
 
-logs:
-  - { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 
 packages:
   '@*/*':

test/unit/partials/config/config_access.ts

@@ -18,9 +18,8 @@ const config = {
       proxy: 'npmjs'
     }
   },
-  logs: [
-    {type: 'stdout', format: 'pretty', level: 'fatal'},
-  ],
+  log: {type: 'stdout', format: 'pretty', level: 'fatal'}
+  ,
 };
 
 export default config;

test/unit/partials/config/js/default.js

@@ -12,4 +12,4 @@ module.exports = { storage: './storage_default_storage',
         publish: '$authenticated',
         proxy: 'npmjs' },
      '*': { access: '$all', publish: '$all', proxy: 'npmjs' } },
-  logs: [ { type: 'stdout', format: 'pretty', level: 'warn' } ] };
+  log:  { type: 'stdout', format: 'pretty', level: 'warn' } ] ;

test/unit/partials/config/yaml/api-jwt/jwt.yaml

@@ -32,5 +32,4 @@ packages:
 middlewares:
   audit:
     enabled: true
-logs:
-  - { type: stdout, format: pretty, level: http }
+log: { type: stdout, format: pretty, level: http }

test/unit/partials/config/yaml/api.search.spec.yaml

@@ -28,4 +28,4 @@ packages:
     publish: $all
     unpublish: xxx
     proxy: npmjs
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }

test/unit/partials/config/yaml/api.spec.yaml

@@ -95,4 +95,4 @@ packages:
     publish: $all
     unpublish: xxx
     proxy: npmjs
-logs: { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }

test/unit/partials/config/yaml/api.spec/web-config.yaml

@@ -48,5 +48,4 @@ packages:
     access: $all
     publish: $all
 
-logs:
-  - { type: stdout, format: pretty, level: warns }
+log: { type: stdout, format: pretty, level: warns }

test/unit/partials/config/yaml/api.web.spec.yaml

@@ -8,11 +8,15 @@ uplinks:
   npmjs:
     url: http://localhost:4873/
 packages:
+  '@protected/*':
+    access: jota_token
+    publish: $all
+    proxy: npmjs
   '@*/*':
     access: $all
     publish: $all
     proxy: npmjs
-    unpublish: npmjs
+    unpublish: somethingelse
   'forbidden-place':
     access: nobody
     publish: $all
@@ -21,5 +25,4 @@ packages:
     publish: $all
     unpublish: xxx
     proxy: npmjs
-logs:
-  - { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }

test/unit/partials/config/yaml/default.yaml

@@ -38,5 +38,4 @@ packages:
     access: $all
     publish: $all
     proxy: npmjs
-logs:
-  - { type: stdout, format: pretty, level: warn }
+log: { type: stdout, format: pretty, level: warn }

test/unit/partials/config/yaml/pkg.access.spec.yaml

@@ -9,5 +9,4 @@ packages:
   '**':
     access: $all
     proxy: remote
-logs:
-  - { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }

test/unit/partials/config/yaml/profile/profile.yaml

@@ -26,5 +26,4 @@ packages:
   '**':
     access: $authenticated
     publish: $authenticated
-logs:
-  - { type: stdout, format: pretty, level: http }
+log: { type: stdout, format: pretty, level: http }

test/unit/partials/config/yaml/store.spec.yaml

@@ -17,5 +17,4 @@ packages:
   'npm_test':
     access: $all
     publish: $all
-logs:
-  - { type: stdout, format: pretty, level: warn }
+log: { type: stdout, format: pretty, level: warn }

test/unit/partials/config/yaml/token.spec.yaml

@@ -16,8 +16,7 @@ packages:
   'only-you-can-publish':
     access: $authenticated
     publish: $authenticated
-logs:
-  - { type: stdout, format: pretty, level: trace }
+log: { type: stdout, format: pretty, level: trace }
 experiments:
   ## enable token for testing
   token: true