
fix(web): anonymous user handling (#5114)

* fix(web): "??" operator warning

* fix(web): anonymous user handling

* remove duplicate changeset
This commit is contained in:
Marc Bernard 2025-03-02 10:50:56 +01:00 committed by GitHub
parent cd61cd4dab
commit 96fdf89d20
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 65 additions and 11 deletions


@ -0,0 +1,5 @@
---
'@verdaccio/web': patch
---
fix(web): anonymous user handling


@ -3,6 +3,7 @@ import { Router } from 'express';
import _ from 'lodash';
import { Auth } from '@verdaccio/auth';
import { createAnonymousRemoteUser } from '@verdaccio/config';
import { logger } from '@verdaccio/logger';
import { $NextFunctionVer, $RequestExtend, $ResponseExtend } from '@verdaccio/middleware';
import { WebUrls } from '@verdaccio/middleware';
@ -22,23 +23,17 @@ const getOrder = (order = 'asc') => {
const debug = buildDebug('verdaccio:web:api:package');
function addPackageWebApi(storage: Storage, auth: Auth, config: Config): Router {
const isLoginEnabled = config?.web?.login === true ?? true;
const isLoginEnabled = config?.web?.login === true;
const pkgRouter = Router(); /* eslint new-cap: 0 */
// eslint-disable-next-line @typescript-eslint/no-unused-vars
const anonymousRemoteUser: RemoteUser = {
name: undefined,
real_groups: [],
groups: [],
};
const anonymousRemoteUser: RemoteUser = createAnonymousRemoteUser();
debug('initialized package web api');
const checkAllow = (name: string, remoteUser: RemoteUser): Promise<boolean> =>
new Promise((resolve, reject): void => {
debug('is login disabled %o', isLoginEnabled);
// FIXME: this logic does not work, review
// const remoteUserAccess = !isLoginEnabled ? anonymousRemoteUser : remoteUser;
debug('is login enabled: %o', isLoginEnabled);
const remoteUserAccess = !isLoginEnabled ? anonymousRemoteUser : remoteUser;
try {
auth.allow_access({ packageName: name }, remoteUser, (err, allowed): void => {
auth.allow_access({ packageName: name }, remoteUserAccess, (err, allowed): void => {
if (err) {
resolve(false);
}
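Review bot: The new line `const isLoginEnabled = config?.web?.login === true;` keeps the old semantics in which an absent `web.login` counts as disabled, so every request through this router, including one carrying a valid token, is evaluated with the anonymous identity; if the removed `?? true` was meant as "enabled unless explicitly false" (it was dead code because `=== true` never yields a nullish value), the intended form is `config?.web?.login !== false` — worth confirming against the config loader's default for `web.login` before merging. The substituted identity is now whatever `createAnonymousRemoteUser()` builds in `@verdaccio/config` rather than the previous empty-groups object, so the set of packages listed when login is disabled follows that helper's groups; a comment on the `remoteUserAccess` line, `// login disabled: evaluate access as the shared anonymous identity, even for token-bearing requests`, would make the downgrade explicit. The annotation on `const anonymousRemoteUser: RemoteUser = createAnonymousRemoteUser();` is redundant if the helper already returns `RemoteUser`. The `checkAllow` callback continues outside the hunk, and the rendered hunk appears to have dropped one or two (probably blank) lines.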


@ -33,4 +33,58 @@ describe('test web server', () => {
.expect(HTTP_STATUS.OK);
expect(response.body).toEqual([]);
});
test('should allow anonymous user to access package api when login is disabled', async () => {
mockManifest.mockReturnValue(() => ({
staticPath: path.join(__dirname, 'static'),
manifestFiles: {
js: ['runtime.js', 'vendors.js', 'main.js'],
},
manifest: require('./partials/manifest/manifest.json'),
}));
const response = await supertest(await initializeServer('login-disabled.yaml'))
.get('/-/verdaccio/data/packages')
.set('Accept', HEADERS.JSON_CHARSET)
.expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
.expect(HTTP_STATUS.OK);
expect(response.body).toEqual([]);
});
test('should allow authenticated user to access package api', async () => {
mockManifest.mockReturnValue(() => ({
staticPath: path.join(__dirname, 'static'),
manifestFiles: {
js: ['runtime.js', 'vendors.js', 'main.js'],
},
manifest: require('./partials/manifest/manifest.json'),
}));
const api = supertest(await initializeServer('default-test.yaml'));
// First login to get the token
const loginRes = await api
.post('/-/verdaccio/sec/login')
.set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
.send(
JSON.stringify({
username: 'test',
password: 'test',
})
)
.expect(HTTP_STATUS.OK);
expect(loginRes.body.token).toBeDefined();
// Then access the packages API with the token
const response = await api
.get('/-/verdaccio/data/packages')
.set('Accept', HEADERS.JSON_CHARSET)
.set(HEADER_TYPE.AUTHORIZATION, `Bearer ${loginRes.body.token}`)
.expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
.expect(HTTP_STATUS.OK);
expect(response.body).toEqual([]);
});
});
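Review bot: Both new tests assert `expect(response.body).toEqual([]);`, so neither distinguishes the anonymous path from the authenticated one — the second test would pass unchanged if the bearer token were ignored or the identity were downgraded to anonymous. To actually exercise the `remoteUserAccess` change in `addPackageWebApi`, the `default-test.yaml` fixture needs a package whose access is restricted to the `test` user, with the assertion checking that it appears in the token-bearing listing and is absent from the `login-disabled.yaml` one. The `mockManifest.mockReturnValue(...)` setup is repeated verbatim in both tests and in the one above; hoisting it into a `beforeEach` would keep the tests focused on the request under test. The enclosing `describe` block opens outside the hunk.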