add scoped packages draft

2025-03-18 02:22:46 -05:00 · 2014-11-16 20:44:46 +03:00 · 2014-11-16 20:44:46 +03:00 · a425c5e2ff
commit a425c5e2ff
parent 972551e838
7 changed files with 37 additions and 5 deletions
--- a/conf/default.yaml
+++ b/conf/default.yaml
@ -22,6 +22,11 @@ uplinks:
    url: https://registry.npmjs.org/

 packages:
+  '@*/*':
+    # scoped packages
+    allow_access: $all
+    allow_publish: $authenticated
+
  '*':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
--- a/lib/index-api.js
+++ b/lib/index-api.js
@ -2,12 +2,14 @@ var Cookies       = require('cookies')
 var express       = require('express')
 var expressJson5  = require('express-json5')
 var Error         = require('http-errors')
+var Path          = require('path')
 var Middleware    = require('./middleware')
 var Utils         = require('./utils')
 var expect_json   = Middleware.expect_json
 var match         = Middleware.match
 var media         = Middleware.media
 var validate_name = Middleware.validate_name
+var validate_pkg  = Middleware.validate_package

 module.exports = function(config, auth, storage) {
  var app = express.Router()
@ -15,7 +17,7 @@ module.exports = function(config, auth, storage) {

  // validate all of these params as a package name
  // this might be too harsh, so ask if it causes trouble
-  app.param('package',  validate_name)
+  app.param('package',  validate_pkg)
  app.param('filename', validate_name)
  app.param('tag',      validate_name)
  app.param('version',  validate_name)
@ -209,7 +211,7 @@ module.exports = function(config, auth, storage) {

      // at this point document is either created or existed before
      var t1 = Object.keys(metadata._attachments)[0]
-      create_tarball(t1, metadata._attachments[t1], function(err) {
+      create_tarball(Path.basename(t1), metadata._attachments[t1], function(err) {
        if (err) return next(err)

        var t2 = Object.keys(metadata.versions)[0]
--- a/lib/index-web.js
+++ b/lib/index-web.js
@ -9,6 +9,7 @@ var Search        = require('./search')
 var Middleware    = require('./middleware')
 var match         = Middleware.match
 var validate_name = Middleware.validate_name
+var validate_pkg  = Middleware.validate_package

 module.exports = function(config, auth, storage) {
  var app = express.Router()
@ -16,7 +17,7 @@ module.exports = function(config, auth, storage) {

  // validate all of these params as a package name
  // this might be too harsh, so ask if it causes trouble
-  app.param('package',  validate_name)
+  app.param('package',  validate_pkg)
  app.param('filename', validate_name)
  app.param('version',  validate_name)
  app.param('anything', match(/.*/))
--- a/lib/local-storage.js
+++ b/lib/local-storage.js
@ -291,8 +291,8 @@ Storage.prototype.change_package = function(name, metadata, revision, callback)
 }

 Storage.prototype.remove_tarball = function(name, filename, revision, callback) {
-  var self = this
  assert(Utils.validate_name(filename))
+  var self = this

  self.update_package(name, function updater(data, cb) {
    if (data._attachments[filename]) {
--- a/lib/middleware.js
+++ b/lib/middleware.js
@ -24,6 +24,17 @@ module.exports.validate_name = function validate_name(req, res, next, value, nam
  }
 }

+module.exports.validate_package = function validate_package(req, res, next, value, name) {
+  if (value.charAt(0) === '-') {
+    // special case in couchdb usually
+    next('route')
+  } else if (utils.validate_package(value)) {
+    next()
+  } else {
+    next( Error[403]('invalid ' + name) )
+  }
+}
+
 module.exports.media = function media(expect) {
  return function(req, res, next) {
    if (req.headers['content-type'] !== expect) {
--- a/lib/utils.js
+++ b/lib/utils.js
@ -3,6 +3,19 @@ var Semver = require('semver')
 var URL    = require('url')
 var Logger = require('./logger')

+module.exports.validate_package = function(name) {
+  name = name.split('/', 2)
+  if (name.length === 1) {
+    // normal package
+    return module.exports.validate_name(name[0])
+  } else {
+    // scoped package
+    return name[0][0] === '@'
+        && module.exports.validate_name(name[0].slice(1))
+        && module.exports.validate_name(name[1])
+  }
+}
+
 // from normalize-package-data/lib/fixer.js
 module.exports.validate_name = function(name) {
  if (typeof(name) !== 'string') return false
--- a/test/functional/index.js
+++ b/test/functional/index.js
@ -41,7 +41,7 @@ describe('Func', function() {
    async.map([server, server2], function(server, cb) {
      server.auth('test', 'test', function(res, body) {
        assert.equal(res.statusCode, 201)
-        assert.notEqual(body.ok.indexOf('"test"'), -1)
+        assert.notEqual(body.ok.indexOf("'test'"), -1)
        cb()
      })
    }, cb)