mirror of
https://github.com/verdaccio/verdaccio.git
synced 2025-01-13 22:48:31 -05:00
feat: add support for jwt on api (#896)
* feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before 😷 * chore: trace log on auth in case we want more output
This commit is contained in:
parent
26873682b8
commit
a68d247a44
40 changed files with 1102 additions and 289 deletions
5
.gitignore
vendored
5
.gitignore
vendored
|
@ -3,6 +3,10 @@ verdaccio-*.tgz
|
||||||
.DS_Store
|
.DS_Store
|
||||||
build/
|
build/
|
||||||
|
|
||||||
|
### Test
|
||||||
|
|
||||||
|
test/unit/partials/store/test-jwt-storage/*
|
||||||
|
|
||||||
###
|
###
|
||||||
!bin/verdaccio
|
!bin/verdaccio
|
||||||
test-storage*
|
test-storage*
|
||||||
|
@ -10,7 +14,6 @@ access-storage*
|
||||||
.verdaccio_test_env
|
.verdaccio_test_env
|
||||||
node_modules
|
node_modules
|
||||||
package-lock.json
|
package-lock.json
|
||||||
build/
|
|
||||||
npm_test-fails-add-tarball*
|
npm_test-fails-add-tarball*
|
||||||
yarn-error.log
|
yarn-error.log
|
||||||
|
|
||||||
|
|
|
@ -23,6 +23,16 @@ auth:
|
||||||
# You can set this to -1 to disable registration.
|
# You can set this to -1 to disable registration.
|
||||||
#max_users: 1000
|
#max_users: 1000
|
||||||
|
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
jwt:
|
||||||
|
sign:
|
||||||
|
expiresIn: 60d
|
||||||
|
notBefore: 1
|
||||||
|
web:
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d
|
||||||
|
|
||||||
# a list of other known repositories we can talk to
|
# a list of other known repositories we can talk to
|
||||||
uplinks:
|
uplinks:
|
||||||
npmjs:
|
npmjs:
|
||||||
|
|
|
@ -27,6 +27,16 @@ auth:
|
||||||
# You can set this to -1 to disable registration.
|
# You can set this to -1 to disable registration.
|
||||||
#max_users: 1000
|
#max_users: 1000
|
||||||
|
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
jwt:
|
||||||
|
sign:
|
||||||
|
expiresIn: 60d
|
||||||
|
notBefore: 1
|
||||||
|
web:
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d
|
||||||
|
|
||||||
# a list of other known repositories we can talk to
|
# a list of other known repositories we can talk to
|
||||||
uplinks:
|
uplinks:
|
||||||
npmjs:
|
npmjs:
|
||||||
|
|
|
@ -61,6 +61,31 @@ auth:
|
||||||
max_users: 1000
|
max_users: 1000
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Security
|
||||||
|
|
||||||
|
<small>Since: `verdaccio@4.0.0` due [#168](https://github.com/verdaccio/verdaccio/pull/168)</small>
|
||||||
|
|
||||||
|
The security block allows you to customise the token signature. To enable [JWT (json web token)](https://jwt.io/) new signture you need to add the block `jwt` to `api` section, `web` uses by default `jwt`.
|
||||||
|
|
||||||
|
The configuration is separated in two sections, `api` and `web`. To use JWT on `api`, it has to be defined, otherwise will use the legacy token signature (`aes192`). For JWT you might customize the [signature](https://github.com/auth0/node-jsonwebtoken#jwtsignpayload-secretorprivatekey-options-callback) and the token [verification](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback) with your own properties.
|
||||||
|
|
||||||
|
```
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
legacy: true
|
||||||
|
jwt:
|
||||||
|
sign:
|
||||||
|
expiresIn: 29d
|
||||||
|
verify:
|
||||||
|
someProp: [value]
|
||||||
|
web:
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d # 7 days by default
|
||||||
|
verify:
|
||||||
|
someProp: [value]
|
||||||
|
```
|
||||||
|
> We highly recommend move to JWT since legacy signature (`aes192`) is deprecated and will disappear in future versions.
|
||||||
|
|
||||||
### Web UI
|
### Web UI
|
||||||
|
|
||||||
This properties allow you to modify the look and feel of the web UI. For more information about this section read the [web ui page](web.md).
|
This properties allow you to modify the look and feel of the web UI. For more information about this section read the [web ui page](web.md).
|
||||||
|
|
|
@ -79,7 +79,6 @@ uplinks:
|
||||||
|
|
||||||
### You Must know
|
### You Must know
|
||||||
|
|
||||||
* Verdaccio does not use Basic Authentication since version `v2.3.0`. All tokens generated by verdaccio are based on JWT ([JSON Web Token](https://jwt.io/))
|
|
||||||
* Uplinks must be registries compatible with the `npm` endpoints. Eg: *verdaccio*, `sinopia@1.4.0`, *npmjs registry*, *yarn registry*, *JFrog*, *Nexus* and more.
|
* Uplinks must be registries compatible with the `npm` endpoints. Eg: *verdaccio*, `sinopia@1.4.0`, *npmjs registry*, *yarn registry*, *JFrog*, *Nexus* and more.
|
||||||
* Setting `cache` to false will help to save space in your hard drive. This will avoid store `tarballs` but [it will keep metadata in folders](https://github.com/verdaccio/verdaccio/issues/391).
|
* Setting `cache` to false will help to save space in your hard drive. This will avoid store `tarballs` but [it will keep metadata in folders](https://github.com/verdaccio/verdaccio/issues/391).
|
||||||
* Exceed with multiple uplinks might slow down the lookup of your packages due for each request a npm client does, verdaccio does 1 call for each uplink.
|
* Exceed with multiple uplinks might slow down the lookup of your packages due for each request a npm client does, verdaccio does 1 call for each uplink.
|
||||||
|
|
|
@ -32,7 +32,7 @@
|
||||||
"express": "4.16.3",
|
"express": "4.16.3",
|
||||||
"global": "4.3.2",
|
"global": "4.3.2",
|
||||||
"handlebars": "4.0.11",
|
"handlebars": "4.0.11",
|
||||||
"http-errors": "1.6.3",
|
"http-errors": "1.7.0",
|
||||||
"js-base64": "2.4.8",
|
"js-base64": "2.4.8",
|
||||||
"js-string-escape": "1.0.1",
|
"js-string-escape": "1.0.1",
|
||||||
"js-yaml": "3.12.0",
|
"js-yaml": "3.12.0",
|
||||||
|
@ -54,7 +54,7 @@
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@commitlint/cli": "7.0.0",
|
"@commitlint/cli": "7.0.0",
|
||||||
"@commitlint/config-conventional": "7.0.1",
|
"@commitlint/config-conventional": "7.0.1",
|
||||||
"@verdaccio/types": "3.4.2",
|
"@verdaccio/types": "3.7.1",
|
||||||
"babel-cli": "6.26.0",
|
"babel-cli": "6.26.0",
|
||||||
"babel-core": "6.26.3",
|
"babel-core": "6.26.3",
|
||||||
"babel-eslint": "8.2.6",
|
"babel-eslint": "8.2.6",
|
||||||
|
@ -194,7 +194,8 @@
|
||||||
},
|
},
|
||||||
"lint-staged": {
|
"lint-staged": {
|
||||||
"*.yaml": [
|
"*.yaml": [
|
||||||
"prettier --parser yaml --no-config --single-quote --write"
|
"prettier --parser yaml --no-config --single-quote --write",
|
||||||
|
"git add"
|
||||||
],
|
],
|
||||||
"*.js": [
|
"*.js": [
|
||||||
"eslint .",
|
"eslint .",
|
||||||
|
|
|
@ -1,34 +1,40 @@
|
||||||
// @flow
|
// @flow
|
||||||
|
|
||||||
import type {$Response, Router} from 'express';
|
|
||||||
import type {$RequestExtend, $ResponseExtend, $NextFunctionVer, IAuth} from '../../../../types';
|
|
||||||
import {ErrorCode} from '../../../lib/utils';
|
|
||||||
|
|
||||||
import _ from 'lodash';
|
import _ from 'lodash';
|
||||||
import Cookies from 'cookies';
|
import Cookies from 'cookies';
|
||||||
|
|
||||||
export default function(route: Router, auth: IAuth) {
|
import {ErrorCode} from '../../../lib/utils';
|
||||||
|
import {API_MESSAGE, HTTP_STATUS} from '../../../lib/constants';
|
||||||
|
import {createSessionToken, getApiToken, getAuthenticatedMessage} from '../../../lib/auth-utils';
|
||||||
|
|
||||||
|
import type {Config} from '@verdaccio/types';
|
||||||
|
import type {$Response, Router} from 'express';
|
||||||
|
import type {$RequestExtend, $ResponseExtend, $NextFunctionVer, IAuth} from '../../../../types';
|
||||||
|
|
||||||
|
export default function(route: Router, auth: IAuth, config: Config) {
|
||||||
route.get('/-/user/:org_couchdb_user', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
|
route.get('/-/user/:org_couchdb_user', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
|
||||||
res.status(200);
|
res.status(HTTP_STATUS.OK);
|
||||||
next({
|
next({
|
||||||
ok: 'you are authenticated as "' + req.remote_user.name + '"',
|
ok: getAuthenticatedMessage(req.remote_user.name),
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
|
route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', async function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
|
||||||
let token = (req.body.name && req.body.password)
|
const {name, password} = req.body;
|
||||||
? auth.aesEncrypt(new Buffer(req.body.name + ':' + req.body.password)).toString('base64')
|
|
||||||
: undefined;
|
|
||||||
if (_.isNil(req.remote_user.name) === false) {
|
if (_.isNil(req.remote_user.name) === false) {
|
||||||
res.status(201);
|
const token = (name && password) ? await getApiToken(auth, config, req.remote_user, password) : undefined;
|
||||||
|
|
||||||
|
res.status(HTTP_STATUS.CREATED);
|
||||||
|
|
||||||
return next({
|
return next({
|
||||||
ok: 'you are authenticated as \'' + req.remote_user.name + '\'',
|
ok: getAuthenticatedMessage(req.remote_user.name),
|
||||||
token,
|
token,
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
auth.add_user(req.body.name, req.body.password, function(err, user) {
|
auth.add_user(name, password, async function(err, user) {
|
||||||
if (err) {
|
if (err) {
|
||||||
if (err.status >= 400 && err.status < 500) {
|
if (err.status >= HTTP_STATUS.BAD_REQUEST && err.status < HTTP_STATUS.INTERNAL_ERROR) {
|
||||||
// With npm registering is the same as logging in,
|
// With npm registering is the same as logging in,
|
||||||
// and npm accepts only an 409 error.
|
// and npm accepts only an 409 error.
|
||||||
// So, changing status code here.
|
// So, changing status code here.
|
||||||
|
@ -37,20 +43,22 @@ export default function(route: Router, auth: IAuth) {
|
||||||
return next(err);
|
return next(err);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const token = (name && password) ? await getApiToken(auth, config, user, password) : undefined;
|
||||||
|
|
||||||
req.remote_user = user;
|
req.remote_user = user;
|
||||||
res.status(201);
|
res.status(HTTP_STATUS.CREATED);
|
||||||
return next({
|
return next({
|
||||||
ok: 'user \'' + req.body.name + '\' created',
|
ok: `user '${req.body.name }' created`,
|
||||||
token: token,
|
token,
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
route.delete('/-/user/token/*', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
|
route.delete('/-/user/token/*', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
|
||||||
res.status(200);
|
res.status(HTTP_STATUS.OK);
|
||||||
next({
|
next({
|
||||||
ok: 'Logged out',
|
ok: API_MESSAGE.LOGGED_OUT,
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -58,10 +66,8 @@ export default function(route: Router, auth: IAuth) {
|
||||||
// placeholder 'cause npm require to be authenticated to publish
|
// placeholder 'cause npm require to be authenticated to publish
|
||||||
// we do not do any real authentication yet
|
// we do not do any real authentication yet
|
||||||
route.post('/_session', Cookies.express(), function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
|
route.post('/_session', Cookies.express(), function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
|
||||||
res.cookies.set('AuthSession', String(Math.random()), {
|
res.cookies.set('AuthSession', String(Math.random()), createSessionToken());
|
||||||
// npmjs.org sets 10h expire
|
|
||||||
expires: new Date(Date.now() + 10 * 60 * 60 * 1000),
|
|
||||||
});
|
|
||||||
next({
|
next({
|
||||||
ok: true,
|
ok: true,
|
||||||
name: 'somebody',
|
name: 'somebody',
|
||||||
|
|
|
@ -46,7 +46,7 @@ export default function(config: Config, auth: IAuth, storage: IStorageHandler) {
|
||||||
whoami(app);
|
whoami(app);
|
||||||
pkg(app, auth, storage, config);
|
pkg(app, auth, storage, config);
|
||||||
search(app, auth, storage);
|
search(app, auth, storage);
|
||||||
user(app, auth);
|
user(app, auth, config);
|
||||||
distTags(app, auth, storage);
|
distTags(app, auth, storage);
|
||||||
publish(app, auth, storage, config);
|
publish(app, auth, storage, config);
|
||||||
ping(app);
|
ping(app);
|
||||||
|
|
|
@ -12,6 +12,8 @@ import apiEndpoint from './endpoint';
|
||||||
import {ErrorCode} from '../lib/utils';
|
import {ErrorCode} from '../lib/utils';
|
||||||
import {API_ERROR, HTTP_STATUS} from '../lib/constants';
|
import {API_ERROR, HTTP_STATUS} from '../lib/constants';
|
||||||
import AppConfig from '../lib/config';
|
import AppConfig from '../lib/config';
|
||||||
|
import webAPI from './web/api';
|
||||||
|
import web from './web';
|
||||||
|
|
||||||
import type {$Application} from 'express';
|
import type {$Application} from 'express';
|
||||||
import type {
|
import type {
|
||||||
|
@ -74,8 +76,8 @@ const defineAPI = function(config: IConfig, storage: IStorageHandler) {
|
||||||
|
|
||||||
// For WebUI & WebUI API
|
// For WebUI & WebUI API
|
||||||
if (_.get(config, 'web.enable', true)) {
|
if (_.get(config, 'web.enable', true)) {
|
||||||
app.use('/', require('./web')(config, auth, storage));
|
app.use('/', web(config, auth, storage));
|
||||||
app.use('/-/verdaccio/', require('./web/api')(config, auth, storage));
|
app.use('/-/verdaccio/', webAPI(config, auth, storage));
|
||||||
} else {
|
} else {
|
||||||
app.get('/', function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
|
app.get('/', function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
|
||||||
next(ErrorCode.getNotFound(API_ERROR.WEB_DISABLED));
|
next(ErrorCode.getNotFound(API_ERROR.WEB_DISABLED));
|
||||||
|
|
|
@ -16,7 +16,7 @@ const route = Router(); /* eslint new-cap: 0 */
|
||||||
/*
|
/*
|
||||||
This file include all verdaccio only API(Web UI), for npm API please see ../endpoint/
|
This file include all verdaccio only API(Web UI), for npm API please see ../endpoint/
|
||||||
*/
|
*/
|
||||||
module.exports = function(config: Config, auth: IAuth, storage: IStorageHandler) {
|
export default function(config: Config, auth: IAuth, storage: IStorageHandler) {
|
||||||
Search.configureStorage(storage);
|
Search.configureStorage(storage);
|
||||||
|
|
||||||
// validate all of these params as a package name
|
// validate all of these params as a package name
|
||||||
|
@ -43,4 +43,4 @@ module.exports = function(config: Config, auth: IAuth, storage: IStorageHandler)
|
||||||
// We will/may replace current token with JWT in next major release, and it will not expire at all(configurable).
|
// We will/may replace current token with JWT in next major release, and it will not expire at all(configurable).
|
||||||
|
|
||||||
return route;
|
return route;
|
||||||
};
|
}
|
||||||
|
|
|
@ -1,22 +1,29 @@
|
||||||
// @flow
|
// @flow
|
||||||
|
|
||||||
import HTTPError from 'http-errors';
|
import {HTTP_STATUS} from '../../../lib/constants';
|
||||||
import type {Config} from '@verdaccio/types';
|
|
||||||
import type {Router} from 'express';
|
import type {Router} from 'express';
|
||||||
|
import type {Config, RemoteUser, JWTSignOptions} from '@verdaccio/types';
|
||||||
import type {IAuth, $ResponseExtend, $RequestExtend, $NextFunctionVer} from '../../../../types';
|
import type {IAuth, $ResponseExtend, $RequestExtend, $NextFunctionVer} from '../../../../types';
|
||||||
|
import {ErrorCode} from '../../../lib/utils';
|
||||||
|
import {getSecurity} from '../../../lib/auth-utils';
|
||||||
|
|
||||||
function addUserAuthApi(route: Router, auth: IAuth, config: Config) {
|
function addUserAuthApi(route: Router, auth: IAuth, config: Config) {
|
||||||
route.post('/login', function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
|
route.post('/login', function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
|
||||||
auth.authenticate(req.body.username, req.body.password, (err, user) => {
|
const {username, password} = req.body;
|
||||||
if (!err) {
|
|
||||||
|
auth.authenticate(username, password, async (err, user: RemoteUser) => {
|
||||||
|
if (err) {
|
||||||
|
const errorCode = err.message ? HTTP_STATUS.UNAUTHORIZED : HTTP_STATUS.INTERNAL_ERROR;
|
||||||
|
next(ErrorCode.getCode(errorCode, err.message));
|
||||||
|
} else {
|
||||||
req.remote_user = user;
|
req.remote_user = user;
|
||||||
|
const jWTSignOptions: JWTSignOptions = getSecurity(config).web.sign;
|
||||||
|
|
||||||
next({
|
next({
|
||||||
token: auth.issueUIjwt(user, '24h'),
|
token: await auth.jwtEncrypt(user, jWTSignOptions),
|
||||||
username: req.remote_user.name,
|
username: req.remote_user.name,
|
||||||
});
|
});
|
||||||
} else {
|
|
||||||
next(HTTPError[err.message ? 401 : 500](err.message));
|
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
|
@ -3,11 +3,10 @@ import _ from 'lodash';
|
||||||
import fs from 'fs';
|
import fs from 'fs';
|
||||||
import Search from '../../lib/search';
|
import Search from '../../lib/search';
|
||||||
import * as Utils from '../../lib/utils';
|
import * as Utils from '../../lib/utils';
|
||||||
import {WEB_TITLE} from '../../lib/constants';
|
import {HTTP_STATUS, WEB_TITLE} from '../../lib/constants';
|
||||||
|
|
||||||
const {securityIframe} = require('../middleware');
|
const {securityIframe} = require('../middleware');
|
||||||
/* eslint new-cap:off */
|
/* eslint new-cap:off */
|
||||||
const router = express.Router();
|
|
||||||
const env = require('../../config/env');
|
const env = require('../../config/env');
|
||||||
const template = fs.readFileSync(`${env.DIST_PATH}/index.html`).toString();
|
const template = fs.readFileSync(`${env.DIST_PATH}/index.html`).toString();
|
||||||
const spliceURL = require('../../utils/string').spliceURL;
|
const spliceURL = require('../../utils/string').spliceURL;
|
||||||
|
@ -15,6 +14,8 @@ const spliceURL = require('../../utils/string').spliceURL;
|
||||||
module.exports = function(config, auth, storage) {
|
module.exports = function(config, auth, storage) {
|
||||||
Search.configureStorage(storage);
|
Search.configureStorage(storage);
|
||||||
|
|
||||||
|
const router = express.Router();
|
||||||
|
|
||||||
router.use(auth.webUIJWTmiddleware());
|
router.use(auth.webUIJWTmiddleware());
|
||||||
router.use(securityIframe);
|
router.use(securityIframe);
|
||||||
|
|
||||||
|
@ -25,7 +26,7 @@ module.exports = function(config, auth, storage) {
|
||||||
if (!err) {
|
if (!err) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (err.status === 404) {
|
if (err.status === HTTP_STATUS.NOT_FOUND) {
|
||||||
next();
|
next();
|
||||||
} else {
|
} else {
|
||||||
next(err);
|
next(err);
|
||||||
|
|
|
@ -1,9 +1,60 @@
|
||||||
// @flow
|
// @flow
|
||||||
|
import _ from 'lodash';
|
||||||
|
import {convertPayloadToBase64, ErrorCode} from './utils';
|
||||||
|
import {API_ERROR, HTTP_STATUS, ROLES, TIME_EXPIRATION_7D, TOKEN_BASIC, TOKEN_BEARER} from './constants';
|
||||||
|
|
||||||
import {ErrorCode} from './utils';
|
import type {
|
||||||
import {API_ERROR} from './constants';
|
RemoteUser,
|
||||||
|
Package,
|
||||||
|
Callback,
|
||||||
|
Config,
|
||||||
|
Security,
|
||||||
|
APITokenOptions,
|
||||||
|
JWTOptions} from '@verdaccio/types';
|
||||||
|
import type {
|
||||||
|
CookieSessionToken, IAuthWebUI, AuthMiddlewarePayload, AuthTokenHeader, BasicPayload,
|
||||||
|
} from '../../types';
|
||||||
|
import {aesDecrypt, verifyPayload} from './crypto-utils';
|
||||||
|
|
||||||
import type {RemoteUser, Package, Callback} from '@verdaccio/types';
|
|
||||||
|
/**
|
||||||
|
* Create a RemoteUser object
|
||||||
|
* @return {Object} { name: xx, pluginGroups: [], real_groups: [] }
|
||||||
|
*/
|
||||||
|
export function createRemoteUser(name: string, pluginGroups: Array<string>): RemoteUser {
|
||||||
|
const isGroupValid: boolean = _.isArray(pluginGroups);
|
||||||
|
const groups = (isGroupValid ? pluginGroups : []).concat([
|
||||||
|
ROLES.$ALL,
|
||||||
|
ROLES.$AUTH,
|
||||||
|
ROLES.DEPRECATED_ALL,
|
||||||
|
ROLES.DEPRECATED_AUTH,
|
||||||
|
ROLES.ALL]);
|
||||||
|
|
||||||
|
return {
|
||||||
|
name,
|
||||||
|
groups,
|
||||||
|
real_groups: pluginGroups,
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Builds an anonymous remote user in case none is logged in.
|
||||||
|
* @return {Object} { name: xx, groups: [], real_groups: [] }
|
||||||
|
*/
|
||||||
|
export function createAnonymousRemoteUser(): RemoteUser {
|
||||||
|
return {
|
||||||
|
name: undefined,
|
||||||
|
// groups without '$' are going to be deprecated eventually
|
||||||
|
groups: [
|
||||||
|
ROLES.$ALL,
|
||||||
|
ROLES.$ANONYMOUS,
|
||||||
|
ROLES.DEPRECATED_ALL,
|
||||||
|
ROLES.DEPRECATED_ANONUMOUS,
|
||||||
|
],
|
||||||
|
real_groups: [],
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
export function allow_action(action: string) {
|
export function allow_action(action: string) {
|
||||||
return function(user: RemoteUser, pkg: Package, callback: Callback) {
|
return function(user: RemoteUser, pkg: Package, callback: Callback) {
|
||||||
|
@ -36,3 +87,162 @@ export function getDefaultPlugins() {
|
||||||
allow_publish: allow_action('publish'),
|
allow_publish: allow_action('publish'),
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export function createSessionToken(): CookieSessionToken {
|
||||||
|
const tenHoursTime = 10 * 60 * 60 * 1000;
|
||||||
|
|
||||||
|
return {
|
||||||
|
// npmjs.org sets 10h expire
|
||||||
|
expires: new Date(Date.now() + tenHoursTime),
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
const defaultWebTokenOptions: JWTOptions = {
|
||||||
|
sign: {
|
||||||
|
expiresIn: TIME_EXPIRATION_7D,
|
||||||
|
},
|
||||||
|
verify: {},
|
||||||
|
};
|
||||||
|
|
||||||
|
const defaultApiTokenConf: APITokenOptions = {
|
||||||
|
legacy: true,
|
||||||
|
sign: {},
|
||||||
|
};
|
||||||
|
|
||||||
|
export function getSecurity(config: Config): Security {
|
||||||
|
const defaultSecurity: Security = {
|
||||||
|
web: defaultWebTokenOptions,
|
||||||
|
api: defaultApiTokenConf,
|
||||||
|
};
|
||||||
|
|
||||||
|
if (_.isNil(config.security) === false) {
|
||||||
|
return _.merge(defaultSecurity, config.security);
|
||||||
|
}
|
||||||
|
|
||||||
|
return defaultSecurity;
|
||||||
|
}
|
||||||
|
|
||||||
|
export function getAuthenticatedMessage(user: string): string {
|
||||||
|
return `you are authenticated as '${user}'`;
|
||||||
|
}
|
||||||
|
|
||||||
|
export function buildUserBuffer(name: string, password: string) {
|
||||||
|
return Buffer.from(`${name}:${password}`, 'utf8');
|
||||||
|
}
|
||||||
|
|
||||||
|
export function isAESLegacy(security: Security): boolean {
|
||||||
|
const {legacy, jwt} = security.api;
|
||||||
|
|
||||||
|
return _.isNil(legacy) === false &&_.isNil(jwt) && legacy === true;
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function getApiToken(
|
||||||
|
auth: IAuthWebUI,
|
||||||
|
config: Config,
|
||||||
|
remoteUser: RemoteUser,
|
||||||
|
aesPassword: string): Promise<string> {
|
||||||
|
const security: Security = getSecurity(config);
|
||||||
|
|
||||||
|
if (isAESLegacy(security)) {
|
||||||
|
// fallback all goes to AES encryption
|
||||||
|
return await new Promise((resolve) => {
|
||||||
|
resolve(auth.aesEncrypt(buildUserBuffer((remoteUser: any).name, aesPassword)).toString('base64'));
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
// i am wiling to use here _.isNil but flow does not like it yet.
|
||||||
|
const {jwt} = security.api;
|
||||||
|
|
||||||
|
if (typeof jwt !== 'undefined' &&
|
||||||
|
typeof jwt.sign !== 'undefined') {
|
||||||
|
return await auth.jwtEncrypt(remoteUser, jwt.sign);
|
||||||
|
} else {
|
||||||
|
return await new Promise((resolve) => {
|
||||||
|
resolve(auth.aesEncrypt(buildUserBuffer((remoteUser: any).name, aesPassword)).toString('base64'));
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHeader {
|
||||||
|
const parts = authorizationHeader.split(' ');
|
||||||
|
const [scheme, token] = parts;
|
||||||
|
|
||||||
|
return {scheme, token};
|
||||||
|
}
|
||||||
|
|
||||||
|
export function parseBasicPayload(credentials: string): BasicPayload {
|
||||||
|
const index = credentials.indexOf(':');
|
||||||
|
if (index < 0) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const user: string = credentials.slice(0, index);
|
||||||
|
const password: string = credentials.slice(index + 1);
|
||||||
|
|
||||||
|
return {user, password};
|
||||||
|
}
|
||||||
|
|
||||||
|
export function parseAESCredentials(
|
||||||
|
authorizationHeader: string, secret: string) {
|
||||||
|
const {scheme, token} = parseAuthTokenHeader(authorizationHeader);
|
||||||
|
|
||||||
|
// basic is deprecated and should not be enforced
|
||||||
|
if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
|
||||||
|
const credentials = convertPayloadToBase64(token).toString();
|
||||||
|
|
||||||
|
return credentials;
|
||||||
|
} else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
|
||||||
|
const tokenAsBuffer = convertPayloadToBase64(token);
|
||||||
|
const credentials = aesDecrypt(tokenAsBuffer, secret).toString('utf8');
|
||||||
|
|
||||||
|
return credentials;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
export function verifyJWTPayload(token: string, secret: string): RemoteUser {
|
||||||
|
try {
|
||||||
|
const payload: RemoteUser = (verifyPayload(token, secret): RemoteUser);
|
||||||
|
|
||||||
|
return payload;
|
||||||
|
} catch (err) {
|
||||||
|
// #168 this check should be removed as soon AES encrypt is removed.
|
||||||
|
if (err.name === 'JsonWebTokenError') {
|
||||||
|
// it might be possible the jwt configuration is enabled and
|
||||||
|
// old tokens fails still remains in usage, thus
|
||||||
|
// we return an anonymous user to force log in.
|
||||||
|
return createAnonymousRemoteUser();
|
||||||
|
} else {
|
||||||
|
throw ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, err.message);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
export function isAuthHeaderValid(authorization: string): boolean {
|
||||||
|
return authorization.split(' ').length === 2;
|
||||||
|
}
|
||||||
|
|
||||||
|
export function getMiddlewareCredentials(
|
||||||
|
security: Security,
|
||||||
|
secret: string,
|
||||||
|
authorizationHeader: string
|
||||||
|
): AuthMiddlewarePayload {
|
||||||
|
if (isAESLegacy(security)) {
|
||||||
|
const credentials = parseAESCredentials(authorizationHeader, secret);
|
||||||
|
if (!credentials) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const parsedCredentials = parseBasicPayload(credentials);
|
||||||
|
if (!parsedCredentials) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
return parsedCredentials;
|
||||||
|
} else {
|
||||||
|
const {scheme, token} = parseAuthTokenHeader(authorizationHeader);
|
||||||
|
|
||||||
|
if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
|
||||||
|
return verifyJWTPayload(token, secret);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
233
src/lib/auth.js
233
src/lib/auth.js
|
@ -2,19 +2,26 @@
|
||||||
|
|
||||||
import _ from 'lodash';
|
import _ from 'lodash';
|
||||||
|
|
||||||
import {API_ERROR, HTTP_STATUS, ROLES, TOKEN_BASIC, TOKEN_BEARER} from './constants';
|
import {API_ERROR, TOKEN_BASIC, TOKEN_BEARER} from './constants';
|
||||||
import loadPlugin from '../lib/plugin-loader';
|
import loadPlugin from '../lib/plugin-loader';
|
||||||
import {buildBase64Buffer, ErrorCode} from './utils';
|
import {aesEncrypt, signPayload} from './crypto-utils';
|
||||||
import {aesDecrypt, aesEncrypt, signPayload, verifyPayload} from './crypto-utils';
|
import {
|
||||||
import {getDefaultPlugins} from './auth-utils';
|
getDefaultPlugins,
|
||||||
|
getMiddlewareCredentials,
|
||||||
|
verifyJWTPayload,
|
||||||
|
createAnonymousRemoteUser,
|
||||||
|
isAuthHeaderValid,
|
||||||
|
getSecurity,
|
||||||
|
isAESLegacy, parseAuthTokenHeader, parseBasicPayload, createRemoteUser,
|
||||||
|
} from './auth-utils';
|
||||||
|
import {convertPayloadToBase64, ErrorCode} from './utils';
|
||||||
import {getMatchedPackagesSpec} from './config-utils';
|
import {getMatchedPackagesSpec} from './config-utils';
|
||||||
|
|
||||||
import type {Config, Logger, Callback, IPluginAuth, RemoteUser} from '@verdaccio/types';
|
import type {
|
||||||
|
Config, Logger, Callback, IPluginAuth, RemoteUser, JWTSignOptions, Security,
|
||||||
|
} from '@verdaccio/types';
|
||||||
import type {$Response, NextFunction} from 'express';
|
import type {$Response, NextFunction} from 'express';
|
||||||
import type {$RequestExtend, JWTPayload} from '../../types';
|
import type {$RequestExtend, IAuth} from '../../types';
|
||||||
import type {IAuth} from '../../types';
|
|
||||||
|
|
||||||
|
|
||||||
const LoggerApi = require('./logger');
|
const LoggerApi = require('./logger');
|
||||||
|
|
||||||
|
@ -23,7 +30,6 @@ class Auth implements IAuth {
|
||||||
logger: Logger;
|
logger: Logger;
|
||||||
secret: string;
|
secret: string;
|
||||||
plugins: Array<any>;
|
plugins: Array<any>;
|
||||||
static DEFAULT_EXPIRE_WEB_TOKEN: string = '7d';
|
|
||||||
|
|
||||||
constructor(config: Config) {
|
constructor(config: Config) {
|
||||||
this.config = config;
|
this.config = config;
|
||||||
|
@ -50,8 +56,9 @@ class Auth implements IAuth {
|
||||||
this.plugins.push(getDefaultPlugins());
|
this.plugins.push(getDefaultPlugins());
|
||||||
}
|
}
|
||||||
|
|
||||||
authenticate(user: string, password: string, cb: Callback) {
|
authenticate(username: string, password: string, cb: Callback) {
|
||||||
const plugins = this.plugins.slice(0);
|
const plugins = this.plugins.slice(0);
|
||||||
|
const self = this;
|
||||||
(function next() {
|
(function next() {
|
||||||
const plugin = plugins.shift();
|
const plugin = plugins.shift();
|
||||||
|
|
||||||
|
@ -59,7 +66,8 @@ class Auth implements IAuth {
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
|
||||||
plugin.authenticate(user, password, function(err, groups) {
|
self.logger.trace( {username}, 'authenticating @{username}');
|
||||||
|
plugin.authenticate(username, password, function(err, groups) {
|
||||||
if (err) {
|
if (err) {
|
||||||
return cb(err);
|
return cb(err);
|
||||||
}
|
}
|
||||||
|
@ -74,14 +82,14 @@ class Auth implements IAuth {
|
||||||
if (!!groups && groups.length !== 0) {
|
if (!!groups && groups.length !== 0) {
|
||||||
// TODO: create a better understanding of expectations
|
// TODO: create a better understanding of expectations
|
||||||
if (_.isString(groups)) {
|
if (_.isString(groups)) {
|
||||||
throw new TypeError('invalid type for function');
|
throw new TypeError('plugin group error: invalid type for function');
|
||||||
}
|
}
|
||||||
const isGroupValid: boolean = _.isArray(groups);
|
const isGroupValid: boolean = _.isArray(groups);
|
||||||
if (!isGroupValid) {
|
if (!isGroupValid) {
|
||||||
throw new TypeError(API_ERROR.BAD_FORMAT_USER_GROUP);
|
throw new TypeError(API_ERROR.BAD_FORMAT_USER_GROUP);
|
||||||
}
|
}
|
||||||
|
|
||||||
return cb(err, authenticatedUser(user, groups));
|
return cb(err, createRemoteUser(username, groups));
|
||||||
}
|
}
|
||||||
next();
|
next();
|
||||||
});
|
});
|
||||||
|
@ -91,6 +99,7 @@ class Auth implements IAuth {
|
||||||
add_user(user: string, password: string, cb: Callback) {
|
add_user(user: string, password: string, cb: Callback) {
|
||||||
let self = this;
|
let self = this;
|
||||||
let plugins = this.plugins.slice(0);
|
let plugins = this.plugins.slice(0);
|
||||||
|
this.logger.trace( {user}, 'add user @{user}');
|
||||||
|
|
||||||
(function next() {
|
(function next() {
|
||||||
let plugin = plugins.shift();
|
let plugin = plugins.shift();
|
||||||
|
@ -122,6 +131,7 @@ class Auth implements IAuth {
|
||||||
let plugins = this.plugins.slice(0);
|
let plugins = this.plugins.slice(0);
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
let pkg = Object.assign({name: packageName}, getMatchedPackagesSpec(packageName, this.config.packages));
|
let pkg = Object.assign({name: packageName}, getMatchedPackagesSpec(packageName, this.config.packages));
|
||||||
|
this.logger.trace( {packageName}, 'allow access for @{packageName}');
|
||||||
|
|
||||||
(function next() {
|
(function next() {
|
||||||
const plugin = plugins.shift();
|
const plugin = plugins.shift();
|
||||||
|
@ -151,6 +161,7 @@ class Auth implements IAuth {
|
||||||
let plugins = this.plugins.slice(0);
|
let plugins = this.plugins.slice(0);
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
let pkg = Object.assign({name: packageName}, getMatchedPackagesSpec(packageName, this.config.packages));
|
let pkg = Object.assign({name: packageName}, getMatchedPackagesSpec(packageName, this.config.packages));
|
||||||
|
this.logger.trace( {packageName}, 'allow publish for @{packageName}');
|
||||||
|
|
||||||
(function next() {
|
(function next() {
|
||||||
const plugin = plugins.shift();
|
const plugin = plugins.shift();
|
||||||
|
@ -188,62 +199,96 @@ class Auth implements IAuth {
|
||||||
return _next();
|
return _next();
|
||||||
};
|
};
|
||||||
|
|
||||||
if (_.isUndefined(req.remote_user) === false
|
if (this._isRemoteUserMissing(req.remote_user)) {
|
||||||
&& _.isUndefined(req.remote_user.name) === false) {
|
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
req.remote_user = buildAnonymousUser();
|
|
||||||
|
|
||||||
const authorization = req.headers.authorization;
|
// in case auth header does not exist we return anonymous function
|
||||||
|
req.remote_user = createAnonymousRemoteUser();
|
||||||
|
|
||||||
|
const {authorization} = req.headers;
|
||||||
if (_.isNil(authorization)) {
|
if (_.isNil(authorization)) {
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
|
||||||
const parts = authorization.split(' ');
|
if (!isAuthHeaderValid(authorization)) {
|
||||||
if (parts.length !== 2) {
|
this.logger.trace('api middleware auth heather is not valid');
|
||||||
return next( ErrorCode.getBadRequest(API_ERROR.BAD_AUTH_HEADER) );
|
return next( ErrorCode.getBadRequest(API_ERROR.BAD_AUTH_HEADER) );
|
||||||
}
|
}
|
||||||
|
|
||||||
const credentials = this._parseCredentials(parts);
|
const security: Security = getSecurity(this.config);
|
||||||
if (!credentials) {
|
const {secret} = this.config;
|
||||||
return next();
|
|
||||||
|
if (isAESLegacy(security)) {
|
||||||
|
this.logger.trace('api middleware using legacy auth token');
|
||||||
|
this._handleAESMiddleware(req, security, secret, authorization, next);
|
||||||
|
} else {
|
||||||
|
this.logger.trace('api middleware using JWT auth token');
|
||||||
|
this._handleJWTAPIMiddleware(req, security, secret, authorization, next);
|
||||||
}
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
const index = credentials.indexOf(':');
|
_handleJWTAPIMiddleware(
|
||||||
if (index < 0) {
|
req: $RequestExtend,
|
||||||
return next();
|
security: Security,
|
||||||
}
|
secret: string,
|
||||||
|
authorization: string,
|
||||||
const user: string = credentials.slice(0, index);
|
next: Function) {
|
||||||
const pass: string = credentials.slice(index + 1);
|
const {scheme, token} = parseAuthTokenHeader(authorization);
|
||||||
|
if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
|
||||||
this.authenticate(user, pass, function(err, user) {
|
// this should happen when client tries to login with an existing user
|
||||||
|
const credentials = convertPayloadToBase64(token).toString();
|
||||||
|
const {user, password} = (parseBasicPayload(credentials): any);
|
||||||
|
this.authenticate(user, password, (err, user) => {
|
||||||
if (!err) {
|
if (!err) {
|
||||||
req.remote_user = user;
|
req.remote_user = user;
|
||||||
next();
|
next();
|
||||||
} else {
|
} else {
|
||||||
req.remote_user = buildAnonymousUser();
|
req.remote_user = createAnonymousRemoteUser();
|
||||||
next(err);
|
next(err);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
};
|
} else {
|
||||||
|
// jwt handler
|
||||||
|
const credentials: any = getMiddlewareCredentials(security, secret, authorization);
|
||||||
|
if (credentials) {
|
||||||
|
// if the signature is valid we rely on it
|
||||||
|
req.remote_user = credentials;
|
||||||
|
next();
|
||||||
|
} else {
|
||||||
|
// with JWT throw 401
|
||||||
|
next(ErrorCode.getForbidden(API_ERROR.BAD_USERNAME_PASSWORD));
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
_parseCredentials(parts: Array<string>) {
|
_handleAESMiddleware(req: $RequestExtend,
|
||||||
let credentials;
|
security: Security,
|
||||||
const scheme = parts[0];
|
secret: string,
|
||||||
if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
|
authorization: string,
|
||||||
credentials = buildBase64Buffer(parts[1]).toString();
|
next: Function) {
|
||||||
this.logger.info(API_ERROR.DEPRECATED_BASIC_HEADER);
|
const credentials: any = getMiddlewareCredentials(security, secret, authorization);
|
||||||
return credentials;
|
if (credentials) {
|
||||||
} else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
|
const {user, password} = credentials;
|
||||||
const token = buildBase64Buffer(parts[1]);
|
this.authenticate(user, password, (err, user) => {
|
||||||
|
if (!err) {
|
||||||
|
req.remote_user = user;
|
||||||
|
next();
|
||||||
|
} else {
|
||||||
|
req.remote_user = createAnonymousRemoteUser();
|
||||||
|
next(err);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
// we force npm client to ask again with basic authentication
|
||||||
|
return next(ErrorCode.getBadRequest(API_ERROR.BAD_AUTH_HEADER));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
credentials = aesDecrypt(token, this.secret).toString('utf8');
|
_isRemoteUserMissing(remote_user: RemoteUser): boolean {
|
||||||
return credentials;
|
return _.isUndefined(remote_user) === false &&
|
||||||
} else {
|
(_.isUndefined(remote_user.name) === false);
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -251,62 +296,65 @@ class Auth implements IAuth {
|
||||||
*/
|
*/
|
||||||
webUIJWTmiddleware() {
|
webUIJWTmiddleware() {
|
||||||
return (req: $RequestExtend, res: $Response, _next: NextFunction) => {
|
return (req: $RequestExtend, res: $Response, _next: NextFunction) => {
|
||||||
if (_.isNull(req.remote_user) === false && _.isNil(req.remote_user.name) === false) {
|
if (this._isRemoteUserMissing(req.remote_user)) {
|
||||||
return _next();
|
return _next();
|
||||||
}
|
}
|
||||||
|
|
||||||
req.pause();
|
req.pause();
|
||||||
const next = () => {
|
const next = (err) => {
|
||||||
req.resume();
|
req.resume();
|
||||||
|
if (err) {
|
||||||
|
// req.remote_user.error = err.message;
|
||||||
|
res.status(err.statusCode).send(err.message);
|
||||||
|
}
|
||||||
|
|
||||||
return _next();
|
return _next();
|
||||||
};
|
};
|
||||||
|
|
||||||
const token = (req.headers.authorization || '').replace(`${TOKEN_BEARER} `, '');
|
const {authorization} = req.headers;
|
||||||
|
if (_.isNil(authorization)) {
|
||||||
|
return next();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!isAuthHeaderValid(authorization)) {
|
||||||
|
return next( ErrorCode.getBadRequest(API_ERROR.BAD_AUTH_HEADER) );
|
||||||
|
}
|
||||||
|
|
||||||
|
const token = (authorization || '').replace(`${TOKEN_BEARER} `, '');
|
||||||
if (!token) {
|
if (!token) {
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
|
||||||
let decoded;
|
let credentials;
|
||||||
try {
|
try {
|
||||||
decoded = this.decode_token(token);
|
credentials = verifyJWTPayload(token, this.config.secret);
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
// FIXME: intended behaviour, do we want it?
|
// FIXME: intended behaviour, do we want it?
|
||||||
}
|
}
|
||||||
|
|
||||||
if (decoded) {
|
if (credentials) {
|
||||||
req.remote_user = authenticatedUser(decoded.user, decoded.group);
|
const {name, groups} = credentials;
|
||||||
|
// $FlowFixMe
|
||||||
|
req.remote_user = createRemoteUser(name, groups);
|
||||||
} else {
|
} else {
|
||||||
req.remote_user = buildAnonymousUser();
|
req.remote_user = createAnonymousRemoteUser();
|
||||||
}
|
}
|
||||||
|
|
||||||
next();
|
next();
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
issueUIjwt(user: any, expiresIn: string) {
|
async jwtEncrypt(user: RemoteUser, signOptions: JWTSignOptions): string {
|
||||||
const {name, real_groups} = user;
|
const {real_groups} = user;
|
||||||
const payload: JWTPayload = {
|
const payload: RemoteUser = {
|
||||||
user: name,
|
...user,
|
||||||
group: real_groups && real_groups.length ? real_groups : undefined,
|
group: real_groups && real_groups.length ? real_groups : undefined,
|
||||||
};
|
};
|
||||||
|
|
||||||
return signPayload(payload, this.secret, {expiresIn: expiresIn || Auth.DEFAULT_EXPIRE_WEB_TOKEN});
|
const token: string = await signPayload(payload, this.secret, signOptions);
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
// $FlowFixMe
|
||||||
* Decodes the token.
|
return token;
|
||||||
* @param {*} token
|
|
||||||
* @return {Object}
|
|
||||||
*/
|
|
||||||
decode_token(token: string) {
|
|
||||||
let decoded;
|
|
||||||
try {
|
|
||||||
decoded = verifyPayload(token, this.secret);
|
|
||||||
} catch (err) {
|
|
||||||
throw ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, err.message);
|
|
||||||
}
|
|
||||||
|
|
||||||
return decoded;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -317,37 +365,4 @@ class Auth implements IAuth {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Builds an anonymous user in case none is logged in.
|
|
||||||
* @return {Object} { name: xx, groups: [], real_groups: [] }
|
|
||||||
*/
|
|
||||||
function buildAnonymousUser() {
|
|
||||||
return {
|
|
||||||
name: undefined,
|
|
||||||
// groups without '$' are going to be deprecated eventually
|
|
||||||
groups: [ROLES.$ALL, ROLES.$ANONYMOUS, ROLES.DEPRECATED_ALL, ROLES.DEPRECATED_ANONUMOUS],
|
|
||||||
real_groups: [],
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Authenticate an user.
|
|
||||||
* @return {Object} { name: xx, pluginGroups: [], real_groups: [] }
|
|
||||||
*/
|
|
||||||
function authenticatedUser(name: string, pluginGroups: Array<any>) {
|
|
||||||
const isGroupValid: boolean = _.isArray(pluginGroups);
|
|
||||||
const groups = (isGroupValid ? pluginGroups : []).concat([
|
|
||||||
ROLES.$ALL,
|
|
||||||
ROLES.$AUTH,
|
|
||||||
ROLES.DEPRECATED_ALL,
|
|
||||||
ROLES.DEPRECATED_AUTH,
|
|
||||||
ROLES.ALL]);
|
|
||||||
|
|
||||||
return {
|
|
||||||
name,
|
|
||||||
groups,
|
|
||||||
real_groups: pluginGroups,
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
export default Auth;
|
export default Auth;
|
||||||
|
|
|
@ -15,6 +15,7 @@ import {APP_ERROR} from './constants';
|
||||||
import type {
|
import type {
|
||||||
PackageList,
|
PackageList,
|
||||||
Config as AppConfig,
|
Config as AppConfig,
|
||||||
|
Security,
|
||||||
Logger,
|
Logger,
|
||||||
} from '@verdaccio/types';
|
} from '@verdaccio/types';
|
||||||
|
|
||||||
|
@ -38,6 +39,7 @@ class Config implements AppConfig {
|
||||||
self_path: string;
|
self_path: string;
|
||||||
storage: string | void;
|
storage: string | void;
|
||||||
plugins: string | void;
|
plugins: string | void;
|
||||||
|
security: Security;
|
||||||
$key: any;
|
$key: any;
|
||||||
$value: any;
|
$value: any;
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,9 @@
|
||||||
// @flow
|
// @flow
|
||||||
|
|
||||||
export const DEFAULT_PORT = '4873';
|
export const DEFAULT_PORT: string = '4873';
|
||||||
export const DEFAULT_DOMAIN = 'localhost';
|
export const DEFAULT_DOMAIN: string = 'localhost';
|
||||||
|
export const TIME_EXPIRATION_24H: string ='24h';
|
||||||
|
export const TIME_EXPIRATION_7D: string = '7d';
|
||||||
|
|
||||||
export const HEADERS = {
|
export const HEADERS = {
|
||||||
JSON: 'application/json',
|
JSON: 'application/json',
|
||||||
|
@ -63,6 +65,7 @@ export const API_MESSAGE = {
|
||||||
TAG_UPDATED: 'tags updated',
|
TAG_UPDATED: 'tags updated',
|
||||||
TAG_REMOVED: 'tag removed',
|
TAG_REMOVED: 'tag removed',
|
||||||
TAG_ADDED: 'package tagged',
|
TAG_ADDED: 'package tagged',
|
||||||
|
LOGGED_OUT: 'Logged out',
|
||||||
};
|
};
|
||||||
|
|
||||||
export const API_ERROR = {
|
export const API_ERROR = {
|
||||||
|
|
|
@ -1,12 +1,21 @@
|
||||||
// @flow
|
// @flow
|
||||||
|
|
||||||
import {createDecipher, createCipher, createHash, pseudoRandomBytes} from 'crypto';
|
import {
|
||||||
|
createDecipher,
|
||||||
|
createCipher,
|
||||||
|
createHash,
|
||||||
|
pseudoRandomBytes,
|
||||||
|
} from 'crypto';
|
||||||
import jwt from 'jsonwebtoken';
|
import jwt from 'jsonwebtoken';
|
||||||
import type {JWTPayload, JWTSignOptions} from '../../types';
|
|
||||||
|
import type {JWTSignOptions, RemoteUser} from '@verdaccio/types';
|
||||||
|
|
||||||
export const defaultAlgorithm = 'aes192';
|
export const defaultAlgorithm = 'aes192';
|
||||||
|
export const defaultTarballHashAlgorithm = 'sha1';
|
||||||
|
|
||||||
export function aesEncrypt(buf: Buffer, secret: string): Buffer {
|
export function aesEncrypt(buf: Buffer, secret: string): Buffer {
|
||||||
|
// deprecated
|
||||||
|
// https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
|
||||||
const c = createCipher(defaultAlgorithm, secret);
|
const c = createCipher(defaultAlgorithm, secret);
|
||||||
const b1 = c.update(buf);
|
const b1 = c.update(buf);
|
||||||
const b2 = c.final();
|
const b2 = c.final();
|
||||||
|
@ -16,6 +25,8 @@ export function aesEncrypt(buf: Buffer, secret: string): Buffer {
|
||||||
|
|
||||||
export function aesDecrypt(buf: Buffer, secret: string) {
|
export function aesDecrypt(buf: Buffer, secret: string) {
|
||||||
try {
|
try {
|
||||||
|
// deprecated
|
||||||
|
// https://nodejs.org/api/crypto.html#crypto_crypto_createdecipher_algorithm_password_options
|
||||||
const c = createDecipher(defaultAlgorithm, secret);
|
const c = createDecipher(defaultAlgorithm, secret);
|
||||||
const b1 = c.update(buf);
|
const b1 = c.update(buf);
|
||||||
const b2 = c.final();
|
const b2 = c.final();
|
||||||
|
@ -26,7 +37,7 @@ export function aesDecrypt(buf: Buffer, secret: string) {
|
||||||
}
|
}
|
||||||
|
|
||||||
export function createTarballHash() {
|
export function createTarballHash() {
|
||||||
return createHash('sha1');
|
return createHash(defaultTarballHashAlgorithm);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -44,13 +55,18 @@ export function generateRandomHexString(length: number = 8) {
|
||||||
return pseudoRandomBytes(length).toString('hex');
|
return pseudoRandomBytes(length).toString('hex');
|
||||||
}
|
}
|
||||||
|
|
||||||
export function signPayload(payload: JWTPayload, secret: string, options: JWTSignOptions) {
|
export async function signPayload(
|
||||||
return jwt.sign(payload, secret, {
|
payload: RemoteUser,
|
||||||
notBefore: '1000', // Make sure the time will not rollback :)
|
secretOrPrivateKey: string,
|
||||||
...options,
|
options: JWTSignOptions): Promise<string> {
|
||||||
|
return new Promise(function(resolve, reject) {
|
||||||
|
return jwt.sign(payload, secretOrPrivateKey, {
|
||||||
|
notBefore: '1000', // Make sure the time will not rollback :)
|
||||||
|
...options,
|
||||||
|
}, (error, token) => error ? reject(error) : resolve(token));
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
export function verifyPayload(token: string, secret: string) {
|
export function verifyPayload(token: string, secretOrPrivateKey: string) {
|
||||||
return jwt.verify(token, secret);
|
return jwt.verify(token, secretOrPrivateKey);
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,7 +34,7 @@ export function getUserAgent(): string {
|
||||||
return `${pkgName}/${pkgVersion}`;
|
return `${pkgName}/${pkgVersion}`;
|
||||||
}
|
}
|
||||||
|
|
||||||
export function buildBase64Buffer(payload: string): Buffer {
|
export function convertPayloadToBase64(payload: string): Buffer {
|
||||||
return new Buffer(payload, 'base64');
|
return new Buffer(payload, 'base64');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,7 @@ class API {
|
||||||
if (token) {
|
if (token) {
|
||||||
if (!options.headers) options.headers = {};
|
if (!options.headers) options.headers = {};
|
||||||
|
|
||||||
options.headers.authorization = token;
|
options.headers.authorization = `Bearer ${token}`;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!['http://', 'https://', '//'].some((prefix) => url.startsWith(prefix))) {
|
if (!['http://', 'https://', '//'].some((prefix) => url.startsWith(prefix))) {
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
import fs from 'fs';
|
import fs from 'fs';
|
||||||
import path from 'path';
|
import path from 'path';
|
||||||
import assert from 'assert';
|
import assert from 'assert';
|
||||||
import crypto from 'crypto';
|
|
||||||
import {readFile} from '../lib/test.utils';
|
import {readFile} from '../lib/test.utils';
|
||||||
import {HTTP_STATUS} from "../../../src/lib/constants";
|
import {HTTP_STATUS} from "../../../src/lib/constants";
|
||||||
import {TARBALL} from '../config.functional';
|
import {TARBALL} from '../config.functional';
|
||||||
|
import {createTarballHash} from '../../../src/lib/crypto-utils';
|
||||||
|
|
||||||
function getBinary() {
|
function getBinary() {
|
||||||
return readFile('../fixtures/binary');
|
return readFile('../fixtures/binary');
|
||||||
|
@ -35,7 +35,7 @@ export default function (server, server2, server3) {
|
||||||
|
|
||||||
beforeAll(function () {
|
beforeAll(function () {
|
||||||
const pkg = require('../fixtures/package')(PKG_GH131);
|
const pkg = require('../fixtures/package')(PKG_GH131);
|
||||||
pkg.dist.shasum = crypto.createHash('sha1').update(getBinary()).digest('hex');
|
pkg.dist.shasum = createTarballHash().update(getBinary()).digest('hex');
|
||||||
|
|
||||||
return server.putVersion(PKG_GH131, '0.0.1', pkg)
|
return server.putVersion(PKG_GH131, '0.0.1', pkg)
|
||||||
.status(HTTP_STATUS.CREATED)
|
.status(HTTP_STATUS.CREATED)
|
||||||
|
@ -67,7 +67,7 @@ export default function (server, server2, server3) {
|
||||||
|
|
||||||
beforeAll(function () {
|
beforeAll(function () {
|
||||||
const pkg = require('../fixtures/package')(PKG_GH1312);
|
const pkg = require('../fixtures/package')(PKG_GH1312);
|
||||||
pkg.dist.shasum = crypto.createHash('sha1').update(getBinary()).digest('hex');
|
pkg.dist.shasum = createTarballHash().update(getBinary()).digest('hex');
|
||||||
|
|
||||||
return server2.putVersion(PKG_GH1312, '0.0.1', pkg)
|
return server2.putVersion(PKG_GH1312, '0.0.1', pkg)
|
||||||
.status(HTTP_STATUS.CREATED)
|
.status(HTTP_STATUS.CREATED)
|
||||||
|
|
|
@ -116,7 +116,6 @@ function smartRequest(options: any): Promise<any> {
|
||||||
|
|
||||||
// store the response on symbol
|
// store the response on symbol
|
||||||
smartObject[requestData].response = res;
|
smartObject[requestData].response = res;
|
||||||
// console.log("======>smartRequest RESPONSE: ", body);
|
|
||||||
resolve(body);
|
resolve(body);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
|
@ -68,25 +68,14 @@ export default class VerdaccioProcess implements IServerProcess {
|
||||||
this.bridge.auth(CREDENTIALS.user, CREDENTIALS.password)
|
this.bridge.auth(CREDENTIALS.user, CREDENTIALS.password)
|
||||||
.status(HTTP_STATUS.CREATED)
|
.status(HTTP_STATUS.CREATED)
|
||||||
.body_ok(new RegExp(CREDENTIALS.user))
|
.body_ok(new RegExp(CREDENTIALS.user))
|
||||||
.then(() => {
|
.then(() => resolve([this, body.pid]), reject)
|
||||||
resolve([this, body.pid]);
|
|
||||||
}, reject)
|
|
||||||
}, reject);
|
}, reject);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
this.childFork.on('error', (err) => {
|
this.childFork.on('error', (err) => reject([err, this]));
|
||||||
console.log('error process', err);
|
this.childFork.on('disconnect', (err) => reject([err, this]));
|
||||||
reject([err, this]);
|
this.childFork.on('exit', (err) => reject([err, this]));
|
||||||
});
|
|
||||||
|
|
||||||
this.childFork.on('disconnect', (err) => {
|
|
||||||
reject([err, this]);
|
|
||||||
});
|
|
||||||
|
|
||||||
this.childFork.on('exit', (err) => {
|
|
||||||
reject([err, this]);
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
stop(): void {
|
stop(): void {
|
||||||
|
|
5
test/unit/__helper.js
Normal file
5
test/unit/__helper.js
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
import path from 'path';
|
||||||
|
|
||||||
|
export const parseConfigurationFile = (name) => {
|
||||||
|
return path.join(__dirname, `./partials/config/yaml/${name}.yaml`);
|
||||||
|
};
|
32
test/unit/api/__api-helper.js
Normal file
32
test/unit/api/__api-helper.js
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
// @flow
|
||||||
|
|
||||||
|
import {HEADER_TYPE, HEADERS, HTTP_STATUS} from '../../../src/lib/constants';
|
||||||
|
|
||||||
|
export function getPackage(
|
||||||
|
request: any,
|
||||||
|
header: string,
|
||||||
|
pkg: string,
|
||||||
|
statusCode: number = HTTP_STATUS.OK) {
|
||||||
|
return new Promise((resolve) => {
|
||||||
|
request.get(`/${pkg}`)
|
||||||
|
.set('authorization', header)
|
||||||
|
.expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
|
||||||
|
.expect(statusCode)
|
||||||
|
.end(function(err, res) {
|
||||||
|
resolve([err, res]);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
export function addUser(request: any, user: string, credentials: any,
|
||||||
|
statusCode: number = HTTP_STATUS.CREATED) {
|
||||||
|
return new Promise((resolve, reject) => {
|
||||||
|
request.put(`/-/user/org.couchdb.user:${user}`)
|
||||||
|
.send(credentials)
|
||||||
|
.expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
|
||||||
|
.expect(statusCode)
|
||||||
|
.end(function(err, res) {
|
||||||
|
return resolve([err, res]);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
115
test/unit/api/api.jwt.spec.js
Normal file
115
test/unit/api/api.jwt.spec.js
Normal file
|
@ -0,0 +1,115 @@
|
||||||
|
// @flow
|
||||||
|
|
||||||
|
import request from 'supertest';
|
||||||
|
import _ from 'lodash';
|
||||||
|
import path from 'path';
|
||||||
|
import rimraf from 'rimraf';
|
||||||
|
|
||||||
|
import Config from '../../../src/lib/config';
|
||||||
|
import endPointAPI from '../../../src/api/index';
|
||||||
|
|
||||||
|
import {HEADERS, HTTP_STATUS, HEADER_TYPE} from '../../../src/lib/constants';
|
||||||
|
import {mockServer} from './mock';
|
||||||
|
import {DOMAIN_SERVERS} from '../../functional/config.functional';
|
||||||
|
import {parseConfigFile} from '../../../src/lib/utils';
|
||||||
|
import {parseConfigurationFile} from '../__helper';
|
||||||
|
import {addUser, getPackage} from './__api-helper';
|
||||||
|
import {setup} from '../../../src/lib/logger';
|
||||||
|
import {buildUserBuffer} from '../../../src/lib/auth-utils';
|
||||||
|
|
||||||
|
setup([]);
|
||||||
|
const credentials = { name: 'JotaJWT', password: 'secretPass' };
|
||||||
|
|
||||||
|
const parseConfigurationJWTFile = () => {
|
||||||
|
return parseConfigurationFile(`api-jwt/jwt`);
|
||||||
|
};
|
||||||
|
|
||||||
|
const FORBIDDEN_VUE: string = 'unregistered users are not allowed to access package vue';
|
||||||
|
|
||||||
|
describe('endpoint user auth JWT unit test', () => {
|
||||||
|
let config;
|
||||||
|
let app;
|
||||||
|
let mockRegistry;
|
||||||
|
|
||||||
|
beforeAll(function(done) {
|
||||||
|
const store = path.join(__dirname, '../partials/store/test-jwt-storage');
|
||||||
|
const mockServerPort = 55546;
|
||||||
|
rimraf(store, async () => {
|
||||||
|
const confS = parseConfigFile(parseConfigurationJWTFile());
|
||||||
|
const configForTest = _.clone(confS);
|
||||||
|
configForTest.storage = store;
|
||||||
|
configForTest.auth = {
|
||||||
|
htpasswd: {
|
||||||
|
file: './test-jwt-storage/.htpasswd'
|
||||||
|
}
|
||||||
|
};
|
||||||
|
configForTest.uplinks = {
|
||||||
|
npmjs: {
|
||||||
|
url: `http://${DOMAIN_SERVERS}:${mockServerPort}`
|
||||||
|
}
|
||||||
|
};
|
||||||
|
configForTest.self_path = store;
|
||||||
|
config = new Config(configForTest);
|
||||||
|
app = await endPointAPI(config);
|
||||||
|
mockRegistry = await mockServer(mockServerPort).init();
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
afterAll(function(done) {
|
||||||
|
mockRegistry[0].stop();
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should test add a new user with JWT enabled', async (done) => {
|
||||||
|
const [err, res] = await addUser(request(app), credentials.name, credentials);
|
||||||
|
expect(err).toBeNull();
|
||||||
|
expect(res.body.ok).toBeDefined();
|
||||||
|
expect(res.body.token).toBeDefined();
|
||||||
|
const token = res.body.token;
|
||||||
|
expect(typeof token).toBe('string');
|
||||||
|
expect(res.body.ok).toMatch(`user '${credentials.name}' created`);
|
||||||
|
// testing JWT auth headers with token
|
||||||
|
// we need it here, because token is required
|
||||||
|
const [err1, resp1] = await getPackage(request(app), `Bearer ${token}`, 'vue');
|
||||||
|
expect(err1).toBeNull();
|
||||||
|
expect(resp1.body).toBeDefined();
|
||||||
|
expect(resp1.body.name).toMatch('vue');
|
||||||
|
|
||||||
|
const [err2, resp2] = await getPackage(request(app), `Bearer fake`, 'vue', HTTP_STATUS.FORBIDDEN);
|
||||||
|
expect(err2).toBeNull();
|
||||||
|
expect(resp2.statusCode).toBe(HTTP_STATUS.FORBIDDEN);
|
||||||
|
expect(resp2.body.error).toMatch(FORBIDDEN_VUE);
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should emulate npm login when user already exist', async (done) => {
|
||||||
|
const credentials = { name: 'jwtUser2', password: 'secretPass' };
|
||||||
|
// creates an user
|
||||||
|
await addUser(request(app), credentials.name, credentials);
|
||||||
|
// it should fails conflict 409
|
||||||
|
await addUser(request(app), credentials.name, credentials, HTTP_STATUS.CONFLICT);
|
||||||
|
// npm will try to sign in sending credentials via basic auth header
|
||||||
|
const token = buildUserBuffer(credentials.name, credentials.password).toString('base64');
|
||||||
|
request(app).put(`/-/user/org.couchdb.user:${credentials.name}/-rev/undefined`)
|
||||||
|
.send(credentials)
|
||||||
|
.set('authorization', `Basic ${token}`)
|
||||||
|
.expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
|
||||||
|
.expect(HTTP_STATUS.CREATED)
|
||||||
|
.end(function(err, res) {
|
||||||
|
expect(err).toBeNull();
|
||||||
|
expect(res.body.ok).toBeDefined();
|
||||||
|
expect(res.body.token).toBeDefined();
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should fails on try to access with corrupted token', async (done) => {
|
||||||
|
const [err2, resp2] = await getPackage(request(app), `Bearer fake`, 'vue', HTTP_STATUS.FORBIDDEN);
|
||||||
|
expect(err2).toBeNull();
|
||||||
|
expect(resp2.statusCode).toBe(HTTP_STATUS.FORBIDDEN);
|
||||||
|
expect(resp2.body.error).toMatch(FORBIDDEN_VUE);
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
|
||||||
|
});
|
249
test/unit/api/auth-utils.spec.js
Normal file
249
test/unit/api/auth-utils.spec.js
Normal file
|
@ -0,0 +1,249 @@
|
||||||
|
// @flow
|
||||||
|
|
||||||
|
import _ from 'lodash';
|
||||||
|
import Auth from '../../../src/lib/auth';
|
||||||
|
// $FlowFixMe
|
||||||
|
import configExample from '../partials/config/index';
|
||||||
|
import AppConfig from '../../../src/lib/config';
|
||||||
|
import {setup} from '../../../src/lib/logger';
|
||||||
|
|
||||||
|
import {convertPayloadToBase64, parseConfigFile} from '../../../src/lib/utils';
|
||||||
|
import {
|
||||||
|
buildUserBuffer,
|
||||||
|
getApiToken,
|
||||||
|
getAuthenticatedMessage,
|
||||||
|
getMiddlewareCredentials,
|
||||||
|
getSecurity
|
||||||
|
} from '../../../src/lib/auth-utils';
|
||||||
|
import {aesDecrypt, verifyPayload} from '../../../src/lib/crypto-utils';
|
||||||
|
import {parseConfigurationFile} from '../__helper';
|
||||||
|
|
||||||
|
import type {IAuth, } from '../../../types/index';
|
||||||
|
import type {Config, Security, RemoteUser} from '@verdaccio/types';
|
||||||
|
|
||||||
|
setup(configExample.logs);
|
||||||
|
|
||||||
|
describe('Auth utilities', () => {
|
||||||
|
const parseConfigurationSecurityFile = (name) => {
|
||||||
|
return parseConfigurationFile(`security/${name}`);
|
||||||
|
};
|
||||||
|
|
||||||
|
function getConfig(configFileName: string, secret: string) {
|
||||||
|
const conf = parseConfigFile(parseConfigurationSecurityFile(configFileName));
|
||||||
|
const secConf= _.merge(configExample, conf);
|
||||||
|
secConf.secret = secret;
|
||||||
|
const config: Config = new AppConfig(secConf);
|
||||||
|
|
||||||
|
return config;
|
||||||
|
}
|
||||||
|
|
||||||
|
async function signCredentials(
|
||||||
|
configFileName: string,
|
||||||
|
username: string,
|
||||||
|
password: string,
|
||||||
|
secret = '12345',
|
||||||
|
methodToSpy: string,
|
||||||
|
methodNotBeenCalled: string): Promise<string> {
|
||||||
|
const config: Config = getConfig(configFileName, secret);
|
||||||
|
const auth: IAuth = new Auth(config);
|
||||||
|
const spy = jest.spyOn(auth, methodToSpy);
|
||||||
|
const spyNotCalled = jest.spyOn(auth, methodNotBeenCalled);
|
||||||
|
const user: RemoteUser = {
|
||||||
|
name: username,
|
||||||
|
real_groups: [],
|
||||||
|
groups: []
|
||||||
|
};
|
||||||
|
const token = await getApiToken(auth, config, user, password);
|
||||||
|
expect(spy).toHaveBeenCalled();
|
||||||
|
expect(spy).toHaveBeenCalledTimes(1);
|
||||||
|
expect(spyNotCalled).not.toHaveBeenCalled();
|
||||||
|
expect(token).toBeDefined();
|
||||||
|
|
||||||
|
return token;
|
||||||
|
}
|
||||||
|
|
||||||
|
const verifyJWT = (token: string, user: string, password: string, secret: string) => {
|
||||||
|
const payload = verifyPayload(token, secret);
|
||||||
|
expect(payload.name).toBe(user);
|
||||||
|
expect(payload.groups).toBeDefined();
|
||||||
|
expect(payload.real_groups).toBeDefined();
|
||||||
|
};
|
||||||
|
|
||||||
|
const verifyAES = (token: string, user: string, password: string, secret: string) => {
|
||||||
|
const payload = aesDecrypt(convertPayloadToBase64(token), secret).toString('utf8');
|
||||||
|
const content = payload.split(':');
|
||||||
|
|
||||||
|
expect(content[0]).toBe(user);
|
||||||
|
expect(content[0]).toBe(password);
|
||||||
|
};
|
||||||
|
|
||||||
|
describe('getApiToken test', () => {
|
||||||
|
test('should sign token with aes and security missing', async () => {
|
||||||
|
const token = await signCredentials('security-missing',
|
||||||
|
'test', 'test', '1234567', 'aesEncrypt', 'jwtEncrypt');
|
||||||
|
|
||||||
|
verifyAES(token, 'test', 'test', '1234567');
|
||||||
|
expect(_.isString(token)).toBeTruthy();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should sign token with aes and security emtpy', async () => {
|
||||||
|
const token = await signCredentials('security-empty',
|
||||||
|
'test', 'test', '123456', 'aesEncrypt', 'jwtEncrypt');
|
||||||
|
|
||||||
|
verifyAES(token, 'test', 'test', '123456');
|
||||||
|
expect(_.isString(token)).toBeTruthy();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should sign token with aes', async () => {
|
||||||
|
const token = await signCredentials('security-basic',
|
||||||
|
'test', 'test', '123456', 'aesEncrypt', 'jwtEncrypt');
|
||||||
|
|
||||||
|
verifyAES(token, 'test', 'test', '123456');
|
||||||
|
expect(_.isString(token)).toBeTruthy();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should sign token with legacy and jwt disabled', async () => {
|
||||||
|
const token = await signCredentials('security-no-legacy',
|
||||||
|
'test', 'test', 'x8T#ZCx=2t', 'aesEncrypt', 'jwtEncrypt');
|
||||||
|
|
||||||
|
expect(_.isString(token)).toBeTruthy();
|
||||||
|
verifyAES(token, 'test', 'test', 'x8T#ZCx=2t');
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should sign token with legacy enabled and jwt enabled', async () => {
|
||||||
|
const token = await signCredentials('security-jwt-legacy-enabled',
|
||||||
|
'test', 'test', 'secret', 'jwtEncrypt', 'aesEncrypt');
|
||||||
|
|
||||||
|
verifyJWT(token, 'test', 'test', 'secret');
|
||||||
|
expect(_.isString(token)).toBeTruthy();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should sign token with jwt enabled', async () => {
|
||||||
|
const token = await signCredentials('security-jwt',
|
||||||
|
'test', 'test', 'secret', 'jwtEncrypt', 'aesEncrypt');
|
||||||
|
|
||||||
|
expect(_.isString(token)).toBeTruthy();
|
||||||
|
verifyJWT(token, 'test', 'test', 'secret');
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should sign with jwt whether legacy is disabled', async () => {
|
||||||
|
const token = await signCredentials('security-legacy-disabled',
|
||||||
|
'test', 'test', 'secret', 'jwtEncrypt', 'aesEncrypt');
|
||||||
|
|
||||||
|
expect(_.isString(token)).toBeTruthy();
|
||||||
|
verifyJWT(token, 'test', 'test', 'secret');
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
describe('getAuthenticatedMessage test', () => {
|
||||||
|
test('should sign token with jwt enabled', () => {
|
||||||
|
expect(getAuthenticatedMessage('test')).toBe('you are authenticated as \'test\'');
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
describe('getMiddlewareCredentials test', () => {
|
||||||
|
describe('should get AES credentials', () => {
|
||||||
|
test.concurrent('should unpack aes token and credentials', async () => {
|
||||||
|
const secret: string = 'secret';
|
||||||
|
const user: string = 'test';
|
||||||
|
const pass: string = 'test';
|
||||||
|
const token = await signCredentials('security-legacy',
|
||||||
|
user, pass, secret, 'aesEncrypt', 'jwtEncrypt');
|
||||||
|
const config: Config = getConfig('security-legacy', secret);
|
||||||
|
const security: Security = getSecurity(config);
|
||||||
|
const credentials = getMiddlewareCredentials(security, secret, `Bearer ${token}`);
|
||||||
|
expect(credentials).toBeDefined();
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.user).toEqual(user);
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.password).toEqual(pass);
|
||||||
|
});
|
||||||
|
|
||||||
|
test.concurrent('should unpack aes token and credentials', async () => {
|
||||||
|
const secret: string = 'secret';
|
||||||
|
const user: string = 'test';
|
||||||
|
const pass: string = 'test';
|
||||||
|
const token = buildUserBuffer(user, pass).toString('base64');
|
||||||
|
const config: Config = getConfig('security-legacy', secret);
|
||||||
|
const security: Security = getSecurity(config);
|
||||||
|
const credentials = getMiddlewareCredentials(security, secret, `Basic ${token}`);
|
||||||
|
expect(credentials).toBeDefined();
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.user).toEqual(user);
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.password).toEqual(pass);
|
||||||
|
});
|
||||||
|
|
||||||
|
test.concurrent('should return empty credential wrong secret key', async () => {
|
||||||
|
const secret: string = 'secret';
|
||||||
|
const token = await signCredentials('security-legacy',
|
||||||
|
'test', 'test', secret, 'aesEncrypt', 'jwtEncrypt');
|
||||||
|
const config: Config = getConfig('security-legacy', secret);
|
||||||
|
const security: Security = getSecurity(config);
|
||||||
|
const credentials = getMiddlewareCredentials(security, 'BAD_SECRET', `Bearer ${token}`);
|
||||||
|
expect(credentials).not.toBeDefined();
|
||||||
|
});
|
||||||
|
|
||||||
|
test.concurrent('should return empty credential wrong scheme', async () => {
|
||||||
|
const secret: string = 'secret';
|
||||||
|
const token = await signCredentials('security-legacy',
|
||||||
|
'test', 'test', secret, 'aesEncrypt', 'jwtEncrypt');
|
||||||
|
const config: Config = getConfig('security-legacy', secret);
|
||||||
|
const security: Security = getSecurity(config);
|
||||||
|
const credentials = getMiddlewareCredentials(security, secret, `BAD_SCHEME ${token}`);
|
||||||
|
expect(credentials).not.toBeDefined();
|
||||||
|
});
|
||||||
|
|
||||||
|
test.concurrent('should return empty credential corrupted payload', async () => {
|
||||||
|
const secret: string = 'secret';
|
||||||
|
const config: Config = getConfig('security-legacy', secret);
|
||||||
|
const auth: IAuth = new Auth(config);
|
||||||
|
const token = auth.aesEncrypt(new Buffer(`corruptedBuffer`)).toString('base64');
|
||||||
|
const security: Security = getSecurity(config);
|
||||||
|
const credentials = getMiddlewareCredentials(security, secret, `Bearer ${token}`);
|
||||||
|
expect(credentials).not.toBeDefined();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
describe('should get JWT credentials', () => {
|
||||||
|
test('should return anonymous whether token is corrupted', () => {
|
||||||
|
const config: Config = getConfig('security-jwt', '12345');
|
||||||
|
const security: Security = getSecurity(config);
|
||||||
|
const credentials = getMiddlewareCredentials(security, '12345', 'Bearer fakeToken');
|
||||||
|
|
||||||
|
expect(credentials).toBeDefined();
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.name).not.toBeDefined();
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.real_groups).toBeDefined();
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.real_groups).toEqual([]);
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should return anonymous whether token and scheme are corrupted', () => {
|
||||||
|
const config: Config = getConfig('security-jwt', '12345');
|
||||||
|
const security: Security = getSecurity(config);
|
||||||
|
const credentials = getMiddlewareCredentials(security, '12345', 'FakeScheme fakeToken');
|
||||||
|
|
||||||
|
expect(credentials).not.toBeDefined();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('should verify succesfully a JWT token', async () => {
|
||||||
|
const secret: string = 'secret';
|
||||||
|
const user: string = 'test';
|
||||||
|
const config: Config = getConfig('security-jwt', secret);
|
||||||
|
const token = await signCredentials('security-jwt',
|
||||||
|
user, 'secretTest', secret, 'jwtEncrypt', 'aesEncrypt');
|
||||||
|
const security: Security = getSecurity(config);
|
||||||
|
const credentials = getMiddlewareCredentials(security, secret, `Bearer ${token}`);
|
||||||
|
expect(credentials).toBeDefined();
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.name).toEqual(user);
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.real_groups).toBeDefined();
|
||||||
|
// $FlowFixMe
|
||||||
|
expect(credentials.real_groups).toEqual([]);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
|
@ -11,107 +11,111 @@ import {setup} from '../../../src/lib/logger';
|
||||||
import type {IAuth} from '../../../types/index';
|
import type {IAuth} from '../../../types/index';
|
||||||
import type {Config} from '@verdaccio/types';
|
import type {Config} from '@verdaccio/types';
|
||||||
|
|
||||||
|
const authConfig = Object.assign({}, configExample);
|
||||||
|
// avoid noisy log output
|
||||||
|
authConfig.logs = [{type: 'stdout', format: 'pretty', level: 'error'}];
|
||||||
|
|
||||||
setup(configExample.logs);
|
setup(configExample.logs);
|
||||||
|
|
||||||
describe('AuthTest', () => {
|
describe('AuthTest', () => {
|
||||||
|
|
||||||
test('should be defined', () => {
|
test('should be defined', () => {
|
||||||
const config: Config = new AppConfig(configExample);
|
const config: Config = new AppConfig(authConfig);
|
||||||
const auth: IAuth = new Auth(config);
|
const auth: IAuth = new Auth(config);
|
||||||
|
|
||||||
expect(auth).toBeDefined();
|
expect(auth).toBeDefined();
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('authenticate', () => {
|
describe('test authenticate method', () => {
|
||||||
test('should utilize plugin', () => {
|
test('should utilize plugin', () => {
|
||||||
const config: Config = new AppConfig(configPlugins);
|
const config: Config = new AppConfig(configPlugins);
|
||||||
const auth: IAuth = new Auth(config);
|
const auth: IAuth = new Auth(config);
|
||||||
|
|
||||||
expect(auth).toBeDefined();
|
expect(auth).toBeDefined();
|
||||||
|
|
||||||
const callback = jest.fn();
|
const callback = jest.fn();
|
||||||
const result = [ "test" ];
|
const result = [ "test" ];
|
||||||
|
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
auth.authenticate(1, null, callback);
|
auth.authenticate(1, null, callback);
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
auth.authenticate(null, result, callback);
|
auth.authenticate(null, result, callback);
|
||||||
|
|
||||||
expect(callback.mock.calls).toHaveLength(2);
|
expect(callback.mock.calls).toHaveLength(2);
|
||||||
expect(callback.mock.calls[0][0]).toBe(1);
|
expect(callback.mock.calls[0][0]).toBe(1);
|
||||||
expect(callback.mock.calls[0][1]).toBeUndefined();
|
expect(callback.mock.calls[0][1]).toBeUndefined();
|
||||||
expect(callback.mock.calls[1][0]).toBeNull();
|
expect(callback.mock.calls[1][0]).toBeNull();
|
||||||
expect(callback.mock.calls[1][1].real_groups).toBe(result);
|
expect(callback.mock.calls[1][1].real_groups).toBe(result);
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should skip falsy values', () => {
|
test('should skip falsy values', () => {
|
||||||
const config: Config = new AppConfig(configPlugins);
|
const config: Config = new AppConfig(configPlugins);
|
||||||
const auth: IAuth = new Auth(config);
|
const auth: IAuth = new Auth(config);
|
||||||
|
|
||||||
expect(auth).toBeDefined();
|
expect(auth).toBeDefined();
|
||||||
|
|
||||||
const callback = jest.fn();
|
const callback = jest.fn();
|
||||||
let index = 0;
|
let index = 0;
|
||||||
|
|
||||||
// as defined by https://developer.mozilla.org/en-US/docs/Glossary/Falsy
|
// as defined by https://developer.mozilla.org/en-US/docs/Glossary/Falsy
|
||||||
for (const value of [ false, 0, "", null, undefined, NaN ]) {
|
for (const value of [ false, 0, "", null, undefined, NaN ]) {
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
auth.authenticate(null, value, callback);
|
auth.authenticate(null, value, callback);
|
||||||
const call = callback.mock.calls[index++];
|
const call = callback.mock.calls[index++];
|
||||||
expect(call[0]).toBeDefined();
|
expect(call[0]).toBeDefined();
|
||||||
expect(call[1]).toBeUndefined();
|
expect(call[1]).toBeUndefined();
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should error truthy non-array', () => {
|
test('should error truthy non-array', () => {
|
||||||
const config: Config = new AppConfig(configPlugins);
|
const config: Config = new AppConfig(configPlugins);
|
||||||
const auth: IAuth = new Auth(config);
|
const auth: IAuth = new Auth(config);
|
||||||
|
|
||||||
expect(auth).toBeDefined();
|
expect(auth).toBeDefined();
|
||||||
|
|
||||||
const callback = jest.fn();
|
const callback = jest.fn();
|
||||||
|
|
||||||
for (const value of [ true, 1, "test", { } ]) {
|
for (const value of [ true, 1, "test", { } ]) {
|
||||||
expect(function ( ) {
|
expect(function ( ) {
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
auth.authenticate(null, value, callback);
|
auth.authenticate(null, value, callback);
|
||||||
}).toThrow(TypeError);
|
}).toThrow(TypeError);
|
||||||
expect(callback.mock.calls).toHaveLength(0);
|
expect(callback.mock.calls).toHaveLength(0);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should skip empty array', () => {
|
test('should skip empty array', () => {
|
||||||
const config: Config = new AppConfig(configPlugins);
|
const config: Config = new AppConfig(configPlugins);
|
||||||
const auth: IAuth = new Auth(config);
|
const auth: IAuth = new Auth(config);
|
||||||
|
|
||||||
expect(auth).toBeDefined();
|
expect(auth).toBeDefined();
|
||||||
|
|
||||||
const callback = jest.fn();
|
const callback = jest.fn();
|
||||||
const value = [ ];
|
const value = [ ];
|
||||||
|
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
auth.authenticate(null, value, callback);
|
auth.authenticate(null, value, callback);
|
||||||
expect(callback.mock.calls).toHaveLength(1);
|
expect(callback.mock.calls).toHaveLength(1);
|
||||||
expect(callback.mock.calls[0][0]).toBeDefined();
|
expect(callback.mock.calls[0][0]).toBeDefined();
|
||||||
expect(callback.mock.calls[0][1]).toBeUndefined();
|
expect(callback.mock.calls[0][1]).toBeUndefined();
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should accept valid array', () => {
|
test('should accept valid array', () => {
|
||||||
const config: Config = new AppConfig(configPlugins);
|
const config: Config = new AppConfig(configPlugins);
|
||||||
const auth: IAuth = new Auth(config);
|
const auth: IAuth = new Auth(config);
|
||||||
|
|
||||||
expect(auth).toBeDefined();
|
expect(auth).toBeDefined();
|
||||||
|
|
||||||
const callback = jest.fn();
|
const callback = jest.fn();
|
||||||
let index = 0;
|
let index = 0;
|
||||||
|
|
||||||
for (const value of [ [ "" ], [ "1" ], [ "0" ], ["000"] ]) {
|
for (const value of [ [ "" ], [ "1" ], [ "0" ], ["000"] ]) {
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
auth.authenticate(null, value, callback);
|
auth.authenticate(null, value, callback);
|
||||||
const call = callback.mock.calls[index++];
|
const call = callback.mock.calls[index++];
|
||||||
expect(call[0]).toBeNull();
|
expect(call[0]).toBeNull();
|
||||||
expect(call[1].real_groups).toBe(value);
|
expect(call[1].real_groups).toBe(value);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
})
|
})
|
||||||
});
|
});
|
||||||
|
|
|
@ -13,19 +13,19 @@ import {PACKAGE_ACCESS, ROLES} from '../../../src/lib/constants';
|
||||||
|
|
||||||
describe('Config Utilities', () => {
|
describe('Config Utilities', () => {
|
||||||
|
|
||||||
const parsePartial = (name) => {
|
const parseConfigurationFile = (name) => {
|
||||||
return path.join(__dirname, `../partials/config/yaml/${name}.yaml`);
|
return path.join(__dirname, `../partials/config/yaml/${name}.yaml`);
|
||||||
};
|
};
|
||||||
|
|
||||||
describe('uplinkSanityCheck', () => {
|
describe('uplinkSanityCheck', () => {
|
||||||
test('should test basic conversion', ()=> {
|
test('should test basic conversion', ()=> {
|
||||||
const uplinks = uplinkSanityCheck(parseConfigFile(parsePartial('uplink-basic')).uplinks);
|
const uplinks = uplinkSanityCheck(parseConfigFile(parseConfigurationFile('uplink-basic')).uplinks);
|
||||||
expect(Object.keys(uplinks)).toContain('server1');
|
expect(Object.keys(uplinks)).toContain('server1');
|
||||||
expect(Object.keys(uplinks)).toContain('server2');
|
expect(Object.keys(uplinks)).toContain('server2');
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should throw error on blacklisted uplink name', ()=> {
|
test('should throw error on blacklisted uplink name', ()=> {
|
||||||
const {uplinks} = parseConfigFile(parsePartial('uplink-wrong'));
|
const {uplinks} = parseConfigFile(parseConfigurationFile('uplink-wrong'));
|
||||||
|
|
||||||
expect(() => {
|
expect(() => {
|
||||||
uplinkSanityCheck(uplinks)
|
uplinkSanityCheck(uplinks)
|
||||||
|
@ -35,7 +35,7 @@ describe('Config Utilities', () => {
|
||||||
|
|
||||||
describe('sanityCheckUplinksProps', () => {
|
describe('sanityCheckUplinksProps', () => {
|
||||||
test('should fails if url prop is missing', ()=> {
|
test('should fails if url prop is missing', ()=> {
|
||||||
const {uplinks} = parseConfigFile(parsePartial('uplink-wrong'));
|
const {uplinks} = parseConfigFile(parseConfigurationFile('uplink-wrong'));
|
||||||
expect(() => {
|
expect(() => {
|
||||||
sanityCheckUplinksProps(uplinks)
|
sanityCheckUplinksProps(uplinks)
|
||||||
}).toThrow('CONFIG: no url for uplink: none-url');
|
}).toThrow('CONFIG: no url for uplink: none-url');
|
||||||
|
@ -48,7 +48,7 @@ describe('Config Utilities', () => {
|
||||||
|
|
||||||
describe('normalisePackageAccess', () => {
|
describe('normalisePackageAccess', () => {
|
||||||
test('should test basic conversion', ()=> {
|
test('should test basic conversion', ()=> {
|
||||||
const {packages} = parseConfigFile(parsePartial('pkgs-basic'));
|
const {packages} = parseConfigFile(parseConfigurationFile('pkgs-basic'));
|
||||||
const access = normalisePackageAccess(packages);
|
const access = normalisePackageAccess(packages);
|
||||||
|
|
||||||
expect(access).toBeDefined();
|
expect(access).toBeDefined();
|
||||||
|
@ -60,7 +60,7 @@ describe('Config Utilities', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should test multi group', ()=> {
|
test('should test multi group', ()=> {
|
||||||
const {packages} = parseConfigFile(parsePartial('pkgs-multi-group'));
|
const {packages} = parseConfigFile(parseConfigurationFile('pkgs-multi-group'));
|
||||||
const access = normalisePackageAccess(packages);
|
const access = normalisePackageAccess(packages);
|
||||||
|
|
||||||
expect(access).toBeDefined();
|
expect(access).toBeDefined();
|
||||||
|
@ -84,7 +84,7 @@ describe('Config Utilities', () => {
|
||||||
|
|
||||||
|
|
||||||
test('should deprecated packages props', ()=> {
|
test('should deprecated packages props', ()=> {
|
||||||
const {packages} = parseConfigFile(parsePartial('deprecated-pkgs-basic'));
|
const {packages} = parseConfigFile(parseConfigurationFile('deprecated-pkgs-basic'));
|
||||||
const access = normalisePackageAccess(packages);
|
const access = normalisePackageAccess(packages);
|
||||||
|
|
||||||
expect(access).toBeDefined();
|
expect(access).toBeDefined();
|
||||||
|
@ -118,7 +118,7 @@ describe('Config Utilities', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should check not default packages access', ()=> {
|
test('should check not default packages access', ()=> {
|
||||||
const {packages} = parseConfigFile(parsePartial('pkgs-empty'));
|
const {packages} = parseConfigFile(parseConfigurationFile('pkgs-empty'));
|
||||||
const access = normalisePackageAccess(packages);
|
const access = normalisePackageAccess(packages);
|
||||||
expect(access).toBeDefined();
|
expect(access).toBeDefined();
|
||||||
|
|
||||||
|
@ -137,7 +137,7 @@ describe('Config Utilities', () => {
|
||||||
|
|
||||||
describe('getMatchedPackagesSpec', () => {
|
describe('getMatchedPackagesSpec', () => {
|
||||||
test('should test basic config', () => {
|
test('should test basic config', () => {
|
||||||
const {packages} = parseConfigFile(parsePartial('pkgs-custom'));
|
const {packages} = parseConfigFile(parseConfigurationFile('pkgs-custom'));
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
expect(getMatchedPackagesSpec('react', packages).proxy).toMatch('facebook');
|
expect(getMatchedPackagesSpec('react', packages).proxy).toMatch('facebook');
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
|
@ -149,7 +149,7 @@ describe('Config Utilities', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should test no ** wildcard on config', () => {
|
test('should test no ** wildcard on config', () => {
|
||||||
const {packages} = parseConfigFile(parsePartial('pkgs-nosuper-wildcard-custom'));
|
const {packages} = parseConfigFile(parseConfigurationFile('pkgs-nosuper-wildcard-custom'));
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
expect(getMatchedPackagesSpec('react', packages).proxy).toMatch('facebook');
|
expect(getMatchedPackagesSpec('react', packages).proxy).toMatch('facebook');
|
||||||
// $FlowFixMe
|
// $FlowFixMe
|
||||||
|
@ -163,7 +163,7 @@ describe('Config Utilities', () => {
|
||||||
|
|
||||||
describe('hasProxyTo', () => {
|
describe('hasProxyTo', () => {
|
||||||
test('should test basic config', () => {
|
test('should test basic config', () => {
|
||||||
const packages = normalisePackageAccess(parseConfigFile(parsePartial('pkgs-basic')).packages);
|
const packages = normalisePackageAccess(parseConfigFile(parseConfigurationFile('pkgs-basic')).packages);
|
||||||
// react
|
// react
|
||||||
expect(hasProxyTo('react', 'facebook', packages)).toBeFalsy();
|
expect(hasProxyTo('react', 'facebook', packages)).toBeFalsy();
|
||||||
expect(hasProxyTo('react', 'google', packages)).toBeFalsy();
|
expect(hasProxyTo('react', 'google', packages)).toBeFalsy();
|
||||||
|
@ -178,7 +178,7 @@ describe('Config Utilities', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should test resolve based on custom package access', () => {
|
test('should test resolve based on custom package access', () => {
|
||||||
const packages = normalisePackageAccess(parseConfigFile(parsePartial('pkgs-custom')).packages);
|
const packages = normalisePackageAccess(parseConfigFile(parseConfigurationFile('pkgs-custom')).packages);
|
||||||
// react
|
// react
|
||||||
expect(hasProxyTo('react', 'facebook', packages)).toBeTruthy();
|
expect(hasProxyTo('react', 'facebook', packages)).toBeTruthy();
|
||||||
expect(hasProxyTo('react', 'google', packages)).toBeFalsy();
|
expect(hasProxyTo('react', 'google', packages)).toBeFalsy();
|
||||||
|
@ -193,7 +193,7 @@ describe('Config Utilities', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
test('should not resolve any proxy', () => {
|
test('should not resolve any proxy', () => {
|
||||||
const packages = normalisePackageAccess(parseConfigFile(parsePartial('pkgs-empty')).packages);
|
const packages = normalisePackageAccess(parseConfigFile(parseConfigurationFile('pkgs-empty')).packages);
|
||||||
// react
|
// react
|
||||||
expect(hasProxyTo('react', 'npmjs', packages)).toBeFalsy();
|
expect(hasProxyTo('react', 'npmjs', packages)).toBeFalsy();
|
||||||
expect(hasProxyTo('react', 'npmjs', packages)).toBeFalsy();
|
expect(hasProxyTo('react', 'npmjs', packages)).toBeFalsy();
|
||||||
|
|
36
test/unit/partials/config/yaml/api-jwt/jwt.yaml
Normal file
36
test/unit/partials/config/yaml/api-jwt/jwt.yaml
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
storage: ./storage
|
||||||
|
plugins: ./plugins
|
||||||
|
|
||||||
|
web:
|
||||||
|
title: Verdaccio
|
||||||
|
|
||||||
|
auth:
|
||||||
|
htpasswd:
|
||||||
|
file: ./htpasswd
|
||||||
|
uplinks:
|
||||||
|
npmjs:
|
||||||
|
url: https://registry.npmjs.org/
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
jwt:
|
||||||
|
sign:
|
||||||
|
expiresIn: 10m
|
||||||
|
notBefore: 0
|
||||||
|
packages:
|
||||||
|
'@*/*':
|
||||||
|
access: $all
|
||||||
|
publish: $authenticated
|
||||||
|
proxy: npmjs
|
||||||
|
'vue':
|
||||||
|
access: $authenticated
|
||||||
|
publish: $authenticated
|
||||||
|
proxy: npmjs
|
||||||
|
'**':
|
||||||
|
access: $all
|
||||||
|
publish: $authenticated
|
||||||
|
proxy: npmjs
|
||||||
|
middlewares:
|
||||||
|
audit:
|
||||||
|
enabled: true
|
||||||
|
logs:
|
||||||
|
- {type: stdout, format: pretty, level: http}
|
12
test/unit/partials/config/yaml/security/security-basic.yaml
Normal file
12
test/unit/partials/config/yaml/security/security-basic.yaml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
legacy: true # use AES algorithm
|
||||||
|
# jwt enables json web token and disable legacy
|
||||||
|
# jwt: https://github.com/auth0/node-jsonwebtoken#jwtsignpayload-secretorprivatekey-options-callback
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d # 7 days by default
|
||||||
|
# verify:
|
||||||
|
web:
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d # 7 days by default
|
||||||
|
# verify: https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback
|
|
@ -0,0 +1 @@
|
||||||
|
security:
|
|
@ -0,0 +1,10 @@
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
legacy: true
|
||||||
|
jwt:
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d
|
||||||
|
notBefore: 0
|
||||||
|
web:
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d
|
|
@ -0,0 +1,6 @@
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
jwt:
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d
|
||||||
|
notBefore: 0
|
|
@ -0,0 +1,3 @@
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
legacy: false
|
|
@ -0,0 +1,3 @@
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
legacy: true
|
|
@ -0,0 +1,9 @@
|
||||||
|
security:
|
||||||
|
api:
|
||||||
|
legacy: false
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d
|
||||||
|
notBefore: 0
|
||||||
|
web:
|
||||||
|
sign:
|
||||||
|
expiresIn: 7d
|
1
test/unit/partials/store/storage/.sinopia-db.json
Normal file
1
test/unit/partials/store/storage/.sinopia-db.json
Normal file
|
@ -0,0 +1 @@
|
||||||
|
{"list":[],"secret":"c884521349204fdb6665e27a20c04dd1fb81863a56fa68cbbab39aebea0dd609"}
|
|
@ -8,8 +8,10 @@ import type {
|
||||||
Callback,
|
Callback,
|
||||||
Versions,
|
Versions,
|
||||||
Version,
|
Version,
|
||||||
|
RemoteUser,
|
||||||
Config,
|
Config,
|
||||||
Logger,
|
Logger,
|
||||||
|
JWTSignOptions,
|
||||||
PackageAccess,
|
PackageAccess,
|
||||||
StringValue as verdaccio$StringValue,
|
StringValue as verdaccio$StringValue,
|
||||||
Package} from '@verdaccio/types';
|
Package} from '@verdaccio/types';
|
||||||
|
@ -30,19 +32,31 @@ export type StartUpConfig = {
|
||||||
|
|
||||||
export type MatchedPackage = PackageAccess | void;
|
export type MatchedPackage = PackageAccess | void;
|
||||||
|
|
||||||
export type JWTPayload = {
|
export type JWTPayload = RemoteUser & {
|
||||||
user: string;
|
password?: string;
|
||||||
group: string | void;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
export type JWTSignOptions = {
|
export type AESPayload = {
|
||||||
expiresIn: string;
|
user: string;
|
||||||
|
password: string;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export type AuthTokenHeader = {
|
||||||
|
scheme: string;
|
||||||
|
token: string;
|
||||||
|
}
|
||||||
|
|
||||||
|
export type BasicPayload = AESPayload | void;
|
||||||
|
export type AuthMiddlewarePayload = RemoteUser | BasicPayload;
|
||||||
|
|
||||||
export type ProxyList = {
|
export type ProxyList = {
|
||||||
[key: string]: IProxy;
|
[key: string]: IProxy;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export type CookieSessionToken = {
|
||||||
|
expires: Date;
|
||||||
|
}
|
||||||
|
|
||||||
export type Utils = {
|
export type Utils = {
|
||||||
ErrorCode: any;
|
ErrorCode: any;
|
||||||
getLatestVersion: Callback;
|
getLatestVersion: Callback;
|
||||||
|
@ -59,8 +73,9 @@ export type $NextFunctionVer = NextFunction & mixed;
|
||||||
export type $SidebarPackage = Package & {latest: mixed}
|
export type $SidebarPackage = Package & {latest: mixed}
|
||||||
|
|
||||||
|
|
||||||
interface IAuthWebUI {
|
export interface IAuthWebUI {
|
||||||
issueUIjwt(user: string, time: string): string;
|
jwtEncrypt(user: RemoteUser, signOptions: JWTSignOptions): string;
|
||||||
|
aesEncrypt(buf: Buffer): Buffer;
|
||||||
}
|
}
|
||||||
|
|
||||||
interface IAuthMiddleware {
|
interface IAuthMiddleware {
|
||||||
|
|
22
yarn.lock
22
yarn.lock
|
@ -265,9 +265,9 @@
|
||||||
version "1.0.0"
|
version "1.0.0"
|
||||||
resolved "https://registry.npmjs.org/@verdaccio/streams/-/streams-1.0.0.tgz#d5d24c6747208728b9fd16b908e3932c3fb1f864"
|
resolved "https://registry.npmjs.org/@verdaccio/streams/-/streams-1.0.0.tgz#d5d24c6747208728b9fd16b908e3932c3fb1f864"
|
||||||
|
|
||||||
"@verdaccio/types@3.4.2":
|
"@verdaccio/types@3.7.1":
|
||||||
version "3.4.2"
|
version "3.7.1"
|
||||||
resolved "https://registry.npmjs.org/@verdaccio/types/-/types-3.4.2.tgz#e1b0952df73167428dbbe071663e72911df3404e"
|
resolved "https://registry.npmjs.org/@verdaccio/types/-/types-3.7.1.tgz#e084ce466e8308c502013a810f29f52615aba124"
|
||||||
|
|
||||||
"@webassemblyjs/ast@1.5.13":
|
"@webassemblyjs/ast@1.5.13":
|
||||||
version "1.5.13"
|
version "1.5.13"
|
||||||
|
@ -4872,6 +4872,16 @@ http-errors@1.6.3, http-errors@~1.6.2, http-errors@~1.6.3:
|
||||||
setprototypeof "1.1.0"
|
setprototypeof "1.1.0"
|
||||||
statuses ">= 1.4.0 < 2"
|
statuses ">= 1.4.0 < 2"
|
||||||
|
|
||||||
|
http-errors@1.7.0:
|
||||||
|
version "1.7.0"
|
||||||
|
resolved "https://registry.npmjs.org/http-errors/-/http-errors-1.7.0.tgz#b6d36492a201c7888bdcb5dd0471140423c4ad2a"
|
||||||
|
dependencies:
|
||||||
|
depd "~1.1.2"
|
||||||
|
inherits "2.0.3"
|
||||||
|
setprototypeof "1.1.0"
|
||||||
|
statuses ">= 1.5.0 < 2"
|
||||||
|
toidentifier "1.0.0"
|
||||||
|
|
||||||
http-parser-js@>=0.4.0:
|
http-parser-js@>=0.4.0:
|
||||||
version "0.4.13"
|
version "0.4.13"
|
||||||
resolved "https://registry.npmjs.org/http-parser-js/-/http-parser-js-0.4.13.tgz#3bd6d6fde6e3172c9334c3b33b6c193d80fe1137"
|
resolved "https://registry.npmjs.org/http-parser-js/-/http-parser-js-0.4.13.tgz#3bd6d6fde6e3172c9334c3b33b6c193d80fe1137"
|
||||||
|
@ -9604,7 +9614,7 @@ static-extend@^0.1.1:
|
||||||
define-property "^0.2.5"
|
define-property "^0.2.5"
|
||||||
object-copy "^0.1.0"
|
object-copy "^0.1.0"
|
||||||
|
|
||||||
"statuses@>= 1.3.1 < 2", "statuses@>= 1.4.0 < 2":
|
"statuses@>= 1.3.1 < 2", "statuses@>= 1.4.0 < 2", "statuses@>= 1.5.0 < 2":
|
||||||
version "1.5.0"
|
version "1.5.0"
|
||||||
resolved "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c"
|
resolved "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c"
|
||||||
|
|
||||||
|
@ -10110,6 +10120,10 @@ to-regex@^3.0.1, to-regex@^3.0.2:
|
||||||
regex-not "^1.0.2"
|
regex-not "^1.0.2"
|
||||||
safe-regex "^1.1.0"
|
safe-regex "^1.1.0"
|
||||||
|
|
||||||
|
toidentifier@1.0.0:
|
||||||
|
version "1.0.0"
|
||||||
|
resolved "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz#7e1be3470f1e77948bc43d94a3c8f4d7752ba553"
|
||||||
|
|
||||||
toposort@^1.0.0:
|
toposort@^1.0.0:
|
||||||
version "1.0.7"
|
version "1.0.7"
|
||||||
resolved "https://registry.npmjs.org/toposort/-/toposort-1.0.7.tgz#2e68442d9f64ec720b8cc89e6443ac6caa950029"
|
resolved "https://registry.npmjs.org/toposort/-/toposort-1.0.7.tgz#2e68442d9f64ec720b8cc89e6443ac6caa950029"
|
||||||
|
|
Loading…
Add table
Reference in a new issue