0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2025-01-13 22:48:31 -05:00

feat: add support for jwt on api (#896)

* feat: add support for jwt on api

* test: add unit test for sign token with jwt

add multiple scenarios with configuration file

* chore: add JWT verification on middleware

* chore: restore headless

* chore: restore middleware header validation

* refactor: fix login whether user exists

* refactor: JWT is signed asynchronously

* refactor: better structure and new naming convention

* test: add unit test for token signature

* test: add unit test for creating user with JWT enabled

#168

* docs: add security section jwt

* refactor: renable  web auth middleware

* test(auth): add legacy disabled scenario

* chore: update gitignore

* chore: add some es6 sugar

* feat: enable JWT token signature for new installations

* chore: add yaml files to git

I forgot add this before 😷

* chore: trace log on auth

in case we want more output
This commit is contained in:
Juan Picado @jotadeveloper 2018-08-21 08:05:34 +02:00 committed by GitHub
parent 26873682b8
commit a68d247a44
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
40 changed files with 1102 additions and 289 deletions

5
.gitignore vendored
View file

@ -3,6 +3,10 @@ verdaccio-*.tgz
.DS_Store .DS_Store
build/ build/
### Test
test/unit/partials/store/test-jwt-storage/*
### ###
!bin/verdaccio !bin/verdaccio
test-storage* test-storage*
@ -10,7 +14,6 @@ access-storage*
.verdaccio_test_env .verdaccio_test_env
node_modules node_modules
package-lock.json package-lock.json
build/
npm_test-fails-add-tarball* npm_test-fails-add-tarball*
yarn-error.log yarn-error.log

View file

@ -23,6 +23,16 @@ auth:
# You can set this to -1 to disable registration. # You can set this to -1 to disable registration.
#max_users: 1000 #max_users: 1000
security:
api:
jwt:
sign:
expiresIn: 60d
notBefore: 1
web:
sign:
expiresIn: 7d
# a list of other known repositories we can talk to # a list of other known repositories we can talk to
uplinks: uplinks:
npmjs: npmjs:

View file

@ -27,6 +27,16 @@ auth:
# You can set this to -1 to disable registration. # You can set this to -1 to disable registration.
#max_users: 1000 #max_users: 1000
security:
api:
jwt:
sign:
expiresIn: 60d
notBefore: 1
web:
sign:
expiresIn: 7d
# a list of other known repositories we can talk to # a list of other known repositories we can talk to
uplinks: uplinks:
npmjs: npmjs:

View file

@ -61,6 +61,31 @@ auth:
max_users: 1000 max_users: 1000
``` ```
### Security
<small>Since: `verdaccio@4.0.0` due [#168](https://github.com/verdaccio/verdaccio/pull/168)</small>
The security block allows you to customise the token signature. To enable [JWT (json web token)](https://jwt.io/) new signture you need to add the block `jwt` to `api` section, `web` uses by default `jwt`.
The configuration is separated in two sections, `api` and `web`. To use JWT on `api`, it has to be defined, otherwise will use the legacy token signature (`aes192`). For JWT you might customize the [signature](https://github.com/auth0/node-jsonwebtoken#jwtsignpayload-secretorprivatekey-options-callback) and the token [verification](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback) with your own properties.
```
security:
api:
legacy: true
jwt:
sign:
expiresIn: 29d
verify:
someProp: [value]
web:
sign:
expiresIn: 7d # 7 days by default
verify:
someProp: [value]
```
> We highly recommend move to JWT since legacy signature (`aes192`) is deprecated and will disappear in future versions.
### Web UI ### Web UI
This properties allow you to modify the look and feel of the web UI. For more information about this section read the [web ui page](web.md). This properties allow you to modify the look and feel of the web UI. For more information about this section read the [web ui page](web.md).

View file

@ -79,7 +79,6 @@ uplinks:
### You Must know ### You Must know
* Verdaccio does not use Basic Authentication since version `v2.3.0`. All tokens generated by verdaccio are based on JWT ([JSON Web Token](https://jwt.io/))
* Uplinks must be registries compatible with the `npm` endpoints. Eg: *verdaccio*, `sinopia@1.4.0`, *npmjs registry*, *yarn registry*, *JFrog*, *Nexus* and more. * Uplinks must be registries compatible with the `npm` endpoints. Eg: *verdaccio*, `sinopia@1.4.0`, *npmjs registry*, *yarn registry*, *JFrog*, *Nexus* and more.
* Setting `cache` to false will help to save space in your hard drive. This will avoid store `tarballs` but [it will keep metadata in folders](https://github.com/verdaccio/verdaccio/issues/391). * Setting `cache` to false will help to save space in your hard drive. This will avoid store `tarballs` but [it will keep metadata in folders](https://github.com/verdaccio/verdaccio/issues/391).
* Exceed with multiple uplinks might slow down the lookup of your packages due for each request a npm client does, verdaccio does 1 call for each uplink. * Exceed with multiple uplinks might slow down the lookup of your packages due for each request a npm client does, verdaccio does 1 call for each uplink.

View file

@ -32,7 +32,7 @@
"express": "4.16.3", "express": "4.16.3",
"global": "4.3.2", "global": "4.3.2",
"handlebars": "4.0.11", "handlebars": "4.0.11",
"http-errors": "1.6.3", "http-errors": "1.7.0",
"js-base64": "2.4.8", "js-base64": "2.4.8",
"js-string-escape": "1.0.1", "js-string-escape": "1.0.1",
"js-yaml": "3.12.0", "js-yaml": "3.12.0",
@ -54,7 +54,7 @@
"devDependencies": { "devDependencies": {
"@commitlint/cli": "7.0.0", "@commitlint/cli": "7.0.0",
"@commitlint/config-conventional": "7.0.1", "@commitlint/config-conventional": "7.0.1",
"@verdaccio/types": "3.4.2", "@verdaccio/types": "3.7.1",
"babel-cli": "6.26.0", "babel-cli": "6.26.0",
"babel-core": "6.26.3", "babel-core": "6.26.3",
"babel-eslint": "8.2.6", "babel-eslint": "8.2.6",
@ -194,7 +194,8 @@
}, },
"lint-staged": { "lint-staged": {
"*.yaml": [ "*.yaml": [
"prettier --parser yaml --no-config --single-quote --write" "prettier --parser yaml --no-config --single-quote --write",
"git add"
], ],
"*.js": [ "*.js": [
"eslint .", "eslint .",

View file

@ -1,34 +1,40 @@
// @flow // @flow
import type {$Response, Router} from 'express';
import type {$RequestExtend, $ResponseExtend, $NextFunctionVer, IAuth} from '../../../../types';
import {ErrorCode} from '../../../lib/utils';
import _ from 'lodash'; import _ from 'lodash';
import Cookies from 'cookies'; import Cookies from 'cookies';
export default function(route: Router, auth: IAuth) { import {ErrorCode} from '../../../lib/utils';
import {API_MESSAGE, HTTP_STATUS} from '../../../lib/constants';
import {createSessionToken, getApiToken, getAuthenticatedMessage} from '../../../lib/auth-utils';
import type {Config} from '@verdaccio/types';
import type {$Response, Router} from 'express';
import type {$RequestExtend, $ResponseExtend, $NextFunctionVer, IAuth} from '../../../../types';
export default function(route: Router, auth: IAuth, config: Config) {
route.get('/-/user/:org_couchdb_user', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) { route.get('/-/user/:org_couchdb_user', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
res.status(200); res.status(HTTP_STATUS.OK);
next({ next({
ok: 'you are authenticated as "' + req.remote_user.name + '"', ok: getAuthenticatedMessage(req.remote_user.name),
}); });
}); });
route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) { route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', async function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
let token = (req.body.name && req.body.password) const {name, password} = req.body;
? auth.aesEncrypt(new Buffer(req.body.name + ':' + req.body.password)).toString('base64')
: undefined;
if (_.isNil(req.remote_user.name) === false) { if (_.isNil(req.remote_user.name) === false) {
res.status(201); const token = (name && password) ? await getApiToken(auth, config, req.remote_user, password) : undefined;
res.status(HTTP_STATUS.CREATED);
return next({ return next({
ok: 'you are authenticated as \'' + req.remote_user.name + '\'', ok: getAuthenticatedMessage(req.remote_user.name),
token, token,
}); });
} else { } else {
auth.add_user(req.body.name, req.body.password, function(err, user) { auth.add_user(name, password, async function(err, user) {
if (err) { if (err) {
if (err.status >= 400 && err.status < 500) { if (err.status >= HTTP_STATUS.BAD_REQUEST && err.status < HTTP_STATUS.INTERNAL_ERROR) {
// With npm registering is the same as logging in, // With npm registering is the same as logging in,
// and npm accepts only an 409 error. // and npm accepts only an 409 error.
// So, changing status code here. // So, changing status code here.
@ -37,20 +43,22 @@ export default function(route: Router, auth: IAuth) {
return next(err); return next(err);
} }
const token = (name && password) ? await getApiToken(auth, config, user, password) : undefined;
req.remote_user = user; req.remote_user = user;
res.status(201); res.status(HTTP_STATUS.CREATED);
return next({ return next({
ok: 'user \'' + req.body.name + '\' created', ok: `user '${req.body.name }' created`,
token: token, token,
}); });
}); });
} }
}); });
route.delete('/-/user/token/*', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) { route.delete('/-/user/token/*', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
res.status(200); res.status(HTTP_STATUS.OK);
next({ next({
ok: 'Logged out', ok: API_MESSAGE.LOGGED_OUT,
}); });
}); });
@ -58,10 +66,8 @@ export default function(route: Router, auth: IAuth) {
// placeholder 'cause npm require to be authenticated to publish // placeholder 'cause npm require to be authenticated to publish
// we do not do any real authentication yet // we do not do any real authentication yet
route.post('/_session', Cookies.express(), function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) { route.post('/_session', Cookies.express(), function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
res.cookies.set('AuthSession', String(Math.random()), { res.cookies.set('AuthSession', String(Math.random()), createSessionToken());
// npmjs.org sets 10h expire
expires: new Date(Date.now() + 10 * 60 * 60 * 1000),
});
next({ next({
ok: true, ok: true,
name: 'somebody', name: 'somebody',

View file

@ -46,7 +46,7 @@ export default function(config: Config, auth: IAuth, storage: IStorageHandler) {
whoami(app); whoami(app);
pkg(app, auth, storage, config); pkg(app, auth, storage, config);
search(app, auth, storage); search(app, auth, storage);
user(app, auth); user(app, auth, config);
distTags(app, auth, storage); distTags(app, auth, storage);
publish(app, auth, storage, config); publish(app, auth, storage, config);
ping(app); ping(app);

View file

@ -12,6 +12,8 @@ import apiEndpoint from './endpoint';
import {ErrorCode} from '../lib/utils'; import {ErrorCode} from '../lib/utils';
import {API_ERROR, HTTP_STATUS} from '../lib/constants'; import {API_ERROR, HTTP_STATUS} from '../lib/constants';
import AppConfig from '../lib/config'; import AppConfig from '../lib/config';
import webAPI from './web/api';
import web from './web';
import type {$Application} from 'express'; import type {$Application} from 'express';
import type { import type {
@ -74,8 +76,8 @@ const defineAPI = function(config: IConfig, storage: IStorageHandler) {
// For WebUI & WebUI API // For WebUI & WebUI API
if (_.get(config, 'web.enable', true)) { if (_.get(config, 'web.enable', true)) {
app.use('/', require('./web')(config, auth, storage)); app.use('/', web(config, auth, storage));
app.use('/-/verdaccio/', require('./web/api')(config, auth, storage)); app.use('/-/verdaccio/', webAPI(config, auth, storage));
} else { } else {
app.get('/', function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) { app.get('/', function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
next(ErrorCode.getNotFound(API_ERROR.WEB_DISABLED)); next(ErrorCode.getNotFound(API_ERROR.WEB_DISABLED));

View file

@ -16,7 +16,7 @@ const route = Router(); /* eslint new-cap: 0 */
/* /*
This file include all verdaccio only API(Web UI), for npm API please see ../endpoint/ This file include all verdaccio only API(Web UI), for npm API please see ../endpoint/
*/ */
module.exports = function(config: Config, auth: IAuth, storage: IStorageHandler) { export default function(config: Config, auth: IAuth, storage: IStorageHandler) {
Search.configureStorage(storage); Search.configureStorage(storage);
// validate all of these params as a package name // validate all of these params as a package name
@ -43,4 +43,4 @@ module.exports = function(config: Config, auth: IAuth, storage: IStorageHandler)
// We will/may replace current token with JWT in next major release, and it will not expire at all(configurable). // We will/may replace current token with JWT in next major release, and it will not expire at all(configurable).
return route; return route;
}; }

View file

@ -1,22 +1,29 @@
// @flow // @flow
import HTTPError from 'http-errors'; import {HTTP_STATUS} from '../../../lib/constants';
import type {Config} from '@verdaccio/types';
import type {Router} from 'express'; import type {Router} from 'express';
import type {Config, RemoteUser, JWTSignOptions} from '@verdaccio/types';
import type {IAuth, $ResponseExtend, $RequestExtend, $NextFunctionVer} from '../../../../types'; import type {IAuth, $ResponseExtend, $RequestExtend, $NextFunctionVer} from '../../../../types';
import {ErrorCode} from '../../../lib/utils';
import {getSecurity} from '../../../lib/auth-utils';
function addUserAuthApi(route: Router, auth: IAuth, config: Config) { function addUserAuthApi(route: Router, auth: IAuth, config: Config) {
route.post('/login', function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) { route.post('/login', function(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
auth.authenticate(req.body.username, req.body.password, (err, user) => { const {username, password} = req.body;
if (!err) {
auth.authenticate(username, password, async (err, user: RemoteUser) => {
if (err) {
const errorCode = err.message ? HTTP_STATUS.UNAUTHORIZED : HTTP_STATUS.INTERNAL_ERROR;
next(ErrorCode.getCode(errorCode, err.message));
} else {
req.remote_user = user; req.remote_user = user;
const jWTSignOptions: JWTSignOptions = getSecurity(config).web.sign;
next({ next({
token: auth.issueUIjwt(user, '24h'), token: await auth.jwtEncrypt(user, jWTSignOptions),
username: req.remote_user.name, username: req.remote_user.name,
}); });
} else {
next(HTTPError[err.message ? 401 : 500](err.message));
} }
}); });
}); });

View file

@ -3,11 +3,10 @@ import _ from 'lodash';
import fs from 'fs'; import fs from 'fs';
import Search from '../../lib/search'; import Search from '../../lib/search';
import * as Utils from '../../lib/utils'; import * as Utils from '../../lib/utils';
import {WEB_TITLE} from '../../lib/constants'; import {HTTP_STATUS, WEB_TITLE} from '../../lib/constants';
const {securityIframe} = require('../middleware'); const {securityIframe} = require('../middleware');
/* eslint new-cap:off */ /* eslint new-cap:off */
const router = express.Router();
const env = require('../../config/env'); const env = require('../../config/env');
const template = fs.readFileSync(`${env.DIST_PATH}/index.html`).toString(); const template = fs.readFileSync(`${env.DIST_PATH}/index.html`).toString();
const spliceURL = require('../../utils/string').spliceURL; const spliceURL = require('../../utils/string').spliceURL;
@ -15,6 +14,8 @@ const spliceURL = require('../../utils/string').spliceURL;
module.exports = function(config, auth, storage) { module.exports = function(config, auth, storage) {
Search.configureStorage(storage); Search.configureStorage(storage);
const router = express.Router();
router.use(auth.webUIJWTmiddleware()); router.use(auth.webUIJWTmiddleware());
router.use(securityIframe); router.use(securityIframe);
@ -25,7 +26,7 @@ module.exports = function(config, auth, storage) {
if (!err) { if (!err) {
return; return;
} }
if (err.status === 404) { if (err.status === HTTP_STATUS.NOT_FOUND) {
next(); next();
} else { } else {
next(err); next(err);

View file

@ -1,9 +1,60 @@
// @flow // @flow
import _ from 'lodash';
import {convertPayloadToBase64, ErrorCode} from './utils';
import {API_ERROR, HTTP_STATUS, ROLES, TIME_EXPIRATION_7D, TOKEN_BASIC, TOKEN_BEARER} from './constants';
import {ErrorCode} from './utils'; import type {
import {API_ERROR} from './constants'; RemoteUser,
Package,
Callback,
Config,
Security,
APITokenOptions,
JWTOptions} from '@verdaccio/types';
import type {
CookieSessionToken, IAuthWebUI, AuthMiddlewarePayload, AuthTokenHeader, BasicPayload,
} from '../../types';
import {aesDecrypt, verifyPayload} from './crypto-utils';
import type {RemoteUser, Package, Callback} from '@verdaccio/types';
/**
* Create a RemoteUser object
* @return {Object} { name: xx, pluginGroups: [], real_groups: [] }
*/
export function createRemoteUser(name: string, pluginGroups: Array<string>): RemoteUser {
const isGroupValid: boolean = _.isArray(pluginGroups);
const groups = (isGroupValid ? pluginGroups : []).concat([
ROLES.$ALL,
ROLES.$AUTH,
ROLES.DEPRECATED_ALL,
ROLES.DEPRECATED_AUTH,
ROLES.ALL]);
return {
name,
groups,
real_groups: pluginGroups,
};
}
/**
* Builds an anonymous remote user in case none is logged in.
* @return {Object} { name: xx, groups: [], real_groups: [] }
*/
export function createAnonymousRemoteUser(): RemoteUser {
return {
name: undefined,
// groups without '$' are going to be deprecated eventually
groups: [
ROLES.$ALL,
ROLES.$ANONYMOUS,
ROLES.DEPRECATED_ALL,
ROLES.DEPRECATED_ANONUMOUS,
],
real_groups: [],
};
}
export function allow_action(action: string) { export function allow_action(action: string) {
return function(user: RemoteUser, pkg: Package, callback: Callback) { return function(user: RemoteUser, pkg: Package, callback: Callback) {
@ -36,3 +87,162 @@ export function getDefaultPlugins() {
allow_publish: allow_action('publish'), allow_publish: allow_action('publish'),
}; };
} }
export function createSessionToken(): CookieSessionToken {
const tenHoursTime = 10 * 60 * 60 * 1000;
return {
// npmjs.org sets 10h expire
expires: new Date(Date.now() + tenHoursTime),
};
}
const defaultWebTokenOptions: JWTOptions = {
sign: {
expiresIn: TIME_EXPIRATION_7D,
},
verify: {},
};
const defaultApiTokenConf: APITokenOptions = {
legacy: true,
sign: {},
};
export function getSecurity(config: Config): Security {
const defaultSecurity: Security = {
web: defaultWebTokenOptions,
api: defaultApiTokenConf,
};
if (_.isNil(config.security) === false) {
return _.merge(defaultSecurity, config.security);
}
return defaultSecurity;
}
export function getAuthenticatedMessage(user: string): string {
return `you are authenticated as '${user}'`;
}
export function buildUserBuffer(name: string, password: string) {
return Buffer.from(`${name}:${password}`, 'utf8');
}
export function isAESLegacy(security: Security): boolean {
const {legacy, jwt} = security.api;
return _.isNil(legacy) === false &&_.isNil(jwt) && legacy === true;
}
export async function getApiToken(
auth: IAuthWebUI,
config: Config,
remoteUser: RemoteUser,
aesPassword: string): Promise<string> {
const security: Security = getSecurity(config);
if (isAESLegacy(security)) {
// fallback all goes to AES encryption
return await new Promise((resolve) => {
resolve(auth.aesEncrypt(buildUserBuffer((remoteUser: any).name, aesPassword)).toString('base64'));
});
} else {
// i am wiling to use here _.isNil but flow does not like it yet.
const {jwt} = security.api;
if (typeof jwt !== 'undefined' &&
typeof jwt.sign !== 'undefined') {
return await auth.jwtEncrypt(remoteUser, jwt.sign);
} else {
return await new Promise((resolve) => {
resolve(auth.aesEncrypt(buildUserBuffer((remoteUser: any).name, aesPassword)).toString('base64'));
});
}
}
}
export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHeader {
const parts = authorizationHeader.split(' ');
const [scheme, token] = parts;
return {scheme, token};
}
export function parseBasicPayload(credentials: string): BasicPayload {
const index = credentials.indexOf(':');
if (index < 0) {
return;
}
const user: string = credentials.slice(0, index);
const password: string = credentials.slice(index + 1);
return {user, password};
}
export function parseAESCredentials(
authorizationHeader: string, secret: string) {
const {scheme, token} = parseAuthTokenHeader(authorizationHeader);
// basic is deprecated and should not be enforced
if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
const credentials = convertPayloadToBase64(token).toString();
return credentials;
} else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
const tokenAsBuffer = convertPayloadToBase64(token);
const credentials = aesDecrypt(tokenAsBuffer, secret).toString('utf8');
return credentials;
}
}
export function verifyJWTPayload(token: string, secret: string): RemoteUser {
try {
const payload: RemoteUser = (verifyPayload(token, secret): RemoteUser);
return payload;
} catch (err) {
// #168 this check should be removed as soon AES encrypt is removed.
if (err.name === 'JsonWebTokenError') {
// it might be possible the jwt configuration is enabled and
// old tokens fails still remains in usage, thus
// we return an anonymous user to force log in.
return createAnonymousRemoteUser();
} else {
throw ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, err.message);
}
}
}
export function isAuthHeaderValid(authorization: string): boolean {
return authorization.split(' ').length === 2;
}
export function getMiddlewareCredentials(
security: Security,
secret: string,
authorizationHeader: string
): AuthMiddlewarePayload {
if (isAESLegacy(security)) {
const credentials = parseAESCredentials(authorizationHeader, secret);
if (!credentials) {
return;
}
const parsedCredentials = parseBasicPayload(credentials);
if (!parsedCredentials) {
return;
}
return parsedCredentials;
} else {
const {scheme, token} = parseAuthTokenHeader(authorizationHeader);
if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
return verifyJWTPayload(token, secret);
}
}
}

View file

@ -2,19 +2,26 @@
import _ from 'lodash'; import _ from 'lodash';
import {API_ERROR, HTTP_STATUS, ROLES, TOKEN_BASIC, TOKEN_BEARER} from './constants'; import {API_ERROR, TOKEN_BASIC, TOKEN_BEARER} from './constants';
import loadPlugin from '../lib/plugin-loader'; import loadPlugin from '../lib/plugin-loader';
import {buildBase64Buffer, ErrorCode} from './utils'; import {aesEncrypt, signPayload} from './crypto-utils';
import {aesDecrypt, aesEncrypt, signPayload, verifyPayload} from './crypto-utils'; import {
import {getDefaultPlugins} from './auth-utils'; getDefaultPlugins,
getMiddlewareCredentials,
verifyJWTPayload,
createAnonymousRemoteUser,
isAuthHeaderValid,
getSecurity,
isAESLegacy, parseAuthTokenHeader, parseBasicPayload, createRemoteUser,
} from './auth-utils';
import {convertPayloadToBase64, ErrorCode} from './utils';
import {getMatchedPackagesSpec} from './config-utils'; import {getMatchedPackagesSpec} from './config-utils';
import type {Config, Logger, Callback, IPluginAuth, RemoteUser} from '@verdaccio/types'; import type {
Config, Logger, Callback, IPluginAuth, RemoteUser, JWTSignOptions, Security,
} from '@verdaccio/types';
import type {$Response, NextFunction} from 'express'; import type {$Response, NextFunction} from 'express';
import type {$RequestExtend, JWTPayload} from '../../types'; import type {$RequestExtend, IAuth} from '../../types';
import type {IAuth} from '../../types';
const LoggerApi = require('./logger'); const LoggerApi = require('./logger');
@ -23,7 +30,6 @@ class Auth implements IAuth {
logger: Logger; logger: Logger;
secret: string; secret: string;
plugins: Array<any>; plugins: Array<any>;
static DEFAULT_EXPIRE_WEB_TOKEN: string = '7d';
constructor(config: Config) { constructor(config: Config) {
this.config = config; this.config = config;
@ -50,8 +56,9 @@ class Auth implements IAuth {
this.plugins.push(getDefaultPlugins()); this.plugins.push(getDefaultPlugins());
} }
authenticate(user: string, password: string, cb: Callback) { authenticate(username: string, password: string, cb: Callback) {
const plugins = this.plugins.slice(0); const plugins = this.plugins.slice(0);
const self = this;
(function next() { (function next() {
const plugin = plugins.shift(); const plugin = plugins.shift();
@ -59,7 +66,8 @@ class Auth implements IAuth {
return next(); return next();
} }
plugin.authenticate(user, password, function(err, groups) { self.logger.trace( {username}, 'authenticating @{username}');
plugin.authenticate(username, password, function(err, groups) {
if (err) { if (err) {
return cb(err); return cb(err);
} }
@ -74,14 +82,14 @@ class Auth implements IAuth {
if (!!groups && groups.length !== 0) { if (!!groups && groups.length !== 0) {
// TODO: create a better understanding of expectations // TODO: create a better understanding of expectations
if (_.isString(groups)) { if (_.isString(groups)) {
throw new TypeError('invalid type for function'); throw new TypeError('plugin group error: invalid type for function');
} }
const isGroupValid: boolean = _.isArray(groups); const isGroupValid: boolean = _.isArray(groups);
if (!isGroupValid) { if (!isGroupValid) {
throw new TypeError(API_ERROR.BAD_FORMAT_USER_GROUP); throw new TypeError(API_ERROR.BAD_FORMAT_USER_GROUP);
} }
return cb(err, authenticatedUser(user, groups)); return cb(err, createRemoteUser(username, groups));
} }
next(); next();
}); });
@ -91,6 +99,7 @@ class Auth implements IAuth {
add_user(user: string, password: string, cb: Callback) { add_user(user: string, password: string, cb: Callback) {
let self = this; let self = this;
let plugins = this.plugins.slice(0); let plugins = this.plugins.slice(0);
this.logger.trace( {user}, 'add user @{user}');
(function next() { (function next() {
let plugin = plugins.shift(); let plugin = plugins.shift();
@ -122,6 +131,7 @@ class Auth implements IAuth {
let plugins = this.plugins.slice(0); let plugins = this.plugins.slice(0);
// $FlowFixMe // $FlowFixMe
let pkg = Object.assign({name: packageName}, getMatchedPackagesSpec(packageName, this.config.packages)); let pkg = Object.assign({name: packageName}, getMatchedPackagesSpec(packageName, this.config.packages));
this.logger.trace( {packageName}, 'allow access for @{packageName}');
(function next() { (function next() {
const plugin = plugins.shift(); const plugin = plugins.shift();
@ -151,6 +161,7 @@ class Auth implements IAuth {
let plugins = this.plugins.slice(0); let plugins = this.plugins.slice(0);
// $FlowFixMe // $FlowFixMe
let pkg = Object.assign({name: packageName}, getMatchedPackagesSpec(packageName, this.config.packages)); let pkg = Object.assign({name: packageName}, getMatchedPackagesSpec(packageName, this.config.packages));
this.logger.trace( {packageName}, 'allow publish for @{packageName}');
(function next() { (function next() {
const plugin = plugins.shift(); const plugin = plugins.shift();
@ -188,62 +199,96 @@ class Auth implements IAuth {
return _next(); return _next();
}; };
if (_.isUndefined(req.remote_user) === false if (this._isRemoteUserMissing(req.remote_user)) {
&& _.isUndefined(req.remote_user.name) === false) {
return next(); return next();
} }
req.remote_user = buildAnonymousUser();
const authorization = req.headers.authorization; // in case auth header does not exist we return anonymous function
req.remote_user = createAnonymousRemoteUser();
const {authorization} = req.headers;
if (_.isNil(authorization)) { if (_.isNil(authorization)) {
return next(); return next();
} }
const parts = authorization.split(' '); if (!isAuthHeaderValid(authorization)) {
if (parts.length !== 2) { this.logger.trace('api middleware auth heather is not valid');
return next( ErrorCode.getBadRequest(API_ERROR.BAD_AUTH_HEADER) ); return next( ErrorCode.getBadRequest(API_ERROR.BAD_AUTH_HEADER) );
} }
const credentials = this._parseCredentials(parts); const security: Security = getSecurity(this.config);
if (!credentials) { const {secret} = this.config;
return next();
if (isAESLegacy(security)) {
this.logger.trace('api middleware using legacy auth token');
this._handleAESMiddleware(req, security, secret, authorization, next);
} else {
this.logger.trace('api middleware using JWT auth token');
this._handleJWTAPIMiddleware(req, security, secret, authorization, next);
} }
};
}
const index = credentials.indexOf(':'); _handleJWTAPIMiddleware(
if (index < 0) { req: $RequestExtend,
return next(); security: Security,
} secret: string,
authorization: string,
const user: string = credentials.slice(0, index); next: Function) {
const pass: string = credentials.slice(index + 1); const {scheme, token} = parseAuthTokenHeader(authorization);
if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
this.authenticate(user, pass, function(err, user) { // this should happen when client tries to login with an existing user
const credentials = convertPayloadToBase64(token).toString();
const {user, password} = (parseBasicPayload(credentials): any);
this.authenticate(user, password, (err, user) => {
if (!err) { if (!err) {
req.remote_user = user; req.remote_user = user;
next(); next();
} else { } else {
req.remote_user = buildAnonymousUser(); req.remote_user = createAnonymousRemoteUser();
next(err); next(err);
} }
}); });
}; } else {
// jwt handler
const credentials: any = getMiddlewareCredentials(security, secret, authorization);
if (credentials) {
// if the signature is valid we rely on it
req.remote_user = credentials;
next();
} else {
// with JWT throw 401
next(ErrorCode.getForbidden(API_ERROR.BAD_USERNAME_PASSWORD));
}
}
} }
_parseCredentials(parts: Array<string>) { _handleAESMiddleware(req: $RequestExtend,
let credentials; security: Security,
const scheme = parts[0]; secret: string,
if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) { authorization: string,
credentials = buildBase64Buffer(parts[1]).toString(); next: Function) {
this.logger.info(API_ERROR.DEPRECATED_BASIC_HEADER); const credentials: any = getMiddlewareCredentials(security, secret, authorization);
return credentials; if (credentials) {
} else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) { const {user, password} = credentials;
const token = buildBase64Buffer(parts[1]); this.authenticate(user, password, (err, user) => {
if (!err) {
req.remote_user = user;
next();
} else {
req.remote_user = createAnonymousRemoteUser();
next(err);
}
});
} else {
// we force npm client to ask again with basic authentication
return next(ErrorCode.getBadRequest(API_ERROR.BAD_AUTH_HEADER));
}
}
credentials = aesDecrypt(token, this.secret).toString('utf8'); _isRemoteUserMissing(remote_user: RemoteUser): boolean {
return credentials; return _.isUndefined(remote_user) === false &&
} else { (_.isUndefined(remote_user.name) === false);
return;
}
} }
/** /**
@ -251,62 +296,65 @@ class Auth implements IAuth {
*/ */
webUIJWTmiddleware() { webUIJWTmiddleware() {
return (req: $RequestExtend, res: $Response, _next: NextFunction) => { return (req: $RequestExtend, res: $Response, _next: NextFunction) => {
if (_.isNull(req.remote_user) === false && _.isNil(req.remote_user.name) === false) { if (this._isRemoteUserMissing(req.remote_user)) {
return _next(); return _next();
} }
req.pause(); req.pause();
const next = () => { const next = (err) => {
req.resume(); req.resume();
if (err) {
// req.remote_user.error = err.message;
res.status(err.statusCode).send(err.message);
}
return _next(); return _next();
}; };
const token = (req.headers.authorization || '').replace(`${TOKEN_BEARER} `, ''); const {authorization} = req.headers;
if (_.isNil(authorization)) {
return next();
}
if (!isAuthHeaderValid(authorization)) {
return next( ErrorCode.getBadRequest(API_ERROR.BAD_AUTH_HEADER) );
}
const token = (authorization || '').replace(`${TOKEN_BEARER} `, '');
if (!token) { if (!token) {
return next(); return next();
} }
let decoded; let credentials;
try { try {
decoded = this.decode_token(token); credentials = verifyJWTPayload(token, this.config.secret);
} catch (err) { } catch (err) {
// FIXME: intended behaviour, do we want it? // FIXME: intended behaviour, do we want it?
} }
if (decoded) { if (credentials) {
req.remote_user = authenticatedUser(decoded.user, decoded.group); const {name, groups} = credentials;
// $FlowFixMe
req.remote_user = createRemoteUser(name, groups);
} else { } else {
req.remote_user = buildAnonymousUser(); req.remote_user = createAnonymousRemoteUser();
} }
next(); next();
}; };
} }
issueUIjwt(user: any, expiresIn: string) { async jwtEncrypt(user: RemoteUser, signOptions: JWTSignOptions): string {
const {name, real_groups} = user; const {real_groups} = user;
const payload: JWTPayload = { const payload: RemoteUser = {
user: name, ...user,
group: real_groups && real_groups.length ? real_groups : undefined, group: real_groups && real_groups.length ? real_groups : undefined,
}; };
return signPayload(payload, this.secret, {expiresIn: expiresIn || Auth.DEFAULT_EXPIRE_WEB_TOKEN}); const token: string = await signPayload(payload, this.secret, signOptions);
}
/** // $FlowFixMe
* Decodes the token. return token;
* @param {*} token
* @return {Object}
*/
decode_token(token: string) {
let decoded;
try {
decoded = verifyPayload(token, this.secret);
} catch (err) {
throw ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, err.message);
}
return decoded;
} }
/** /**
@ -317,37 +365,4 @@ class Auth implements IAuth {
} }
} }
/**
* Builds an anonymous user in case none is logged in.
* @return {Object} { name: xx, groups: [], real_groups: [] }
*/
function buildAnonymousUser() {
return {
name: undefined,
// groups without '$' are going to be deprecated eventually
groups: [ROLES.$ALL, ROLES.$ANONYMOUS, ROLES.DEPRECATED_ALL, ROLES.DEPRECATED_ANONUMOUS],
real_groups: [],
};
}
/**
* Authenticate an user.
* @return {Object} { name: xx, pluginGroups: [], real_groups: [] }
*/
function authenticatedUser(name: string, pluginGroups: Array<any>) {
const isGroupValid: boolean = _.isArray(pluginGroups);
const groups = (isGroupValid ? pluginGroups : []).concat([
ROLES.$ALL,
ROLES.$AUTH,
ROLES.DEPRECATED_ALL,
ROLES.DEPRECATED_AUTH,
ROLES.ALL]);
return {
name,
groups,
real_groups: pluginGroups,
};
}
export default Auth; export default Auth;

View file

@ -15,6 +15,7 @@ import {APP_ERROR} from './constants';
import type { import type {
PackageList, PackageList,
Config as AppConfig, Config as AppConfig,
Security,
Logger, Logger,
} from '@verdaccio/types'; } from '@verdaccio/types';
@ -38,6 +39,7 @@ class Config implements AppConfig {
self_path: string; self_path: string;
storage: string | void; storage: string | void;
plugins: string | void; plugins: string | void;
security: Security;
$key: any; $key: any;
$value: any; $value: any;

View file

@ -1,7 +1,9 @@
// @flow // @flow
export const DEFAULT_PORT = '4873'; export const DEFAULT_PORT: string = '4873';
export const DEFAULT_DOMAIN = 'localhost'; export const DEFAULT_DOMAIN: string = 'localhost';
export const TIME_EXPIRATION_24H: string ='24h';
export const TIME_EXPIRATION_7D: string = '7d';
export const HEADERS = { export const HEADERS = {
JSON: 'application/json', JSON: 'application/json',
@ -63,6 +65,7 @@ export const API_MESSAGE = {
TAG_UPDATED: 'tags updated', TAG_UPDATED: 'tags updated',
TAG_REMOVED: 'tag removed', TAG_REMOVED: 'tag removed',
TAG_ADDED: 'package tagged', TAG_ADDED: 'package tagged',
LOGGED_OUT: 'Logged out',
}; };
export const API_ERROR = { export const API_ERROR = {

View file

@ -1,12 +1,21 @@
// @flow // @flow
import {createDecipher, createCipher, createHash, pseudoRandomBytes} from 'crypto'; import {
createDecipher,
createCipher,
createHash,
pseudoRandomBytes,
} from 'crypto';
import jwt from 'jsonwebtoken'; import jwt from 'jsonwebtoken';
import type {JWTPayload, JWTSignOptions} from '../../types';
import type {JWTSignOptions, RemoteUser} from '@verdaccio/types';
export const defaultAlgorithm = 'aes192'; export const defaultAlgorithm = 'aes192';
export const defaultTarballHashAlgorithm = 'sha1';
export function aesEncrypt(buf: Buffer, secret: string): Buffer { export function aesEncrypt(buf: Buffer, secret: string): Buffer {
// deprecated
// https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
const c = createCipher(defaultAlgorithm, secret); const c = createCipher(defaultAlgorithm, secret);
const b1 = c.update(buf); const b1 = c.update(buf);
const b2 = c.final(); const b2 = c.final();
@ -16,6 +25,8 @@ export function aesEncrypt(buf: Buffer, secret: string): Buffer {
export function aesDecrypt(buf: Buffer, secret: string) { export function aesDecrypt(buf: Buffer, secret: string) {
try { try {
// deprecated
// https://nodejs.org/api/crypto.html#crypto_crypto_createdecipher_algorithm_password_options
const c = createDecipher(defaultAlgorithm, secret); const c = createDecipher(defaultAlgorithm, secret);
const b1 = c.update(buf); const b1 = c.update(buf);
const b2 = c.final(); const b2 = c.final();
@ -26,7 +37,7 @@ export function aesDecrypt(buf: Buffer, secret: string) {
} }
export function createTarballHash() { export function createTarballHash() {
return createHash('sha1'); return createHash(defaultTarballHashAlgorithm);
} }
/** /**
@ -44,13 +55,18 @@ export function generateRandomHexString(length: number = 8) {
return pseudoRandomBytes(length).toString('hex'); return pseudoRandomBytes(length).toString('hex');
} }
export function signPayload(payload: JWTPayload, secret: string, options: JWTSignOptions) { export async function signPayload(
return jwt.sign(payload, secret, { payload: RemoteUser,
notBefore: '1000', // Make sure the time will not rollback :) secretOrPrivateKey: string,
...options, options: JWTSignOptions): Promise<string> {
return new Promise(function(resolve, reject) {
return jwt.sign(payload, secretOrPrivateKey, {
notBefore: '1000', // Make sure the time will not rollback :)
...options,
}, (error, token) => error ? reject(error) : resolve(token));
}); });
} }
export function verifyPayload(token: string, secret: string) { export function verifyPayload(token: string, secretOrPrivateKey: string) {
return jwt.verify(token, secret); return jwt.verify(token, secretOrPrivateKey);
} }

View file

@ -34,7 +34,7 @@ export function getUserAgent(): string {
return `${pkgName}/${pkgVersion}`; return `${pkgName}/${pkgVersion}`;
} }
export function buildBase64Buffer(payload: string): Buffer { export function convertPayloadToBase64(payload: string): Buffer {
return new Buffer(payload, 'base64'); return new Buffer(payload, 'base64');
} }

View file

@ -10,7 +10,7 @@ class API {
if (token) { if (token) {
if (!options.headers) options.headers = {}; if (!options.headers) options.headers = {};
options.headers.authorization = token; options.headers.authorization = `Bearer ${token}`;
} }
if (!['http://', 'https://', '//'].some((prefix) => url.startsWith(prefix))) { if (!['http://', 'https://', '//'].some((prefix) => url.startsWith(prefix))) {

View file

@ -1,10 +1,10 @@
import fs from 'fs'; import fs from 'fs';
import path from 'path'; import path from 'path';
import assert from 'assert'; import assert from 'assert';
import crypto from 'crypto';
import {readFile} from '../lib/test.utils'; import {readFile} from '../lib/test.utils';
import {HTTP_STATUS} from "../../../src/lib/constants"; import {HTTP_STATUS} from "../../../src/lib/constants";
import {TARBALL} from '../config.functional'; import {TARBALL} from '../config.functional';
import {createTarballHash} from '../../../src/lib/crypto-utils';
function getBinary() { function getBinary() {
return readFile('../fixtures/binary'); return readFile('../fixtures/binary');
@ -35,7 +35,7 @@ export default function (server, server2, server3) {
beforeAll(function () { beforeAll(function () {
const pkg = require('../fixtures/package')(PKG_GH131); const pkg = require('../fixtures/package')(PKG_GH131);
pkg.dist.shasum = crypto.createHash('sha1').update(getBinary()).digest('hex'); pkg.dist.shasum = createTarballHash().update(getBinary()).digest('hex');
return server.putVersion(PKG_GH131, '0.0.1', pkg) return server.putVersion(PKG_GH131, '0.0.1', pkg)
.status(HTTP_STATUS.CREATED) .status(HTTP_STATUS.CREATED)
@ -67,7 +67,7 @@ export default function (server, server2, server3) {
beforeAll(function () { beforeAll(function () {
const pkg = require('../fixtures/package')(PKG_GH1312); const pkg = require('../fixtures/package')(PKG_GH1312);
pkg.dist.shasum = crypto.createHash('sha1').update(getBinary()).digest('hex'); pkg.dist.shasum = createTarballHash().update(getBinary()).digest('hex');
return server2.putVersion(PKG_GH1312, '0.0.1', pkg) return server2.putVersion(PKG_GH1312, '0.0.1', pkg)
.status(HTTP_STATUS.CREATED) .status(HTTP_STATUS.CREATED)

View file

@ -116,7 +116,6 @@ function smartRequest(options: any): Promise<any> {
// store the response on symbol // store the response on symbol
smartObject[requestData].response = res; smartObject[requestData].response = res;
// console.log("======>smartRequest RESPONSE: ", body);
resolve(body); resolve(body);
}); });
}); });

View file

@ -68,25 +68,14 @@ export default class VerdaccioProcess implements IServerProcess {
this.bridge.auth(CREDENTIALS.user, CREDENTIALS.password) this.bridge.auth(CREDENTIALS.user, CREDENTIALS.password)
.status(HTTP_STATUS.CREATED) .status(HTTP_STATUS.CREATED)
.body_ok(new RegExp(CREDENTIALS.user)) .body_ok(new RegExp(CREDENTIALS.user))
.then(() => { .then(() => resolve([this, body.pid]), reject)
resolve([this, body.pid]);
}, reject)
}, reject); }, reject);
} }
}); });
this.childFork.on('error', (err) => { this.childFork.on('error', (err) => reject([err, this]));
console.log('error process', err); this.childFork.on('disconnect', (err) => reject([err, this]));
reject([err, this]); this.childFork.on('exit', (err) => reject([err, this]));
});
this.childFork.on('disconnect', (err) => {
reject([err, this]);
});
this.childFork.on('exit', (err) => {
reject([err, this]);
});
} }
stop(): void { stop(): void {

5
test/unit/__helper.js Normal file
View file

@ -0,0 +1,5 @@
import path from 'path';
export const parseConfigurationFile = (name) => {
return path.join(__dirname, `./partials/config/yaml/${name}.yaml`);
};

View file

@ -0,0 +1,32 @@
// @flow
import {HEADER_TYPE, HEADERS, HTTP_STATUS} from '../../../src/lib/constants';
export function getPackage(
request: any,
header: string,
pkg: string,
statusCode: number = HTTP_STATUS.OK) {
return new Promise((resolve) => {
request.get(`/${pkg}`)
.set('authorization', header)
.expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
.expect(statusCode)
.end(function(err, res) {
resolve([err, res]);
});
});
}
export function addUser(request: any, user: string, credentials: any,
statusCode: number = HTTP_STATUS.CREATED) {
return new Promise((resolve, reject) => {
request.put(`/-/user/org.couchdb.user:${user}`)
.send(credentials)
.expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
.expect(statusCode)
.end(function(err, res) {
return resolve([err, res]);
});
});
}

View file

@ -0,0 +1,115 @@
// @flow
import request from 'supertest';
import _ from 'lodash';
import path from 'path';
import rimraf from 'rimraf';
import Config from '../../../src/lib/config';
import endPointAPI from '../../../src/api/index';
import {HEADERS, HTTP_STATUS, HEADER_TYPE} from '../../../src/lib/constants';
import {mockServer} from './mock';
import {DOMAIN_SERVERS} from '../../functional/config.functional';
import {parseConfigFile} from '../../../src/lib/utils';
import {parseConfigurationFile} from '../__helper';
import {addUser, getPackage} from './__api-helper';
import {setup} from '../../../src/lib/logger';
import {buildUserBuffer} from '../../../src/lib/auth-utils';
setup([]);
const credentials = { name: 'JotaJWT', password: 'secretPass' };
const parseConfigurationJWTFile = () => {
return parseConfigurationFile(`api-jwt/jwt`);
};
const FORBIDDEN_VUE: string = 'unregistered users are not allowed to access package vue';
describe('endpoint user auth JWT unit test', () => {
let config;
let app;
let mockRegistry;
beforeAll(function(done) {
const store = path.join(__dirname, '../partials/store/test-jwt-storage');
const mockServerPort = 55546;
rimraf(store, async () => {
const confS = parseConfigFile(parseConfigurationJWTFile());
const configForTest = _.clone(confS);
configForTest.storage = store;
configForTest.auth = {
htpasswd: {
file: './test-jwt-storage/.htpasswd'
}
};
configForTest.uplinks = {
npmjs: {
url: `http://${DOMAIN_SERVERS}:${mockServerPort}`
}
};
configForTest.self_path = store;
config = new Config(configForTest);
app = await endPointAPI(config);
mockRegistry = await mockServer(mockServerPort).init();
done();
});
});
afterAll(function(done) {
mockRegistry[0].stop();
done();
});
test('should test add a new user with JWT enabled', async (done) => {
const [err, res] = await addUser(request(app), credentials.name, credentials);
expect(err).toBeNull();
expect(res.body.ok).toBeDefined();
expect(res.body.token).toBeDefined();
const token = res.body.token;
expect(typeof token).toBe('string');
expect(res.body.ok).toMatch(`user '${credentials.name}' created`);
// testing JWT auth headers with token
// we need it here, because token is required
const [err1, resp1] = await getPackage(request(app), `Bearer ${token}`, 'vue');
expect(err1).toBeNull();
expect(resp1.body).toBeDefined();
expect(resp1.body.name).toMatch('vue');
const [err2, resp2] = await getPackage(request(app), `Bearer fake`, 'vue', HTTP_STATUS.FORBIDDEN);
expect(err2).toBeNull();
expect(resp2.statusCode).toBe(HTTP_STATUS.FORBIDDEN);
expect(resp2.body.error).toMatch(FORBIDDEN_VUE);
done();
});
test('should emulate npm login when user already exist', async (done) => {
const credentials = { name: 'jwtUser2', password: 'secretPass' };
// creates an user
await addUser(request(app), credentials.name, credentials);
// it should fails conflict 409
await addUser(request(app), credentials.name, credentials, HTTP_STATUS.CONFLICT);
// npm will try to sign in sending credentials via basic auth header
const token = buildUserBuffer(credentials.name, credentials.password).toString('base64');
request(app).put(`/-/user/org.couchdb.user:${credentials.name}/-rev/undefined`)
.send(credentials)
.set('authorization', `Basic ${token}`)
.expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
.expect(HTTP_STATUS.CREATED)
.end(function(err, res) {
expect(err).toBeNull();
expect(res.body.ok).toBeDefined();
expect(res.body.token).toBeDefined();
done();
});
});
test('should fails on try to access with corrupted token', async (done) => {
const [err2, resp2] = await getPackage(request(app), `Bearer fake`, 'vue', HTTP_STATUS.FORBIDDEN);
expect(err2).toBeNull();
expect(resp2.statusCode).toBe(HTTP_STATUS.FORBIDDEN);
expect(resp2.body.error).toMatch(FORBIDDEN_VUE);
done();
});
});

View file

@ -0,0 +1,249 @@
// @flow
import _ from 'lodash';
import Auth from '../../../src/lib/auth';
// $FlowFixMe
import configExample from '../partials/config/index';
import AppConfig from '../../../src/lib/config';
import {setup} from '../../../src/lib/logger';
import {convertPayloadToBase64, parseConfigFile} from '../../../src/lib/utils';
import {
buildUserBuffer,
getApiToken,
getAuthenticatedMessage,
getMiddlewareCredentials,
getSecurity
} from '../../../src/lib/auth-utils';
import {aesDecrypt, verifyPayload} from '../../../src/lib/crypto-utils';
import {parseConfigurationFile} from '../__helper';
import type {IAuth, } from '../../../types/index';
import type {Config, Security, RemoteUser} from '@verdaccio/types';
setup(configExample.logs);
describe('Auth utilities', () => {
const parseConfigurationSecurityFile = (name) => {
return parseConfigurationFile(`security/${name}`);
};
function getConfig(configFileName: string, secret: string) {
const conf = parseConfigFile(parseConfigurationSecurityFile(configFileName));
const secConf= _.merge(configExample, conf);
secConf.secret = secret;
const config: Config = new AppConfig(secConf);
return config;
}
async function signCredentials(
configFileName: string,
username: string,
password: string,
secret = '12345',
methodToSpy: string,
methodNotBeenCalled: string): Promise<string> {
const config: Config = getConfig(configFileName, secret);
const auth: IAuth = new Auth(config);
const spy = jest.spyOn(auth, methodToSpy);
const spyNotCalled = jest.spyOn(auth, methodNotBeenCalled);
const user: RemoteUser = {
name: username,
real_groups: [],
groups: []
};
const token = await getApiToken(auth, config, user, password);
expect(spy).toHaveBeenCalled();
expect(spy).toHaveBeenCalledTimes(1);
expect(spyNotCalled).not.toHaveBeenCalled();
expect(token).toBeDefined();
return token;
}
const verifyJWT = (token: string, user: string, password: string, secret: string) => {
const payload = verifyPayload(token, secret);
expect(payload.name).toBe(user);
expect(payload.groups).toBeDefined();
expect(payload.real_groups).toBeDefined();
};
const verifyAES = (token: string, user: string, password: string, secret: string) => {
const payload = aesDecrypt(convertPayloadToBase64(token), secret).toString('utf8');
const content = payload.split(':');
expect(content[0]).toBe(user);
expect(content[0]).toBe(password);
};
describe('getApiToken test', () => {
test('should sign token with aes and security missing', async () => {
const token = await signCredentials('security-missing',
'test', 'test', '1234567', 'aesEncrypt', 'jwtEncrypt');
verifyAES(token, 'test', 'test', '1234567');
expect(_.isString(token)).toBeTruthy();
});
test('should sign token with aes and security emtpy', async () => {
const token = await signCredentials('security-empty',
'test', 'test', '123456', 'aesEncrypt', 'jwtEncrypt');
verifyAES(token, 'test', 'test', '123456');
expect(_.isString(token)).toBeTruthy();
});
test('should sign token with aes', async () => {
const token = await signCredentials('security-basic',
'test', 'test', '123456', 'aesEncrypt', 'jwtEncrypt');
verifyAES(token, 'test', 'test', '123456');
expect(_.isString(token)).toBeTruthy();
});
test('should sign token with legacy and jwt disabled', async () => {
const token = await signCredentials('security-no-legacy',
'test', 'test', 'x8T#ZCx=2t', 'aesEncrypt', 'jwtEncrypt');
expect(_.isString(token)).toBeTruthy();
verifyAES(token, 'test', 'test', 'x8T#ZCx=2t');
});
test('should sign token with legacy enabled and jwt enabled', async () => {
const token = await signCredentials('security-jwt-legacy-enabled',
'test', 'test', 'secret', 'jwtEncrypt', 'aesEncrypt');
verifyJWT(token, 'test', 'test', 'secret');
expect(_.isString(token)).toBeTruthy();
});
test('should sign token with jwt enabled', async () => {
const token = await signCredentials('security-jwt',
'test', 'test', 'secret', 'jwtEncrypt', 'aesEncrypt');
expect(_.isString(token)).toBeTruthy();
verifyJWT(token, 'test', 'test', 'secret');
});
test('should sign with jwt whether legacy is disabled', async () => {
const token = await signCredentials('security-legacy-disabled',
'test', 'test', 'secret', 'jwtEncrypt', 'aesEncrypt');
expect(_.isString(token)).toBeTruthy();
verifyJWT(token, 'test', 'test', 'secret');
});
});
describe('getAuthenticatedMessage test', () => {
test('should sign token with jwt enabled', () => {
expect(getAuthenticatedMessage('test')).toBe('you are authenticated as \'test\'');
});
});
describe('getMiddlewareCredentials test', () => {
describe('should get AES credentials', () => {
test.concurrent('should unpack aes token and credentials', async () => {
const secret: string = 'secret';
const user: string = 'test';
const pass: string = 'test';
const token = await signCredentials('security-legacy',
user, pass, secret, 'aesEncrypt', 'jwtEncrypt');
const config: Config = getConfig('security-legacy', secret);
const security: Security = getSecurity(config);
const credentials = getMiddlewareCredentials(security, secret, `Bearer ${token}`);
expect(credentials).toBeDefined();
// $FlowFixMe
expect(credentials.user).toEqual(user);
// $FlowFixMe
expect(credentials.password).toEqual(pass);
});
test.concurrent('should unpack aes token and credentials', async () => {
const secret: string = 'secret';
const user: string = 'test';
const pass: string = 'test';
const token = buildUserBuffer(user, pass).toString('base64');
const config: Config = getConfig('security-legacy', secret);
const security: Security = getSecurity(config);
const credentials = getMiddlewareCredentials(security, secret, `Basic ${token}`);
expect(credentials).toBeDefined();
// $FlowFixMe
expect(credentials.user).toEqual(user);
// $FlowFixMe
expect(credentials.password).toEqual(pass);
});
test.concurrent('should return empty credential wrong secret key', async () => {
const secret: string = 'secret';
const token = await signCredentials('security-legacy',
'test', 'test', secret, 'aesEncrypt', 'jwtEncrypt');
const config: Config = getConfig('security-legacy', secret);
const security: Security = getSecurity(config);
const credentials = getMiddlewareCredentials(security, 'BAD_SECRET', `Bearer ${token}`);
expect(credentials).not.toBeDefined();
});
test.concurrent('should return empty credential wrong scheme', async () => {
const secret: string = 'secret';
const token = await signCredentials('security-legacy',
'test', 'test', secret, 'aesEncrypt', 'jwtEncrypt');
const config: Config = getConfig('security-legacy', secret);
const security: Security = getSecurity(config);
const credentials = getMiddlewareCredentials(security, secret, `BAD_SCHEME ${token}`);
expect(credentials).not.toBeDefined();
});
test.concurrent('should return empty credential corrupted payload', async () => {
const secret: string = 'secret';
const config: Config = getConfig('security-legacy', secret);
const auth: IAuth = new Auth(config);
const token = auth.aesEncrypt(new Buffer(`corruptedBuffer`)).toString('base64');
const security: Security = getSecurity(config);
const credentials = getMiddlewareCredentials(security, secret, `Bearer ${token}`);
expect(credentials).not.toBeDefined();
});
});
describe('should get JWT credentials', () => {
test('should return anonymous whether token is corrupted', () => {
const config: Config = getConfig('security-jwt', '12345');
const security: Security = getSecurity(config);
const credentials = getMiddlewareCredentials(security, '12345', 'Bearer fakeToken');
expect(credentials).toBeDefined();
// $FlowFixMe
expect(credentials.name).not.toBeDefined();
// $FlowFixMe
expect(credentials.real_groups).toBeDefined();
// $FlowFixMe
expect(credentials.real_groups).toEqual([]);
});
test('should return anonymous whether token and scheme are corrupted', () => {
const config: Config = getConfig('security-jwt', '12345');
const security: Security = getSecurity(config);
const credentials = getMiddlewareCredentials(security, '12345', 'FakeScheme fakeToken');
expect(credentials).not.toBeDefined();
});
test('should verify succesfully a JWT token', async () => {
const secret: string = 'secret';
const user: string = 'test';
const config: Config = getConfig('security-jwt', secret);
const token = await signCredentials('security-jwt',
user, 'secretTest', secret, 'jwtEncrypt', 'aesEncrypt');
const security: Security = getSecurity(config);
const credentials = getMiddlewareCredentials(security, secret, `Bearer ${token}`);
expect(credentials).toBeDefined();
// $FlowFixMe
expect(credentials.name).toEqual(user);
// $FlowFixMe
expect(credentials.real_groups).toBeDefined();
// $FlowFixMe
expect(credentials.real_groups).toEqual([]);
});
});
});
});

View file

@ -11,107 +11,111 @@ import {setup} from '../../../src/lib/logger';
import type {IAuth} from '../../../types/index'; import type {IAuth} from '../../../types/index';
import type {Config} from '@verdaccio/types'; import type {Config} from '@verdaccio/types';
const authConfig = Object.assign({}, configExample);
// avoid noisy log output
authConfig.logs = [{type: 'stdout', format: 'pretty', level: 'error'}];
setup(configExample.logs); setup(configExample.logs);
describe('AuthTest', () => { describe('AuthTest', () => {
test('should be defined', () => { test('should be defined', () => {
const config: Config = new AppConfig(configExample); const config: Config = new AppConfig(authConfig);
const auth: IAuth = new Auth(config); const auth: IAuth = new Auth(config);
expect(auth).toBeDefined(); expect(auth).toBeDefined();
}); });
describe('authenticate', () => { describe('test authenticate method', () => {
test('should utilize plugin', () => { test('should utilize plugin', () => {
const config: Config = new AppConfig(configPlugins); const config: Config = new AppConfig(configPlugins);
const auth: IAuth = new Auth(config); const auth: IAuth = new Auth(config);
expect(auth).toBeDefined(); expect(auth).toBeDefined();
const callback = jest.fn(); const callback = jest.fn();
const result = [ "test" ]; const result = [ "test" ];
// $FlowFixMe // $FlowFixMe
auth.authenticate(1, null, callback); auth.authenticate(1, null, callback);
// $FlowFixMe // $FlowFixMe
auth.authenticate(null, result, callback); auth.authenticate(null, result, callback);
expect(callback.mock.calls).toHaveLength(2); expect(callback.mock.calls).toHaveLength(2);
expect(callback.mock.calls[0][0]).toBe(1); expect(callback.mock.calls[0][0]).toBe(1);
expect(callback.mock.calls[0][1]).toBeUndefined(); expect(callback.mock.calls[0][1]).toBeUndefined();
expect(callback.mock.calls[1][0]).toBeNull(); expect(callback.mock.calls[1][0]).toBeNull();
expect(callback.mock.calls[1][1].real_groups).toBe(result); expect(callback.mock.calls[1][1].real_groups).toBe(result);
}); });
test('should skip falsy values', () => { test('should skip falsy values', () => {
const config: Config = new AppConfig(configPlugins); const config: Config = new AppConfig(configPlugins);
const auth: IAuth = new Auth(config); const auth: IAuth = new Auth(config);
expect(auth).toBeDefined(); expect(auth).toBeDefined();
const callback = jest.fn(); const callback = jest.fn();
let index = 0; let index = 0;
// as defined by https://developer.mozilla.org/en-US/docs/Glossary/Falsy // as defined by https://developer.mozilla.org/en-US/docs/Glossary/Falsy
for (const value of [ false, 0, "", null, undefined, NaN ]) { for (const value of [ false, 0, "", null, undefined, NaN ]) {
// $FlowFixMe // $FlowFixMe
auth.authenticate(null, value, callback); auth.authenticate(null, value, callback);
const call = callback.mock.calls[index++]; const call = callback.mock.calls[index++];
expect(call[0]).toBeDefined(); expect(call[0]).toBeDefined();
expect(call[1]).toBeUndefined(); expect(call[1]).toBeUndefined();
} }
}); });
test('should error truthy non-array', () => { test('should error truthy non-array', () => {
const config: Config = new AppConfig(configPlugins); const config: Config = new AppConfig(configPlugins);
const auth: IAuth = new Auth(config); const auth: IAuth = new Auth(config);
expect(auth).toBeDefined(); expect(auth).toBeDefined();
const callback = jest.fn(); const callback = jest.fn();
for (const value of [ true, 1, "test", { } ]) { for (const value of [ true, 1, "test", { } ]) {
expect(function ( ) { expect(function ( ) {
// $FlowFixMe // $FlowFixMe
auth.authenticate(null, value, callback); auth.authenticate(null, value, callback);
}).toThrow(TypeError); }).toThrow(TypeError);
expect(callback.mock.calls).toHaveLength(0); expect(callback.mock.calls).toHaveLength(0);
} }
}); });
test('should skip empty array', () => { test('should skip empty array', () => {
const config: Config = new AppConfig(configPlugins); const config: Config = new AppConfig(configPlugins);
const auth: IAuth = new Auth(config); const auth: IAuth = new Auth(config);
expect(auth).toBeDefined(); expect(auth).toBeDefined();
const callback = jest.fn(); const callback = jest.fn();
const value = [ ]; const value = [ ];
// $FlowFixMe // $FlowFixMe
auth.authenticate(null, value, callback); auth.authenticate(null, value, callback);
expect(callback.mock.calls).toHaveLength(1); expect(callback.mock.calls).toHaveLength(1);
expect(callback.mock.calls[0][0]).toBeDefined(); expect(callback.mock.calls[0][0]).toBeDefined();
expect(callback.mock.calls[0][1]).toBeUndefined(); expect(callback.mock.calls[0][1]).toBeUndefined();
}); });
test('should accept valid array', () => { test('should accept valid array', () => {
const config: Config = new AppConfig(configPlugins); const config: Config = new AppConfig(configPlugins);
const auth: IAuth = new Auth(config); const auth: IAuth = new Auth(config);
expect(auth).toBeDefined(); expect(auth).toBeDefined();
const callback = jest.fn(); const callback = jest.fn();
let index = 0; let index = 0;
for (const value of [ [ "" ], [ "1" ], [ "0" ], ["000"] ]) { for (const value of [ [ "" ], [ "1" ], [ "0" ], ["000"] ]) {
// $FlowFixMe // $FlowFixMe
auth.authenticate(null, value, callback); auth.authenticate(null, value, callback);
const call = callback.mock.calls[index++]; const call = callback.mock.calls[index++];
expect(call[0]).toBeNull(); expect(call[0]).toBeNull();
expect(call[1].real_groups).toBe(value); expect(call[1].real_groups).toBe(value);
} }
}); });
}) })
}); });

View file

@ -13,19 +13,19 @@ import {PACKAGE_ACCESS, ROLES} from '../../../src/lib/constants';
describe('Config Utilities', () => { describe('Config Utilities', () => {
const parsePartial = (name) => { const parseConfigurationFile = (name) => {
return path.join(__dirname, `../partials/config/yaml/${name}.yaml`); return path.join(__dirname, `../partials/config/yaml/${name}.yaml`);
}; };
describe('uplinkSanityCheck', () => { describe('uplinkSanityCheck', () => {
test('should test basic conversion', ()=> { test('should test basic conversion', ()=> {
const uplinks = uplinkSanityCheck(parseConfigFile(parsePartial('uplink-basic')).uplinks); const uplinks = uplinkSanityCheck(parseConfigFile(parseConfigurationFile('uplink-basic')).uplinks);
expect(Object.keys(uplinks)).toContain('server1'); expect(Object.keys(uplinks)).toContain('server1');
expect(Object.keys(uplinks)).toContain('server2'); expect(Object.keys(uplinks)).toContain('server2');
}); });
test('should throw error on blacklisted uplink name', ()=> { test('should throw error on blacklisted uplink name', ()=> {
const {uplinks} = parseConfigFile(parsePartial('uplink-wrong')); const {uplinks} = parseConfigFile(parseConfigurationFile('uplink-wrong'));
expect(() => { expect(() => {
uplinkSanityCheck(uplinks) uplinkSanityCheck(uplinks)
@ -35,7 +35,7 @@ describe('Config Utilities', () => {
describe('sanityCheckUplinksProps', () => { describe('sanityCheckUplinksProps', () => {
test('should fails if url prop is missing', ()=> { test('should fails if url prop is missing', ()=> {
const {uplinks} = parseConfigFile(parsePartial('uplink-wrong')); const {uplinks} = parseConfigFile(parseConfigurationFile('uplink-wrong'));
expect(() => { expect(() => {
sanityCheckUplinksProps(uplinks) sanityCheckUplinksProps(uplinks)
}).toThrow('CONFIG: no url for uplink: none-url'); }).toThrow('CONFIG: no url for uplink: none-url');
@ -48,7 +48,7 @@ describe('Config Utilities', () => {
describe('normalisePackageAccess', () => { describe('normalisePackageAccess', () => {
test('should test basic conversion', ()=> { test('should test basic conversion', ()=> {
const {packages} = parseConfigFile(parsePartial('pkgs-basic')); const {packages} = parseConfigFile(parseConfigurationFile('pkgs-basic'));
const access = normalisePackageAccess(packages); const access = normalisePackageAccess(packages);
expect(access).toBeDefined(); expect(access).toBeDefined();
@ -60,7 +60,7 @@ describe('Config Utilities', () => {
}); });
test('should test multi group', ()=> { test('should test multi group', ()=> {
const {packages} = parseConfigFile(parsePartial('pkgs-multi-group')); const {packages} = parseConfigFile(parseConfigurationFile('pkgs-multi-group'));
const access = normalisePackageAccess(packages); const access = normalisePackageAccess(packages);
expect(access).toBeDefined(); expect(access).toBeDefined();
@ -84,7 +84,7 @@ describe('Config Utilities', () => {
test('should deprecated packages props', ()=> { test('should deprecated packages props', ()=> {
const {packages} = parseConfigFile(parsePartial('deprecated-pkgs-basic')); const {packages} = parseConfigFile(parseConfigurationFile('deprecated-pkgs-basic'));
const access = normalisePackageAccess(packages); const access = normalisePackageAccess(packages);
expect(access).toBeDefined(); expect(access).toBeDefined();
@ -118,7 +118,7 @@ describe('Config Utilities', () => {
}); });
test('should check not default packages access', ()=> { test('should check not default packages access', ()=> {
const {packages} = parseConfigFile(parsePartial('pkgs-empty')); const {packages} = parseConfigFile(parseConfigurationFile('pkgs-empty'));
const access = normalisePackageAccess(packages); const access = normalisePackageAccess(packages);
expect(access).toBeDefined(); expect(access).toBeDefined();
@ -137,7 +137,7 @@ describe('Config Utilities', () => {
describe('getMatchedPackagesSpec', () => { describe('getMatchedPackagesSpec', () => {
test('should test basic config', () => { test('should test basic config', () => {
const {packages} = parseConfigFile(parsePartial('pkgs-custom')); const {packages} = parseConfigFile(parseConfigurationFile('pkgs-custom'));
// $FlowFixMe // $FlowFixMe
expect(getMatchedPackagesSpec('react', packages).proxy).toMatch('facebook'); expect(getMatchedPackagesSpec('react', packages).proxy).toMatch('facebook');
// $FlowFixMe // $FlowFixMe
@ -149,7 +149,7 @@ describe('Config Utilities', () => {
}); });
test('should test no ** wildcard on config', () => { test('should test no ** wildcard on config', () => {
const {packages} = parseConfigFile(parsePartial('pkgs-nosuper-wildcard-custom')); const {packages} = parseConfigFile(parseConfigurationFile('pkgs-nosuper-wildcard-custom'));
// $FlowFixMe // $FlowFixMe
expect(getMatchedPackagesSpec('react', packages).proxy).toMatch('facebook'); expect(getMatchedPackagesSpec('react', packages).proxy).toMatch('facebook');
// $FlowFixMe // $FlowFixMe
@ -163,7 +163,7 @@ describe('Config Utilities', () => {
describe('hasProxyTo', () => { describe('hasProxyTo', () => {
test('should test basic config', () => { test('should test basic config', () => {
const packages = normalisePackageAccess(parseConfigFile(parsePartial('pkgs-basic')).packages); const packages = normalisePackageAccess(parseConfigFile(parseConfigurationFile('pkgs-basic')).packages);
// react // react
expect(hasProxyTo('react', 'facebook', packages)).toBeFalsy(); expect(hasProxyTo('react', 'facebook', packages)).toBeFalsy();
expect(hasProxyTo('react', 'google', packages)).toBeFalsy(); expect(hasProxyTo('react', 'google', packages)).toBeFalsy();
@ -178,7 +178,7 @@ describe('Config Utilities', () => {
}); });
test('should test resolve based on custom package access', () => { test('should test resolve based on custom package access', () => {
const packages = normalisePackageAccess(parseConfigFile(parsePartial('pkgs-custom')).packages); const packages = normalisePackageAccess(parseConfigFile(parseConfigurationFile('pkgs-custom')).packages);
// react // react
expect(hasProxyTo('react', 'facebook', packages)).toBeTruthy(); expect(hasProxyTo('react', 'facebook', packages)).toBeTruthy();
expect(hasProxyTo('react', 'google', packages)).toBeFalsy(); expect(hasProxyTo('react', 'google', packages)).toBeFalsy();
@ -193,7 +193,7 @@ describe('Config Utilities', () => {
}); });
test('should not resolve any proxy', () => { test('should not resolve any proxy', () => {
const packages = normalisePackageAccess(parseConfigFile(parsePartial('pkgs-empty')).packages); const packages = normalisePackageAccess(parseConfigFile(parseConfigurationFile('pkgs-empty')).packages);
// react // react
expect(hasProxyTo('react', 'npmjs', packages)).toBeFalsy(); expect(hasProxyTo('react', 'npmjs', packages)).toBeFalsy();
expect(hasProxyTo('react', 'npmjs', packages)).toBeFalsy(); expect(hasProxyTo('react', 'npmjs', packages)).toBeFalsy();

View file

@ -0,0 +1,36 @@
storage: ./storage
plugins: ./plugins
web:
title: Verdaccio
auth:
htpasswd:
file: ./htpasswd
uplinks:
npmjs:
url: https://registry.npmjs.org/
security:
api:
jwt:
sign:
expiresIn: 10m
notBefore: 0
packages:
'@*/*':
access: $all
publish: $authenticated
proxy: npmjs
'vue':
access: $authenticated
publish: $authenticated
proxy: npmjs
'**':
access: $all
publish: $authenticated
proxy: npmjs
middlewares:
audit:
enabled: true
logs:
- {type: stdout, format: pretty, level: http}

View file

@ -0,0 +1,12 @@
security:
api:
legacy: true # use AES algorithm
# jwt enables json web token and disable legacy
# jwt: https://github.com/auth0/node-jsonwebtoken#jwtsignpayload-secretorprivatekey-options-callback
sign:
expiresIn: 7d # 7 days by default
# verify:
web:
sign:
expiresIn: 7d # 7 days by default
# verify: https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback

View file

@ -0,0 +1 @@
security:

View file

@ -0,0 +1,10 @@
security:
api:
legacy: true
jwt:
sign:
expiresIn: 7d
notBefore: 0
web:
sign:
expiresIn: 7d

View file

@ -0,0 +1,6 @@
security:
api:
jwt:
sign:
expiresIn: 7d
notBefore: 0

View file

@ -0,0 +1,3 @@
security:
api:
legacy: false

View file

@ -0,0 +1,3 @@
security:
api:
legacy: true

View file

@ -0,0 +1,9 @@
security:
api:
legacy: false
sign:
expiresIn: 7d
notBefore: 0
web:
sign:
expiresIn: 7d

View file

@ -0,0 +1 @@
{"list":[],"secret":"c884521349204fdb6665e27a20c04dd1fb81863a56fa68cbbab39aebea0dd609"}

View file

@ -8,8 +8,10 @@ import type {
Callback, Callback,
Versions, Versions,
Version, Version,
RemoteUser,
Config, Config,
Logger, Logger,
JWTSignOptions,
PackageAccess, PackageAccess,
StringValue as verdaccio$StringValue, StringValue as verdaccio$StringValue,
Package} from '@verdaccio/types'; Package} from '@verdaccio/types';
@ -30,19 +32,31 @@ export type StartUpConfig = {
export type MatchedPackage = PackageAccess | void; export type MatchedPackage = PackageAccess | void;
export type JWTPayload = { export type JWTPayload = RemoteUser & {
user: string; password?: string;
group: string | void;
} }
export type JWTSignOptions = { export type AESPayload = {
expiresIn: string; user: string;
password: string;
} }
export type AuthTokenHeader = {
scheme: string;
token: string;
}
export type BasicPayload = AESPayload | void;
export type AuthMiddlewarePayload = RemoteUser | BasicPayload;
export type ProxyList = { export type ProxyList = {
[key: string]: IProxy; [key: string]: IProxy;
} }
export type CookieSessionToken = {
expires: Date;
}
export type Utils = { export type Utils = {
ErrorCode: any; ErrorCode: any;
getLatestVersion: Callback; getLatestVersion: Callback;
@ -59,8 +73,9 @@ export type $NextFunctionVer = NextFunction & mixed;
export type $SidebarPackage = Package & {latest: mixed} export type $SidebarPackage = Package & {latest: mixed}
interface IAuthWebUI { export interface IAuthWebUI {
issueUIjwt(user: string, time: string): string; jwtEncrypt(user: RemoteUser, signOptions: JWTSignOptions): string;
aesEncrypt(buf: Buffer): Buffer;
} }
interface IAuthMiddleware { interface IAuthMiddleware {

View file

@ -265,9 +265,9 @@
version "1.0.0" version "1.0.0"
resolved "https://registry.npmjs.org/@verdaccio/streams/-/streams-1.0.0.tgz#d5d24c6747208728b9fd16b908e3932c3fb1f864" resolved "https://registry.npmjs.org/@verdaccio/streams/-/streams-1.0.0.tgz#d5d24c6747208728b9fd16b908e3932c3fb1f864"
"@verdaccio/types@3.4.2": "@verdaccio/types@3.7.1":
version "3.4.2" version "3.7.1"
resolved "https://registry.npmjs.org/@verdaccio/types/-/types-3.4.2.tgz#e1b0952df73167428dbbe071663e72911df3404e" resolved "https://registry.npmjs.org/@verdaccio/types/-/types-3.7.1.tgz#e084ce466e8308c502013a810f29f52615aba124"
"@webassemblyjs/ast@1.5.13": "@webassemblyjs/ast@1.5.13":
version "1.5.13" version "1.5.13"
@ -4872,6 +4872,16 @@ http-errors@1.6.3, http-errors@~1.6.2, http-errors@~1.6.3:
setprototypeof "1.1.0" setprototypeof "1.1.0"
statuses ">= 1.4.0 < 2" statuses ">= 1.4.0 < 2"
http-errors@1.7.0:
version "1.7.0"
resolved "https://registry.npmjs.org/http-errors/-/http-errors-1.7.0.tgz#b6d36492a201c7888bdcb5dd0471140423c4ad2a"
dependencies:
depd "~1.1.2"
inherits "2.0.3"
setprototypeof "1.1.0"
statuses ">= 1.5.0 < 2"
toidentifier "1.0.0"
http-parser-js@>=0.4.0: http-parser-js@>=0.4.0:
version "0.4.13" version "0.4.13"
resolved "https://registry.npmjs.org/http-parser-js/-/http-parser-js-0.4.13.tgz#3bd6d6fde6e3172c9334c3b33b6c193d80fe1137" resolved "https://registry.npmjs.org/http-parser-js/-/http-parser-js-0.4.13.tgz#3bd6d6fde6e3172c9334c3b33b6c193d80fe1137"
@ -9604,7 +9614,7 @@ static-extend@^0.1.1:
define-property "^0.2.5" define-property "^0.2.5"
object-copy "^0.1.0" object-copy "^0.1.0"
"statuses@>= 1.3.1 < 2", "statuses@>= 1.4.0 < 2": "statuses@>= 1.3.1 < 2", "statuses@>= 1.4.0 < 2", "statuses@>= 1.5.0 < 2":
version "1.5.0" version "1.5.0"
resolved "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c" resolved "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c"
@ -10110,6 +10120,10 @@ to-regex@^3.0.1, to-regex@^3.0.2:
regex-not "^1.0.2" regex-not "^1.0.2"
safe-regex "^1.1.0" safe-regex "^1.1.0"
toidentifier@1.0.0:
version "1.0.0"
resolved "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz#7e1be3470f1e77948bc43d94a3c8f4d7752ba553"
toposort@^1.0.0: toposort@^1.0.0:
version "1.0.7" version "1.0.7"
resolved "https://registry.npmjs.org/toposort/-/toposort-1.0.7.tgz#2e68442d9f64ec720b8cc89e6443ac6caa950029" resolved "https://registry.npmjs.org/toposort/-/toposort-1.0.7.tgz#2e68442d9f64ec720b8cc89e6443ac6caa950029"