Infrastructure/verdaccio
0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2025-04-01 02:42:23 -05:00
Code Issues Activity

fix(middleware): scoped package for allow checks (#5165)

Browse source
This commit is contained in:
Marc Bernard 2025-03-29 13:23:24 +01:00 committed by GitHub
parent bb478f2ab8
commit da1650c421
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 30 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
.changeset/odd-fishes-cry.md Normal file
View file

@ -0,0 +1,5 @@
---
'@verdaccio/middleware': patch
---
fix(middleware): scoped package for allow checks

2
packages/middleware/src/middlewares/allow.ts
View file

@ -20,7 +20,7 @@ export function allow<T>(
return function (req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer): void {
req.pause();
const packageName = req.params.scope
? `@${req.params.scope}/${req.params.package}`
? `${req.params.scope}/${req.params.package}`
: req.params.package;
const packageVersion = req.params.filename
? tarballUtils.getVersionFromTarball(req.params.filename)

35
packages/middleware/test/allow.spec.ts
View file

@ -13,7 +13,6 @@ test('should allow request', async () => {
},
});
const app = getApp([]);
// @ts-ignore
app.get('/:package', can('publish'), (req, res) => {
res.status(HTTP_STATUS.OK).json({});
});
@ -28,8 +27,7 @@ test('should allow scope request', async () => {
},
});
const app = getApp([]);
// @ts-ignore
app.get('/:package/:scope', can('publish'), (req, res) => {
app.get('/:scope/:package', can('publish'), (req, res) => {
res.status(HTTP_STATUS.OK).json({});
});
@ -43,7 +41,6 @@ test('should allow filename request', async () => {
},
});
const app = getApp([]);
// @ts-ignore
app.get('/:filename', can('publish'), (req, res) => {
res.status(HTTP_STATUS.OK).json({});
});
@ -58,7 +55,6 @@ test('should not allow request', async () => {
},
});
const app = getApp([]);
// @ts-ignore
app.get('/sec', can('publish'), (req, res) => {
res.status(HTTP_STATUS.OK).json({});
});
@ -73,7 +69,6 @@ test('should handle error request', async () => {
},
});
const app = getApp([]);
// @ts-ignore
app.get('/err', can('publish'));
return request(app).get('/err').expect(HTTP_STATUS.INTERNAL_ERROR);
@ -82,11 +77,12 @@ test('should handle error request', async () => {
test('should allow request with version', async () => {
const can = allow({
allow_publish: (params, remove, cb) => {
return params.packageVersion === '1.0.0' ? cb(null, true) : cb(null, false);
return params.packageName === 'pacman' && params.packageVersion === '1.0.0'
? cb(null, true)
: cb(new Error('not allowed'), false);
},
});
const app = getApp([]);
// @ts-ignore
app.get('/:package/:version', can('publish'), (req, res) => {
res.status(HTTP_STATUS.OK).json({});
});
@ -94,14 +90,31 @@ test('should allow request with version', async () => {
return request(app).get('/pacman/1.0.0').expect(HTTP_STATUS.OK);
});
test('should not allow request with version', async () => {
test('should allow request with scope and version', async () => {
const can = allow({
allow_publish: (params, remove, cb) => {
return params.packageVersion === '1.0.0' ? cb(null, true) : cb(null, false);
return params.packageName === '@verdaccio/core'
? cb(null, true)
: cb(new Error('not allowed'), false);
},
});
const app = getApp([]);
app.get('/:scope/:package', can('publish'), (req, res) => {
res.status(HTTP_STATUS.OK).json({});
});
return request(app).get('/@verdaccio/core').expect(HTTP_STATUS.OK);
});
test('should not allow request with version', async () => {
const can = allow({
allow_publish: (params, remove, cb) => {
return params.packageName === 'pacman' && params.packageVersion === '2.0.0'
? cb(new Error('not allowed'), false)
: cb(null, true);
},
});
const app = getApp([]);
// @ts-ignore
app.get('/:package/:version', can('publish'), (req, res) => {
res.status(HTTP_STATUS.OK).json({});
});