diff --git a/.changeset/odd-fishes-cry.md b/.changeset/odd-fishes-cry.md
new file mode 100644
index 000000000..eefbce20f
--- /dev/null
+++ b/.changeset/odd-fishes-cry.md
@@ -0,0 +1,5 @@
+---
+'@verdaccio/middleware': patch
+---
+
+fix(middleware): scoped package for allow checks
diff --git a/packages/middleware/src/middlewares/allow.ts b/packages/middleware/src/middlewares/allow.ts
index 23a4c553f..95714e2d2 100644
--- a/packages/middleware/src/middlewares/allow.ts
+++ b/packages/middleware/src/middlewares/allow.ts
@@ -20,7 +20,7 @@ export function allow(
 return function (req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer): void {
 req.pause();
 const packageName = req.params.scope
- ? `@${req.params.scope}/${req.params.package}`
+ ? `${req.params.scope}/${req.params.package}`
 : req.params.package;
 const packageVersion = req.params.filename
 ? tarballUtils.getVersionFromTarball(req.params.filename)
diff --git a/packages/middleware/test/allow.spec.ts b/packages/middleware/test/allow.spec.ts
index c6bc8cd9f..2f9893aa0 100644
--- a/packages/middleware/test/allow.spec.ts
+++ b/packages/middleware/test/allow.spec.ts
@@ -13,7 +13,6 @@ test('should allow request', async () => {
 },
 });
 const app = getApp([]);
- // @ts-ignore
 app.get('/:package', can('publish'), (req, res) => {
 res.status(HTTP_STATUS.OK).json({});
 });
@@ -28,8 +27,7 @@ test('should allow scope request', async () => {
 },
 });
 const app = getApp([]);
- // @ts-ignore
- app.get('/:package/:scope', can('publish'), (req, res) => {
+ app.get('/:scope/:package', can('publish'), (req, res) => {
 res.status(HTTP_STATUS.OK).json({});
 });
 
@@ -43,7 +41,6 @@ test('should allow filename request', async () => {
 },
 });
 const app = getApp([]);
- // @ts-ignore
 app.get('/:filename', can('publish'), (req, res) => {
 res.status(HTTP_STATUS.OK).json({});
 });
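Review bot: In `packages/middleware/src/middlewares/allow.ts`, the new `packageName` expression relies on `req.params.scope` already carrying the leading `@`, and nothing in this hunk enforces that. If a route can bind `:scope` to a segment without `@` (the route definitions and any param validators are not visible here), the `allow_*` callbacks would be asked about a name like `foo/bar`, which is not a valid scoped name, so access rules could be evaluated against a name that differs from the one the rest of the registry resolves. A guard before the permission call would keep the check on a canonical name, for example `if (req.params.scope && !req.params.scope.startsWith('@')) { /* reject with a 4xx before calling the allow_* check */ }`. The body of the returned middleware continues outside the hunk.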
@@ -58,7 +55,6 @@ test('should not allow request', async () => {
 },
 });
 const app = getApp([]);
- // @ts-ignore
 app.get('/sec', can('publish'), (req, res) => {
 res.status(HTTP_STATUS.OK).json({});
 });
@@ -73,7 +69,6 @@ test('should handle error request', async () => {
 },
 });
 const app = getApp([]);
- // @ts-ignore
 app.get('/err', can('publish'));
 
 return request(app).get('/err').expect(HTTP_STATUS.INTERNAL_ERROR);
@@ -82,11 +77,12 @@ test('should handle error request', async () => {
 test('should allow request with version', async () => {
 const can = allow({
 allow_publish: (params, remove, cb) => {
- return params.packageVersion === '1.0.0' ? cb(null, true) : cb(null, false);
+ return params.packageName === 'pacman' && params.packageVersion === '1.0.0'
+ ? cb(null, true)
+ : cb(new Error('not allowed'), false);
 },
 });
 const app = getApp([]);
- // @ts-ignore
 app.get('/:package/:version', can('publish'), (req, res) => {
 res.status(HTTP_STATUS.OK).json({});
 });
@@ -94,14 +90,31 @@ test('should allow request with version', async () => {
 return request(app).get('/pacman/1.0.0').expect(HTTP_STATUS.OK);
 });
 
-test('should not allow request with version', async () => {
+test('should allow request with scope and version', async () => {
 const can = allow({
 allow_publish: (params, remove, cb) => {
- return params.packageVersion === '1.0.0' ? cb(null, true) : cb(null, false);
+ return params.packageName === '@verdaccio/core'
+ ? cb(null, true)
+ : cb(new Error('not allowed'), false);
+ },
+ });
+ const app = getApp([]);
+ app.get('/:scope/:package', can('publish'), (req, res) => {
+ res.status(HTTP_STATUS.OK).json({});
+ });
+
+ return request(app).get('/@verdaccio/core').expect(HTTP_STATUS.OK);
+});
+
+test('should not allow request with version', async () => {
+ const can = allow({
+ allow_publish: (params, remove, cb) => {
+ return params.packageName === 'pacman' && params.packageVersion === '2.0.0'
+ ? cb(new Error('not allowed'), false)
+ : cb(null, true);
 },
 });
 const app = getApp([]);
- // @ts-ignore
 app.get('/:package/:version', can('publish'), (req, res) => {
 res.status(HTTP_STATUS.OK).json({});
 });
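Review bot: The added test 'should allow request with scope and version' never exercises a version: it registers `/:scope/:package` and its `allow_publish` compares only `params.packageName`. Either rename it (e.g. 'should allow scoped package request') or add a version segment and assert `params.packageVersion` as well. Since this middleware gates publish and access decisions, the scoped path also deserves a denial case, such as a request for a different scope expecting a non-200 status; none is added in this hunk. In the rewritten 'should not allow request with version', denial is now signalled with `cb(new Error('not allowed'), false)` rather than `cb(null, false)`. The request and expected status lie outside the hunk, so it is worth confirming that the plain `cb(null, false)` path is still covered by another test.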