* feat: support for npm token
This is an effor of:
This commit intent to provide npm token support.
https: //github.com/verdaccio/verdaccio/issues/541
https: //github.com/verdaccio/verdaccio/pull/1271
https: //github.com/verdaccio/local-storage/pull/168
Co-Authored-By: Manuel Spigolon <behemoth89@gmail.com>
Co-Authored-By: Juan Gabriel Jiménez <juangabreil@gmail.com>
* chore: update secrets baselines
Co-Authored-By: Liran Tal <liran.tal@gmail.com>
* chore: update lock file
* chore: add logger mock methods
* chore: update @verdaccio/types
* refactor: unit test was flacky
adapt the pkg access to the new configuration setup
* refactor: add plugin methods validation
* test: add test for aesEncrypt
* chore: update local-storage dependency
* chore: add support for experimetns
token will be part of the experiment lists
* chore: increase timeout
* chore: increase timeout threshold
* chore: update nock
* chore: update dependencies
* chore: update eslint config
* chore: update dependencies
* test: add unit test for npm token
* chore: update readme
* fix: unpublish and add or remove star colision
The issue was the npm star use a similar payload, but we did not check properly the shape of the payload, this fix and allow unpublish correctly.
Improve unit testing for publishing and unpublishing
Add new code documentation for future changes.
* chore: update secrets baseline
* chore: add missing type
this will requires update types in the future
- Tests suites must be independent each other, this is a refactor that allow star endpoint to be fully independent.
- Add putPackage utility to put new packages
* feat: adds provision to show up environment information
Fixes#1364
* feat: include docker info
* fix: pin envinfo
* fix: lock file
* fix: docker config
* fix: minor refactor
handle async behaviour
* feat: add short version for info
This feature aims to fix a unfair and missleading situation with storage plugins. Until now they were forced to throw Node error codes https://nodejs.org/api/errors.html#nodejs-error-codes when a resource is not found or a file exist already.
Error codes as EEXISTS or ENOENT does not exist in environments where storage is a database or cloud api, thus must be mock.
This PR has backward compability and plugins can safely migrate to new error http codes.
fix #1328 and #720
Type: bug
The following has been addressed in the PR:
Instead of returning a 404 (Not Found) when npm, yarn, etc requests a package and the package cannot be acquired from an uplink due to a connection timeout, socket timeout, or connection reset problem, a 503 (service unavailable) is returned by Verdaccio instead. In limited testing of a few versions of npm and yarn, both of these clients correctly attempt to retry the request when a 503 is returned.
Added functional tests to verify the behavior (this adds a dev dependency on nock, which provides HTTP request mocking
Description:
This resolves issue #1328 and #720, and ensures npm/yarn install commands don't fail immediately when there is an intermittent network timeout problem with an uplink. Instead Verdaccio will appropriately respond to the client with a 503. A 404 response (current behavior) incorrectly tells the client that the package does not exist (which may or may not be true) and to not try again.
When a user has a valid token and tries to login with other credentials the endpoint returns 201.
The reason was if another user logged previously and had a valid token stored in the terminal. We must authenticate any user that tries to log in even if the token stored is valid.
We must check credentials again and return a new token, if the credentials are wrong we reject the login. Furthermore, the new token will update the list of groups.
Add a plugin that can filter all package metadata before being returned.
This enables blocking of packages from verdaccio.
IPluginStorageFilter are loaded like other plugins from the config.
Verdaccio will look for plugins in config.filters and pass this to
storage.init. This is the same design as other plugins and will be
dynamically found with the same rules. These plugins must impliment
a filter_metadata method, which is called serially (in the order
loaded from the config) for every metadata request. It gets a current
copy of a package metadata and may choose to modify it as required.
For example, this may be used to block a bad version of a package or
add a time delay from when new packages can be used from your
registry. Errors in a filter will cause a 404, similar to upLinkErrors
as it is not safe to recover gracefully from them. Note: When version
is removed, be careful about updating tags.
Fixes: #818
* feat: add some security headers for web UI
The idea behind this is have more control over the content is rendered mostly via README.
* chore: rename header for frame options
* chore: rename method better name
