mirror of
https://github.com/verdaccio/verdaccio.git
synced 2024-12-30 22:34:10 -05:00
aeff267d94
feat: add a new configuration value named 'slow_verify_ms' to the htpasswd plugin that when exceeded during password verification will log a warning message chore: update README.md for htpasswd plugin to add additional information about the 'rounds' configuration value and also include the new 'slow_verify_ms' configuration value
88 lines
4.3 KiB
Markdown
[![verdaccio (latest)](https://img.shields.io/npm/v/verdaccio-htpasswd/latest.svg)](https://www.npmjs.com/package/verdaccio-htpasswd)
[![Known Vulnerabilities](https://snyk.io/test/github/verdaccio/verdaccio-htpasswd/badge.svg?targetFile=package.json)](https://snyk.io/test/github/verdaccio/verdaccio-htpasswd?targetFile=package.json)
[![CircleCI](https://circleci.com/gh/verdaccio/verdaccio-htpasswd.svg?style=svg)](https://circleci.com/gh/ayusharma/verdaccio-htpasswd) [![codecov](https://codecov.io/gh/ayusharma/verdaccio-htpasswd/branch/master/graph/badge.svg)](https://codecov.io/gh/ayusharma/verdaccio-htpasswd)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd?ref=badge_shield)
[![backers](https://opencollective.com/verdaccio/tiers/backer/badge.svg?label=Backer&color=brightgreen)](https://opencollective.com/verdaccio)
[![discord](https://img.shields.io/discord/388674437219745793.svg)](http://chat.verdaccio.org/)
![MIT](https://img.shields.io/github/license/mashape/apistatus.svg)
[![node](https://img.shields.io/node/v/verdaccio-htpasswd/latest.svg)](https://www.npmjs.com/package/verdaccio-htpasswd)

# Verdaccio Module For User Auth Via Htpasswd

`verdaccio-htpasswd` is the default authentication plugin for [Verdaccio](https://github.com/verdaccio/verdaccio).

> Since `v3.0.0-beta.x` this plugin is consumed as a dependency; `v2.x` still ships it built in.

## Install

As simple as running:

```
$ npm install -g verdaccio-htpasswd
```

## Configure

```yaml
auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+infinity".
    # You can set this to -1 to disable registration.
    #max_users: 1000
    # Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
    #algorithm: bcrypt
    # Rounds number for "bcrypt", will be ignored for other algorithms.
    # Setting this value higher will result in password verification taking longer.
    #rounds: 10
    # Log a warning if the password takes more than this duration in milliseconds to verify.
    #slow_verify_ms: 200
```

### Bcrypt rounds

It is important to note that when using the default `bcrypt` algorithm and setting the `rounds` configuration value higher than the default of `10`, verification of a user password can cause significantly increased CPU usage and additional latency in processing requests.

If your Verdaccio instance handles a large number of authenticated requests using username and password for authentication, the `rounds` configuration value may need to be decreased to prevent excessive CPU usage and request latency.

Also note that setting the `rounds` configuration value too small increases the risk of a successful brute-force attack. Auth0 has a [blog article](https://auth0.com/blog/hashing-in-action-understanding-bcrypt) that provides an overview of how `bcrypt` hashing works and some best practices.

## Logging In

To log in using NPM, run:

```
npm adduser --registry https://your.registry.local
```

## Generate htpasswd username/password combination

If you wish to handle access control using an htpasswd file, you can generate a username/password combination from [here](http://www.htaccesstools.com/htpasswd-generator/) and add it to the htpasswd file.

## How does it work?

The htpasswd file contains rows, each holding a username and password pair separated by a colon character. The password is not stored in clear text: it is hashed using the UNIX system's crypt method and may use MD5 or SHA1.

## Plugin Development in Verdaccio

There are many ways to extend [Verdaccio](https://github.com/verdaccio/verdaccio); it currently supports authentication plugins, middleware plugins (since v2.7.0) and storage plugins (since v3.x).

#### Useful Links

- [Plugin Development](http://www.verdaccio.org/docs/en/dev-plugins.html)
- [List of Plugins](http://www.verdaccio.org/docs/en/plugins.html)

## License

[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fverdaccio%2Fverdaccio-htpasswd?ref=badge_large)