762692341a
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
---|---|---|
.. | ||
src | ||
tests | ||
.babelrc | ||
.eslintignore | ||
.eslintrc.json | ||
CHANGELOG.md | ||
htpasswd | ||
jest.config.js | ||
LICENSE | ||
package.json | ||
README.md | ||
tsconfig.build.json | ||
tsconfig.json |
Verdaccio Module For User Auth Via Htpasswd
verdaccio-htpasswd
is a default authentication plugin for the Verdaccio.
This plugin is being used as dependency after
v3.0.0-beta.x
. Thev2.x
still contains this plugin built-in.
Install
As simple as running:
$ npm install -g verdaccio-htpasswd
Configure
auth:
htpasswd:
file: ./htpasswd
# Maximum amount of users allowed to register, defaults to "+infinity".
# You can set this to -1 to disable registration.
#max_users: 1000
# Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
#algorithm: bcrypt
# Rounds number for "bcrypt", will be ignored for other algorithms.
# Setting this value higher will result in password verification taking longer.
#rounds: 10
# Log a warning if the password takes more then this duration in milliseconds to verify.
#slow_verify_ms: 200
Bcrypt rounds
It is important to note that when using the default bcrypt
algorithm and setting
the rounds
configuration value to a higher number then the default of 10
, that
verification of a user password can cause significantly increased CPU usage and
additional latency in processing requests.
If your Verdaccio instance handles a large number of authenticated requests using
username and password for authentication, the rounds
configuration value may need
to be decreased to prevent excessive CPU usage and request latency.
Also note that setting the rounds
configuration value to a value that is too small
increases the risk of successful brute force attack. Auth0 has a
blog article
that provides an overview of how bcrypt
hashing works and some best practices.
Logging In
To log in using NPM, run:
npm adduser --registry https://your.registry.local
Generate htpasswd username/password combination
If you wish to handle access control using htpasswd file, you can generate username/password combination form here and add it to htpasswd file.
How does it work?
The htpasswd file contains rows corresponding to a pair of username and password separated with a colon character. The password is encrypted using the UNIX system's crypt method and may use MD5 or SHA1.
Plugin Development in Verdaccio
There are many ways to extend Verdaccio, currently it support authentication plugins, middleware plugins (since v2.7.0) and storage plugins since (v3.x).