0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2024-12-30 22:34:10 -05:00
verdaccio/docs/packages.md
Juan Picado @jotadeveloper fdea0db487
docs: update package access
2018-03-12 07:24:39 +01:00

4.7 KiB

id title
packages Package Access

It's a series of contrains that allow or restrict access to the local storage based in specific criteria.

The security constraints remains on shoulders of the plugin being used, by default verdaccio uses the htpasswd plugin. If you use a different plugin the behaviour might be different. The default plugin does not handles by itself allow_access and allow_publish, it's use an internal fallback in case the plugin is not ready for it.

For more information about permissions visit the authentification section in the wiki.

Usage

packages:
  # scoped packages
  '@scope/*':
    access: all
    publish: all
    proxy: server2

  'private-*':
    access: all
    publish: all
    proxy: uplink1

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    access: all
    publish: all
    proxy: uplink2

if none is specified, the default one remains

packages:
  '**':
     access: all
     publish: $authenticated

The list of valid groups according the default plugins are

'$all', '$anonymous', '@all', '@anonymous', 'all', 'undefined', 'anonymous'

All users recieves all those set of permissions independently of is anonymous or not plus the groups provided by the plugin, in case of htpasswd return the username as a group. For instance, if you are logged as npmUser the list of groups will be.

// groups without '$' are going to be deprecated eventually
'$all', '$anonymous', '@all', '@anonymous', 'all', 'undefined', 'anonymous', 'npmUser'

If you want to protect specific set packages under your group, you need todo something like this. Let's use a Regex that covers all prefixed npmuser- packages. We recomend use a prefix for your packages, in that way it'd be easier to protect them.

packages:
  'npmuser-*':
     access: npmuser
     publish: npmuser

Restart verdaccio and in your console try to install npmuser-core.

$ npm install npmuser-core
npm install npmuser-core
npm ERR! code E403
npm ERR! 403 Forbidden: npmuser-core@latest

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/user/.npm/_logs/2017-07-02T12_20_14_834Z-debug.log

You can change the existing behaviour using a different plugin authentication. verdaccio just check whether the user that try to access or publish specific package belongs to the right group.

Set multiple groups

Define multiple access groups is fairly easy, just define them with a white space between them.

  'company-*':
    access: admin internal
    publish: admin
    proxy: server1
  'supersecret-*':
    access: secret super-secret-area ultra-secret-area
    publish: secret ultra-secret-area
    proxy: server1

Blocking access to set of packages

If you want to block the acccess/publish to a specific group of packages. Just, do not define access and publish.

packages:
  'old-*':
  '**':
     access: all
     publish: $authenticated

Blocking proxying a set of specific packages

You might want to block one or several packages to fetch from remote repositories., but, at the same time, allow others to access different uplinks.

Let's see the following example:

packages:
  'jquery':
     access: $all
     publish: $all
  'my-company-*':
     access: $all
     publish: $authenticated     
  '**':
     access: all
     publish: $authenticated
     proxy: npmjs         

Let's describe what we want with the example above:

  • I want to host my own jquery dependency but I need to avoid proxying it.
  • I want all dependencies that match with my-company-* but I need to avoid proxying them.
  • I want to proxying all the rest dependencies.

Be aware that the order of your packages definitions is important and always use double wilcard. Because if you do not include it verdaccio will include it for you and the way how your dependencies are solved will be affected.

Configuration

You can define mutiple packages and each of them must have an unique Regex.

Property Type Required Example Support Description
access string No $all all define groups allowed to access the package
publish string No $authenticated all define groups allowed to publish
proxy string No npmjs all limit look ups for specific uplink
storage boolean No [true,false] all TODO

We higlight recommend do not use allow_access/allow_publish and proxy_access anymore, those are deprecated and soon will be removed, please use the short version of each of those (access/publish/proxy).