0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2025-01-20 22:52:46 -05:00
verdaccio/docs/config.md
Juan Picado @jotadeveloper a68d247a44
feat: add support for jwt on api (#896)
* feat: add support for jwt on api

* test: add unit test for sign token with jwt

add multiple scenarios with configuration file

* chore: add JWT verification on middleware

* chore: restore headless

* chore: restore middleware header validation

* refactor: fix login whether user exists

* refactor: JWT is signed asynchronously

* refactor: better structure and new naming convention

* test: add unit test for token signature

* test: add unit test for creating user with JWT enabled

#168

* docs: add security section jwt

* refactor: renable  web auth middleware

* test(auth): add legacy disabled scenario

* chore: update gitignore

* chore: add some es6 sugar

* feat: enable JWT token signature for new installations

* chore: add yaml files to git

I forgot add this before 😷

* chore: trace log on auth

in case we want more output
2018-08-21 08:05:34 +02:00

234 lines
6.2 KiB
Markdown

---
id: configuration
title: "Configuration File"
---
This file is the cornerstone of verdaccio where you can modify the default behaviour, enable plugins and extend features.
A default configuration file is created the very first time you run `verdaccio`.
## Default Configuration
The default configuration has support for **scoped** packages and allow any user to access all packages but only **authenticated users to publish**.
```yaml
storage: ./storage
auth:
htpasswd:
file: ./htpasswd
uplinks:
npmjs:
url: https://registry.npmjs.org/
packages:
'@*/*':
access: $all
publish: $authenticated
proxy: npmjs
'**':
proxy: npmjs
logs:
- {type: stdout, format: pretty, level: http}
```
## Sections
The following sections explain what each property means and the different options.
### Storage
Is the location of the default storage. **Verdaccio is by default based on local file system**.
```yaml
storage: ./storage
```
### Plugins
Is the location of the plugin directory. Useful for Docker/Kubernetes based deployments.
```yaml
plugins: ./plugins
```
### Authentification
The authentification set up is done here, the default auth is based on `htpasswd` and is built-in. You can modify this behaviour via [plugins](plugins.md). For more information about this section read the [auth page](auth.md).
```yaml
auth:
htpasswd:
file: ./htpasswd
max_users: 1000
```
### Security
<small>Since: `verdaccio@4.0.0` due [#168](https://github.com/verdaccio/verdaccio/pull/168)</small>
The security block allows you to customise the token signature. To enable [JWT (json web token)](https://jwt.io/) new signture you need to add the block `jwt` to `api` section, `web` uses by default `jwt`.
The configuration is separated in two sections, `api` and `web`. To use JWT on `api`, it has to be defined, otherwise will use the legacy token signature (`aes192`). For JWT you might customize the [signature](https://github.com/auth0/node-jsonwebtoken#jwtsignpayload-secretorprivatekey-options-callback) and the token [verification](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback) with your own properties.
```
security:
api:
legacy: true
jwt:
sign:
expiresIn: 29d
verify:
someProp: [value]
web:
sign:
expiresIn: 7d # 7 days by default
verify:
someProp: [value]
```
> We highly recommend move to JWT since legacy signature (`aes192`) is deprecated and will disappear in future versions.
### Web UI
This properties allow you to modify the look and feel of the web UI. For more information about this section read the [web ui page](web.md).
```yaml
web:
enable: true
title: Verdaccio
logo: logo.png
scope:
```
### Uplinks
Uplinks is the ability of the system to fetch packages from remote registries when those packages are not available locally. For more information about this section read the [uplinks page](uplinks.md).
```yaml
uplinks:
npmjs:
url: https://registry.npmjs.org/
```
### Packages
Packages allow the user to control how the packages are gonna be accessed. For more information about this section read the [packages page](packages.md).
```yaml
packages:
'@*/*':
access: $all
publish: $authenticated
proxy: npmjs
```
## Advanced Settings
### Offline Publish
By default `verdaccio` does not allow to publish when the client is offline, that behavior can be overridden by setting this to *true*.
```yaml
publish:
allow_offline: false
```
<small>Since: `verdaccio@2.3.6` due [#223](https://github.com/verdaccio/verdaccio/pull/223)</small>
### URL Prefix
```yaml
url_prefix: https://dev.company.local/verdaccio/
```
Since: `verdaccio@2.3.6` due [#197](https://github.com/verdaccio/verdaccio/pull/197)
### Max Body Size
By default the maximum body size for a JSON document is `10mb`, if you run in errors as `"request entity too large"` you may increase this value.
```yaml
max_body_size: 10mb
```
### Listen Port
`verdaccio` runs by default in the port `4873`. Changing the port can be done via [cli](cli.md) or in the configuration file, the following options are valid.
```yaml
listen:
# - localhost:4873 # default value
# - http://localhost:4873 # same thing
# - 0.0.0.0:4873 # listen on all addresses (INADDR_ANY)
# - https://example.org:4873 # if you want to use https
# - "[::1]:4873" # ipv6
# - unix:/tmp/verdaccio.sock # unix socket
```
### HTTPS
To enable `https` in `verdaccio` it's enough to set the `listen` flag with the protocol *https://*. For more information about this section read the [ssl page](ssl.md).
```yaml
https:
key: ./path/verdaccio-key.pem
cert: ./path/verdaccio-cert.pem
ca: ./path/verdaccio-csr.pem
```
### Proxy
Proxies are special-purpose HTTP servers designed to transfer data from remote servers to local clients.
#### http_proxy and https_proxy
If you have a proxy in your network you can set a `X-Forwarded-For` header using the following properties.
```yaml
http_proxy: http://something.local/
https_proxy: https://something.local/
```
#### no_proxy
This variable should contain a comma-separated list of domain extensions proxy should not be used for.
```yaml
no_proxy: localhost,127.0.0.1
```
### Notifications
Enabling notifications to third-party tools is fairly easy via web hooks. For more information about this section read the [notifications page](notifications.md).
```yaml
notify:
method: POST
headers: [{'Content-Type': 'application/json'}]
endpoint: https://usagge.hipchat.com/v2/room/3729485/notification?auth_token=mySecretToken
content: '{"color":"green","message":"New package published: * {{ name }}*","notify":true,"message_format":"text"}'
```
> For more detailed configuration settings, please [check the source code](https://github.com/verdaccio/verdaccio/tree/master/conf).
### Audit
<small>Since: `verdaccio@3.0.0`</small>
`npm audit` is a new command released with [npm 6.x](https://github.com/npm/npm/releases/tag/v6.1.0). Verdaccio includes
a built-in middleware plugin to handle this command.
> If you have a new installation it comes by default, otherwise you need to add the following props to your config file
```yaml
middlewares:
audit:
enabled: true
```