0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2024-12-30 22:34:10 -05:00
verdaccio/docs/config.md
Juan Picado @jotadeveloper a68d247a44
feat: add support for jwt on api (#896)
* feat: add support for jwt on api

* test: add unit test for sign token with jwt

add multiple scenarios with configuration file

* chore: add JWT verification on middleware

* chore: restore headless

* chore: restore middleware header validation

* refactor: fix login whether user exists

* refactor: JWT is signed asynchronously

* refactor: better structure and new naming convention

* test: add unit test for token signature

* test: add unit test for creating user with JWT enabled

#168

* docs: add security section jwt

* refactor: renable  web auth middleware

* test(auth): add legacy disabled scenario

* chore: update gitignore

* chore: add some es6 sugar

* feat: enable JWT token signature for new installations

* chore: add yaml files to git

I forgot add this before 😷

* chore: trace log on auth

in case we want more output
2018-08-21 08:05:34 +02:00

6.2 KiB

id title
configuration Configuration File

This file is the cornerstone of verdaccio where you can modify the default behaviour, enable plugins and extend features.

A default configuration file is created the very first time you run verdaccio.

Default Configuration

The default configuration has support for scoped packages and allow any user to access all packages but only authenticated users to publish.

storage: ./storage
auth:
  htpasswd:
    file: ./htpasswd
uplinks:
  npmjs:
    url: https://registry.npmjs.org/
packages:
  '@*/*':
    access: $all
    publish: $authenticated
    proxy: npmjs
  '**':
    proxy: npmjs
logs:
  - {type: stdout, format: pretty, level: http}

Sections

The following sections explain what each property means and the different options.

Storage

Is the location of the default storage. Verdaccio is by default based on local file system.

storage: ./storage

Plugins

Is the location of the plugin directory. Useful for Docker/Kubernetes based deployments.

plugins: ./plugins

Authentification

The authentification set up is done here, the default auth is based on htpasswd and is built-in. You can modify this behaviour via plugins. For more information about this section read the auth page.

auth:
  htpasswd:
    file: ./htpasswd
    max_users: 1000

Security

Since: verdaccio@4.0.0 due #168

The security block allows you to customise the token signature. To enable JWT (json web token) new signture you need to add the block jwt to api section, web uses by default jwt.

The configuration is separated in two sections, api and web. To use JWT on api, it has to be defined, otherwise will use the legacy token signature (aes192). For JWT you might customize the signature and the token verification with your own properties.

security:
  api:
    legacy: true
    jwt:
      sign:
        expiresIn: 29d
      verify:
        someProp: [value]
   web:
     sign:
       expiresIn: 7d # 7 days by default
     verify:
     	someProp: [value]

We highly recommend move to JWT since legacy signature (aes192) is deprecated and will disappear in future versions.

Web UI

This properties allow you to modify the look and feel of the web UI. For more information about this section read the web ui page.

web:
  enable: true
  title: Verdaccio
  logo: logo.png
  scope:

Uplinks is the ability of the system to fetch packages from remote registries when those packages are not available locally. For more information about this section read the uplinks page.

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

Packages

Packages allow the user to control how the packages are gonna be accessed. For more information about this section read the packages page.

packages:
  '@*/*':
    access: $all
    publish: $authenticated
    proxy: npmjs

Advanced Settings

Offline Publish

By default verdaccio does not allow to publish when the client is offline, that behavior can be overridden by setting this to true.

publish:
  allow_offline: false

Since: verdaccio@2.3.6 due #223

URL Prefix

url_prefix: https://dev.company.local/verdaccio/

Since: verdaccio@2.3.6 due #197

Max Body Size

By default the maximum body size for a JSON document is 10mb, if you run in errors as "request entity too large" you may increase this value.

max_body_size: 10mb

Listen Port

verdaccio runs by default in the port 4873. Changing the port can be done via cli or in the configuration file, the following options are valid.

listen:
# - localhost:4873            # default value
# - http://localhost:4873     # same thing
# - 0.0.0.0:4873              # listen on all addresses (INADDR_ANY)
# - https://example.org:4873  # if you want to use https
# - "[::1]:4873"                # ipv6
# - unix:/tmp/verdaccio.sock    # unix socket

HTTPS

To enable https in verdaccio it's enough to set the listen flag with the protocol https://. For more information about this section read the ssl page.

https:
    key: ./path/verdaccio-key.pem
    cert: ./path/verdaccio-cert.pem
    ca: ./path/verdaccio-csr.pem

Proxy

Proxies are special-purpose HTTP servers designed to transfer data from remote servers to local clients.

http_proxy and https_proxy

If you have a proxy in your network you can set a X-Forwarded-For header using the following properties.

http_proxy: http://something.local/
https_proxy: https://something.local/

no_proxy

This variable should contain a comma-separated list of domain extensions proxy should not be used for.

no_proxy: localhost,127.0.0.1

Notifications

Enabling notifications to third-party tools is fairly easy via web hooks. For more information about this section read the notifications page.

notify:
  method: POST
  headers: [{'Content-Type': 'application/json'}]
  endpoint: https://usagge.hipchat.com/v2/room/3729485/notification?auth_token=mySecretToken
  content: '{"color":"green","message":"New package published: * {{ name }}*","notify":true,"message_format":"text"}'

For more detailed configuration settings, please check the source code.

Audit

Since: verdaccio@3.0.0

npm audit is a new command released with npm 6.x. Verdaccio includes a built-in middleware plugin to handle this command.

If you have a new installation it comes by default, otherwise you need to add the following props to your config file

middlewares:
  audit:
    enabled: true