github.com/verdaccio
1
0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2024-11-13 03:35:52 +01:00
Code Releases Wiki Activity
1e48f1c077
verdaccio/website/docs/auth.md
Abraham Schilling ddb42431d1 build: configure prettier as formatter for json, yaml and markdown (#1930) 
* build: configure pretter as formatter for most files

* chore: reformat code (#1931)

* chore: re-format all files

* chore: force run quality anaylsis test

Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com>

Co-authored-by: Juan Picado @jotadeveloper <juanpicado19@gmail.com>
2021-04-09 17:54:19 +02:00

3.0 KiB
Raw Blame History

id title
authentification Authentification

The authentification is tied to the auth plugin you are using. The package restrictions also is handled by the Package Access.

''

The client authentification is handled by npm client itself. Once you login to the application:

npm adduser --registry http://localhost:4873

A token is generated in the npm configuration file hosted in your user home folder. For more information about .npmrc read the official documentation.

cat .npmrc
registry=http://localhost:5555/
//localhost:5555/:_authToken="secretVerdaccioToken"
//registry.npmjs.org/:_authToken=secretNpmjsToken

Anonymous publish

verdaccioallows you to enable anonymous publish, to achieve that you will need to set up correctly your packages access.

Eg:

'my-company-*':
  access: $anonymous
  publish: $anonymous
  proxy: npmjs

As is described on issue #212 until npm@5.3.0 and all minor releases won't allow you publish without a token.

Understanding Groups

The meaning of $all and $anonymous

As you know Verdaccio uses the htpasswd by default. That plugin does not implement the methods allow_access, allow_publish and allow_unpublish. Thus, Verdaccio will handle that in the following way:

  • If you are not logged in (you are anonymous), $all and $anonymous means exactly the same.
  • If you are logged in, $anonymous won't be part of your groups and $all will match any logged user. A new group $authenticated will be added to the list.

As a takeaway, $all will match all users, independently whether is logged or not.

The previous behavior only applies to the default authentication plugin. If you are using a custom plugin and such plugin implements allow_access, allow_publish or allow_unpublish, the resolution of the access depends on the plugin itself. Verdaccio will only set the default groups.

Let's recap:

  • logged: $all, $authenticated, + groups added by the plugin
  • anonymous (logged out): $all and $anonymous.

Default htpasswd

In order to simplify the setup, verdaccio use a plugin based on htpasswd. Since version v3.0.x the verdaccio-htpasswd plugin is used by default.

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    #max_users: 1000
Property Type Required Example Support Description
file string Yes ./htpasswd all file that host the encrypted credentials
max_users number No 1000 all set limit of users

In case to decide do not allow user to login, you can set max_users: -1.