Bug Report

CLI breaks with error syntax error near unexpected token `(' when run with npx verdaccio-github-oauth-ui --registry https://registry.website.com/.

Versions

Expected behavior

CLI should open the web browser and authenticate.

Observed behaviour

CLI breaks with error syntax error near unexpected token `('. CLI works fine till 2.3.2. Breaks in 2.3.3

Steps to reproduce

1. Run npx verdaccio-github-oauth-ui --registry https://registry.website.com/(Or run with exact version number. npx [email protected] --registry https://registry.website.com/)
2. CLI should break with error syntax error near unexpected token `('

As shown in title , I know how to debug verdaccio source code .
I tried to introduce it in verdaccio , and Modify main in package.json is
"src/server/index.ts". but it didn't succeed. so can give me some advice ? thanks.

Bug Report

The registry info dialog no longer displays the instructions to add the authToken in verdaccio 5.5 and up. It seems the UI has changed slightly that the selector does not match any more.

Versions

Observed behavior

The registry info dialog displays instructions for

npm set registry https://registry.example.com/
npm adduser --registry https://registry.example.com/
npm profile set password --registry https://registry.example.com/

Expected behavior

It should contain

npm config set //registry.example.com:_authToken myauthtoken
npm config set //registry.example.com:always-auth true

After setting up the plugin successfully, I manage to oauth in and see packages listed by basic auth users.

I copy the commands shown and my .npmrc file looks like this

//npm.mycompani.io/:_authToken="i/sKvYrKJKXupSfYB5dtYTI6un65wGg4f/rBF8YanVrTw8NjUzT5GPTJNbDa0NJCnVmIWQIXMfSsV5og1+QrYw=="
//npm.mycompani.io/:always-auth=true

Though when I try to publish or whoami with the --registry xxx flag I get

Your auth token is no longer valid. Please log in again.

This is moments after creating it. From my understanding, Verdaccio should be persisting the npm token somewhere so that it can match it later. (like how .htpasswd plugin works)

But after looking around in my Verdaccio instance, I can see no mention of my token or my github username.

p.s. cool plugin =D

Bug Report

Versions

Expected behavior

Verdaccio starts up with the plugin enabled.

Observed behaviour

Verdaccio crashes on startup because the plugin cannot be found.

Steps to reproduce

1. Install verdaccio and this plugin in version 2.3.1
2. Configure verdaccio to use the plugin
3. Start verdaccio
4. Error: plugin not found. try npm install verdaccio-github-oauth-ui

If instead version 2.3.0 or below is installed, there is no issue.

Additional context

You can use the following minimal Dockerfile and config.yaml to reproduce the problem.

FROM verdaccio/verdaccio:4.7.2

USER root

RUN yarn add [email protected] # 2.3.0 works fine
COPY config.yaml /verdaccio/conf/config.yaml

USER verdaccio

storage: /verdaccio/storage/data
plugins: /verdaccio/plugins

web:
  title: Verdaccio

packages:
  '**':
    access: $all
    publish: $authenticated
    unpublish: $authenticated

middlewares:
  github-oauth-ui:
    enabled: true

Hello!

I am trying to automate the Login experience to be simpler for non developer team members, so this is not a feature request, neither a bug report.

What I am trying to do is to set up the Token for npm from an application (.exe) without the need to enter the website and copy all the lines from there.

Is it even possible to do so before I dive in into web, because I am literally zero in web development, I am a Unity Developer, that's why I am trying to do this feature in a WPF application (like doing all the console commands in the background, because the artists will mess up with that 100%)))).

Thanks!

Is it possible to install this plugin alongside the official docker image?
I have a Verdaccio docker image running on unraid, with a "plugin" path defined. Ideally I'd be able to download the plugin externally (not through npm), put it in the plugins folder, and somehow get them to talk to each other. I also use a proxy server, so I'd imagine I would need to put a variable called GLOBAL_AGENT_HTTP_PROXY into my docker compose file in order to get things to behave properly?

Hi, I am making my wrapper to integrate Verdaccio with Unity based on your plugin.
I have a problem with creating a _authToken.
As I understand the algorithm of actions:

1. Request a user's GitHub identity https://github.com/login/oauth/authorize?client_id={value}&scope=read%23org,repo
2. Getting code from github {my-host-ip}/-/oauth/callback?code={code-from-github}
3. Create string {username}:{code-from-github}
4. AES encrypt this string (What is the key?)
5. Convert to Base64 string. (Will the result be an _authToken?)

Thanks in advance for your help!
Thanks for the plugin!

Describe the bug
After configuring plugin everything works as expected on the npm cli side, access and publish permissions per package and scope are enforced, but I don't see any published packages via WebUI, instead only No Package Published Yet message is shown.

This is not the case if I'm using htpasswd plugin, with this plugin everything works as expected on both sides.

Expected behavior
To see published packages via WebUI if proper access permissions are applied

CLI side

# npm whoami --registry $REGISTRY_URL
username1
#

Package access constraints (server configuration)

packages:
  'my-published-pkgs*':
    access: username1
    publish: username1

TL;DR
published packages can be installed via npm yet they are not visible via WebUI.

I'm not able to follow the setup instructions in the README. "Click the login button and get redirected to GitHub."

When I press the Login button top-right on the navbar I simply get the default username/password prompt. I am not forwarded to github. If I use the npx method it works but then I'm not logged into the website and can't browse packages visually.

# config.yaml

plugins: ./node_modules
storage: ./storage

auth:
  github-oauth-ui:
    org: foobarorg
    client-id: xxxx
    client-secret: yyyy

logs:
  - { type: stdout, format: pretty, level: http }

middlewares:
  audit:
    enabled: true
  github-oauth-ui:
    enabled: true
  https:
    enabled: true

packages:
  '@*/*':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs
  '**':
    proxy: npmjs

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

web:
  enable: true
  title: "FooBar Registry"
  primary_color: "#525252"
  gravatar: true
  sort_packages: asc

# versions
  "verdaccio": "^4.4.0",
  "verdaccio-github-oauth-ui": "^2.2.1",
  "verdaccio-https": "^1.0.11",
  "verdaccio-s3-storage": "^0.2.1"

Bug Report

Versions

Expected behavior

If Github cannot authenticate the user, Verdaccio should try the next configured authentication plug-in.

Observed behaviour

This plug-in raises an error and the user is denied access despite having valid htpasswd credentials.

Steps to reproduce

1. Configure Verdaccio with both htpasswd and Github authentication
2. Attempt to access the registry with valid htpasswd credentials
3. Observe the error thrown by JSON.parse in Verdaccio's log

My diagnosis

A quick scan of the code leads me to suspect that calls to GithubOauthUiPlugin.denied should be replaced with 'null' values.

Bug Report

Forgive me if this isn't the right place to ask, I'm just trying to better understand this plugin and how it interacts with the verdaccio UI and if I'm possibly misunderstanding how this works.

Versions

Expected behavior

So I have the plugin working, enough where I can login as a user via a web browser to verdaccio, which is being told to only allow users from a specified Github Organization. I'm able to successfully whoami from the cli as well with that user. So kudos for making this actually fairly simple and straight forward.

However, when I switch to a user not in the specified Github Organization, I'm still able to authenticate into the UI via a web browser and see packages inside of the verdaccio repo. I'm not able to successfully whoami via the cli with this user, which is to be expected, although I don't know if the error being returned is exactly the one I expect.

What I do expect is for the first user which is in part of the Organization to be able to access the UI and authenticate via CLI; just as it is. However, I don't expect the second user to be able to authenticate into the UI and see packages inside of the verdaccio repo, in either a browser or via cli.

Observed behaviour

A user not in the specified Github Organization is able to successfully authenticate in and see packages listed inside of the verdaccio repo in a browser.

Steps to reproduce

1. Setup verdaccio-github-oauth-ui to restrict auth access to an org
2. Attempt to authenticate with a user not in that specified org via web browser
3. You should be able to successfully authenticate and see packages listed inside of the repo (at least I was)

Additional context

I have tried setting access to $authenticated in this setup as well, instead of $all, but that hasn't seem to impact my ability to login as a user not in the specified org.

This is my config file.

#
storage: /opt/verdaccio/cache

web:
  title: Verdaccio NPM Registry

auth:
  github-oauth-ui:
    org: Someorganization

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

  '**':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

middlewares:
  audit:
    enabled: true
  github-oauth-ui:
    client-id: github-client-id
    client-secret: github-client-secret

logs:
  - {type: file, path: /var/log/verdaccio/verdaccio.log, level: info}

listen: 0.0.0.0:4873

This is the good cli output from my user which should work.

npm info it worked if it ends with ok
npm verb cli [ '/Users/joebob/.nvm/versions/node/v8.11.3/bin/node',
npm verb cli   '/Users/joebob/.nvm/versions/node/v8.11.3/bin/npm',
npm verb cli   '-dd',
npm verb cli   'whoami',
npm verb cli   '--registry',
npm verb cli   'https://verdaccio.some.registry' ]
npm info using [email protected]
npm info using [email protected]
npm verb request uri https://verdaccio.some.registry/-/whoami
npm verb request always-auth set; sending authorization
npm info attempt registry request try #1 at 12:20:24
npm verb request using bearer token for auth
npm verb request id 3eedb60a6e4a2691
npm http request GET https://verdaccio.some.registry/-/whoami
npm http 200 https://verdaccio.some.registry/-/whoami
npm verb headers { 'access-control-allow-origin': '*',
npm verb headers   'content-type': 'application/json; charset=utf-8',
npm verb headers   date: 'Thu, 11 Oct 2018 19:20:24 GMT',
npm verb headers   etag: '"f4ff006b5175c72c079cb9583afc1394"',
npm verb headers   vary: 'Accept-Encoding',
npm verb headers   'x-powered-by': 'verdaccio/3.8.3',
npm verb headers   'x-status-cat': 'http://flic.kr/p/aVuVsF',
npm verb headers   'content-length': '29',
npm verb headers   connection: 'keep-alive' }
mhwest13
npm verb exit [ 0, true ]
npm timing npm Completed in 608ms
npm info ok

This is the bad cli output from the user that shouldn't work; I guess I actually expected more like a 403 to be returned, not an invalid auth token message.

npm info it worked if it ends with ok
npm verb cli [ '/Users/joebob/.nvm/versions/node/v8.11.3/bin/node',
npm verb cli   '/Users/joebob/.nvm/versions/node/v8.11.3/bin/npm',
npm verb cli   '-dd',
npm verb cli   'whoami',
npm verb cli   '--registry',
npm verb cli   'https://verdaccio.some.registry' ]
npm info using [email protected]
npm info using [email protected]
npm verb request uri https://verdaccio.some.registry/-/whoami
npm verb request always-auth set; sending authorization
npm info attempt registry request try #1 at 12:16:03
npm verb request using bearer token for auth
npm verb request id 93b3eb6268b44496
npm http request GET https://verdaccio.some.registry/-/whoami
npm http 200 https://verdaccio.some.registry/-/whoami
npm verb headers { 'access-control-allow-origin': '*',
npm verb headers   'content-type': 'application/json; charset=utf-8',
npm verb headers   date: 'Thu, 11 Oct 2018 19:16:03 GMT',
npm verb headers   etag: '"8a80554c91d9fca8acb82f023de02f11"',
npm verb headers   vary: 'Accept-Encoding',
npm verb headers   'x-powered-by': 'verdaccio/3.8.3',
npm verb headers   'x-status-cat': 'http://flic.kr/p/aVuVsF',
npm verb headers   'content-length': '3',
npm verb headers   connection: 'keep-alive' }
npm verb stack Error: Your auth token is no longer valid. Please log in again.
npm verb stack     at /Users/joebob/.nvm/versions/node/v8.11.3/lib/node_modules/npm/lib/whoami.js:27:32
npm verb stack     at /Users/joebob/.nvm/versions/node/v8.11.3/lib/node_modules/npm/node_modules/npm-registry-client/lib/whoami.js:19:5
npm verb stack     at f (/Users/joebob/.nvm/versions/node/v8.11.3/lib/node_modules/npm/node_modules/once/once.js:25:25)
npm verb stack     at /Users/joebob/.nvm/versions/node/v8.11.3/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:78:16
npm verb stack     at /Users/joebob/.nvm/versions/node/v8.11.3/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:105:12
npm verb stack     at f (/Users/joebob/.nvm/versions/node/v8.11.3/lib/node_modules/npm/node_modules/once/once.js:25:25)
npm verb stack     at RegClient.<anonymous> (/Users/joebob/.nvm/versions/node/v8.11.3/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:311:12)
npm verb stack     at Request._callback (/Users/joebob/.nvm/versions/node/v8.11.3/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:216:14)
npm verb stack     at Request.self.callback (/Users/joebob/.nvm/versions/node/v8.11.3/lib/node_modules/npm/node_modules/request/request.js:185:22)
npm verb stack     at emitTwo (events.js:126:13)
npm verb cwd /Users/joebob/code/bots/slackbot
npm verb Darwin 16.7.0
npm verb argv "/Users/joebob/.nvm/versions/node/v8.11.3/bin/node" "/Users/joebob/.nvm/versions/node/v8.11.3/bin/npm" "-dd" "whoami" "--registry" "https://verdaccio.some.registry"
npm verb node v8.11.3
npm verb npm  v6.1.0
npm ERR! code ENEEDAUTH
npm ERR! need auth Your auth token is no longer valid. Please log in again.
npm ERR! need auth You need to authorize this machine using `npm adduser`
npm verb exit [ 1, true ]
npm timing npm Completed in 614ms

Hi,

I have configured the github oauth plugin and it's working well allowing me to restrict access to users of my org.

What I would like to do now is to setup the publishing of an artifact to happen from a github actions workflow. So basically I would like to configure a authToken as a secret which would then be used by the publishing action.

As far as I can see the authToken generated by the oauth process changes whenever the verdaccio server is restarted. So this is a "temporary" token that will expire and hence is not very usable for automation.

I was wondering if anyone has a similar issue. Github workflows get injected a github_token. Is there a way to use that to authenticate with verdaccio? Alternatively I was thinking that maybe I can configure htpasswd in addition to github-oauth-ui and have a basic authentication with a non-expiring token via htpasswd.

Any advice welcome.
Thanks for great plugin!
Andre

Feature Request

Description

Currently, using github-oauth-ui requires a very high level of permissions for granular repo access, namely the repo scope:

Grants full access to repositories, including private repositories. That includes read/write access to code, commit statuses, repository and organization projects, invitations, collaborators, adding team memberships, deployment statuses, and repository webhooks for repositories and organizations. Also grants ability to manage user projects.

This is scary, and rightfully so! It shows a big warning when people click on "Login" that whoever requested the login will gain very permissive access rights that are actually not needed.

I believe it was necessary at the time of implementation because this was the only scope available for repos, but by now there's (I believe) a new one that might be sufficient - repo:status:

Grants read/write access to commit statuses in public and private repositories. This scope is only necessary to grant other users or services access to private repository commit statuses without granting access to the code.

Suggested implementation

Use repo:status instead of repo oauth scope

Possible alternatives

Alternative thing to try could be repo_deployment.

Bug Report

Versions

Expected behavior

Github Oauth callback uses the proxy, executes successfully and returns a JWT when the environment variable http_proxy is set.

Observed behaviour

Timeout errors when trying to reach api.github.com.

Steps to reproduce

1. Go to '/'
2. Click on 'Login'
3. Complete Oauth Login

Additional context

The library for requests got does not have proxy support by default but we could use something like global-tunnel to inject support dynamically.

Bug Report

Plugin breaks with Cannot GET / in the UI when running with npx [email protected] --registry https://registry.website.com/. This started happening from 2.3.1. The plugin works fine till 2.3.0.

Tested on Mac and Ubuntu, facing the same issue.

Versions

Expected behavior

Should successfully authenticate and update the .npmrc file.

Observed behaviour

Plugin breaks with Cannot GET / in the UI

Steps to reproduce

1. Run npx [email protected] --registry https://registry.website.com/
2. Plugin breaks with Cannot GET / in the UI

Bug Report

Versions

Expected behavior

Logging in with the CLI via the instructions here and running npm whoami --registry http://localhost:4873 should show the user's github username.

Observed behaviour

I get an auth token error.

npm ERR! code ENEEDAUTH
npm ERR! need auth Your auth token is no longer valid. Please log in again.
npm ERR! need auth You need to authorize this machine using `npm adduser`

As a result, I can't run npm publish

Steps to reproduce

Follow the instructions in https://github.com/n4bb12/verdaccio-github-oauth-ui#command-line to setup the config.yaml file.
To confirm that it at least works nominally, I can log on via the Web UI. When logging in on the web, I see the Github Oauth page and after accepting it, I get to the normal Verdaccio page.

Additional context

My ~/.npmrc file (to confirm that the instructions ran correctly):

registry=http://localhost:4873/
//localhost:4873/:_authToken=[AUTH_TOKEN]
//localhost:4873/:always-auth=true

Not sure if this is relevant but on the terminal logs, after I log in on the web, I see the following:

...
verdaccio    | github-oauth-ui Access denied: user "vshia" is not a member of "[ORG]"
verdaccio    |  http <-- 304, user: vshia(172.28.0.1), req: 'GET /-/verdaccio/packages', bytes: 0/0
verdaccio    | github-oauth-ui Access denied: user "vshia" is not a member of "[ORG]"
verdaccio    |  http <-- 304, user: vshia(172.28.0.1), req: 'GET /-/verdaccio/packages', bytes: 0/0
verdaccio    |  http <-- 304, user: null(172.28.0.1), req: 'GET /-/static/b1e0d4d4ee23474aee6616f444fc7aa9.svg', bytes: 0/0
...

which is strange b/c the web UI seems to successfully login and show that I'm logged in.

Did I miss something? or is this a new issue with Verdaccio 4?

Bug Report

Versions

Expected behavior

• When removing a user from GitHub organization ..
• When revoking all user tokens in the GitHub OAuth application..
  .. user shouldnt be able anymore to pull packages

Observed behaviour

User is still able to npm install packages with the old token.

You have to restart verdaccio and then the user is blocked.

Additional context

Verdaccio is installed on kubernetes with Helm Chart.

I was reading the plugin code and had the impression the tokens are saved nowhere besides browser LocalStorage aswell as cached for 30s but then re-validated against GitHub.

I cannot explain to myself how verdaccio still accepts the invalid tokens?

Bug Report

Versions

Expected behavior

I am planning to setup a verdaccio server in a VM. I installed verdaccio and verdaccio-github-oauth-ui globally using npm i -g verdaccio verdaccio-github-oauth-ui.

Observed behaviour

The github-oauth-ui plugin is not detected when I tried running verdaccio

Steps to reproduce

1. Install verdaccio & verdaccio-github-oauth-ui globally
2. Update config.yaml
3. Run verdaccio

Additional context

Bug Report

Versions

Environment

Observed behavior

When I try to copy the command line commands, it doesn't do anything, so I can find the full token only if I inspect the page. Also it throws some errors

Expected behavior

It should copy the commands

Steps to reproduce

1. Try to copy the commands
2. Paste somewhere to find out it was not copied

Additional context

CVE-2020-7720 - High Severity Vulnerability

Vulnerable Library - node-forge-0.7.6.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.6.tgz

Path to dependency file: verdaccio-github-oauth-ui/package.json

Path to vulnerable library: verdaccio-github-oauth-ui/node_modules/node-forge/package.json

Dependency Hierarchy:

• parcel-bundler-1.12.4.tgz (Root Library)
  • ❌ node-forge-0.7.6.tgz (Vulnerable Library)

Found in HEAD commit: 99da7c55141cde3ee9a451a1dc45852574b194f8

Found in base branch: master

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md

Release Date: 2020-09-13

Fix Resolution: node-forge - 0.10.0

Step up your Open Source Security Game with WhiteSource here

Feature Request

From the docs (and from my tests), it looks like currently per-org and per-team access is supported.
Would it be possible to add per-repo? While per-team works for many usecases, per-repo would be better in some cases.

Most relevant usecase there would be that on a per-repository level access can be configured to contain Outside Collaborators, while on a per-team level people are always org members and can't be outside collaborators.

Is your feature request related to a problem? Please describe.

Teams can't contain outside collaborators, and thus grouping outside collaborators with access rights in Verdaccio through this plugin is impossible right now (or I'm missing something to configure per-repo access rights).

Describe the solution you'd like

Ability to use the same syntax (github/org/stuff) but the latter part could either be a team (as-is) or a repo (new).

Describe alternatives you've considered

As far as I can see the alternative would be adding invidual users which also might not be supported (or I couldn't find it); this would kinda defeat the purpose of using a middleware though.

EDIT: I think the right place to add something like this would be somewhere around here or here; my javascript/typescript knowledge is pretty limited though :(

Bug Report

Versions

Expected behavior

I should be able to login in Verdaccio GUI after successful authentication in enterprise github.

Observed behaviour

Configured OAuth App in my github organization. Using clientid/secret and org name + github enterprise url configure verdaccio.
Tried to login - got redirected to my corporate auth server, successfully authenticated there and got redirected to verdaccio with error: Access denied. Log shows this error: Access denied: User "my name" is not member of "my organization name". How it can be - on my profile->organization page I am an owner!!!

Steps to reproduce

Additional context

Bug Report

Versions

Expected behavior

Click the Login button, be redirected to Enterprise Github installation to authorize access to the plugin.

Observed behaviour

Page redirects to REGISTRY_URL/-/oauth/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fenterprise%2F2.19%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch and displays { "error": "internal server error" }.

Logs show the following:

info <-- 127.0.0.1 requested 'GET /-/oauth/authorize'
 http <-- 302, user: null(0.0.0.0, 0.0.0.0 via 127.0.0.1), req: 'GET /-/oauth/authorize', bytes: 0/328
 info <-- 127.0.0.1 requested 'GET /-/oauth/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fenterprise%2F2.19%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch'
 error--- unexpected error: Response code 401 (Unauthorized)
HTTPError: Response code 401 (Unauthorized)
    at EventEmitter.emitter.on (/usr/local/share/.config/yarn/global/node_modules/got/source/as-promise.js:74:19)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:229:7)
 http <-- 500, user: null(0.0.0.0, 0.0.0.0 via 127.0.0.1), req: 'GET /-/oauth/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fenterprise%2F2.19%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch', error: internal server error

Steps to reproduce

1. Install plugin
2. Configure Github OAuth app per README.md
3. Update verdaccio config per README.md
4. Restart verdaccio (and httpd for good measure)
5. Click Login from the homepage

Additional context

Github OAuth App config

Verdaccio Config

storage: /var/lib/verdaccio/storage
plugins: /var/lib/verdaccio/plugins

middlewares:
  audit:
    enabled: true
  npm-urls:
    enabled: true
  github-oauth-ui:
    enabled: true

auth:
  github-oauth-ui:
    org: my-org
    client-id: my-client-id
    client-secret: my-client-secret
    enterprise-origin: https://git.example.com/
#  github-auth:
#    octokit:
#      baseUrl: https://git.example.com/api/v3
#      log:
#        debug: console.debug
#        info: console.log
#
#    mode: basic
#    '**':
#      access: $authenticated

web:
  gravatar: true
  logo: /var/lib/verdaccio/logo.png
  primary_color: '#00703c'
  title: UPM - Package Management
  sort_packages: asc

url_prefix: /npm/

uplinks:
  npmjs:
    url: https://registry.npmjs.org/
    timeout: 10000ms
    fail_timeout: 10s

packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

  '**':
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

server:
  keepAliveTimeout: 60

# log settings
logs:
  - {type: file, path: /var/log/verdaccio/verdaccio.log, format: pretty, level: info}
  #- {type: stdout, format: pretty, level: trace}

Bug Report

I have the verdaccio setup similar to #43. I'm trying to login using cli(npx verdaccio-github-oauth-ui --registry https://domain.com/npm-registry/) and registry URL is being wrongly saved in .npmrc.

My registry URL is https://domain.com/npm-registry/, The bug is with this line of code.

Since the trailing slash is removed in this line, the registry URL in the .npmrc doesn't have a trailing slash when the registry URL has a custom pathname.

i.e, it's saved as //domain.com/npm-registry:_authToken="CPP3LQ..." instead of //domain.com/npm-registry/:_authToken="CPP3LQ..." in .npmrc.

Note: This is a critical bug for anyone hosting registry at the subfolder level(when there is a pathname in the registry URL).

Versions

Expected behavior

The authToken should be saved as //domain.com/npm-registry/:_authToken="CPP3LQ..."

Observed behaviour

The authToken is being saved as //domain.com/npm-registry:_authToken="CPP3LQ..." resulting in npm completely ignoring the token and request is being rejected as unauthorized.

At this line, url.pathname is /npm-registry instead of /npm-registry/.

Steps to reproduce

Host verdaccio at a custom path(like /npm-registry/) and try to use it with this plugin. Login using cli(command mentioned above) and check .npmrc. registry URL should be wrongly saved.

Additional context

None

Bug Report

Versions

Expected behavior

Verdaccio should be able to start up with the plugin loaded.

Observed behaviour

With Verdaccio 5.4.0, the plugin crashes while validating config:

[github-oauth-ui] Version: [email protected]
 error--- error loading a plugin github-oauth-ui: TypeError: Cannot read properties of undefined (reading 'replace')
    at getMajorVersion (/verdaccio/node_modules/verdaccio-github-oauth-ui/dist/server.js:843:29)
    at new Verdaccio (/verdaccio/node_modules/verdaccio-github-oauth-ui/dist/server.js:1786:54)
    at new Plugin (/verdaccio/node_modules/verdaccio-github-oauth-ui/dist/server.js:2680:22)
    at /verdaccio/node_modules/verdaccio/build/lib/plugin-loader.js:125:32
    at Array.map (<anonymous>)
    at loadPlugin (/verdaccio/node_modules/verdaccio/build/lib/plugin-loader.js:62:37)
    at Auth._loadPlugin (/verdaccio/node_modules/verdaccio/build/lib/auth.js:56:38)
    at new Auth (/verdaccio/node_modules/verdaccio/build/lib/auth.js:46:25)
    at defineAPI (/verdaccio/node_modules/verdaccio/build/api/index.js:43:16)
    at _default (/verdaccio/node_modules/verdaccio/build/api/index.js:130:10)
 error--- verdaccio-github-oauth-ui doesn't look like a valid plugin
 fatal--- uncaught exception, please report this
Error: sanity check has failed, "github-oauth-ui" is not a valid plugin

The TypeError is thrown from here:

This appears to be caused by Verdaccio 5.4.0 defaulting to not having its own user-agent, instead copying the user-agent from the requesting client. Upstream PR: verdaccio/verdaccio#2793

Steps to reproduce

1. Install the newest version of things:

   {
     "name": "@private/verdaccio",
     "version": "1.0.0",
     "private": true,
     "dependencies": {
       "verdaccio": "5.4.0",
       "verdaccio-github-oauth-ui": "3.2.0"
     }
   }

2. Run Verdaccio with a config file:

   ./node_modules/.bin/verdaccio --config config-with-github-oauth-ui.yaml
   

Additional context

Adding user_agent: true to the Verdaccio config is a valid workaround for the issue.

Currently the npm token is too long to be displayed or is cut off due to suboptimal layout.
A small copy button could maybe help with copying and avoid some confusion.

Bug Report

Versions

Expected behavior

Login with GitHub works

Observed behaviour

Login flow seems to be correct, can authorize with GitHub, however on return to verdaccio I get:

URL looks like this:
https://packages.XXXXX.tools/-/oauth/callback?code=XXXXXe4043aafc24bc4

Additional context

I'm sure there must be some additional configuration step I'm missing. Both the GitHub app (created through an org - does that make a difference?) and Verdaccio seem to be set up correctly, double-checked all entries.

Any help is appreciated!

EDIT: if I understand #43 right, it seems Verdaccio just thinks this is a package. I'm using nginx as reverse proxy; do I need to forward traffic differently to this plugin? I thought it would be handled internally in Verdaccio.

Bug Report

Versions

Expected behavior

If client-id and client-secret are missing, the plugin should throw a descriptive error and stop Verdaccio from starting up.

Observed behaviour

If client-id and client-secret are missing, no errors are brought up on the Verdaccio log and the login button in UI will just open the default login modal.

Steps to reproduce

1. Leave out the middlewares block from Verdaccio's config.yaml
2. Start Verdaccio
3. Click the Login-button on the UI

Additional context

I had written incorrectly middleware: instead of middlewares: in the config.yaml and was wondering for a long time why the plugin wouldn't work (login button opened the default login modal). Some sort of error from missing required configuration would make debugging a lot easier.

Hello @n4bb12!

Thanks for all your work on this plugin. Are you open to receiving Pull Requests? I'm initially interested in adding environment variable support for the Github tokens.

Bug Report

I was trying to run npm run dev locally to test changes to the plugin.
However, it seems that doesn't work anymore- seems the plugin is loaded (I can see that in the terminal), but the actual deployment file isn't found and thus while Verdaccio works, the OAuth UI doesn't:

Terminal output looks ok:

So I can only assume that some of the copy steps aren't correct anymore maybe?
Are there additional steps for local development?

Suggested implementation

Would be great if there are steps listed in the Readme for setting up local development.

Bug Report

Versions

Expected behavior

When clicking on Login, it should take to the auth page.

Observed behaviour

The login button leads to the regular login form.
When manually pointed to http://0.0.0.0:4873/-/oauth/authorize/ , it's authorized me on GitHub and then on callback, I've got the following error:

 http <-- 302, user: null(127.0.0.1), req: 'GET /-/oauth/authorize', bytes: 0/364
 error--- unexpected error: this.auth.issueUIjwt is not a function
TypeError: this.auth.issueUIjwt is not a function
    at Callback.<anonymous> (/Users/aaa/.nvm/versions/node/v8.15.0/lib/node_modules/verdaccio-github-oauth-ui/dist/server/plugin/Callback.js:54:49)
    at Generator.next (<anonymous>)
    at fulfilled (/Users/aaa/.nvm/versions/node/v8.15.0/lib/node_modules/verdaccio-github-oauth-ui/dist/server/plugin/Callback.js:4:58)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:189:7)
 http <-- 500, user: null(127.0.0.1), req: 'GET /-/oauth/callback?code=******', error: internal server error

and the response is:

{
error: "internal server error"
}

Steps to reproduce

1. npm i -g verdaccio
2. npm i -g verdaccio-github-oauth-ui
3. set configuration:

auth:
  github-oauth-ui:
    org: myorg # required, people within this org will be able to auth
middlewares:
  github-oauth-ui:
    client-id: myId # required
    client-secret: mySecret # required

Bug Report

When using the verdaccio-github-oauth-ui plugin auth is broken if you enable the jwt setting but do not set legacy: true (i.e. you move to JWT instead of using the deprecated legacy signature).

Versions

Expected behavior

If JWT is enabled in the API then the npm tokens gh-oauth-ui generates should be JWT tokens, not legacy tokens.

Observed behaviour

I tried enabling the htaccess plugin alongside gh-oauth-ui and logging in with npm login. htaccess generates proper JWTs, so this is a gh-oauth-ui issue.

This appears to be the code generating the npm token (I searched around the codebase and followed the code to confirm this was the specific function called).

Steps to reproduce

1. Use the following security settings:

security:
  api:
    jwt:
      sign:
        expiresIn: 90d
  web:
    sign:
      expiresIn: 7d

2. Sign in with GitHub
3. Follow the npm set token commands
4. Try publishing a package, it will fail because the token is a legacy token

Bug Report

Seems there's a regression from 3.0.0 to 3.1.0: when trying to log in, a 431 error is raised. A google search seems to point towards the authorization headers being too large (too much stuff requested in the header), potentially related to #136.

The issue doesn't repro on 3.0.0.
It seems its caused by having access to many orgs and repositories.

Versions

Expected behavior

Can login independent of the number of repos and orgs a user has access to.

Observed behaviour

431 error (Auth Headers Too Large) when trying to log in

Steps to reproduce

1. Update to 3.1.0
2. Try to log in with an account that has access to many (>50? >100?) repos and/or orgs
3. Note the 431 error
4. Downgrade to 3.0.0
5. Try to log in
6. Note it works

Bug Report

When installing this plugin with npm according to the README, it doesnt work due to dependency problems.
The explanation is quite simple: verdaccio itself uses yarn and a yarn.lock file in contrary to a package-lock.json , so adding new dependencies such as this plugin, needs to be done with yarn add verdaccio-github-oauth-ui

Versions

Expected behavior

following README will work

Observed behaviour

installation according to README fails

CVE-2020-26870 - Medium Severity Vulnerability

Vulnerable Library - dompurify-2.0.8.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.0.8.tgz

Path to dependency file: verdaccio-github-oauth-ui/package.json

Path to vulnerable library: verdaccio-github-oauth-ui/node_modules/dompurify/package.json

Dependency Hierarchy:

• verdaccio-4.10.0.tgz (Root Library)
  • readme-9.7.3.tgz
    • ❌ dompurify-2.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 99da7c55141cde3ee9a451a1dc45852574b194f8

Found in base branch: master

Vulnerability Details

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

Publish Date: 2020-10-07

URL: CVE-2020-26870

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26870

Release Date: 2020-10-07

Fix Resolution: 2.0.17

Step up your Open Source Security Game with WhiteSource here

Bug Report

Versions

Expected behavior

The plugin should load when starting Verdaccio.

Observed behaviour

The loader bails out because Cannot find module 'lodash'

Additional context

lodash is declared as a peer dependency, however on my Verdaccio install, when trying to load the plugin, it gives me an error on lodash. Doing npm install lodash inside your plugin's directory solves the issue.

It's related to this issue where it all started:
verdaccio/verdaccio#1677 (comment)

Bug Report

Versions

Environment

Observed behavior

Can't assign package access to a GitHub team with whitespace in its name.

Expected behavior

Package access config should work with team with whitespace in its name.

Steps to reproduce

1. Create a GitHub team with whitespaces in its name, Package Publisher in organization MyOrg for example.
2. With a working verdaccio instance, add package access config to this team, like:
   publish: 'github/owner/MyOrg/team/Package Publisher', then restart verdaccio server.
3. Login with a user in this team, in server log, notice group of the team does not appear in real_groups
4. Try npm publishing a package as a member of Package Publisher.
5. npm fail with 403 Forbidden
6. Change team name to PackagePublisher on GitHub.
7. Change group name in config file to publish: 'github/owner/MyOrg/team/PackagePublisher' and restart server.
8. Login again, group of the team shows up in server log.
9. Do npm publish again.
10. npm publish succeed.

Feature Request

As I can see in log after authentication real_groups is filled with ALL organizations which are visible for me even though I am not a member of any teams there. It's not good. The purpose of organization is to restrict access only for users who are members of any team in organization. Go even further use team filter to allow only members of particular teams in organization. Using only team_name instead of github/org_name/team_name will help with access templates, something like this

packages:
   "@*/*":
      access: $authenticated
      publish: $groups
      unpublish: admin_group

In this case member of team "developers" will have publish access for "@developers/package_1" instead of name like: "@github/my-org/developers/package_1"

Bug Report

I wanted to use verdaccio with docker-compose, but couldn't load the plugin, so I searched the issues here and found #119 . I tried building the docker image, and that's all fine, but when I start the image using the config.yaml in this repo, it fails to load the plugin.

Versions

this repo 3.0.0 (26b85e4)

In the dockerfile, it just starts from verdaccio/verdaccio:latest I also tried specifying a tag for the verdaccio image:

• 5.0.4 (same behavior)
• 5.0.0 (same behavior)

Expected behavior

verdaccio doesn't complain about the plugin not being found.

Observed behaviour

~/dev/verdaccio-github-oauth-ui master docker build . -t verdaccio-github-image
[+] Building 1.9s (8/8) FINISHED
 => [internal] load build definition from Dockerfile                                                                            0.0s
 => => transferring dockerfile: 176B                                                                                            0.0s
 => [internal] load .dockerignore                                                                                               0.1s
 => => transferring context: 55B                                                                                                0.0s
 => [internal] load metadata for docker.io/verdaccio/verdaccio:latest                                                           1.5s
 => [1/3] FROM docker.io/verdaccio/verdaccio@sha256:5cd19a46453f7217a5e83bba77060fa541d8a218bb4ac233bef72a981ae25b22            0.0s
 => [internal] load build context                                                                                               0.1s
 => => transferring context: 851B                                                                                               0.0s
 => CACHED [2/3] RUN yarn add verdaccio-github-oauth-ui                                                                         0.0s
 => [3/3] COPY config.yaml /verdaccio/conf/config.yaml                                                                          0.1s
 => exporting to image                                                                                                          0.1s
 => => exporting layers                                                                                                         0.1s
 => => writing image sha256:998d3491168e7c7e483a6826a7b4df9944556c4a3722c5b2246e5d0790742327                                    0.0s
 => => naming to docker.io/library/verdaccio-github-image                                                                       0.0s

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
~/dev/verdaccio-github-oauth-ui master docker run --rm -it verdaccio-github-image
 warn --- config file  - /verdaccio/conf/config.yaml
(node:8) Warning: deprecate: multiple logger configuration is deprecated, please check the migration guide.
(Use `node --trace-warnings ...` to show where the warning was created)
[github-oauth-ui] Version: [email protected]
 error--- plugin not found. try npm install verdaccio-github-oauth-ui
(node:8) UnhandledPromiseRejectionWarning: Error:
        verdaccio-github-oauth-ui plugin not found. try "npm install verdaccio-github-oauth-ui"
    at /opt/verdaccio/build/lib/plugin-loader.js:110:13
    at Array.map (<anonymous>)
    at loadPlugin (/opt/verdaccio/build/lib/plugin-loader.js:62:37)
    at Auth._loadPlugin (/opt/verdaccio/build/lib/auth.js:56:38)
    at new Auth (/opt/verdaccio/build/lib/auth.js:46:25)
    at defineAPI (/opt/verdaccio/build/api/index.js:43:16)
    at _default (/opt/verdaccio/build/api/index.js:124:10)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
(node:8) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:8) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Steps to reproduce

clone this repo

docker build . -t verdaccio-github-image
docker run --rm -it verdaccio-github-image

Additional info

I also tried a hacky way of instlaling plugins in docker that works for the "auth-memory" plugin: verdaccio/verdaccio#1677 (comment) . Unfortunately, that didn't do the trick here, I get slightly different logs then:

FROM verdaccio/verdaccio:5.0.0

USER root

RUN npm install -g --no-bin-links --prefix /tmp/plugins-install verdaccio-github-oauth-ui \
    && mv /tmp/plugins-install/lib/node_modules/* /verdaccio/plugins \
    && chown -R 100001:65533 /verdaccio \
    && rm -rf /tmp/plugins-install

COPY config.yaml /verdaccio/conf/config.yaml

USER verdaccio

 warn --- config file  - /verdaccio/conf/config.yaml
(node:9) Warning: deprecate: multiple logger configuration is deprecated, please check the migration guide.
(Use `node --trace-warnings ...` to show where the warning was created)
 error--- plugin not found. try npm install verdaccio-github-oauth-ui
(node:9) UnhandledPromiseRejectionWarning: Error:
        verdaccio-github-oauth-ui plugin not found. try "npm install verdaccio-github-oauth-ui"
    at /opt/verdaccio/build/lib/plugin-loader.js:110:13
    at Array.map (<anonymous>)
    at loadPlugin (/opt/verdaccio/build/lib/plugin-loader.js:62:37)
    at Auth._loadPlugin (/opt/verdaccio/build/lib/auth.js:56:38)
    at new Auth (/opt/verdaccio/build/lib/auth.js:46:25)
    at defineAPI (/opt/verdaccio/build/api/index.js:43:16)
    at _default (/opt/verdaccio/build/api/index.js:124:10)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
(node:9) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:9) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

So one shows a line with [github-oauth-ui] Version: [email protected], but the other doesn't. I don't understand enough npm, yarn plugin loading etc. to debug this further.

Hi,

we're maintaining internally a fork of this plugin to connect to Azure Active Directories via OpenID, since the process is similar (except group authentication) and I wanted to ask if there's generally interest to extend this plugin to support multiple platforms and/or more generalized OpenID logins.

If not, we're going to keep our fork separate.

So i basically trying to make a unity npm registry by following this guide.
https://medium.com/@markushofer/run-your-own-unity-package-server-b4fe9995704e

Seems like this is the only working solution for auth with github.
Also correct me if im wrong, would im be able to push packages from github using this auth?

Bug Report

Error: Failed requesting GitHub user info: Not Found
at GitHubClient. (/usr/lib/node_modules/verdaccio-github-oauth-ui/dist/server.js:1102:21)
at step (/usr/lib/node_modules/verdaccio-github-oauth-ui/dist/server.js:997:17)
at Object.throw (/usr/lib/node_modules/verdaccio-github-oauth-ui/dist/server.js:928:14)
at rejected (/usr/lib/node_modules/verdaccio-github-oauth-ui/dist/server.js:890:32)

Error: Failed requesting GitHub user teams: Not Found
at GitHubClient. (/usr/lib/node_modules/verdaccio-github-oauth-ui/dist/server.js:1178:21)
at step (/usr/lib/node_modules/verdaccio-github-oauth-ui/dist/server.js:997:17)
at Object.throw (/usr/lib/node_modules/verdaccio-github-oauth-ui/dist/server.js:928:14)
at rejected (/usr/lib/node_modules/verdaccio-github-oauth-ui/dist/server.js:890:32)

Versions

Expected behavior

Verdaccio successfully auths with github.

Observed behaviour

Getting a Error: Failed requesting GitHub user info: Not Found error.

Steps to reproduce

1.Follow this tutorial https://medium.com/@markushofer/run-your-own-unity-package-server-b4fe9995704e
2.Install verdaccio-github-oauth-ui
3.Use this config https://prnt.sc/20ag2ca
4.Run verdaccio
5.Login

Additional context

https://prnt.sc/20aez8h
https://prnt.sc/20am5tc

Feature Request

Is your feature request related to a problem? Please describe.

With [email protected], it fails to startup(like log below). It seems verdaccio-github-oauth-ui is not compatible with verdaccio@5.
Also, url_prefix behavior changed.

{"level":40,"time":1618542664227,"pid":9,"hostname":"npm-registry-verdaccio-74c467f7cd-d9ld7","file":"/verdaccio/conf/config.yaml","msg":"config file  - @{file}"}
{"level":40,"time":1618542664449,"pid":9,"hostname":"npm-registry-verdaccio-74c467f7cd-d9ld7","content":"aws-s3-storage","prefix":"verdaccio","msg":"Plugin successfully loaded: @{prefix}-@{content}"}
[github-oauth-ui] Version: [email protected]
[github-oauth-ui] Proxy config: {"HTTP_PROXY":null,"HTTPS_PROXY":null,"NO_PROXY":null}
{"level":40,"time":1618542665458,"pid":9,"hostname":"npm-registry-verdaccio-74c467f7cd-d9ld7","content":"github-oauth-ui","prefix":"verdaccio","msg":"Plugin successfully loaded: @{prefix}-@{content}"}
{"level":40,"time":1618542665483,"pid":9,"hostname":"npm-registry-verdaccio-74c467f7cd-d9ld7","content":"audit","prefix":"verdaccio","msg":"Plugin successfully loaded: @{prefix}-@{content}"}
[github-oauth-ui] Proxy config: {"HTTP_PROXY":null,"HTTPS_PROXY":null,"NO_PROXY":null}
{"level":40,"time":1618542665484,"pid":9,"hostname":"npm-registry-verdaccio-74c467f7cd-d9ld7","content":"github-oauth-ui","prefix":"verdaccio","msg":"Plugin successfully loaded: @{prefix}-@{content}"}
{"level":30,"time":1618542665485,"pid":9,"hostname":"npm-registry-verdaccio-74c467f7cd-d9ld7","msg":"unhandledRejection caught"}
{"level":50,"time":1618542665485,"pid":9,"hostname":"npm-registry-verdaccio-74c467f7cd-d9ld7","errno":-2,"syscall":"open","code":"ENOENT","path":"/opt/verdaccio/node_modules/verdaccio-github-oauth-ui/dist/public/verdaccio-5.css","stack":"Error: ENOENT: no such file or directory, open '/opt/verdaccio/node_modules/verdaccio-github-oauth-ui/dist/public/verdaccio-5.css'\n    at Object.openSync (fs.js:476:3)\n    at Object.readFileSync (fs.js:377:35)\n    at new PatchHtml (/opt/verdaccio/node_modules/verdaccio-github-oauth-ui/dist/server.js:2362:38)\n    at Plugin.register_middlewares (/opt/verdaccio/node_modules/verdaccio-github-oauth-ui/dist/server.js:2645:54)\n    at /opt/verdaccio/build/api/index.js:72:12\n    at Array.forEach (<anonymous>)\n    at defineAPI (/opt/verdaccio/build/api/index.js:71:11)\n    at _default (/opt/verdaccio/build/api/index.js:124:10)\n    at processTicksAndRejections (internal/process/task_queues.js:93:5)","type":"Error","msg":"error caused exit"}
{"level":30,"time":1618542665486,"pid":9,"hostname":"npm-registry-verdaccio-74c467f7cd-d9ld7","msg":"exit caught"}

Describe the solution you'd like

Describe alternatives you've considered

Additional context

Bug Report

Versions

Expected behavior

Click Copy to clipboard button should always copy the text.

Observed behaviour

Copy failed with error when copy long text (end with ...)

Steps to reproduce

1. Open Registry Info window
2. Find a long string (clipped by the window) to copy
3. Click Copy to clipboard button
4. The string is not copied to clipboard

Additional context

Browser error after click, filename: /-/static/github-oauth-ui/verdaccio-5.js

What would be the best approach if I want to use github oauth for authentication where user will be used just to generate the auth token which will be later used as part of some automated CI process in order to successfully publish finalized package in to the registry?
What kind/type of user I have to create on the GitHub side?

#136 adds restricting via repository but also adds the requirement of private repository access when logging in. We don't use this feature and would rather limit the scopes as much as possible.

Using GitHub OAuth, it's very easy to get an auth token. Thanks for this lib!

But if I accidentally post my auth token somewhere, I should be able to revoke/invalidate my token using the built-in npm token revoke command. Seamless secret invalidation is considered an important security feature.

Let me know if you need help with this.

Feature Request

Currently, the 2nd and 3rd lines in the Registry Info will be replaced by a hardcoded set of strings. It would be nice if this was configurable (e.g. via config.yaml in Verdaccio), for two reasons:

• we're using a different package manager (Unity Package Manager) and want to adjust the text there
• currently the text becomes very long when a package is selected (so all commands look the same).

Is your feature request related to a problem? Please describe.

See above

Describe the solution you'd like

1. Ability to use Verdaccio's config.yaml to specify a string, e.g. "myprefix {{auth}} mypostfix"
2. Ability to specify if the always-auth command is also replaced
3. Ability to specify in the config under which conditions this is replaced (e.g. we only want that "Unity Package Manager" tab actually)

Additional context

See very long text here

Bug Report

After adding the plugin to the base docker image on Dockerfile and trying to run the new image, the following error appears.

 warn --- config file  - /verdaccio/conf/config.yaml
[github-oauth-ui] Version: [email protected]
 error--- error loading a plugin github-oauth-ui: TypeError: Cannot read property 'replace' of undefined
    at getMajorVersion (/opt/verdaccio/.yarn/$$virtual/verdaccio-github-oauth-ui-virtual-9d25d7ba2e/0/cache/verdaccio-github-oauth-ui-npm-3.2.0-4b8c0d5db8-ee0a13eb08.zip/node_modules/verdaccio-github-oauth-ui/dist/server.js:843:29)
    at new Verdaccio (/opt/verdaccio/.yarn/$$virtual/verdaccio-github-oauth-ui-virtual-9d25d7ba2e/0/cache/verdaccio-github-oauth-ui-npm-3.2.0-4b8c0d5db8-ee0a13eb08.zip/node_modules/verdaccio-github-oauth-ui/dist/server.js:1786:54)
    at new Plugin (/opt/verdaccio/.yarn/$$virtual/verdaccio-github-oauth-ui-virtual-9d25d7ba2e/0/cache/verdaccio-github-oauth-ui-npm-3.2.0-4b8c0d5db8-ee0a13eb08.zip/node_modules/verdaccio-github-oauth-ui/dist/server.js:2680:22)
    at /opt/verdaccio/build/lib/plugin-loader.js:125:32
    at Array.map (<anonymous>)
    at loadPlugin (/opt/verdaccio/build/lib/plugin-loader.js:62:37)
    at Auth._loadPlugin (/opt/verdaccio/build/lib/auth.js:56:38)
    at new Auth (/opt/verdaccio/build/lib/auth.js:46:25)
    at defineAPI (/opt/verdaccio/build/api/index.js:43:16)
    at _default (/opt/verdaccio/build/api/index.js:130:10)

Versions

Expected behavior

Verdaccio should work.

Observed behaviour

Steps to reproduce

1. On branch 5.x, use this docker file to generate the image (I just added one line to install de plugin)

FROM --platform=${BUILDPLATFORM:-linux/amd64} node:14.18.1-alpine as builder

ENV NODE_ENV=production \
    VERDACCIO_BUILD_REGISTRY=https://registry.npmjs.org  \
    HUSKY_SKIP_INSTALL=1 \
    CI=true \
    HUSKY_DEBUG=1

RUN apk --no-cache add openssl ca-certificates wget && \
    apk --no-cache add g++ gcc libgcc libstdc++ linux-headers make python2 && \
    wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
    wget -q https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.25-r0/glibc-2.25-r0.apk && \
    apk add glibc-2.25-r0.apk

WORKDIR /opt/verdaccio-build
COPY . .

RUN yarn config set npmRegistryServer $VERDACCIO_BUILD_REGISTRY && \
    yarn config set enableProgressBars true && \
    yarn config set enableTelemetry true && \
    yarn config set enableGlobalCache false && \
    yarn install && \
    yarn code:docker-build && \
    yarn cache clean && \
    yarn workspaces focus --production

FROM node:14.18.1-alpine
LABEL maintainer="https://github.com/verdaccio/verdaccio"

ENV VERDACCIO_APPDIR=/opt/verdaccio \
    VERDACCIO_USER_NAME=verdaccio \
    VERDACCIO_USER_UID=10001 \
    VERDACCIO_PORT=4873 \
    VERDACCIO_PROTOCOL=http
ENV PATH=$VERDACCIO_APPDIR/docker-bin:$PATH \
    HOME=$VERDACCIO_APPDIR

WORKDIR $VERDACCIO_APPDIR

RUN apk --no-cache add openssl dumb-init

RUN mkdir -p /verdaccio/storage /verdaccio/plugins /verdaccio/conf

RUN yarn add verdaccio-github-oauth-ui

COPY --from=builder /opt/verdaccio-build .


ADD conf/docker.yaml /verdaccio/conf/config.yaml

RUN adduser -u $VERDACCIO_USER_UID -S -D -h $VERDACCIO_APPDIR -g "$VERDACCIO_USER_NAME user" -s /sbin/nologin $VERDACCIO_USER_NAME && \
    chmod -R +x $VERDACCIO_APPDIR/bin $VERDACCIO_APPDIR/docker-bin && \
    chown -R $VERDACCIO_USER_UID:root /verdaccio/storage && \
    chmod -R g=u /verdaccio/storage /etc/passwd

USER $VERDACCIO_USER_UID

EXPOSE $VERDACCIO_PORT

VOLUME /verdaccio/storage

ENTRYPOINT ["uid_entrypoint"]

CMD node -r ./.pnp.js $VERDACCIO_APPDIR/bin/verdaccio --config /verdaccio/conf/config.yaml --listen $VERDACCIO_PROTOCOL://0.0.0.0:$VERDACCIO_PORT

2. Set parameters on config.yaml to enable the plugin (add your own GitHub credentials)

middlewares:
  github-oauth-ui:
    enabled: true
  audit:
    enabled: true

auth:
  github-oauth-ui:
    client-id: xxxx
    client-secret: xxxx
    org: xxxx

3. Run the image like any other container

Bug Report

Verdaccio auth plugins usually fall back gracefully in the order of declaration, however, it seems that github-oauth-ui blocks access to htpasswd (the default auth plugin).

Expected behavior

When logging in via npm with a user:password combination that is registered in the htpasswd file, user can log in.

Observed behaviour

Some logs appear that github-oauth-ui tries to add the user, which fails since it exists, and the user can't log in.

Steps to reproduce

1. Make sure htpasswd auth and github-oauth-ui are both on
2. Try to log in via npm login with a user:password combination as set in htpasswd
3. Note the logs on the server that the user can't be created and hasn't successfully logged in