pfdgithub / verdaccio-auth-gitlab
Verdaccio authentication plugin by gitlab personal access token or oauth token or ci job token.
License: MIT License
I checked the jwt token after a gitlab user successfully logged in and found the following claims:
{
  ...
  "real_groups": [
    "$gitlab:user",
    "$gitlab:user:XXX",
    "$gitlab:group:YYY:member",
    "$all",
    "$authenticated",
    "@all",
    "@authenticated",
    "all"
  ],
  "name": "XXX",
  "groups": [
    "$gitlab:user",
    "$gitlab:user:XXX",
    "$gitlab:group:YYY:member",
    "$all",
    "$authenticated",
    "@all",
    "@authenticated",
    "all"
  ],
  ...
}
Which means that every gitlab user belongs to $authenticated. Therefore every gitlab user can log in to the npm registry which is using the plugin. Of course, by setting the roles correctly in verdaccio's config.yaml you can make sure that $authenticated doesn't give you any rights at all.
Is it possible to extend the plugin to deny a login at all to users which do not fulfill e.g. a config like $gitlab:group:YYY:member?
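One way to get the behaviour asked for above, as an added example that is not code from verdaccio-auth-gitlab: a wrapper around the auth plugin that rejects any login whose returned groups lack a required role. It assumes verdaccio's auth plugin callback convention (groups array on success, false to reject); the stand-in GitLab plugin and its tokens are constructed.

```javascript
// Added example, not code from verdaccio-auth-gitlab: a wrapper that refuses a
// login unless the groups returned by the inner plugin contain a required role
// such as "$gitlab:group:YYY:member". Assumed convention (verdaccio auth plugin
// API): authenticate(user, password, cb) calls cb(null, groups) on success and
// cb(null, false) to reject the credentials.

// Roles that appear in the JWT above for every logged-in user; they cannot
// distinguish one GitLab user from another, so they are refused as a gate.
const IMPLICIT_ROLES = new Set(['$all', '$authenticated', '@all', '@authenticated', 'all']);

function makeGroupGate(inner, requiredRole) {
  if (IMPLICIT_ROLES.has(requiredRole)) {
    throw new Error(`"${requiredRole}" is held by every authenticated user and cannot gate logins`);
  }
  return {
    authenticate(user, password, cb) {
      inner.authenticate(user, password, (err, groups) => {
        if (err || !groups) return cb(err, false);                  // inner plugin already rejected
        if (!groups.includes(requiredRole)) return cb(null, false); // valid token, wrong group
        return cb(null, groups);
      });
    },
  };
}

// Constructed stand-in for the GitLab plugin: token -> groups it would report.
const TOKENS = {
  'tok-alice': ['$gitlab:user', '$gitlab:user:alice', '$gitlab:group:YYY:member'],
  'tok-bob': ['$gitlab:user', '$gitlab:user:bob'],
};
const fakeGitlabPlugin = {
  authenticate(user, token, cb) {
    const groups = TOKENS[token];
    cb(null, groups ? [...groups, ...IMPLICIT_ROLES] : false);
  },
};

// Runs one login and returns what the plugin handed to the callback.
// Works because the stand-in above invokes its callback synchronously.
function tryLogin(plugin, user, token) {
  let result;
  plugin.authenticate(user, token, (err, groups) => { result = err ? { error: err } : groups; });
  return result;
}

const gated = makeGroupGate(fakeGitlabPlugin, '$gitlab:group:YYY:member');
```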
I'm trying to authenticate using access: $gitlab:group:impakt-dev:member, where impakt-dev is my group name. I'm 100% sure I am a member (and owner) of the group, yet I get unauthorized. It works fine if using $gitlab:user. I've also tried with fullGroupPath: true. If I call https://gitlab.com/api/v4/groups and use my token (same one I use to log in on the verdaccio front-end), I also see my group within the array.
Using verdaccio/verdaccio:5.15.4 on localhost.
Is there anything I am missing? Would appreciate any help.
Thanks!
@pfdgithub ++
Hi,
could you add a version range for the verdaccio peer dependency? Like from >=4.8 <=5.x or something like that. It works well with verdaccio 5. But this plugin installs verdaccio 4.8 as well and deprecation warnings pop up. It's not a big problem but would be nice.
I could open a pull request, but that would be a little over the top for this.
Thanks in advance
Managing verdaccio authentication using verdaccio-auth-gitlab is convenient and secure. So accessing verdaccio via the Web or using the npm/yarn CLI is also convenient, because users always have their own personal access token with them. But if we want to use the same private npm registry for a CI job, we should be able to do that via a job token rather than exposing a personal access token.
Currently, verdaccio-auth-gitlab only supports one token type. This issue is reported in #11.
According to the discussion comment, CI_JOB_TOKEN can be used even with the tokenType: personal configuration?
Verdaccio Version: 5.18
verdaccio-auth-gitlab Plugin Version: latest
Environment: Docker
Scenario:
User tries to log in with the username and the personal access token. Once the user successfully authenticates, the user details are cached by the plugin, as I understood. Now the user logs out and tries to log in again. But this time, the user provides the correct username but an incorrect personal access token (i.e. remove several characters of the token and try to sign in).
Expected Outcome:
Verdaccio should decline login.
Actual Outcome:
User can successfully login even though the personal token is invalid.
Reproducing steps:
When naming a repository in GitLab, generally we use CamelCase/PascalCase style. But npm does not allow upper case letters anymore. Thus, we are facing an issue when this is used in the config file.
publish: $gitlab:project:[pkgName]:owner
As an example, if the GitLab repo name is SampleNameRepo, we will not be able to make an npm package which contains the same repo name because of npm naming scheme restrictions. Thus, we may have to name the package as sample-name-repo.
This means even the owner will not be able to publish the package.
Adding a new property in the config file which will automatically convert the name of the package to a predefined case. In the above example, CamelCase/PascalCase will be converted to kebab-case.
I'd like to hear some suggestions from you too. Also, I can support implementing this feature as well.
It will cause HTTP Error 431 Request Header Fields Too Large after you log in if you have tons of projects and groups. I suggest we add a project/group filter to reduce the redundant roles. Sorry for my poor English.
Would be great if we make this plugin available for Verdaccio 4 because Verdaccio 3 is EOL in about 6 months.
If I have time next month I'll look into it, but no guarantees.
Kind regards,
Lennard
It would be helpful if the plugin uses the job token type when the username is gitlab-ci-token. This would make it possible to use this plugin for CI login and user login simultaneously.
Hi,
I tried to log in to several accounts from the same machine, but one account failed to log in (git clone works with the token, but I cannot log in). It shows the error log: Response code 403 (Forbidden)
How did this happen?
In gitlab ci you get a token for the runner to use to pull dependent repositories etc. It's being used with the user gitlab-ci-token as far as I know. It would be great if this could somehow be used to pull and push packages.
Plugin returns 500 HTTP status for invalid Personal Access Tokens when trying to obtain the npm access token via CLI
I'm trying to obtain the npm access token via the below curl request, and it works as expected without any issue if the personal access token is valid. But when it is invalid, an unexpected error occurs.
TOKEN=$(curl -s \
-H "Accept: application/json" \
-H "Content-Type:application/json" \
-X PUT --data '{"name": "username_here", "password": "password_here"}' \
http://your_registry/-/user/org.couchdb.user:username_here 2>&1 | grep -Po \
'(?<="token": ")[^"]*')
When the password is invalid, the response should return 401 Unauthorised.
When the password is invalid, the response returns 500 Internal Server Error.
Hi!
It seems like the project and group paths that must be passed as parameters can lead to errors when a user is a member of multiple groups or projects with the same path (ignoring namespace).
It seems that using either the ids or the full path (path_with_namespace) could resolve this.