confusion about authentication

[jampy]

I just installed Verdaccio 6.0.0 (verdaccio/verdaccio:6.0.0 Docker image). It should act as a private NPM proxy/cache and also host a handful of private packages.

My goal is to have a single Verdaccio user with a certain password and have a long-term NPM/Yarn configuration (though Kubernetes secrets) that is able to login to Verdaccio. User registration should be disabled (max_users: -1)

• since Verdaccio by default uses a so-called htpasswd mechanism I tried to create a typical htpasswd file by using printf "USER:$(openssl passwd -5 -stdin)\n", which usually works with HTTP servers. That didn't work. I guess Verdaccio expects a certain (different) format/hashing mechanism.

  • I solved this by temporarily enabling user registration and using npm register to create a working .htpasswd on the server and saving it (I want to store it as a read-only Kubernetes secret).

• I tried to enable authentication on Yarn v1 following this description, but could not get Yarn to ask for the password

• I moved on to authenticate using standard npm (since Yarn should also support it). npm login succeded. It wrote an _authToken (100 characters) to the .npmrc.

  • I see there is now a file /verdaccio/storage/data/.verdaccio-db.json on the server containing {"list":[],"secret":"xxxxxxx"} (secret is 32 characters long).
    • I don't understand the role of the "secret". Is the secret fixed and the same secret is used for all users? The .verdaccio-db.json JSON structure implies that since the secret is not part of an array or similar.
  • I've read the Authentication config section, which talks about legacy and JWT token signature. I'm not sure which kind of token my setup uses now. The page says that the legacy property is enabled by default so I think it is a legacy secret.
  • Does the auth token expire? I would like to avoid that.
    • There is a security.api.jwt.sign.expiresIn config option but obviously that does not apply to the "legacy" tokens I guess. Is there an "expire" option for those legacy tokens?
    • It confuses me that this config snippet both has a legacy: true setting and configures the jwt section, which should activate JWT. Isn't that a contradiction?

I would be happy if you could help me understand how the configuration works. Thanks a lot in advance!

The config.yaml I'm using at the moment:

    storage: /verdaccio/storage/data
    web:
      title: Verdaccio
    auth:
      htpasswd:
        file: /verdaccio/htpasswd
        max_users: -1   # do not allow users to register
    uplinks:
      npmjs:
        url: https://registry.npmjs.org/
        agent_options:
          keepAlive: true
          maxSockets: 40
          maxFreeSockets: 10
    packages:
      '@myscope/*':
        access: $authenticated
        publish: $authenticated
      '**':
        access: $authenticated
        proxy: npmjs
    middlewares:
      audit:
        enabled: true  # enable "npm audit"
    log: {type: stdout, format: pretty, level: http}

[mbtools]

1. Single user

• Run Verdaccio once with max_users: 1
• Create your user with npm adduser
• Change the config to max_users: -1

Now you will have a correct htpasswd file.

2. secret

The secret is used to verify the jwt payload. If you change it, all existing tokens become invalid.

3. legacy vs jwt

You are correct. The jwt doc chapter should not contain the legacy setting. I will remove it.

4. yarn

As you can see here, it took yarn until v4 to get the login process working properly with Verdaccio. However, yarn 1 should work with legacy: true and without a jwt block.

[juanpicado]

secret is 32 characters long

@jampy @mbtools the secret should be 64 characters long, not 32. corrections bellow

Since https://github.com/verdaccio/verdaccio/releases/tag/v5.31.0 was introduced migrateToSecureLegacySignature in order to do that for you, of course with side effects (read the release)

You are using version 6.x you can use migrateToSecureLegacySignature to fix that automatically for you.

I don't understand the role of the "secret". Is the secret fixed and the same secret is used for all users?

yes, the secret is used for singing tokens, either if you use legacy or jwt.

I'm not sure which kind of token my setup uses now. The page says that the legacy property is enabled by default so I think it is a legacy secret.

If you don't use the security property, uses the legacy by default.

Does the auth token expire? I would like to avoid that.

Only if you choose use JWT but by default (legacy) does not expires.

Regarding JWT

The request to the API can be set either jwt or legacy, but the login through web UI are jwt by default because it's important to expires tokens after certain amount of time, this is very specific for those uses login from User Interface.

For such cases you can use security but seems not to be your case.

security:
   web:
     sign:
       expiresIn: 1h # 1 hour by default
     verify:
        someProp: [value]

[mbtools]

32 checkSecret 😉

[juanpicado]

Opss thanks 🥲 I am getting old