support private packages

[jdx]

Originally this project was needed to ensure that only authenticated users could publish packages, but they needed to be installable by anyone. For most projects, however, you would want only authenticated users to be able to publish or install packages.

This will have to be a configurable option.

[zeke]

I'm watching this repo :)

[jdx]

this is actively used! https://cli-npm.heroku.com/package-json-to-readme

[raulb]

Hi @zeke 👋

[zeke]

🙌

[resistdesign]

👍

[jdx]

I've got an idea how to make this work and still have the CDN stuff. Hopefully I'll get some time to work on it soon-ish.

[ealves-pt]

@dickeyxxx I don't know what is your plan but it would be nice if we could manage organizations, teams and users with it.

[jdx]

That would be pretty complicated. I wonder if I could piggyback on the existing npm commands to manage orgs though.

[danielo515]

I'm confused about this, are the published packages publicly available? There is no way to make them private?

[milankinen]

Hi @dickeyxxx!

I could make a PR making read/write auth configurable if it's ok for you. In my implementation there would be two environment variables:

• AUTH_WRITE=true|false (defaults true)
  • All post/put/delete routes except auth (= basically routes having auth middleware enabled currently)
• AUTH_READ=true|false (defaults false)
  • All get routes except index and auth

auth route authentication would remain as it is (non-configurable). No CDN support though.. 😕

Thoughts?

[jdx]

@milankinen that sounds reasonable, but maybe prefix the var with NPM_REGISTER_* so they won't conflict with anything else

[milankinen]

@dickeyxxx Absolutely! 👍

[danielo515]

What is the state of this? I would love to use this in production,but I need packages to be totally private .

Regards

[milankinen]

Sorry I had other pending tasks that I had to complete first, but finally here is my first attempt: #62