Internal Server Error When Attempting to Login with url_prefix #43

Closed
d42ohpaz opened this issue Feb 21, 2020 · 11 comments
Labels
investigating I'm looking at it wontfix

Comments

@d42ohpaz

Bug Report

Versions

Version
verdaccio 4.4.1
verdaccio-github-oauth-ui 2.2.2

Expected behavior

Click the Login button, be redirected to Enterprise Github installation to authorize access to the plugin.

Observed behaviour

Page redirects to REGISTRY_URL/-/oauth/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fenterprise%2F2.19%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch and displays { "error": "internal server error" }.

Logs show the following:

info <-- 127.0.0.1 requested 'GET /-/oauth/authorize'
 http <-- 302, user: null(0.0.0.0, 0.0.0.0 via 127.0.0.1), req: 'GET /-/oauth/authorize', bytes: 0/328
 info <-- 127.0.0.1 requested 'GET /-/oauth/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fenterprise%2F2.19%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch'
 error--- unexpected error: Response code 401 (Unauthorized)
HTTPError: Response code 401 (Unauthorized)
    at EventEmitter.emitter.on (/usr/local/share/.config/yarn/global/node_modules/got/source/as-promise.js:74:19)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:229:7)
 http <-- 500, user: null(0.0.0.0, 0.0.0.0 via 127.0.0.1), req: 'GET /-/oauth/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fenterprise%2F2.19%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch', error: internal server error

Steps to reproduce

  1. Install plugin
  2. Configure Github OAuth app per README.md
  3. Update verdaccio config per README.md
  4. Restart verdaccio (and httpd for good measure)
  5. Click Login from the homepage

Additional context

Github OAuth App config
github-enterprise-oauth-app

Verdaccio Config

storage: /var/lib/verdaccio/storage
plugins: /var/lib/verdaccio/plugins

middlewares:
  audit:
    enabled: true
  npm-urls:
    enabled: true
  github-oauth-ui:
    enabled: true

auth:
  github-oauth-ui:
    org: my-org
    client-id: my-client-id
    client-secret: my-client-secret
    enterprise-origin: https://git.example.com/
#  github-auth:
#    octokit:
#      baseUrl: https://git.example.com/api/v3
#      log:
#        debug: console.debug
#        info: console.log
#
#    mode: basic
#    '**':
#      access: $authenticated

web:
  gravatar: true
  logo: /var/lib/verdaccio/logo.png
  primary_color: '#00703c'
  title: UPM - Package Management
  sort_packages: asc

url_prefix: /npm/

uplinks:
  npmjs:
    url: https://registry.npmjs.org/
    timeout: 10000ms
    fail_timeout: 10s

packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

  '**':
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

server:
  keepAliveTimeout: 60

# log settings
logs:
  - {type: file, path: /var/log/verdaccio/verdaccio.log, format: pretty, level: info}
  #- {type: stdout, format: pretty, level: trace}
@n4bb12
Owner

n4bb12 commented Feb 21, 2020

Hi @9ae8sdf76, thanks for the report.

It looks like you are using a relative url_prefix which is currently not supported. Please see https://github.com/n4bb12/verdaccio-github-oauth-ui#url_prefix-optional.

Could you try changing it to https://repo.YOUR_DOMAIN/npm?

@d42ohpaz
Author

Ok, so making the url_prefix absolute does work for the login, but there seems to be an issue in verdaccio that treats the url_prefix as relative; in other words, it breaks because it makes the links look like https://repo.YOUR_DOMAIN/npm/https://repo.YOUR_DOMAIN/npm. 😞

@n4bb12
Owner

n4bb12 commented Feb 21, 2020

Okay, I guess it's best if the plugin supports both. I'll have a look.

@n4bb12 n4bb12 added the enhancement New feature or request label Feb 21, 2020
@n4bb12
Owner

n4bb12 commented Feb 21, 2020

Tried a few things but I don't even get as far as viewing the repository home page when using a prefix. Verdaccio just thinks it's a package name.

It seems the url_prefix is only intended to work in combination with a reverse proxy.

Are you accessing this locally or through a proxy?

@n4bb12
Owner

n4bb12 commented Feb 21, 2020

Related

verdaccio/verdaccio#1523
https://github.com/verdaccio/ui/issues/263

@n4bb12
Owner

n4bb12 commented Feb 21, 2020

Looking at all the old and new issues with url_prefix on the Verdaccio repo, it seems using this option is not very stable.

A plain Verdaccio with url_prefix option doesn't work for me either (with and without proxy).

Based on this I'm not sure if I really want to support this option.

I'm wondering why anyone would choose to host things on subdirectories in the first place. Using subdomains is so much simpler and doesn't require rewriting URLs and juggling with prefixes.

What do you think?

@d42ohpaz
Author

> It seems the url_prefix is only intended to work in combination with a reverse proxy.
>
> Are you accessing this locally or through a proxy?

I am on a reverse proxy where all traffic goes to a load balancer over HTTPS, and then gets transferred from the load balancer to the actual server using HTTP (yay).

> I'm wondering why anyone would choose to host things on subdirectories in the first place.

I work in an environment where I already have a server for satis, which already has its own https certificate. I'm hard-pressed to justify a whole other SSL certificate to the sysadmins for something that the software is advertised as supporting.

Unfortunately for me, it's been the bane of my existence and not a high priority for the verdaccio devs to fix.

> Using subdomains is so much simpler and doesn't require rewriting URLs and juggling with prefixes.

I agree with you; maybe I should try going back to the sysadmins and throwing myself on their mercy.

@ganapativs
Contributor

ganapativs commented Jul 2, 2020

Had a similar setup where the reverse proxy was resolving HTTPS and the actual server was using HTTP.

Here is my workaround:
Removing the url_prefix and setting the authorization callback URL protocol to http instead of https (https://registry.website.com/-/oauth/callback -> http://registry.website.com/-/oauth/callback) in the GitHub OAuth App config fixed the issue.

The only drawback is that the resolved URL in the lock file will have http instead of https in it.
Eg: resolved "http://registry.website.com/@private%2fsecret-package/-/secret-package-0.0.7.tgz#31d77ec61ade14d51f7c18aa6e0f600ad7664523"

This setup works perfectly fine if your reverse proxy automatically redirects http to https on request.

You can still use https when referring to the registry everywhere else.
Eg: npx verdaccio-github-oauth-ui --registry https://registry.website.com/
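
The scheme mismatch discussed in this thread (TLS terminated at the proxy, plain HTTP to Verdaccio), as an added example that is not part of any comment here and is not the plugin's own code: it derives an OAuth `redirect_uri` from `url_prefix` and forwarded headers, then names the components that differ from the registered callback. The function names, the `trustProxy` option and the `repo.example.com` values are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, not verdaccio-github-oauth-ui code.
const CALLBACK_PATH = "/-/oauth/callback"; // callback path seen in the issue's logs

// Public base URL as seen by browsers. An absolute url_prefix wins; otherwise
// scheme and host come from the request, and X-Forwarded-* is honoured only
// when the operator has declared the upstream proxy trusted.
function publicBaseUrl(req, { urlPrefix = "", trustProxy = false } = {}) {
  if (/^https?:\/\//i.test(urlPrefix)) return urlPrefix.replace(/\/+$/, "");
  const first = (v) => (v ? String(v).split(",")[0].trim() : undefined);
  const fwd = (name) => (trustProxy ? first(req.headers[name]) : undefined);
  const proto = fwd("x-forwarded-proto") || req.protocol;
  const host = fwd("x-forwarded-host") || req.headers.host;
  const prefix = urlPrefix.replace(/^\/*/, "/").replace(/\/+$/, "");
  return `${proto}://${host}${prefix}`;
}

function redirectUri(req, opts) {
  return publicBaseUrl(req, opts) + CALLBACK_PATH;
}

// Name the URL components that differ from the callback registered in the OAuth app.
function diffRedirectUri(computed, registered) {
  const a = new URL(computed);
  const b = new URL(registered);
  const trim = (p) => p.replace(/\/+$/, "");
  const diffs = [];
  if (a.protocol !== b.protocol) diffs.push("scheme");
  if (a.host !== b.host) diffs.push("host");
  if (trim(a.pathname) !== trim(b.pathname)) diffs.push("path");
  return diffs;
}

// Constructed request: what the backend sees when the load balancer
// terminates HTTPS and forwards plain HTTP.
const sampleReq = {
  protocol: "http",
  headers: { host: "repo.example.com", "x-forwarded-proto": "https" },
};
const registered = "https://repo.example.com/npm/-/oauth/callback"; // constructed

for (const opts of [
  { urlPrefix: "/npm/" },
  { urlPrefix: "/npm/", trustProxy: true },
  { urlPrefix: "https://repo.example.com/npm" },
  {},
]) {
  const uri = redirectUri(sampleReq, opts);
  console.log(uri, "->", diffRedirectUri(uri, registered).join(",") || "match");
}
```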

@n4bb12 n4bb12 changed the title Internal Server Error When Attempting to Login Internal Server Error When Attempting to Login with url_prefix Aug 9, 2020
@n4bb12 n4bb12 added investigating I'm looking at it and removed enhancement New feature or request labels Aug 13, 2020
@stale

stale bot commented Oct 8, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Oct 8, 2020
@stale stale bot closed this as completed Oct 15, 2020
@d42ohpaz
Author

Please reopen.

@ITR13

ITR13 commented Sep 8, 2023

I have the project working fine with a relative url_prefix; the only exception is that the website tries to load -/static/github-oauth-ui/verdaccio-5.js without adding the url prefix first, making it show the original login screen instead.

Fixed it locally by just serving everything under url_prefix/-/ on /-/ too, but it redirects to the front page at the end which is slightly annoying.
