jsonp is not working for registry.npmjs.org #157

Closed
anvaka opened this Issue Mar 2, 2014 · 13 comments

Projects

None yet

6 participants

@anvaka
anvaka commented Mar 2, 2014

Hello,

I'm trying to use npm from a browser.

This returns valid jsonp response:
http://isaacs.iriscouch.com/registry/_design/scratch/_view/byField?callback=foo&limit=10

However isaacs.iriscouch.com was not stable recently, and I'm trying to change endpoint to registry.npmjs.org:

http://registry.npmjs.org/-/_view/byField?callback=foo&limit=10

This returns data, but completely ignores callback argument (which makes it unusable for jsonp scenario).

Neither does skimdb respects it:

https://skimdb.npmjs.com/registry/_design/scratch/_view/byField?callback=foo&limit=10

Would really appreciate your help.

Cheers,
Andrei

@isaacs
Member
isaacs commented Mar 2, 2014

Indeed. This is actually a security problem if we enable it at the moment. Here's why:

If you go to https://skimdb.npmjs.com/_users/_design/_auth/_view/listAll?startkey=%22org.couchdb.user:isaacs%22&limit=1, you will get an error that you're not allowed to perform views on that database, because you're not a server admin.

However, if you ran the same view, but via a script tag with &callback=steal_all_teh_secrets, then your evil code could steal private user credentials if you can get any npm server admin to visit your page. Since you can't (afaik?) configure couchdb to allow jsonp on ONE database, and not another.

We are currently working on making some slight modifications to the setup so that we can have a skimdb couch exposed in every which way as a downstream, so there's no chance of user credentials being leaked.

@isaacs isaacs closed this Mar 2, 2014
@anvaka
anvaka commented Mar 3, 2014

Interesting. In that case can you enable CORS? It's just one header in the response Access-Control-Allow-Origin: *

This would really help

@anvaka
anvaka commented Mar 3, 2014

This is what needs to be changed in CouchDB config:

[httpd]
enable_cors = true

[cors]
origins = *
@anvaka anvaka added a commit to anvaka/npmgraph.an that referenced this issue Mar 5, 2014
@anvaka anvaka Added `fake` attribute
In case if isaacs.iriscouch.com is down during presentation
add fake argument to query string to get fake data visualized

See also: npm/npm-registry-couchapp#157
7034f7b
@isaacs
Member
isaacs commented Mar 9, 2014

Cors will be allowed eventually, but not until we do some more security fixes and enhancements to prevent bad behavior from potentially causing trouble in the production registry. We'll announce on our blog when this is live.

@isaacs
Member
isaacs commented Mar 9, 2014

jsonp will be enabled as well. But again, not until it can be done safely.

@anvaka
anvaka commented Sep 4, 2014

Hi @isaacs

I was working on npm visualization from a browser, and isaacs.iriscouch.com is down again. Is there any timeline of getting CORS enabled?

@anvaka anvaka referenced this issue in anvaka/npmgraph.an Sep 9, 2014
Closed

registry #1

@anvaka
anvaka commented Nov 27, 2014

Hi @isaacs, sorry for bugging you again. Is it safe to enable CORS now :)?

@ericfong

I am also working on jsonp or cors ajax to npm.

Listing and searching related npm modules.

Any work around for this?

@zeke
zeke commented Dec 15, 2014

I want this too, but there is apparently a security issue in the version of CouchDB we're running that makes it unsafe to enable CORS. I think @isaacs said something about the CouchDB CORS configuration being all-or-nothing, rather than granular, i.e. GET-only.

We are currently building a relational follower of the registry that will enable this. In the mean time, you'll have to use a proxy. If you're not doing tons of traffic with it, you can use mine or stand up your own version of it: https://github.com/zeke/npm-registry-cors-proxy

@smikes
smikes commented Jan 29, 2015

I believe @maxogden said that there is a dat stream for npm registry -- see https://github.com/maxogden/dat

@maxogden

oh yea we have http://npm.dathub.org/, it's experimental though so don't build anything production off of it

@anvaka
anvaka commented Jan 29, 2015

@maxogden I was hoping to use CORS or JSONP enabled endpoint to render dependencies graph here: https://github.com/anvaka/npmgraph.an

http://npm.dathub.org/api/rows?limit=10 - looks promising, thought it seems CORS/JSONP are not available here either?

@maxogden

It supports CORS GET, but not JSONP

On Wed, Jan 28, 2015 at 8:53 PM, Andrei Kashcha notifications@github.com
wrote:

@maxogden https://github.com/maxogden I was hoping to use CORS or JSONP
enabled endpoint to render dependencies graph here:
https://github.com/anvaka/npmgraph.an

http://npm.dathub.org/api/rows?limit=10 - looks promising, thought it
seems CORS/JSONP are not available here either?


Reply to this email directly or view it on GitHub
#157 (comment)
.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment