Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

jsonp is not working for registry.npmjs.org #157

Closed
anvaka opened this Issue · 13 comments

6 participants

@anvaka

Hello,

I'm trying to use npm from a browser.

This returns valid jsonp response:
http://isaacs.iriscouch.com/registry/_design/scratch/_view/byField?callback=foo&limit=10

However isaacs.iriscouch.com was not stable recently, and I'm trying to change endpoint to registry.npmjs.org:

http://registry.npmjs.org/-/_view/byField?callback=foo&limit=10

This returns data, but completely ignores callback argument (which makes it unusable for jsonp scenario).

Neither does skimdb respects it:

https://skimdb.npmjs.com/registry/_design/scratch/_view/byField?callback=foo&limit=10

Would really appreciate your help.

Cheers,
Andrei

@isaacs
Owner

Indeed. This is actually a security problem if we enable it at the moment. Here's why:

If you go to https://skimdb.npmjs.com/_users/_design/_auth/_view/listAll?startkey=%22org.couchdb.user:isaacs%22&limit=1, you will get an error that you're not allowed to perform views on that database, because you're not a server admin.

However, if you ran the same view, but via a script tag with &callback=steal_all_teh_secrets, then your evil code could steal private user credentials if you can get any npm server admin to visit your page. Since you can't (afaik?) configure couchdb to allow jsonp on ONE database, and not another.

We are currently working on making some slight modifications to the setup so that we can have a skimdb couch exposed in every which way as a downstream, so there's no chance of user credentials being leaked.

@isaacs isaacs closed this
@anvaka

Interesting. In that case can you enable CORS? It's just one header in the response Access-Control-Allow-Origin: *

This would really help

@anvaka

This is what needs to be changed in CouchDB config:

[httpd]
enable_cors = true

[cors]
origins = *
@anvaka anvaka referenced this issue from a commit in anvaka/npmgraph.an
@anvaka anvaka Added `fake` attribute
In case if isaacs.iriscouch.com is down during presentation
add fake argument to query string to get fake data visualized

See also: npm/npm-registry-couchapp#157
7034f7b
@isaacs
Owner

Cors will be allowed eventually, but not until we do some more security fixes and enhancements to prevent bad behavior from potentially causing trouble in the production registry. We'll announce on our blog when this is live.

@isaacs
Owner

jsonp will be enabled as well. But again, not until it can be done safely.

@anvaka

Hi @isaacs

I was working on npm visualization from a browser, and isaacs.iriscouch.com is down again. Is there any timeline of getting CORS enabled?

@anvaka anvaka referenced this issue in anvaka/npmgraph.an
Closed

registry #1

@anvaka

Hi @isaacs, sorry for bugging you again. Is it safe to enable CORS now :)?

@ericfong

I am also working on jsonp or cors ajax to npm.

Listing and searching related npm modules.

Any work around for this?

@zeke

I want this too, but there is apparently a security issue in the version of CouchDB we're running that makes it unsafe to enable CORS. I think @isaacs said something about the CouchDB CORS configuration being all-or-nothing, rather than granular, i.e. GET-only.

We are currently building a relational follower of the registry that will enable this. In the mean time, you'll have to use a proxy. If you're not doing tons of traffic with it, you can use mine or stand up your own version of it: https://github.com/zeke/npm-registry-cors-proxy

@smikes

I believe @maxogden said that there is a dat stream for npm registry -- see https://github.com/maxogden/dat

@maxogden

oh yea we have http://npm.dathub.org/, it's experimental though so don't build anything production off of it

@anvaka

@maxogden I was hoping to use CORS or JSONP enabled endpoint to render dependencies graph here: https://github.com/anvaka/npmgraph.an

http://npm.dathub.org/api/rows?limit=10 - looks promising, thought it seems CORS/JSONP are not available here either?

@maxogden
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.