This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

_auth doesn't depend on repository #4711

Closed
rlidwka opened this issue Feb 18, 2014 · 1 comment

rlidwka (Contributor) commented Feb 18, 2014

Login and password are stored and transferred over the wire in plain text.

It might be fine, but it's too easy to send them to the wrong place:

$ npm adduser
$ npm publish --reg http://localhost:12345/

$ nc -l 12345
POST /_session HTTP/1.1
host: localhost:1234
accept: application/json
content-type: application/json
content-length: 27
Connection: keep-alive

{"name":"foo","password":"bar"}

Whoops.

The --add-auth option is especially dangerous, because npm install whatever --registry http://localhost:12345/ --add-auth=true will send your credentials even on install.

A web browser will never send your password to a different domain, so npm's behaviour is unexpected and might open up a few social engineering possibilities.

Ideally, the fix would be to lock the "_auth" string to the "repository" it belongs to, and drop it if the repository changes for whatever reason.

Development

No branches or pull requests

2 participants