feat: refactor middleware and bufixes (#3922)

.yarnrc.yml

@@ -4,6 +4,7 @@ enableGlobalCache: false
 
 npmRegistryServer: "https://registry.npmjs.org"
 
+# for local development usage
 # npmRegistryServer: "http://localhost:4873/"
 # unsafeHttpWhitelist:
 # - localhost

package.json

@@ -19,21 +19,20 @@
     "url": "https://opencollective.com/verdaccio"
   },
   "dependencies": {
-    "@verdaccio/config": "6.0.0-6-next.72",
-    "@verdaccio/core": "6.0.0-6-next.72",
+    "@verdaccio/config": "6.0.0-6-next.74",
+    "@verdaccio/core": "6.0.0-6-next.74",
     "@verdaccio/local-storage": "10.3.3",
-    "@verdaccio/logger-7": "6.0.0-6-next.17",
-    "@verdaccio/middleware": "6.0.0-6-next.51",
+    "@verdaccio/logger-7": "6.0.0-6-next.19",
+    "@verdaccio/middleware": "6.0.0-6-next.53",
     "@verdaccio/search": "6.0.0-6-next.2",
     "@verdaccio/signature": "6.0.0-6-next.2",
     "@verdaccio/streams": "10.2.1",
-    "@verdaccio/tarball": "11.0.0-6-next.41",
-    "@verdaccio/ui-theme": "6.0.0-6-next.72",
-    "@verdaccio/url": "11.0.0-6-next.38",
-    "@verdaccio/utils": "6.0.0-6-next.40",
+    "@verdaccio/tarball": "11.0.0-6-next.43",
+    "@verdaccio/ui-theme": "6.0.0-6-next.74",
+    "@verdaccio/url": "11.0.0-6-next.40",
+    "@verdaccio/utils": "6.0.0-6-next.42",
     "JSONStream": "1.3.5",
     "async": "3.2.4",
-    "body-parser": "1.20.2",
     "clipanion": "3.2.1",
     "compression": "1.7.4",
     "cookies": "0.8.0",
@@ -56,8 +55,8 @@
     "request": "2.88.2",
     "semver": "7.5.4",
     "validator": "13.9.0",
-    "verdaccio-audit": "11.0.0-6-next.35",
-    "verdaccio-htpasswd": "11.0.0-6-next.41"
+    "verdaccio-audit": "11.0.0-6-next.37",
+    "verdaccio-htpasswd": "11.0.0-6-next.44"
   },
   "devDependencies": {
     "@babel/cli": "7.22.6",
@@ -186,10 +185,5 @@
     "url": "https://opencollective.com/verdaccio",
     "logo": "https://opencollective.com/verdaccio/logo.txt"
   },
-  "packageManager": "yarn@3.6.0",
-  "dependenciesMeta": {
-    "@verdaccio/types@11.0.0-6-next.24": {
-      "unplugged": true
-    }
-  }
+  "packageManager": "yarn@3.6.0"
 }

src/api/endpoint/api/search.ts

@@ -1,106 +1,11 @@
-import { API_ERROR, HEADERS } from '../../../lib/constants';
+import { HTTP_STATUS } from '../../../lib/constants';
 import { logger } from '../../../lib/logger';
-import { ErrorCode } from '../../../lib/utils';
 
-export default function (route, auth, storage): void {
+export default function (route): void {
   // searching packages
-  route.get('/-/all(/since)?', function (req, res, next) {
-    let received_end = false;
-    let response_finished = false;
-    let processing_pkgs = 0;
-    let firstPackage = true;
-    logger.warn('/-/all search endpoint is deprecated, might be removed in the next major release');
-    res.status(200);
-    res.set(HEADERS.CONTENT_TYPE, HEADERS.JSON_CHARSET);
-
-    /*
-     * Offical NPM registry (registry.npmjs.org) no longer return whole database,
-     * They only return packages matched with keyword in `referer: search pkg-name`,
-     * And NPM client will request server in every search.
-     *
-     * The magic number 99999 was sent by NPM registry. Modify it may caused strange
-     * behaviour in the future.
-     *
-     * BTW: NPM will not return result if user-agent does not contain string 'npm',
-     * See: method 'request' in up-storage.js
-     *
-     * If there is no cache in local, NPM will request /-/all, then get response with
-     * _updated: 99999, 'Date' in response header was Mon, 10 Oct 1983 00:12:48 GMT,
-     * this will make NPM always query from server
-     *
-     * Data structure also different, whel request /-/all, response is an object, but
-     * when request /-/all/since, response is an array
-     */
-    const respShouldBeArray = req.path.endsWith('/since');
-    if (!respShouldBeArray) {
-      res.set('Date', 'Mon, 10 Oct 1983 00:12:48 GMT');
-    }
-    const check_finish = function (): void {
-      if (!received_end) {
-        return;
-      }
-      if (processing_pkgs) {
-        return;
-      }
-      if (response_finished) {
-        return;
-      }
-      response_finished = true;
-      if (respShouldBeArray) {
-        res.end(']\n');
-      } else {
-        res.end('}\n');
-      }
-    };
-
-    if (respShouldBeArray) {
-      res.write('[');
-    } else {
-      res.write('{"_updated":' + 99999);
-    }
-
-    const stream = storage.search(req.query.startkey || 0, { req: req });
-
-    stream.on('data', function each(pkg) {
-      processing_pkgs++;
-
-      auth.allow_access({ packageName: pkg.name }, req.remote_user, function (err, allowed) {
-        processing_pkgs--;
-
-        if (err) {
-          if (err.status && String(err.status).match(/^4\d\d$/)) {
-            // auth plugin returns 4xx user error,
-            // that's equivalent of !allowed basically
-            allowed = false;
-          } else {
-            stream.abort(err);
-          }
-        }
-
-        if (allowed) {
-          if (respShouldBeArray) {
-            res.write(`${firstPackage ? '' : ','}${JSON.stringify(pkg)}\n`);
-            if (firstPackage) {
-              firstPackage = false;
-            }
-          } else {
-            res.write(',\n' + JSON.stringify(pkg.name) + ':' + JSON.stringify(pkg));
-          }
-        }
-
-        check_finish();
-      });
-    });
-
-    stream.on('error', function (err) {
-      logger.error('search `/-/all endpoint has failed @{err}', err);
-      received_end = true;
-      check_finish();
-    });
-
-    stream.on('end', function () {
-      received_end = true;
-      check_finish();
-    });
+  route.get('/-/all(/since)?', function (_req, res) {
+    logger.warn('search endpoint has been removed, please use search v1');
+    res.status(HTTP_STATUS.NOT_FOUND);
+    res.json({ error: 'not found, endpoint removed' });
   });
 }

src/api/endpoint/api/user.ts

@@ -107,21 +107,5 @@ export default function (route: Router, auth: Auth, config: Config): void {
     }
   );
 
-  // placeholder 'cause npm require to be authenticated to publish
-  // we do not do any real authentication yet
-  userRouter.post(
-    '/_session',
-    Cookies.express(),
-    function (req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer): void {
-      res.cookies.set('AuthSession', String(Math.random()), createSessionToken());
-
-      next({
-        ok: true,
-        name: 'somebody',
-        roles: [],
-      });
-    }
-  );
-
   route.use(userRouter);
 }

src/api/endpoint/api/v1/profile.ts

@@ -21,8 +21,7 @@ export interface Profile {
   fullname: string;
 }
 
-export default function (auth: Auth, config: ConfigYaml): Router {
-  const profileRoute = Router(); /* eslint new-cap: 0 */
+export default function (router: Router, auth: Auth, config: ConfigYaml) {
   function buildProfile(name: string): Profile {
     return {
       tfa: false,
@@ -36,8 +35,8 @@ export default function (auth: Auth, config: ConfigYaml): Router {
     };
   }
 
-  profileRoute.get(
-    '/user',
+  router.get(
+    '/-/npm/v1/user',
     rateLimit(config?.userRateLimit),
     function (req: $RequestExtend, res: Response, next: $NextFunctionVer): void {
       if (_.isNil(req.remote_user.name) === false) {
@@ -51,8 +50,8 @@ export default function (auth: Auth, config: ConfigYaml): Router {
     }
   );
 
-  profileRoute.post(
-    '/user',
+  router.post(
+    '/-/npm/v1/user',
     rateLimit(config?.userRateLimit),
     function (req: $RequestExtend, res: Response, next: $NextFunctionVer): void {
       if (_.isNil(req.remote_user.name)) {
@@ -98,6 +97,4 @@ export default function (auth: Auth, config: ConfigYaml): Router {
       }
     }
   );
-
-  return profileRoute;
 }

src/api/endpoint/api/v1/token.ts

@@ -27,10 +27,9 @@ function normalizeToken(token: Token): NormalizeToken {
 }
 
 // https://github.com/npm/npm-profile/blob/latest/lib/index.js
-export default function (auth: Auth, storage: Storage, config: Config): Router {
-  const tokenRoute = Router(); /* eslint new-cap: 0 */
-  tokenRoute.get(
-    '/tokens',
+export default function (router: Router, auth: Auth, storage: Storage, config: Config) {
+  router.get(
+    '/-/npm/v1/tokens',
     rateLimit(config?.userRateLimit),
     async function (req: $RequestExtend, res: Response, next: $NextFunctionVer) {
       const { name } = req.remote_user;
@@ -56,8 +55,8 @@ export default function (auth: Auth, storage: Storage, config: Config): Router {
     }
   );
 
-  tokenRoute.post(
-    '/tokens',
+  router.post(
+    '/-/npm/v1/tokens',
     rateLimit(config?.userRateLimit),
     function (req: $RequestExtend, res: Response, next: $NextFunctionVer) {
       const { password, readonly, cidr_whitelist } = req.body;
@@ -122,8 +121,8 @@ export default function (auth: Auth, storage: Storage, config: Config): Router {
     }
   );
 
-  tokenRoute.delete(
-    '/tokens/token/:tokenKey',
+  router.delete(
+    '/-/npm/v1/tokens/token/:tokenKey',
     rateLimit(config?.userRateLimit),
     async (req: $RequestExtend, res: Response, next: $NextFunctionVer) => {
       const {
@@ -145,6 +144,4 @@ export default function (auth: Auth, storage: Storage, config: Config): Router {
       return next(ErrorCode.getUnauthorized());
     }
   );
-
-  return tokenRoute;
 }

src/api/endpoint/api/whoami.ts

@@ -3,14 +3,6 @@ import { Response, Router } from 'express';
 import { $NextFunctionVer, $RequestExtend } from '../../../types';
 
 export default function (route: Router): void {
-  route.get('/whoami', (req: $RequestExtend, res: Response, next: $NextFunctionVer): void => {
-    if (req.get('referer') === 'whoami') {
-      next({ username: req.remote_user.name });
-    } else {
-      next('route');
-    }
-  });
-
   route.get('/-/whoami', (req: $RequestExtend, res: Response, next: $NextFunctionVer): any => {
     next({ username: req.remote_user.name });
   });

src/api/endpoint/index.ts

@@ -11,8 +11,9 @@ import publish from './api/publish';
 import search from './api/search';
 import stars from './api/stars';
 import user from './api/user';
-import npmV1 from './api/v1';
+import profile from './api/v1/profile';
 import v1Search from './api/v1/search';
+import token from './api/v1/token';
 import whoami from './api/whoami';
 
 const {
@@ -46,16 +47,16 @@ export default function (config: Config, auth: Auth, storage: Storage) {
   app.use(antiLoop(config));
   // encode / in a scoped package name to be matched as a single parameter in routes
   app.use(encodeScopePackage);
-  // for "npm whoami"
   whoami(app);
-  pkg(app, auth, storage, config);
-  search(app, auth, storage);
+  profile(app, auth, config);
+  search(app);
+  user(app, auth, config);
   distTags(app, auth, storage);
   publish(app, auth, storage, config);
   ping(app);
   stars(app, storage);
   v1Search(app, auth, storage);
-  user(app, auth, config);
-  app.use(npmV1(auth, storage, config));
+  token(app, auth, storage, config);
+  pkg(app, auth, storage, config);
   return app;
 }