Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is anonymous publishing allowed? #212

Closed
mattwwarren opened this issue Jun 14, 2017 · 9 comments

Comments

Projects
None yet
4 participants
@mattwwarren
Copy link

commented Jun 14, 2017

My reason:

We recently switched to sinopia to verdaccio (had an issue with scoped packages and discovered sinopia was dead) and we were able to move to a private network server.

In an attempt to make my developers' lives easier, I thought I could set $all for access and publish in our config. But it would seem no one can publish packages at the moment.

Steps to reproduce:

Using the config below, attempt to publish a package.

App Version:

Current docker release

Config file:

# path to a directory with all packages
storage: /verdaccio/storage
max_body_size: 10mb

auth:

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $all
    proxy: npmjs

  '**':
    access: $all
    publish: $all
    proxy: npmjs

# log settings
logs:
  - {type: stdout, format: pretty, level: http}
@mattwwarren

This comment has been minimized.

Copy link
Author

commented Jun 14, 2017

After a little playing around, I'm fairly certain this is an npm configuration problem and not a verdaccio problem.

I had to enter fake auth information in my npmrc and now it works.

@juanpicado

This comment has been minimized.

Copy link
Member

commented Jun 14, 2017

@mattwwarren that's right. According https://github.com/npm/npm-registry-client/blob/master/lib/publish.js#L27 a token must be present in the npm publish request header. What I do is just fake one in the .npmrc file as:

//localhost:4873/:_authToken="fooBar"

Dirty hack, but it's a npm "issue".

@juanpicado

This comment has been minimized.

Copy link
Member

commented Jun 14, 2017

but ... yarn seems be more "permissive". I've removed the .npmrc token and then

&> yarn publish --registry http://localhost:4873/

// and in the config file I set (config.yaml)
publish: $authenticated
yarn publish v0.24.5
[1/4] Bumping version...
info Current version: 1.1.1
question New version: 1.2.1
info New version: 1.2.1
[2/4] Logging in...
[3/4] Publishing...
error An unexpected error occurred: "http://localhost:4873/npm_test: unregistered users are not allowed to publish package npm_test".
info If you think this is a bug, please open a bug report with the information provided in "/Users/user/projects/npm_test/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.

It fails as is expected, but, then with publish: $all I tried again and it worked out, no token is required, but yarn notify you the token is missing.

yarn publish v0.24.5
[1/4] Bumping version...
info Current version: 1.2.1
question New version: 1.3.1
info New version: 1.3.1
[2/4] Logging in...
[3/4] Publishing...
success Published.
[4/4] Revoking token...
info Not revoking login token, specified via config file.
✨  Done in 5.17s.

So, it seems the workaround seems to be either use yarn or the dirty hack.

@Meeeeow

This comment has been minimized.

Copy link
Member

commented Jun 15, 2017

@mattwwarren Hi, Can login with any username and password mean you have not disabled sign up feature. Just set max_users to -1

@mattwwarren

This comment has been minimized.

Copy link
Author

commented Jun 15, 2017

@juanpicado thanks for the tip about yarn. Many of my developers are switching to it and this will make them very happy.

@Meeeeow I also tried with max_users: -1 but as juan pointed out in the npm-registry-client lib, my request never even made it to the server.

In light of all this information, I'm going to close this issue. Thanks for the responses, all.

@JamesWebDev

This comment has been minimized.

Copy link

commented Jun 15, 2017

@mattwwarren fyi in npm@5 now has a lock file like yarn, and is faster now than Yarn, and defaults to --save like yarn, so I don't know if there are any reasons to use Yarn anymore, and your developers might all switch back to npm

@juanpicado

This comment has been minimized.

Copy link
Member

commented Jun 15, 2017

@JamesWebDev Does npm5 allows publish without has a token at .npmrc before ?

@Meeeeow

This comment has been minimized.

Copy link
Member

commented Jun 15, 2017

snipaste_20170616_003033
snipaste_20170616_003447

@juanpicado No, npm say need auth to publish package
@mattwwarren Maybe your request sent to a different server? I can't login with fake credential. And it was sent to verdaccio server.

@lock

This comment has been minimized.

Copy link

commented Jul 24, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot added the outdated label Jul 24, 2018

@lock lock bot locked as resolved and limited conversation to collaborators Jul 24, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.