cannot unpublish a package

[p3x-robot]

My reason:

Cannot unpublish a package

Steps to reproduce:

For example, if I logout form Verdaccio, I see:

I login and it looks like this:

root@srv1:~# npm config get registry
https://npm.ngivr.sygnus.hu/
root@srv1:~# npm unpublish --force ng-ivr-material --registry https://npm.ngivr.sygnus.hu
npm WARN using --force I sure hope you know what you are doing.
- ng-ivr-material

Then I check if it is unpublished:

I see the log say this:

http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(192.168.140.88 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material

But of course if i log out and try to install this package I cannot install, but if I login with npm login --registry https://npm.ngivr.sygnus.hu, I can install this package.

App Version:

root@srv1:~# verdaccio --version
Verdaccio doesn't need superuser privileges. Don't run it under root.
2.7.4
root@srv1:~# npm -v
5.6.0
root@srv1:~# verdaccio --version
Verdaccio doesn't need superuser privileges. Don't run it under root.
2.7.4

Config file:

#
# This is the default config file. It allows all users to do anything,
# so don't use it on production systems.
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: /home/www/npm.ngivr.sygnus.hu/npm/storage

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    max_users: -1

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/
#    url: https://registry.yarnpkg.com

packages:
  '@*/*':
    # scoped packages
#    access: $all
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $authenticated
#    access: $all

    # allow all known users to publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

# log settings
logs:
#  - {type: stdout, format: pretty, level: http}
  - {type: file, format: pretty, path: /home/www/npm.ngivr.sygnus.hu/npm/log/verdaccio.log, level: http }

url_prefix: https://npm.ngivr.sygnus.hu

listen:
# - localhost:4873            # default value
# - http://localhost:4873     # same thing
 - 0.0.0.0:4873              # listen on all addresses (INADDR_ANY)
# - https://example.org:4873  # if you want to use https
# - [::1]:4873                # ipv6
# - unix:/tmp/verdaccio.sock    # unix socket

Additional information:

• $ set DEBUG=express:* verdaccio enable extreme verdaccio debug mode

express:router dispatching PUT /-/user/org.couchdb.user:sygnus +46s
  express:router query  : /-/user/org.couchdb.user:sygnus +2ms
  express:router expressInit  : /-/user/org.couchdb.user:sygnus +0ms
  express:router corsMiddleware  : /-/user/org.couchdb.user:sygnus +1ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +1ms
  express:router error_reporting_middleware  : /-/user/org.couchdb.user:sygnus +1ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +0ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +1ms
  express:router compression  : /-/user/org.couchdb.user:sygnus +0ms
  express:router router  : /-/user/org.couchdb.user:sygnus +0ms
  express:router dispatching PUT /-/user/org.couchdb.user:sygnus +1ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +0ms
  express:router jsonParser  : /-/user/org.couchdb.user:sygnus +0ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +24ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +0ms
  express:router router  : /-/user/org.couchdb.user:sygnus +4ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +0ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +1ms
  express:router dispatching GET /ng-ivr-material?write=true +49s
  express:router query  : /ng-ivr-material?write=true +1ms
  express:router expressInit  : /ng-ivr-material?write=true +0ms
  express:router corsMiddleware  : /ng-ivr-material?write=true +1ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router error_reporting_middleware  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router compression  : /ng-ivr-material?write=true +0ms
  express:router router  : /ng-ivr-material?write=true +0ms
  express:router dispatching GET /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router jsonParser  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router router  : /ng-ivr-material?write=true +1ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router dispatching GET /ng-ivr-material?write=true +14s
  express:router query  : /ng-ivr-material?write=true +0ms
  express:router expressInit  : /ng-ivr-material?write=true +0ms
  express:router corsMiddleware  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +1ms
  express:router error_reporting_middleware  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router compression  : /ng-ivr-material?write=true +0ms
  express:router router  : /ng-ivr-material?write=true +0ms
  express:router dispatching GET /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router jsonParser  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +1ms
  express:router router  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms

• $ npm --verbose prints:

npm info it worked if it ends with ok
npm verb cli [ '/usr/bin/node', '/usr/bin/npm', '--verbose' ]
npm info using npm@5.6.0
npm info using node@v9.5.0

Usage: npm <command>

where <command> is one of:
    access, adduser, bin, bugs, c, cache, completion, config,
    ddp, dedupe, deprecate, dist-tag, docs, doctor, edit,
    explore, get, help, help-search, i, init, install,
    install-test, it, link, list, ln, login, logout, ls,
    outdated, owner, pack, ping, prefix, profile, prune,
    publish, rb, rebuild, repo, restart, root, run, run-script,
    s, se, search, set, shrinkwrap, star, stars, start, stop, t,
    team, test, token, tst, un, uninstall, unpublish, unstar,
    up, update, v, version, view, whoami

npm <command> -h     quick help on <command>
npm -l           display full usage info
npm help <term>  search for help on <term>
npm help npm     involved overview

Specify configs in the ini-formatted file:
    /root/.npmrc
or on the command line via: npm <command> --key value
Config info can be viewed via: npm help config

• $ npm config get registry prints:

https://npm.ngivr.sygnus.hu/

• Verdaccio terminal output

http <-- 409, user: undefined(127.0.0.1 via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:sygnus', error: maximum amount of users reached
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material

This maximum amount of users reached is weird, because i am not trying to register, so I set it to -1. I set to 1, but the same error:

http <-- 409, user: undefined(127.0.0.1 via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:sygnus', error: maximum amount of users reached
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material

• Windows, OS X/macOS, or Linux?: LINUX
• Verdaccio configuration file, eg: cat ~/.config/verdaccio/config.yaml

Provided already.

Additional verbose log:

patrikx3@workstation:~/Projects/sygnus/ng-ivr$ npm unpublish --force ng-ivr-material --registry https://npm.ngivr.sygnus.hu --verbose
npm info it worked if it ends with ok
npm verb cli [ '/usr/bin/node',
npm verb cli   '/usr/bin/npm',
npm verb cli   'unpublish',
npm verb cli   '--force',
npm verb cli   'ng-ivr-material',
npm verb cli   '--registry',
npm verb cli   'https://npm.ngivr.sygnus.hu',
npm verb cli   '--verbose' ]
npm info using npm@5.6.0
npm info using node@v9.5.0
npm WARN using --force I sure hope you know what you are doing.
npm verb getPublishConfig null
npm verb request uri https://npm.ngivr.sygnus.hu/ng-ivr-material?write=true
npm verb request no auth needed
npm info attempt registry request try #1 at 10:28:04
npm verb request id 0e7bfed3b87acaa2
npm http request GET https://npm.ngivr.sygnus.hu/ng-ivr-material?write=true
npm http 403 https://npm.ngivr.sygnus.hu/ng-ivr-material?write=true
npm verb headers { server: 'nginx/1.10.3 (Ubuntu)',
npm verb headers   date: 'Fri, 16 Feb 2018 09:28:04 GMT',
npm verb headers   'content-type': 'application/json; charset=utf-8',
npm verb headers   'content-length': '86',
npm verb headers   connection: 'keep-alive',
npm verb headers   'x-powered-by': 'verdaccio/2.7.4',
npm verb headers   'access-control-allow-origin': '*',
npm verb headers   etag: 'W/"56-Av/ucDEVjfs/tBlvvcbE8cwTk24"',
npm verb headers   vary: 'Accept-Encoding',
npm verb headers   'x-status-cat': 'http://flic.kr/p/aV6jFK' }
npm info unpublish https://npm.ngivr.sygnus.hu/ng-ivr-material not published
- ng-ivr-material
npm verb exit [ 0, true ]
npm info ok 

[p3x-robot]

I think, something changed in NPM 5.6.0 because with Verdaccio the authToken is not generated.

Instead, now, it looks like this:

//registry.npmjs.org/:_authToken=********-****-****-****-********
//npm.patrikx3.com/:_authToken="*******************************************="
//registry.yarnpkg.com/:_authToken=********-****-****-****-********
config=registry
//npm.ngivr.sygnus.hu/:always-auth=false
//npm.ngivr.sygnus.hu/:_password=****************
//npm.ngivr.sygnus.hu/:username=sygnus
//npm.ngivr.sygnus.hu/:email=secure@email.com

[p3x-robot]

Right now, the only solution is like this:

docker run --rm -it node:9.2.0-alpine sh
/ # npm login --registry https://npm.company.com
Username: admin
Password:
Email: (this IS public) admin@company.com
Logged in as admin on https://npm.company.com/.
/ # cat ~/.npmrc
//npm.company.com/:_authToken=Rwl9t+GHjlgP+brFJ6WycIe1y6r3Z+ShUEqsLusmFC11w3n6ex8JdmkMoKv/0U/D
/ #

[p3x-robot]

Another solution is like this:

# project .npmrc
registry = "https://registry.acmeco.com"
ca = null
always-auth = true

[juanpicado]

Related or possible duplicated #509

[juanpicado]

@p3x-robot please check whether is a dupe and close this one and let's follow up #509

btw. amazing ;-) detailed bug description.

[PhilThurston]

We still cannot unpublish packages. and think that this issue should be repopened since #509 is solved

Even though tokens are properly generated now it looks like we still cannot unpublish packages

ubuntu@npm:~$ verdaccio --version
3.2.0
ubuntu@npm:~$ npm -v
6.1.0

[PhilThurston]

I'm so sorry. I spoke before double checking my work. It turns out there was an HTTP authentication issue happening after checking stdout. Thanks for the help we were able to upublish.

[juanpicado]

No problem @PhilThurston thanks for reporting! 👍