New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cannot unpublish a package #577

Closed
p3x-robot opened this Issue Feb 16, 2018 · 8 comments

Comments

Projects
None yet
4 participants
@p3x-robot

p3x-robot commented Feb 16, 2018

My reason:

Cannot unpublish a package

Steps to reproduce:

For example, if I logout form Verdaccio, I see:
image

I login and it looks like this:
image

root@srv1:~# npm config get registry
https://npm.ngivr.sygnus.hu/
root@srv1:~# npm unpublish --force ng-ivr-material --registry https://npm.ngivr.sygnus.hu
npm WARN using --force I sure hope you know what you are doing.
- ng-ivr-material

Then I check if it is unpublished:
image

I see the log say this:

http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(192.168.140.88 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material

But of course if i log out and try to install this package I cannot install, but if I login with npm login --registry https://npm.ngivr.sygnus.hu, I can install this package.

App Version:

root@srv1:~# verdaccio --version
Verdaccio doesn't need superuser privileges. Don't run it under root.
2.7.4
root@srv1:~# npm -v
5.6.0
root@srv1:~# verdaccio --version
Verdaccio doesn't need superuser privileges. Don't run it under root.
2.7.4

Config file:

#
# This is the default config file. It allows all users to do anything,
# so don't use it on production systems.
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: /home/www/npm.ngivr.sygnus.hu/npm/storage

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    max_users: -1

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/
#    url: https://registry.yarnpkg.com

packages:
  '@*/*':
    # scoped packages
#    access: $all
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $authenticated
#    access: $all

    # allow all known users to publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

# log settings
logs:
#  - {type: stdout, format: pretty, level: http}
  - {type: file, format: pretty, path: /home/www/npm.ngivr.sygnus.hu/npm/log/verdaccio.log, level: http }

url_prefix: https://npm.ngivr.sygnus.hu

listen:
# - localhost:4873            # default value
# - http://localhost:4873     # same thing
 - 0.0.0.0:4873              # listen on all addresses (INADDR_ANY)
# - https://example.org:4873  # if you want to use https
# - [::1]:4873                # ipv6
# - unix:/tmp/verdaccio.sock    # unix socket

Additional information:

  • $ set DEBUG=express:* verdaccio enable extreme verdaccio debug mode
express:router dispatching PUT /-/user/org.couchdb.user:sygnus +46s
  express:router query  : /-/user/org.couchdb.user:sygnus +2ms
  express:router expressInit  : /-/user/org.couchdb.user:sygnus +0ms
  express:router corsMiddleware  : /-/user/org.couchdb.user:sygnus +1ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +1ms
  express:router error_reporting_middleware  : /-/user/org.couchdb.user:sygnus +1ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +0ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +1ms
  express:router compression  : /-/user/org.couchdb.user:sygnus +0ms
  express:router router  : /-/user/org.couchdb.user:sygnus +0ms
  express:router dispatching PUT /-/user/org.couchdb.user:sygnus +1ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +0ms
  express:router jsonParser  : /-/user/org.couchdb.user:sygnus +0ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +24ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +0ms
  express:router router  : /-/user/org.couchdb.user:sygnus +4ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +0ms
  express:router <anonymous>  : /-/user/org.couchdb.user:sygnus +1ms
  express:router dispatching GET /ng-ivr-material?write=true +49s
  express:router query  : /ng-ivr-material?write=true +1ms
  express:router expressInit  : /ng-ivr-material?write=true +0ms
  express:router corsMiddleware  : /ng-ivr-material?write=true +1ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router error_reporting_middleware  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router compression  : /ng-ivr-material?write=true +0ms
  express:router router  : /ng-ivr-material?write=true +0ms
  express:router dispatching GET /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router jsonParser  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router router  : /ng-ivr-material?write=true +1ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router dispatching GET /ng-ivr-material?write=true +14s
  express:router query  : /ng-ivr-material?write=true +0ms
  express:router expressInit  : /ng-ivr-material?write=true +0ms
  express:router corsMiddleware  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +1ms
  express:router error_reporting_middleware  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router compression  : /ng-ivr-material?write=true +0ms
  express:router router  : /ng-ivr-material?write=true +0ms
  express:router dispatching GET /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router jsonParser  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +1ms
  express:router router  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  express:router <anonymous>  : /ng-ivr-material?write=true +0ms
  • $ npm --verbose prints:
npm info it worked if it ends with ok
npm verb cli [ '/usr/bin/node', '/usr/bin/npm', '--verbose' ]
npm info using npm@5.6.0
npm info using node@v9.5.0

Usage: npm <command>

where <command> is one of:
    access, adduser, bin, bugs, c, cache, completion, config,
    ddp, dedupe, deprecate, dist-tag, docs, doctor, edit,
    explore, get, help, help-search, i, init, install,
    install-test, it, link, list, ln, login, logout, ls,
    outdated, owner, pack, ping, prefix, profile, prune,
    publish, rb, rebuild, repo, restart, root, run, run-script,
    s, se, search, set, shrinkwrap, star, stars, start, stop, t,
    team, test, token, tst, un, uninstall, unpublish, unstar,
    up, update, v, version, view, whoami

npm <command> -h     quick help on <command>
npm -l           display full usage info
npm help <term>  search for help on <term>
npm help npm     involved overview

Specify configs in the ini-formatted file:
    /root/.npmrc
or on the command line via: npm <command> --key value
Config info can be viewed via: npm help config
  • $ npm config get registry prints:

https://npm.ngivr.sygnus.hu/

  • Verdaccio terminal output
http <-- 409, user: undefined(127.0.0.1 via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:sygnus', error: maximum amount of users reached
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material

This maximum amount of users reached is weird, because i am not trying to register, so I set it to -1. I set to 1, but the same error:

http <-- 409, user: undefined(127.0.0.1 via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:sygnus', error: maximum amount of users reached
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
 http <-- 403, user: undefined(127.0.0.1 via 127.0.0.1), req: 'GET /ng-ivr-material?write=true', error: unregistered users are not allowed to access package ng-ivr-material
  • Windows, OS X/macOS, or Linux?: LINUX
  • Verdaccio configuration file, eg: cat ~/.config/verdaccio/config.yaml

Provided already.

Additional verbose log:

patrikx3@workstation:~/Projects/sygnus/ng-ivr$ npm unpublish --force ng-ivr-material --registry https://npm.ngivr.sygnus.hu --verbose
npm info it worked if it ends with ok
npm verb cli [ '/usr/bin/node',
npm verb cli   '/usr/bin/npm',
npm verb cli   'unpublish',
npm verb cli   '--force',
npm verb cli   'ng-ivr-material',
npm verb cli   '--registry',
npm verb cli   'https://npm.ngivr.sygnus.hu',
npm verb cli   '--verbose' ]
npm info using npm@5.6.0
npm info using node@v9.5.0
npm WARN using --force I sure hope you know what you are doing.
npm verb getPublishConfig null
npm verb request uri https://npm.ngivr.sygnus.hu/ng-ivr-material?write=true
npm verb request no auth needed
npm info attempt registry request try #1 at 10:28:04
npm verb request id 0e7bfed3b87acaa2
npm http request GET https://npm.ngivr.sygnus.hu/ng-ivr-material?write=true
npm http 403 https://npm.ngivr.sygnus.hu/ng-ivr-material?write=true
npm verb headers { server: 'nginx/1.10.3 (Ubuntu)',
npm verb headers   date: 'Fri, 16 Feb 2018 09:28:04 GMT',
npm verb headers   'content-type': 'application/json; charset=utf-8',
npm verb headers   'content-length': '86',
npm verb headers   connection: 'keep-alive',
npm verb headers   'x-powered-by': 'verdaccio/2.7.4',
npm verb headers   'access-control-allow-origin': '*',
npm verb headers   etag: 'W/"56-Av/ucDEVjfs/tBlvvcbE8cwTk24"',
npm verb headers   vary: 'Accept-Encoding',
npm verb headers   'x-status-cat': 'http://flic.kr/p/aV6jFK' }
npm info unpublish https://npm.ngivr.sygnus.hu/ng-ivr-material not published
- ng-ivr-material
npm verb exit [ 0, true ]
npm info ok 
@p3x-robot

This comment has been minimized.

p3x-robot commented Feb 16, 2018

I think, something changed in NPM 5.6.0 because with Verdaccio the authToken is not generated.

Instead, now, it looks like this:

//registry.npmjs.org/:_authToken=********-****-****-****-********
//npm.patrikx3.com/:_authToken="*******************************************="
//registry.yarnpkg.com/:_authToken=********-****-****-****-********
config=registry
//npm.ngivr.sygnus.hu/:always-auth=false
//npm.ngivr.sygnus.hu/:_password=****************
//npm.ngivr.sygnus.hu/:username=sygnus
//npm.ngivr.sygnus.hu/:email=secure@email.com
@p3x-robot

This comment has been minimized.

p3x-robot commented Feb 16, 2018

Right now, the only solution is like this:

docker run --rm -it node:9.2.0-alpine sh
/ # npm login --registry https://npm.company.com
Username: admin
Password:
Email: (this IS public) admin@company.com
Logged in as admin on https://npm.company.com/.
/ # cat ~/.npmrc
//npm.company.com/:_authToken=Rwl9t+GHjlgP+brFJ6WycIe1y6r3Z+ShUEqsLusmFC11w3n6ex8JdmkMoKv/0U/D
/ #
@p3x-robot

This comment has been minimized.

p3x-robot commented Feb 16, 2018

Another solution is like this:

# project .npmrc
registry = "https://registry.acmeco.com"
ca = null
always-auth = true
@juanpicado

This comment has been minimized.

Member

juanpicado commented Feb 16, 2018

Related or possible duplicated #509

@juanpicado

This comment has been minimized.

Member

juanpicado commented Feb 16, 2018

@p3x-robot please check whether is a dupe and close this one and let's follow up #509

btw. amazing ;-) detailed bug description.

@p3x-robot p3x-robot closed this Mar 1, 2018

@PhilThurston

This comment has been minimized.

PhilThurston commented Jun 29, 2018

We still cannot unpublish packages. and think that this issue should be repopened since #509 is solved

Even though tokens are properly generated now it looks like we still cannot unpublish packages

ubuntu@npm:~$ verdaccio --version
3.2.0
ubuntu@npm:~$ npm -v
6.1.0
@PhilThurston

This comment has been minimized.

PhilThurston commented Jun 29, 2018

I'm so sorry. I spoke before double checking my work. It turns out there was an HTTP authentication issue happening after checking stdout. Thanks for the help we were able to upublish.

@juanpicado

This comment has been minimized.

Member

juanpicado commented Jun 29, 2018

No problem @PhilThurston thanks for reporting! 👍

@juanpicado juanpicado closed this Jun 29, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment