Registered user can't login #943

Closed
bodz1lla opened this issue Aug 23, 2018 · 32 comments
@bodz1lla

bodz1lla commented Aug 23, 2018

Log-in Bug
Hi Guys,

Maybe you can assist me regarding the following issue.
I tried to find the solution but found nothing.
Please review.

Verdaccio - 3.5.1.

  1. When the existing user is trying to log in via npm, it gets an error "username is already registered".

  2. If I disable registration with option "max_users: -1" in config.yaml, then I get an error "maximum amount of users reached".

Terminal output

$ npm login --registry=https://registry-npm.example.com
Username: test.user
Password:
Email: (this IS public) test@example.com
npm ERR! code E409
npm ERR! Registry returned 409 for PUT on https://registry-npm.example.com/-/user/org.couchdb.user:test.user: username is already registered

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/test.user/.npm/_logs/2018-08-23T12_45_12_403Z-debug.log
$ npm login --registry=https://registry-npm.example.com
Username: test.user
Password:
Email: (this IS public)
Email: (this IS public) test@example.com
npm ERR! code E403
npm ERR! Registry returned 403 for PUT on https://registry-npm.example.com/-/user/org.couchdb.user:test.user: maximum amount of users reached

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/test.user/.npm/_logs/2018-08-23T12_43_19_284Z-debug.log

Expected behavior

Log-in to Verdaccio server with a registered user.

Configuration File

web:
  # WebUI is enabled as default, if you want to disable it, just uncomment this line
  enable: true
  title: Verdaccio NPM
  logo: logo.png

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    max_users: -1

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $authenticated

    # allow all known users to publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

# To use `npm audit` uncomment the following section
middlewares:
  audit:
    enabled: true

# log settings
logs:
  - {type: stdout, format: pretty, level: http}
  #- {type: file, path: verdaccio.log, level: info}

Debugging output

$ npm login --registry=https://registry-npm.example.com -ddd
npm info it worked if it ends with ok
npm verb cli [ '/usr/local/Cellar/node/10.9.0/bin/node',
npm verb cli   '/usr/local/bin/npm',
npm verb cli   'login',
npm verb cli   '--registry=https://registry-npm.example.com',
npm verb cli   '-ddd' ]
npm info using npm@6.2.0
npm info using node@v10.9.0
npm verb config Skipping project config: /Users/test.user/.npmrc. (matches userconfig)
npm verb npm-session 821b0c437be02ea2
npm verb web login before first POST
npm http request → POST https://registry-npm.example.com/-/v1/login
npm http 404 ← Not Found (https://registry-npm.example.com/-/v1/login)
npm verb web login not supported, trying couch
Username: test.user
Password:
Email: (this IS public) test@example.com
npm verb login before first PUT { _id: 'org.couchdb.user:test.user',
npm verb login   name: 'test.user',
npm verb login   password: 'XXXXX',
npm verb login   type: 'user',
npm verb login   roles: [],
npm verb login   date: '2018-08-23T13:02:26.562Z' }
npm http request → PUT https://registry-npm.example.com/-/user/org.couchdb.user:test.user
npm http 409 ← Conflict (https://registry-npm.example.com/-/user/org.couchdb.user:test.user)
npm http request → GET https://registry-npm.example.com/-/user/org.couchdb.user:test.user?write=true
npm http 200 ← OK (https://registry-npm.example.com/-/user/org.couchdb.user:test.user?write=true)
npm http request → PUT https://registry-npm.example.com/-/user/org.couchdb.user:test.user/-rev/undefined
npm http 409 ← Conflict (https://registry-npm.example.com/-/user/org.couchdb.user:test.user/-rev/undefined)
npm verb adduser before first PUT { _id: 'org.couchdb.user:test.user',
npm verb adduser   name: 'test.user',
npm verb adduser   password: 'XXXXX',
npm verb adduser   email: '',
npm verb adduser   type: 'user',
npm verb adduser   roles: [],
npm verb adduser   date: '2018-08-23T13:02:26.622Z' }
npm http request → PUT https://registry-npm.example.com/-/user/org.couchdb.user:test.user
npm http 409 ← Conflict (https://registry-npm.example.com/-/user/org.couchdb.user:test.user)
npm verb stack Error: Registry returned 409 for PUT on https://registry-npm.example.com/-/user/org.couchdb.user:test.user: username is already registered
npm verb stack     at fetch.defaults.catch.then.then.result (/usr/local/lib/node_modules/npm/node_modules/npm-profile/index.js:376:13)
npm verb stack     at process._tickCallback (internal/process/next_tick.js:68:7)
npm verb statusCode 409
npm verb cwd /Users/test.user
npm verb Darwin 17.6.0
npm verb argv "/usr/local/Cellar/node/10.9.0/bin/node" "/usr/local/bin/npm" "login" "--registry=https://registry-npm.example.com" "-ddd"
npm verb node v10.9.0
npm verb npm  v6.2.0
npm ERR! code E409
npm ERR! Registry returned 409 for PUT on https://registry-npm.example.com/-/user/org.couchdb.user:test.user: username is already registered
npm verb exit [ 1, true ]
npm timing npm Completed in 17112ms

Temporary solution

Logging in with the registered user is only possible if access and publish are allowed to all, anonymous in config.yaml.

access: $all, $anonymous
publish: $all

But it's not secure.

@juanpicado
Member

@bodz1lla please provide version

@bodz1lla
Author

@juanpicado yes, please.

$ verdaccio -V
3.5.1

Also, added to an issue.

@ayusharma
Member

I am not able to replicate it.

@bodz1lla
Author

bodz1lla commented Aug 28, 2018

@ayusharma
That's strange. Did you try with the same version?
I also use Apache proxy on the front and pm2 as service runner.
Please review the configuration file.
Thanks.

<VirtualHost *:80>
  ServerName registry-npm.example.com

  ## Vhost docroot
  DocumentRoot "/var/www"

  ## Directories, there should at least be a declaration for /var/www

  <Directory "/var/www">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Load additional static includes
  Include "includes/general_settings"

  ## Load additional static includes
  Include "includes/ssl"

  ## Logging
  ErrorLog "/var/log/httpd/registry-npm.example.com-80_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/registry-npm.example.com-80_access_ssl.log" combined

  ## Custom fragment

        <Location />
        Require all granted
        ProxyPassReverse http://127.0.0.1:4873/
        ProxyPassReverse http://registry-npm.example.com/
        </Location>
        RequestHeader unset Authorization
        ProxyRequests     Off
        ProxyPreserveHost On
        RewriteEngine On
        AllowEncodedSlashes NoDecode
        <Proxy>
        Order deny,allow
        Allow from all
        </Proxy>

        ProxyPass         /  http://127.0.0.1:4873/ nocanon
        ProxyPassReverse  /  http://127.0.0.1:4873/
</VirtualHost>

@ayusharma ayusharma self-assigned this Aug 28, 2018
@cara

cara commented Aug 29, 2018

I'm getting the same error with verdaccio version 3.7.1 in docker with a nginx proxy
config.yaml:

 storage: ./storage
 auth:
   htpasswd:
     file: ./htpasswd
     max_users:  10 # later: -1
 uplinks:
   npmjs:
     url: https://registry.npmjs.org/
 packages:
   '@*/*':
     access: $authenticated
     publish: $authenticated
     proxy: npmjs
   '**':
     access: $authenticated
     publish: $authenticated    
     proxy: npmjs
 logs:
   - {type: stdout, format: pretty, level: http}

npm -v: 6.2.0

I start with 10 max_users:

npm adduser --registry reg.url
Username: severin
Password:
Email: (this IS public) mail@mail.de

Now I change config to -1 max_users and restart the docker container

npm logout --registry reg.url
npm adduser --registry reg.url
Username: severin
Password:
Email: (this IS public) mail@mail.de

Response:

npm ERR! code E403
npm ERR! Registry returned 403 for PUT on reg.url/-/user/org.couchdb.user:severin: maximum amount of users reached

Long Version:

npm adduser --registry reg.url/ -ddd
npm info it worked if it ends with ok
npm verb cli [ '/Users/severin/.nvm/versions/node/v8.9.4/bin/node',
npm verb cli '/Users/severin/.nvm/versions/node/v8.9.4/bin/npm',
npm verb cli 'adduser',
npm verb cli '--registry',
npm verb cli 'reg.url/',
npm verb cli '-ddd' ]
npm info using npm@6.2.0
npm info using node@v8.9.4
npm verb npm-session c6426685ef223b0b
npm verb web login before first POST
npm http request → POST reg.url/-/v1/login
npm http 404 ← Not Found (reg.url/-/v1/login)
npm verb web login not supported, trying couch

Username: severin
Password:
Email: (this IS public) mail@mail.de
npm verb login before first PUT { _id: 'org.couchdb.user:severin',
npm verb login name: 'severin',
npm verb login password: 'XXXXX',
npm verb login type: 'user',
npm verb login roles: [],
npm verb login date: '2018-08-29T18:01:31.992Z' }
npm http request → PUT reg.url/-/user/org.couchdb.user:severin
npm http 403 ← Forbidden (reg.url/-/user/org.couchdb.user:severin)
npm verb adduser before first PUT { _id: 'org.couchdb.user:severin',
npm verb adduser name: 'severin',
npm verb adduser password: 'XXXXX',
npm verb adduser email: 'mail@mail.de',
npm verb adduser type: 'user',
npm verb adduser roles: [],
npm verb adduser date: '2018-08-29T18:01:32.141Z' }
npm http request → PUT reg.url/-/user/org.couchdb.user:severin
npm http 403 ← Forbidden (reg.url/-/user/org.couchdb.user:severin)
npm verb stack Error: Registry returned 403 for PUT on reg.url/-/user/org.couchdb.user:severin: maximum amount of users reached
npm verb stack at fetch.defaults.catch.then.then.result (/Users/severin/.nvm/versions/node/v8.9.4/lib/node_modules/npm/node_modules/npm-profile/index.js:376:13)
npm verb stack at
npm verb stack at process._tickCallback (internal/process/next_tick.js:188:7)
npm verb statusCode 403
npm verb cwd /Users/severin/Server/test
npm verb Darwin 17.7.0
npm verb argv "/Users/severin/.nvm/versions/node/v8.9.4/bin/node" "/Users/severin/.nvm/versions/node/v8.9.4/bin/npm" "adduser" "--registry" "reg.url/" "-ddd"
npm verb node v8.9.4
npm verb npm v6.2.0
npm ERR! code E403
npm ERR! Registry returned 403 for PUT on reg.url/-/user/org.couchdb.user:severin: maximum amount of users reached
npm verb exit [ 1, true ]
npm timing npm Completed in 19846ms

Server Log:

http <-- 201, user: severin(11.111.111.11 via 172.17.0.4), req: 'PUT /-/user/org.couchdb.user:severin/-rev/undefined', bytes: 182/108
warn --- config file - /verdaccio/conf/config.yaml
warn --- Plugin successfully loaded: htpasswd
warn --- http address - http://0.0.0.0:4873/ - verdaccio/3.7.1
(node:5) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
http <-- 200, user: severin(11.111.111.11 via 172.17.0.4), req: 'DELETE /-/user/token/4h0bpV6K0tTBinz3KiJqqjtwu3LI/8lSy6JnCzY7nwc=', bytes: 0/25
http <-- 200, user: severin(11.111.111.11 via 172.17.0.4), req: 'DELETE /-/user/token/4h0bpV6K0tTBinz3KiJqqjtwu3LI/8lSy6JnCzY7nwc=', bytes: 0/25
warn --- config file - /verdaccio/conf/config.yaml
warn --- Plugin successfully loaded: htpasswd
warn --- http address - http://0.0.0.0:4873/ - verdaccio/3.7.1
http <-- 404, user: null(11.111.111.11 via 172.17.0.4), req: 'POST /-/v1/login', bytes: 22/150
http <-- 404, user: null(11.111.111.11 via 172.17.0.4), req: 'POST /-/v1/login', bytes: 22/150
http <-- 403, user: null(11.111.111.11 via 172.17.0.4), req: 'PUT /-/user/org.couchdb.user:severin', error: maximum amount of users reached
(node:5) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
http <-- 403, user: null(11.111.111.11 via 172.17.0.4), req: 'PUT /-/user/org.couchdb.user:severin', error: maximum amount of users reached

@ayusharma
Member

ayusharma commented Sep 21, 2018

@bodz1lla @cara Please reopen the issue if you are still facing the problem. I am not able to reproduce it.

@michaelfig

I can reproduce by setting max_users to 10, running "npm login" successfully, then setting max_users back to -1 and running "npm login" again, which fails due to the "error:maximum amount of users reached" even though I used identical credentials and e-mail.

@juanpicado
Member

@michaelfig please provide your env info, version, etc.

@michaelfig

I'll try to get you exact steps to reproduce, but for now:

Kubernetes Helm chart 0.5.0, verdaccio docker image 3.8.1

I first set up verdaccio with a custom config map and mounted a read-only /etc/verdaccio/htpasswd, and set max_users to -1.

Then when that didn't work (npm adduser failed even though I verified that the password was correct... Maybe an issue with @verdaccio/file-locker not working on a read-only filesystem), I updated the config to use /verdaccio/storage/htpasswd. Then I got the above behavior.

Everything works fine when running npm adduser and max_users is 10. Then I can set max_users to -1 and everything works except for npm adduser (even with identical credentials).

Lmk if you need anything further.

@juanpicado
Member

Thanks @michaelfig I'll dig into it.

@cojack

cojack commented Oct 7, 2018

@bodz1lla or @cara please reopen this issue, because I'm still facing this problem, the same behaviour as guys above.

Steps to reproduce:

  • comment out max_users
  • restart docker
  • npm adduser --registry url
  • uncomment max_users, set value -1
  • restart docker
  • npm adduser --registry url
npm ERR! code E403
npm ERR! Registry returned 403 for PUT on https://npm.cojack.pl/-/user/org.couchdb.user:cojack: maximum amount of users reached
Oct  7 15:16:52 npm 90aa5424705a[764]:  http <-- 403, user: null(104.28.2.67 via 172.20.0.3), req: 'PUT /-/user/org.couchdb.user:cojack', error: maximum amount of users reached

version: 4.x-next

@cojack

cojack commented Oct 7, 2018

Okay, so we have some misleading information, because config.yaml says:

    # Maximum amount of users allowed to register, defaults to "+infinity".
    # You can set this to -1 to disable registration.

But the documentation says:

In case to decide do not allow user to login, you can set max_users: -1.

And by this behaviour I guess the documentation is right. Because when I change it to max_users: 1, I'm able to log in with the user I've created.

So yeah...

@juanpicado juanpicado reopened this Oct 7, 2018
@juanpicado
Member

Thanks for pointing it out, we are moving all documentation to a single place so in the future we avoid this kind of inconsistency.

@michaelfig

michaelfig commented Oct 7, 2018

Now I can do exactly what I need... create htpasswd manually and deploy verdaccio via Helm. My steps are:

Create a secret to contain the verdaccio.htpasswd identifying valid users.

$ htpasswd -c verdaccio.htpasswd <USER>
$ htpasswd verdaccio.htpasswd <OTHER-USER>
[Repeat as necessary]
$ kubectl create secret generic etc-verdaccio --from-file verdaccio.htpasswd

I use the following stanzas in my Helm config file, verdaccio.yaml:

persistence:
  volumes:
    - name: etc-verdaccio
      secret:
        secretName: etc-verdaccio
  mounts:
    - mountPath: /etc/verdaccio/secrets
      name: etc-verdaccio
      readOnly: true

configMap: |
  # ... many lines skipped.
  auth:
    htpasswd:
      # Mount from our etc-verdaccio secret.
      file: /etc/verdaccio/secrets/verdaccio.htpasswd
      # Allow all existing logins, but don't allow registration (since we already have at least one user in htpasswd).
      max_users: 1

Then install verdaccio.

$ helm install -f verdaccio.yaml stable/verdaccio

Please document this case in the sample configs, or maybe just link to this comment for the people installing via Helm?

Thanks,
Michael.
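
Added example (not part of the comment above and not Verdaccio's own code): a small JavaScript audit that reads a config.yaml and an htpasswd file and flags the settings this thread turns on: registration left open (fewer htpasswd entries than max_users), a negative max_users, and package rules that grant access or publish to $all or $anonymous. It assumes the behaviour reported in this thread; `auditVerdaccio`, the finding names and the sample input are constructed for illustration, and the scan is line-based rather than a full YAML parser.

```javascript
// Added example: audit a Verdaccio config.yaml and htpasswd file for the
// settings discussed in this thread. Line-based scan, not a full YAML parser.

// Constructed sample input, modelled on the configs posted in the thread.
const SAMPLE_CONFIG = `
auth:
  htpasswd:
    file: ./htpasswd
    max_users: 1
packages:
  '@*/*':
    # scoped packages
    access: $authenticated
    publish: $authenticated
  '**':
    access: $all, $anonymous
    publish: $all
`;
const SAMPLE_HTPASSWD = 'test.user:{SHA}constructed-placeholder-hash=\n';

// Count "name:hash" entries; blank lines and comment lines are ignored.
function countHtpasswdUsers(text) {
  return text.split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#') && l.includes(':')).length;
}

function auditVerdaccio(configText, htpasswdText) {
  const findings = [];
  const users = countHtpasswdUsers(htpasswdText);

  // A missing or commented-out max_users means the "+inf" default.
  const m = configText.match(/^[ \t]*max_users:\s*(-?\d+)/m);
  const maxUsers = m ? parseInt(m[1], 10) : Infinity;
  if (maxUsers < 0) {
    // Thread report: affected versions also refuse existing users here.
    findings.push('max-users-negative');
  } else if (users < maxUsers) {
    // Free slots remain, so anyone who can reach the registry can register.
    findings.push('registration-open');
  }

  let section = null;
  let pattern = null;
  for (const raw of configText.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, '').trimEnd();
    if (!line.trim()) continue;
    const top = line.match(/^([A-Za-z_]+):/);
    if (top) { section = top[1]; pattern = null; continue; }
    if (section !== 'packages') continue;
    const rule = line.match(/^\s+(access|publish):\s*(.+)$/);
    if (rule && pattern) {
      // $all and $anonymous both admit unauthenticated clients.
      const groups = rule[2].split(/[\s,]+/);
      if (groups.some((g) => g === '$all' || g === '$anonymous')) {
        findings.push(`anonymous-${rule[1]}:${pattern}`);
      }
      continue;
    }
    const pat = line.match(/^\s+['"]?(.+?)['"]?:$/);
    if (pat) pattern = pat[1];
  }
  return findings;
}

console.log(auditVerdaccio(SAMPLE_CONFIG, SAMPLE_HTPASSWD));
```

An empty result means the htpasswd file already holds at least max_users entries and no package rule admits unauthenticated clients.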

@korob93

korob93 commented Oct 25, 2018

I'm facing this issue too. However, I managed to find out that the npm client (mine is 5.6.0) won't send the Authorization header and that's why the login process is impossible.

Here is what we have now from npm

{
  body:
  {
    _id: 'org.couchdb.user:user',
    name: 'user',
    password: 'password',
    email: 'user@domain.local',
    type: 'user',
    roles: [],
    date: '2018-10-25T09:41:12.223Z'
  },
  headers:
  {
    connection: 'keep-alive',
    'user-agent': 'make-fetch-happen/2.5.0 (+https://npm.im/make-fetch-happen)',
    'content-type': 'application/json',
    accept: '*/*',
    'content-length': '159',
    'accept-encoding': 'gzip,deflate',
    host: 'localhost:4873'
  }
}

And here is the curl command that ends up successfully

curl -s -i  -H "Accept: */*"  -H "Content-Type:application/json"  -X PUT --data '{"_id":"org.couchdb.user:user","name":"user","password":"password","email":"user@domain.local","type":"user","roles":[],"date":"2018-10-25T09:24:58.053Z"}' --user 'user:password' http://localhost:4873/-/user/org.couchdb.user:user

@ayusharma
Member

@korob93 I'll check this issue again.

@korob93

korob93 commented Oct 25, 2018

@ayusharma thank you for quick reply =)
In addition to my post, if in .npmrc I set registry=http://user:password@localhost:4873 then npm login works like a charm.
BTW, I have to admit that the error 409 is quite confusing, it'd rather be 401 since this is an authorization problem

PS using verdaccio version 3.8.5

@juanpicado
Member

@korob93 why basic auth over tokens ? I am curious

@korob93

korob93 commented Oct 25, 2018

Hi, @juanpicado. Here is my flow
I run verdaccio with docker-compose, mounting /verdaccio/conf to my ~/verdaccio/conf directory. Then, in config.yaml I set max_users to -1 and add a single entry into htpasswd file. Then I start my container and try to run npm login supplying credentials I specified in htpasswd file. It fails unless I provide my credentials via basic authorization.

So, the question here is how do I get token without npm login? Maybe I miss something from docs?

My workaround for now is to create 2 users: one for basic auth, which cannot access or publish packages at all, and one for actually doing registry stuff. So my login process looks quite ridiculous =)

npm login --registry=http://user1:password1@localhost:4873
Username: user2
Password: password2
Email: (this IS public) user@domain.local

Then I pass login and can act as user2

If I miss something and there is a better way to deal with this situation I'd be happy to know the correct solution

UPDATE
In fact, 1 user is enough since I can remove basic auth credentials from my repo's .npmrc file, but I'll still have to provide these credentials on npm login via the registry option

@lmeunierRakuten

I can't register with npm adduser or npm login, but npm does not send CONTENT-TYPE : application/json

I have used Postman to test, and this request does not work:

curl -X POST \
  http://35.241.197.51/npm/-/verdaccio/login \
  -H 'cache-control: no-cache' \
  -H 'postman-token: ea91a699-da3d-e746-e409-5212fa3cc3c0' \
  -d '{"username":"lionel.meunier","password":"myPass"}'

but this works:

curl -X POST \
  http://35.241.197.51/npm/-/verdaccio/login \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: f3783b6c-8420-354e-e091-81253a185964' \
  -d '{"username":"lionel.meunier","password":"myPass"}'

@JayaKrishnaNamburu
Member

Hey, is the issue solved? I cloned the latest verdaccio/ui master and trying to add a user. It is throwing the same error.

npm ERR! code E404
npm ERR! 404 Registry returned 404 for PUT on http://localhost:4872/-/user/org.couchdb.user:testuser

@DanielRuf
Contributor

Hi @JayaKrishnaNamburu,

The ui part is only the frontend, not the backend / server.

Please provide the exact steps that you have done. The 404 is a different error.

@JayaKrishnaNamburu
Member

Steps that I have followed.

  1. Cloned the repo.
  2. Yarn
  3. Yarn dev

The dev server is running and at the port 4872

Ran npm add user as specified in the UI, then the terminal is throwing the above error. I have another version of verdaccio which is a docker one. When it runs at 4873, I am not facing this issue.

@juanpicado
Member

@JayaKrishnaNamburu @DanielRuf I think we should handle it either via Discord chat or UI repo, here we are creating noise in a not related issue. I'm sure it is an easy fix.

@DanielRuf
Contributor

DanielRuf commented Jun 11, 2019

The devserver uses the memory.
The command is npm adduser or npm add-user, see https://docs.npmjs.com/cli/adduser.html

The devserver backend runs on port 8080 by default.

@juanpicado
Member

This is too old, if someone still has this issue, please:

  • update to the latest major version that is in use
  • create a new ticket if the issue persists

💯

@kopax

kopax commented Sep 28, 2019

Deleted Sorry I was testing an old version, with v4 issues are fixed.

@DanielRuf
Contributor

Hi @kopax,

I am using verdaccio:3, I have tried to use verdaccio 4 but the current image doesn't work with npm properly.

Please open a new issue and provide all / more relevant details.

@lhf552004

Hi, I'm using verdaccio as a windows service, following the guide https://verdaccio.org/docs/en/windows
And I encountered the same error:
image

verdaccio -V
4.2.2

@DanielRuf
Contributor

Hi @lhf552004,

Please open a new issue with all relevant details.

@orefalo

orefalo commented Nov 4, 2019

Same issue here. This is so frustrating. Actually.. it's not that I can't log in. npm login works.

The problem is scripting from a docker build. Since I don't have access to the docker build launcher, I am stuck with solutions such as npm-cli-login or curl. None of them worked so far.

@DanielRuf
Contributor

Hi @orefalo,

please check my last comment and the other previous comments so we can help you.

@verdaccio verdaccio locked as resolved and limited conversation to collaborators Nov 11, 2019