pfdgithub / verdaccio-auth-gitlab

Verdaccio authentication plugin that validates a GitLab personal access token, OAuth token or CI job token.

License: MIT License

JavaScript 100.00%
access auth authentication ci gitlab job oauth personal plugin token verdaccio

verdaccio-auth-gitlab's People

Contributors

pfdgithub

verdaccio-auth-gitlab's Issues

Plugin returns `500` for invalid Personal Access Tokens

Issue

Plugin returns 500 HTTP status for invalid Personal Access Tokens when trying to obtain the npm access token via CLI

Background

I'm trying to obtain the npm access token via the curl request below, and it works as expected without any issue if the personal access token is valid. But when it is invalid, an unexpected error occurs.

TOKEN=$(curl -s \
  -H "Accept: application/json" \
  -H "Content-Type:application/json" \
  -X PUT --data '{"name": "username_here", "password": "password_here"}' \
  http://your_registry/-/user/org.couchdb.user:username_here 2>&1 | grep -Po \
  '(?<="token": ")[^"]*')

Expected Output

When the password is invalid, response should return 401 Unauthorised.

Actual Output

When the password is invalid, response returns 500 internal server error.

Add option to deny login

I checked the JWT token after a GitLab user successfully logged in and found the following claims:

{
...
  "real_groups": [
    "$gitlab:user",
    "$gitlab:user:XXX",
    "$gitlab:group:YYY:member",
    "$all",
    "$authenticated",
    "@all",
    "@authenticated",
    "all"
  ],
  "name": "XXX",
  "groups": [
    "$gitlab:user",
    "$gitlab:user:XXX",
    "$gitlab:group:YYY:member",
    "$all",
    "$authenticated",
    "@all",
    "@authenticated",
    "all"
  ],
...
}

Which means that every GitLab user belongs to $authenticated. Therefore every GitLab user can log in to an npm registry which is using the plugin. Of course, by setting the roles correctly in Verdaccio's config.yaml you can make sure that $authenticated doesn't give you any rights at all.

Is it possible to extend the plugin to deny a login altogether to users who do not fulfil e.g. a config like $gitlab:group:YYY:member?

Upgrade / Test with Verdaccio 4

It would be great if we made this plugin available for Verdaccio 4, because Verdaccio 3 is EOL in about 6 months.

If I have time next month I'll look into it, but no guarantees.

Kind regards,
Lennard

Bug found in Login flow

Verdaccio Version: 5.18
verdaccio-auth-gitlab Plugin Version: latest
Environment: Docker

Scenario:
The user tries to log in with the username and the personal access token. Once the user has successfully authenticated, the user details are cached by the plugin, as I understand it. Now the user logs out and tries to log in again. But this time the user provides the correct username but an incorrect personal access token (i.e. removes several characters from the token and tries to sign in).

Expected Outcome:
Verdaccio should decline login.

Actual Outcome:
User can successfully login even though the personal token is invalid.

Reproducing steps:

  1. Fresh verdaccio installation with the plugin
  2. Copy and paste the configuration from Readme file.
  3. Run verdaccio
  4. Login with correct username and personal access token
  5. Log out after a successful login
  6. Login again with correct username but now incorrect personal access token

Request Header Fields Too Large

It will cause HTTP Error 431 Request Header Fields Too Large after you log in if you have tons of projects and groups. I suggest we can add a project/group filter to reduce the redundant roles. Sorry for my poor English.

Add support for Gitlab CI token auth

In GitLab CI you get a token for the runner to use to pull dependent repositories etc. It's used with the user gitlab-ci-token, as far as I know. It would be great if this could somehow be used to pull and push packages.

Verdaccio peerDependency

Hi,

could you add a version range for the verdaccio peer dependency? Like from >=4.8 <=5.x or something like that. It works well with verdaccio 5. But this plugin installs verdaccio 4.8 as well and deprecation warnings pop up. It's not a big problem but would be nice.

I could open a pull request, but that would be a little over the top for this.

Thanks in advance

Not sure if using :group correctly

I'm trying to authenticate using access: $gitlab:group:impakt-dev:member, where impakt-dev is my group name. I'm 100% sure I am a member (and owner) of the group, yet I get unauthorized. It works fine if using $gitlab:user. I've also tried with fullGroupPath: true. If I call https://gitlab.com/api/v4/groups and use my token (same one I use to login on the verdaccio front-end), I also see my group within the array.

Using verdaccio/verdaccio:5.15.4 on localhost

Is there anything I am missing? Would appreciate any help.

Thanks!

Use Multiple Token Types

Background

Managing Verdaccio authentication using verdaccio-auth-gitlab is convenient and secure. So accessing Verdaccio via the web or using the npm/yarn CLI is also convenient, because users always have their own personal access token with them. But if we want to use the same private npm registry for a CI job, we should be able to do that via a job token rather than exposing a personal access token.

Issue

Currently, verdaccio-auth-gitlab only supports one token type. This issue is reported in #11.

According to the discussion comment, CI_JOB_TOKEN can be used even with tokenType: personal configuration?

project and group paths seem to require ignoring namespaces

Hi !
It seems like the project and group paths that must be passed as parameters can lead to errors when a user is member of multiple groups or projects with the same path (ignoring namespace).
It seems that either using the ids or the full path (path_with_namespace) could resolve this

Failed login

Hi,

I tried to log in to several accounts from the same machine, but one account failed to log in (git clone works with the token, but I cannot log in). It shows the error log: Response code 403 (Forbidden)
How did this happen?

Possibility of adding a method to modify the Package Name

Background

When naming a repository in GitLab, we generally use CamelCase/PascalCase style. But npm no longer allows upper-case letters. Thus, we are facing an issue when this is used in the config file.

publish: $gitlab:project:[pkgName]:owner

Issue

As an example, if the GitLab repo name is SampleNameRepo, we will not be able to make an npm package which contains the same repo name because of npm's naming restrictions. Thus, we may have to name the package sample-name-repo.

This means, even the owner will not be able to publish the package.

Suggestion

Adding a new property in the config file which will automatically convert the name of the package to predefined case. In the above example, CamelCase/Pascal Case will be converted to kebab-case.

I'd like to hear some suggestions from you too. Also I can support to implement this feature as well.
