
Commit 3ca548e

committed
chore: wip
1 parent aa98fb2 commit 3ca548e


3 files changed

+24
-3
lines changed


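--- a/examples/consumer-app/.npmrc
+++ b/examples/consumer-app/.npmrc
@@ -1,4 +1,5 @@
 ignore-scripts=true
 registry=http://localhost:4873/
 @*:registry=http://localhost:4873/
-//localhost:4873/:_authToken=npm-e4bbfe4f3db6a7b1ffe2cd2cf2c5dc00eddc8d07994ca95f
+//localhost:4873/:username=token
+//localhost:4873/:_password=bnBtLWU0YmJmZTRmM2RiNmE3YjFmZmUyY2QyY2YyYzVkYzAwZWRkYzhkMDc5OTRjYTk1Zg==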
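Review bot: The `_password` value added on new line 5 is only the base64 encoding of the `npm-…` token removed from old line 4, so the same credential is still committed in a trivially recoverable form. npm expands `${VAR}` references in .npmrc, so the line could read `//localhost:4873/:_password=${REGISTRY_PASSWORD_B64}` (the variable name is a placeholder), with the value supplied from the developer's environment. Because the token is already in the repository history on both sides of this change, it should be rotated if it is accepted anywhere other than a throwaway local registry. The `http://` registry URLs are presumably acceptable only because the host is localhost; a comment saying so would stop the file being copied as a template for a remote registry.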

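--- a/secure-registry/plugins/verdaccio-security-token-auth/src/index.ts
+++ b/secure-registry/plugins/verdaccio-security-token-auth/src/index.ts
@@ -57,14 +57,30 @@ class SecurityTokenAuth implements AuthPlugin {
 password: string,
 cb: Callback
 ): Promise<void> {
-const token = password;
+let token = password;
 
 if (!token || typeof token !== 'string' || token.length === 0) {
 this.logger.warn('security-token-auth: empty token');
 cb(new Error('token required'), false);
 return;
 }
 
+// npm sends `_authToken` as an `Authorization: Bearer <token>` header.
+// Verdaccio forwards this as the `password` parameter, including the
+// `Bearer ` prefix. The unified API stores only the raw token value, so we
+// need to normalize here to accept both raw tokens and `Bearer`-prefixed
+// forms transparently.
+const lower = token.toLowerCase();
+if (lower.startsWith('bearer ')) {
+token = token.slice(7).trim();
+}
+
+if (token.length === 0) {
+this.logger.warn('security-token-auth: empty token after Bearer strip');
+cb(new Error('token required'), false);
+return;
+}
+
 const controller = new AbortController();
 const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
 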
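Review bot: Normalization is applied unevenly: the `Bearer` branch at new lines 73-76 trims the token, but a raw token is never trimmed, and the emptiness check at new line 62 runs before any normalization, so a whitespace-only `password` passes it and is carried forward as a credential. Normalizing once at the top, `let token = typeof password === 'string' ? password.replace(/^\s*bearer\s+/i, '').trim() : '';`, lets the existing `token required` check cover every form and makes the second check at new lines 78-82 unnecessary. The value appears to be sent on to the unified API (the `AbortController` setup follows), so a length or format bound before that call would also keep arbitrary client-supplied strings from being forwarded; the expected token shape is not visible here. The method starts above this hunk and continues below it.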

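--- a/services/api/src/mongoClient.ts
+++ b/services/api/src/mongoClient.ts
@@ -1,6 +1,10 @@
 import { MongoClient, Db } from 'mongodb';
 
-const DEFAULT_URI = process.env.SECURITY_DB_URI || 'mongodb://127.0.0.1:27017';
+// In local dev, `pnpm infra:up` exposes MongoDB on host port 27018 by default
+// (see secure-registry/infra/docker-compose.yml). Using the same port here as
+// a fallback ensures that when SECURITY_DB_URI is unset, the unified API and
+// Verdaccio dev instances talk to the same database as the dev infra.
+const DEFAULT_URI = process.env.SECURITY_DB_URI || 'mongodb://127.0.0.1:27018';
 const DEFAULT_DB_NAME = process.env.SECURITY_DB_NAME || 'secure_registry';
 
 let clientPromise: Promise<MongoClient> | null = null;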
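Review bot: The fallback on new line 7 still applies in every environment, so a deployment that loses `SECURITY_DB_URI` will silently connect to a credential-less `mongodb://127.0.0.1:27018` instead of failing, and the new comment describes it as a dev-only convenience. A guard before the constant, such as `if (!process.env.SECURITY_DB_URI && process.env.NODE_ENV === 'production') throw new Error('SECURITY_DB_URI is required');`, would keep the dev default while making a missing setting visible. The same applies to `DEFAULT_DB_NAME` on new line 8. Changing the default port also changes behaviour for anyone who relied on the old 27017 fallback, which the comment could mention.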
