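--- a/<PATH-NOT-SHOWN-ON-PAGE-1>
+++ b/<PATH-NOT-SHOWN-ON-PAGE-1>
@@ -1,4 +1,5 @@
 ignore-scripts = true
 registry = http://localhost:4873/
 @*:registry = http://localhost:4873 /
-//localhost:4873/:_authToken = npm-e4 bbfe4 f3 db6 a7 b1 ffe2 cd2 cf2 c5 dc00 eddc8 d07994 ca95 f
+//localhost:4873/:username = token
+//localhost:4873/:_password = bnBtLWU0 YmJmZTRmM2 RiNmE3 YjFmZmUyY2 QyY2 YyYzVkYzAwZWRkYzhkMDc5 OTRjYTk1 Zg==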
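Review bot: The `_password` value on the last added line appears to be the removed `_authToken` secret re-encoded in base64 (it decodes to a string starting `npm-e4…`), so the credential is still committed to the repository in a trivially reversible form — base64 is an encoding, not protection. If this token is live against any registry it should be treated as exposed and rotated, and the file should take it from the environment rather than inline, e.g. `//localhost:4873/:_password = ${NPM_REGISTRY_PASSWORD}`, which npm expands from the developer's shell or an untracked local file. If it is only a throwaway token for the local Verdaccio instance, a comment saying so (`# dev-only credential for the local verdaccio on :4873; not a real secret`) spares the next reader the same question. Keeping `ignore-scripts = true` alongside the credential change is the right default for a registry that proxies untrusted packages.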
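--- a/<PATH-NOT-SHOWN-ON-PAGE-2>
+++ b/<PATH-NOT-SHOWN-ON-PAGE-2>
@@ -57,14 +57,30 @@ class SecurityTokenAuth implements AuthPlugin {
 password : string ,
 cb : Callback
 ) : Promise < void > {
-const token = password ;
+let token = password ;
 
 if ( ! token || typeof token !== 'string' || token . length === 0 ) {
 this . logger . warn ( 'security-token-auth: empty token' ) ;
 cb ( new Error ( 'token required' ) , false ) ;
 return ;
 }
 
+// npm sends `_authToken` as an `Authorization: Bearer <token>` header.
+// Verdaccio forwards this as the `password` parameter, including the
+// `Bearer ` prefix. The unified API stores only the raw token value, so we
+// need to normalize here to accept both raw tokens and `Bearer`-prefixed
+// forms transparently.
+const lower = token . toLowerCase ( ) ;
+if ( lower . startsWith ( 'bearer ' ) ) {
+token = token . slice ( 7 ) . trim ( ) ;
+}
+
+if ( token . length === 0 ) {
+this . logger . warn ( 'security-token-auth: empty token after Bearer strip' ) ;
+cb ( new Error ( 'token required' ) , false ) ;
+return ;
+}
+
 const controller = new AbortController ( ) ;
 const timeout = setTimeout ( ( ) => controller . abort ( ) , this . timeoutMs ) ;
 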
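Review bot: The comment block added above `const lower` states as fact that Verdaccio hands the `Bearer ` prefix through in `password`; that is a host-framework transport detail, and if Verdaccio handles Bearer tokens itself before reaching the plugin the strip is dead code, so the claim should be hedged (`// observed with verdaccio <version>; re-verify on upgrade`) and backed by a test that drives `authenticate` with both a raw token and a `Bearer`-prefixed one. The prefix handling itself would be clearer as one case-insensitive check than a lowercased copy plus a fixed `slice(7)`: `if (/^bearer\s/i.test(token)) token = token.replace(/^bearer\s+/i, '').trim();` — `\s+` also absorbs a tab or doubled space that the literal `'bearer '` does not. One property of both early-return branches is worth preserving deliberately: neither warning includes the token value, and a note such as `// never log the token itself` would keep it that way. The enclosing `authenticate` signature begins before this hunk, and the `clearTimeout` for `timeout` is outside it, so its pairing with the abort path could not be checked here.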
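--- a/<PATH-NOT-SHOWN-ON-PAGE-3>
+++ b/<PATH-NOT-SHOWN-ON-PAGE-3>
@@ -1,6 +1,10 @@
 import { MongoClient , Db } from 'mongodb' ;
 
-const DEFAULT_URI = process . env . SECURITY_DB_URI || 'mongodb://127.0.0.1:27017' ;
+// In local dev, `pnpm infra:up` exposes MongoDB on host port 27018 by default
+// (see secure-registry/infra/docker-compose.yml). Using the same port here as
+// a fallback ensures that when SECURITY_DB_URI is unset, the unified API and
+// Verdaccio dev instances talk to the same database as the dev infra.
+const DEFAULT_URI = process . env . SECURITY_DB_URI || 'mongodb://127.0.0.1:27018' ;
 const DEFAULT_DB_NAME = process . env . SECURITY_DB_NAME || 'secure_registry' ;
 
 let clientPromise : Promise < MongoClient > | null = null ;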
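Review bot: The fallback on the `const DEFAULT_URI` line points at an unauthenticated local MongoDB, and nothing distinguishes "developer running dev infra" from "deployment that forgot to set SECURITY_DB_URI" — in the second case the service silently talks to whatever answers on 127.0.0.1:27018 rather than the security registry's database. Making the fallback visible is a one-liner after the `const`: `if (!process.env.SECURITY_DB_URI) console.warn('SECURITY_DB_URI is unset; falling back to local dev MongoDB at 127.0.0.1:27018');`, or, if the project has a production marker such as `NODE_ENV`, refuse to start on that path instead of falling back. The `||` rather than `??` is appropriate here, since an empty env string should also take the default. Moving the default port from 27017 to 27018 is also a silent behaviour change for anyone running a plain local `mongod`; the new comment explains the why, which is good, but a changelog or dev-docs line would be worth adding.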