Open nbverboven-medallia opened 1 year ago
The idea of this issue was to discuss the feasibility of this feature and possible implementations. After that, I can open a PR and start working on it.
Hey, so just to check, the url plugin source will not work for your use case?
Thinking about it, one thing that will need to be addressed is the CSP for this. The CSP will block any scripts from any other domain that is not specified. One way around this will be to add a new option for the private registry when initializing Altair -- when it is hosted e.g. via the express middleware, and add the domain to the CSP.
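The CSP change discussed in the comment above, as an added example that is not part of the thread or of Altair's code: a hosted deployment reduces a configured registry URL to one validated origin before appending it to `script-src`. The names `registryUrl`, `registryOrigin`, `buildScriptSrc` and the baseline policy are assumptions for illustration.

```javascript
// Added example. `registryUrl` and the baseline policy are assumptions for
// illustration; they are not Altair's actual configuration options.
const BASE_SCRIPT_SRC = ["'self'"]; // constructed baseline policy

// Reduce a registry URL to a single CSP-safe origin, or throw.
function registryOrigin(registryUrl) {
  let u;
  try {
    u = new URL(registryUrl);
  } catch {
    throw new Error('registry URL is not a valid absolute URL');
  }
  if (u.protocol !== 'https:') {
    throw new Error('registry must be served over https');
  }
  if (u.username || u.password) {
    throw new Error('credentials must not be embedded in the registry URL');
  }
  // Plain DNS names only: rejects wildcards and characters such as ';'
  // that would otherwise split the header into extra directives.
  if (!/^[a-z0-9.-]+$/.test(u.hostname)) {
    throw new Error('registry host contains characters not allowed here');
  }
  return u.origin; // scheme + host + port only; path and query are dropped
}

// Build the script-src directive: the baseline plus at most one extra origin.
function buildScriptSrc(registryUrl) {
  const sources = [...BASE_SCRIPT_SRC];
  if (registryUrl) sources.push(registryOrigin(registryUrl));
  return `script-src ${sources.join(' ')}`;
}
```
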
The issues I see with using the url approach are that
url:altair-graphql-plugin-my-plugin::[url]->[https://my-private-registry.company.com/api/npm/virtual-npm/altair-graphql-plugin-my-plugin@latest]
In my view, those are mainly UX things, but I'd rather tackle them if it was possible to increase the chances of people wanting to use this feature.
Apart from that, there's also what you mentioned about the CSP. From your comment, it seems that this feature would only work for a hosted version of Altair, right? It doesn't seem reasonable (or possible) to dynamically modify the CSP otherwise.
Yes. It is only possible for hosted versions of Altair, or the desktop applications. It's not possible with the browser extensions
Yours is the first request for the private registry. I'm happy to look into this more, but this is not a priority for me at the moment.
If I understand what you're saying, we should define (or adopt, if there's already a standard for authentication with private registries) a proper authentication process for the private registry.
> If I understand what you're saying, we should define (or adopt, if there's already a standard for authentication with private registries) a proper authentication process for the private registry.
Yes, that was what I had in mind.
> Yours is the first request for the private registry. I'm happy to look into this more, but this is not a priority for me at the moment.
No worries. There's still the chance that we can make the plugins public but, if we end up needing this feature, it's likely that we open a pull request and start working on it (provided there's a chance of it being merged eventually).
Before creating the PR, it would be better to discuss exactly what the authentication part will look like.
Agreed. Will keep you posted.
Is this still a relevant issue?
Is your feature request related to a problem? Please describe.
At the company I work for, we were thinking about extending Altair's functionality with some plugins for internal use. With the current implementation, they would have to be publicly accessible to be installed but, for security reasons, we may only be able to publish them to a private registry.

Describe the solution you'd like
Let's say we have a package called altair-graphql-plugin-test. We could add a fourth way of sourcing plugins called custom or custom-registry (the name is tentative) which would be used like

I'm not really sure on how authentication would work but I'm guessing extra options may be necessary, such as token, user and password.

Describe alternatives you've considered
The authentication options could also be added to the url source but I'm not familiar enough with the inner workings of fetching a package from a private registry to know if this would give us the expected result.

Additional context
N/A