n4bb12 / verdaccio-github-oauth-ui

📦🔐 GitHub OAuth plugin for Verdaccio
https://verdaccio.org
MIT License

Internal Server Error even with url_prefix: "" #47

Closed hybridherbst closed 4 years ago

hybridherbst commented 4 years ago

Bug Report

Versions

Version
verdaccio 4.6.2
verdaccio-github-oauth-ui 2.2.3

Expected behavior

Login with GitHub works

Observed behaviour

Login flow seems to be correct, can authorize with GitHub, however on return to verdaccio I get: [image]

URL looks like this: https://packages.XXXXX.tools/-/oauth/callback?code=XXXXXe4043aafc24bc4

Additional context

I'm sure there must be some additional configuration step I'm missing. Both the GitHub app (created through an org - does that make a difference?) and Verdaccio seem to be set up correctly, double-checked all entries.

Any help is appreciated!

EDIT: if I understand https://github.com/n4bb12/verdaccio-github-oauth-ui/issues/43 right, it seems Verdaccio just thinks this is a package. I'm using nginx as reverse proxy; do I need to forward traffic differently to this plugin? I thought it would be handled internally in Verdaccio.

n4bb12 commented 4 years ago

Thanks for your report. Is this potentially a duplicate of https://github.com/n4bb12/verdaccio-github-oauth-ui/issues/43?

n4bb12 commented 4 years ago

Ouff sorry, didn't read the EDIT.

n4bb12 commented 4 years ago

Could you share your configuration?

hybridherbst commented 4 years ago

Sure:

Note: I tried

#
# This is the default config file. It allows all users to do anything,
# so don't use it on production systems.
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: ./storage
# path to a directory with plugins to include
plugins: ./plugins

web:
  title: "package registry"
  # comment out to disable gravatar support
  # gravatar: false
  # by default packages are ordered ascending (asc|desc)
  # sort_packages: asc
  # convert your UI to the dark side
  darkMode: true
  primary_color: "#203540"
  logo: verdaccio/logo.png

# translate your registry, api i18n not available yet
# i18n:
# list of the available translations https://github.com/verdaccio/ui/tree/master/i18n/translations
#   web: en-US

middlewares:
  audit:
    enabled: true
  github-oauth-ui:
    enabled: true

url_prefix: "/"

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    # max_users: 1000
    max_users: -1
  github-oauth-ui:
    org: needle-tools
    client-id: xxx
    client-secret: xxx

# configure max package size
max_body_size: 100mb

# a list of other known repositories we can talk to
# uplinks:
#  npmjs:
#    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    # proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $all

    # allow all known users to publish/unpublish packages
    # (anyone can register by default, remember?)
    publish: $authenticated
    unpublish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    # proxy: npmjs

# You can specify HTTP/1.1 server keep alive timeout in seconds for incoming connections.
# A value of 0 makes the http server behave similarly to Node.js versions prior to 8.0.0, which did not have a keep-alive timeout.
# WORKAROUND: Through given configuration you can workaround following issue https://github.com/verdaccio/verdaccio/issues/301. Set to 0 in case 60 is not enough.
server:
  keepAliveTimeout: 60

# log settings
logs:
  - { type: stdout, format: pretty, level: http }
  - { type: file, path: verdaccio.log, level: info }
#experiments:
#  # support for npm token command
#  token: false

# This affects the web and api (not developed yet)
#i18n:
#web: en-US

n4bb12 commented 4 years ago

What makes you think that url_prefix is the problem?

hybridherbst commented 4 years ago

I don't. I just mentioned it because you wrote in #43 that it might not properly work with url_prefix, so I wanted to point out that I tried a couple of options with that. I don't know what the problem is, thus the Issue opening here :)

n4bb12 commented 4 years ago

So far everything I tried worked, including testing with your config and versions (different org). The error happens during UI login, right? And you get stuck after the redirect back from GitHub with the code in the URL, right?

The code returned by GitHub is only valid once. Accessing this URL directly https://packages.XXXXX.tools/-/oauth/callback?code=XXXXXe4043aafc24bc4, e.g. if you're trying to share the URL with someone, will not work.

The only thing that's happening between GitHub and successful login is calling the GitHub API to get a token + user info + org info. It's likely that one of those requests is rejected by GitHub.

Could you share the terminal output that's produced during login?

n4bb12 commented 4 years ago

Thanks for the logs. There's this error when making a request to the GitHub API:

{
  "message": "Response code 401 (Unauthorized)",
  "name": "HTTPError",
  "stack": "HTTPError: Response code 401 (Unauthorized)\n    at EventEmitter.<anonymous> (/usr/local/lib/node_modules/verdaccio/node_modules/got/dist/source/as-promise.js:118:31)\n    at processTicksAndRejections (internal/process/task_queues.js:97:5)"
}

Could you check if this might be the case? https://github.com/n4bb12/verdaccio-github-oauth-ui#important

hybridherbst commented 4 years ago

Hm, I did that step already, and it looks like this:

[image]

(unrelated, but shouldn't the auth fallback if Github doesn't work (for any reason) be that it tries other configured auth plugins, in this case htaccess, next?)

n4bb12 commented 4 years ago

Okay that's the right place in the GitHub settings, but it doesn't tell me which user you are logging in to Verdaccio with, or whether that user was granted access. Every individual needs the read:org permission to determine whether the user is an org member. Is this permission granted for the account you're using with Verdaccio?

(Now that I'm thinking about it, it might make more sense to add a plugin configuration value that contains a GitHub access token with this permission, instead of using each individual user's account permission, because it might save some headache.)

To recap: We know that we get redirected back to Verdaccio with the GitHub code. Then follows the Token request and we fetch User and User Orgs info. This is to make a decision about whether the user is an org member and thus has $authenticated access to Verdaccio. One of these three requests fails.

I improved the error logging and user feedback when this occurs. Maybe you could try out the new version and it should tell you right on the UI which of the three requests failed.

Not really sure what to look for at this point. I still think it might be the read:org permission.

hybridherbst commented 4 years ago

Thanks @n4bb12 for the debugging session!

I'm gonna close this issue; for future reference, the problem was with nginx: Verdaccio's documentation sets up the reverse proxy location as

proxy_pass http://127.0.0.1:4873/$1;

but verdaccio-github-oauth-ui needs

proxy_pass http://127.0.0.1:4873/$1$is_args$args;

since there are arguments passed along from GitHub.
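The two findings in this thread, the three GitHub requests that n4bb12 recaps (token, user, user orgs, with org membership deciding `$authenticated` access) and the nginx `proxy_pass` that dropped the `?code=` query string, are modelled below in a small Python callback handler. This is an added example, not code from the thread or from verdaccio-github-oauth-ui: the `transport` callable is a hypothetical injection point for HTTP, the `fake_github` responses are constructed (GitHub's real token endpoint does answer 200 with an `error` field for a bad code, but the exact bodies here are made up), and `needle-tools` is simply the org from the posted config. The point it shows is how to report *which* step failed instead of a bare Internal Server Error, and how a stripped query string surfaces as a missing code rather than as a GitHub failure.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Hypothetical transport: (method, url, headers, form_body) -> (status, parsed JSON body)
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, object]]

TOKEN_URL = "https://github.com/login/oauth/access_token"
USER_URL = "https://api.github.com/user"
ORGS_URL = "https://api.github.com/user/orgs"
CALLBACK_PATH = "/-/oauth/callback"


class StepFailed(Exception):
    """Names the GitHub request (token / user / orgs) that did not succeed."""

    def __init__(self, step: str, status: int) -> None:
        super().__init__(f"{step} request failed with HTTP {status}")
        self.step = step
        self.status = status


def extract_code(request_target: str) -> Optional[str]:
    """Return the ?code= value of the callback request, or None.

    A reverse proxy that forwards only the path (nginx `proxy_pass .../$1`
    without `$is_args$args`) delivers the callback with no query string,
    which shows up here as a missing code.
    """
    parts = urlsplit(request_target)
    if parts.path != CALLBACK_PATH:
        return None
    codes = parse_qs(parts.query).get("code")
    return codes[0] if codes else None


def github_login(code: str, client_id: str, client_secret: str,
                 org: str, transport: Transport) -> dict:
    """Exchange the code for a token, fetch the user, then the user's orgs."""
    status, body = transport("POST", TOKEN_URL, {"Accept": "application/json"},
                             {"client_id": client_id, "client_secret": client_secret,
                              "code": code})
    token = body.get("access_token") if status == 200 and isinstance(body, dict) else None
    if not token:
        raise StepFailed("token", status)  # code already used, wrong secret, etc.
    auth = {"Authorization": f"token {token}", "Accept": "application/vnd.github+json"}
    status, user = transport("GET", USER_URL, auth, {})
    if status != 200:
        raise StepFailed("user", status)
    status, orgs = transport("GET", ORGS_URL, auth, {})
    if status != 200:
        raise StepFailed("orgs", status)  # typically the read:org scope is missing
    member = any(o.get("login") == org for o in orgs)
    return {"login": user["login"], "member": member}


def handle_callback(request_target: str, client_id: str, client_secret: str,
                    org: str, transport: Transport) -> Tuple[int, str]:
    """Map the callback to (HTTP status, message) with an actionable reason."""
    code = extract_code(request_target)
    if code is None:
        return 400, "missing ?code= on callback; check that the reverse proxy forwards the query string"
    try:
        result = github_login(code, client_id, client_secret, org, transport)
    except StepFailed as exc:
        return 502, f"GitHub {exc.step} request failed: HTTP {exc.status}"
    if not result["member"]:
        return 403, f"{result['login']} is not a member of {org}"
    return 200, f"logged in as {result['login']}"


def fake_github(behaviour: str = "ok") -> Transport:
    """Constructed stand-in for GitHub; behaviour is 'ok' or 'no_read_org'."""

    def transport(method: str, url: str, headers: Dict[str, str],
                  body: Dict[str, str]) -> Tuple[int, object]:
        if url == TOKEN_URL:
            if body.get("code") != "goodcode":
                return 200, {"error": "bad_verification_code"}  # constructed
            return 200, {"access_token": "gho_constructed"}
        if headers.get("Authorization") != "token gho_constructed":
            return 401, {"message": "Bad credentials"}
        if url == USER_URL:
            return 200, {"login": "alice"}
        if url == ORGS_URL:
            if behaviour == "no_read_org":
                return 401, {"message": "Response code 401 (Unauthorized)"}
            return 200, [{"login": "needle-tools"}]
        return 404, {}

    return transport


if __name__ == "__main__":
    for target in ("/-/oauth/callback", "/-/oauth/callback?code=goodcode"):
        print(target, "->", handle_callback(target, "id", "secret", "needle-tools", fake_github()))
```

Run as a script it prints a 400 for the bare path (the nginx symptom) and a 200 for the full URL. The same handler with `fake_github("no_read_org")` returns 502 naming the orgs step, which is the distinction the improved error logging in the thread was meant to give the user.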