n4bb12 / verdaccio-github-oauth-ui

📦🔐 GitHub OAuth plugin for Verdaccio
https://verdaccio.org
MIT License

Does not work if you enable security.api.jwt tokens #48

Closed dantman closed 4 years ago

dantman commented 4 years ago

Bug Report

When using the verdaccio-github-oauth-ui plugin auth is broken if you enable the jwt setting but do not set legacy: true (i.e. you move to JWT instead of using the deprecated legacy signature).

Versions

Version
verdaccio 4.7.2
verdaccio-github-oauth-ui 2.2.4

Expected behavior

If JWT is enabled in the API then the npm tokens gh-oauth-ui generates should be JWT tokens, not legacy tokens.

Observed behaviour

I tried enabling the htaccess plugin alongside gh-oauth-ui and logging in with npm login. htaccess generates proper JWTs, so this is a gh-oauth-ui issue.

This appears to be the code generating the npm token (I searched around the codebase and followed the code to confirm this was the specific function called).

https://github.com/n4bb12/verdaccio-github-oauth-ui/blob/9740bc5f0d3812432cffb9bc3598ff49acdb9e83/src/server/verdaccio/Verdaccio.ts#L36-L38

Steps to reproduce

  1. Use the following security settings:

        security:
          api:
            jwt:
              sign:
                expiresIn: 90d
          web:
            sign:
              expiresIn: 7d

  2. Sign in with GitHub
  3. Follow the npm set token commands
  4. Try publishing a package; it will fail because the token is a legacy token
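
The two settings the report contrasts, as an added config example (not taken from the issue or the plugin's docs): the first block keeps Verdaccio on the deprecated legacy token signature, the second is the JWT-only setup from the reproduction steps. The expiry values are the ones used above; everything else about your config.yaml is assumed to stay as it is.

```yaml
# Variant A: keep deprecated legacy API tokens (the mode the plugin handled
# before 2.3.0). `legacy: true` is the setting the report says was NOT set.
security:
  api:
    legacy: true
  web:
    sign:
      expiresIn: 7d

# Variant B: JWT-only API tokens, i.e. the reproduction config. Without
# `legacy: true`, every npm token the auth plugin hands out must be a JWT
# that Verdaccio can verify, or publish requests are rejected.
security:
  api:
    jwt:
      sign:
        expiresIn: 90d
  web:
    sign:
      expiresIn: 7d
```

Only one `security:` block can be active in a real config.yaml; pick one variant. A quick way to tell which kind of token `npm login` stored is to look at the `//registry/:_authToken=` line in `~/.npmrc`: a JWT is three dot-separated base64url segments, a legacy token is a single opaque base64 blob.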
n4bb12 commented 4 years ago

Thank you for the great description.

n4bb12 commented 4 years ago

API JWT is supported with https://github.com/n4bb12/verdaccio-github-oauth-ui/releases/tag/2.3.0

Thanks for reporting this 🤝

dantman commented 4 years ago

Thanks. However there may be a bug.

I am getting the error user dantman is not allowed to publish package @company/package when I use JWT but when I disable JWT and use a legacy token I can successfully publish a package.

Publishing this package only requires basic authentication.

packages:
  '@company/*':
    access: $authenticated
    publish: $authenticated
    unpublish: $authenticated
dantman commented 4 years ago

Ok, I examined the JWTs and I think this is because the groups are different.

htpasswd plugin returns the groups ci $all $authenticated @all @authenticated all for the user ci.

But the github-oauth-ui plugin just returns the organizations that the user belongs to as groups. The username is missing and the various forms of the all/authenticated groups are missing.

I also question using GitHub orgs as groups (rather than finding a way to use the org's GitHub teams), but that's a separate topic.

n4bb12 commented 4 years ago

I think the groups are now handled correctly. Thanks for all the input.

https://github.com/n4bb12/verdaccio-github-oauth-ui/releases/tag/2.3.1

n4bb12 commented 4 years ago

I'd love to discuss GitHub teams. If you're interested, maybe you could create a feature proposal describing how that would work: How would you like to be able to configure this? If you have used other plugins that do something similar, how do they configure it? Would that affect existing users of the org mechanism, or could we do this as an optional add-on? Thanks in advance.