jsonp is not working for registry.npmjs.org

[anvaka]

Hello,

I'm trying to use npm from a browser.

This returns valid jsonp response: http://isaacs.iriscouch.com/registry/_design/scratch/_view/byField?callback=foo&limit=10

However isaacs.iriscouch.com was not stable recently, and I'm trying to change endpoint to registry.npmjs.org:

http://registry.npmjs.org/-/_view/byField?callback=foo&limit=10

This returns data, but completely ignores callback argument (which makes it unusable for jsonp scenario).

Neither does skimdb respects it:

https://skimdb.npmjs.com/registry/_design/scratch/_view/byField?callback=foo&limit=10

Would really appreciate your help.

Cheers, Andrei

[isaacs]

Indeed. This is actually a security problem if we enable it at the moment. Here's why:

If you go to https://skimdb.npmjs.com/_users/_design/_auth/_view/listAll?startkey=%22org.couchdb.user:isaacs%22&limit=1, you will get an error that you're not allowed to perform views on that database, because you're not a server admin.

However, if you ran the same view, but via a script tag with &callback=steal_all_teh_secrets, then your evil code could steal private user credentials if you can get any npm server admin to visit your page. Since you can't (afaik?) configure couchdb to allow jsonp on ONE database, and not another.

We are currently working on making some slight modifications to the setup so that we can have a skimdb couch exposed in every which way as a downstream, so there's no chance of user credentials being leaked.

[anvaka]

Interesting. In that case can you enable CORS? It's just one header in the response Access-Control-Allow-Origin: *

This would really help

[anvaka]

This is what needs to be changed in CouchDB config:

[httpd]
enable_cors = true

[cors]
origins = *

[isaacs]

Cors will be allowed eventually, but not until we do some more security fixes and enhancements to prevent bad behavior from potentially causing trouble in the production registry. We'll announce on our blog when this is live.

[isaacs]

jsonp will be enabled as well. But again, not until it can be done safely.

[anvaka]

Hi @isaacs

I was working on npm visualization from a browser, and isaacs.iriscouch.com is down again. Is there any timeline of getting CORS enabled?

[anvaka]

Hi @isaacs, sorry for bugging you again. Is it safe to enable CORS now :)?

[ericfong]

I am also working on jsonp or cors ajax to npm.

Listing and searching related npm modules.

Any work around for this?

[zeke]

I want this too, but there is apparently a security issue in the version of CouchDB we're running that makes it unsafe to enable CORS. I think @isaacs said something about the CouchDB CORS configuration being all-or-nothing, rather than granular, i.e. GET-only.

We are currently building a relational follower of the registry that will enable this. In the mean time, you'll have to use a proxy. If you're not doing tons of traffic with it, you can use mine or stand up your own version of it: https://github.com/zeke/npm-registry-cors-proxy

[smikes]

I believe @maxogden said that there is a dat stream for npm registry -- see https://github.com/maxogden/dat

[max-mapper]

oh yea we have http://npm.dathub.org/, it's experimental though so don't build anything production off of it

[anvaka]

@maxogden I was hoping to use CORS or JSONP enabled endpoint to render dependencies graph here: https://github.com/anvaka/npmgraph.an

http://npm.dathub.org/api/rows?limit=10 - looks promising, thought it seems CORS/JSONP are not available here either?

[max-mapper]

It supports CORS GET, but not JSONP

On Wed, Jan 28, 2015 at 8:53 PM, Andrei Kashcha notifications@github.com wrote:

@maxogden https://github.com/maxogden I was hoping to use CORS or JSONP enabled endpoint to render dependencies graph here: https://github.com/anvaka/npmgraph.an

http://npm.dathub.org/api/rows?limit=10 - looks promising, thought it seems CORS/JSONP are not available here either?

— Reply to this email directly or view it on GitHub https://github.com/npm/npm-registry-couchapp/issues/157#issuecomment-71969130 .

[vadzim]

For visitors: You can use unpkg (https://unpkg.com/) instead of https://npmjs.com/ Unpkg is a CDN and sets CORS