pfdgithub / verdaccio-auth-gitlab

Verdaccio authentication plugin by gitlab personal access token or oauth token or ci job token.
MIT License
32 stars 12 forks

Bug found in Login flow #10

Closed samitha9125 closed 1 year ago

samitha9125 commented 1 year ago

Verdaccio Version: 5.18
verdaccio-auth-gitlab Plugin Version: latest
Environment: Docker

Scenario: The user tries to log in with a username and a personal access token. Once the user is successfully authenticated, the user details are cached by the plugin, as I understood it. Now the user logs out and tries to log in again. But this time the user provides the correct username but an incorrect personal access token (i.e. remove several characters of the token and try to sign in).

Expected Outcome: Verdaccio should decline login.

Actual Outcome: User can successfully login even though the personal token is invalid.

Reproducing steps:

  1. Fresh verdaccio installation with the plugin
  2. Copy and paste the configuration from Readme file.
  3. Run verdaccio
  4. Login with correct username and personal access token
  5. Logout once successfully logged in
  6. Login again with correct username but now incorrect personal access token
pfdgithub commented 1 year ago

Verdaccio's cli and web authentication processes are inconsistent.

In cli, the token is stored in the .npmrc file, which doesn't contain information such as groups. In web, the token is stored in localStorage, which contains information such as groups.

In cli, the adduser and authenticate methods are called on login, and the authenticate and allow_access methods are called on install. In web, the authenticate method is called on login, and the allow_access method is called on browse.

So in web, instead of directly checking for the existence of the user, it first tries to check the cache. A token hash check was added in verdaccio-auth-gitlab@2.0.0-beta.11, which fixed this issue.