rlidwka / sinopia

Private npm repository server

Cannot login - this user already exists #329

Open henkosch opened 9 years ago

henkosch commented 9 years ago

Sinopia crashes when I try to login.

This is the output:

 warn  --- config file  - /home/henko/.config/sinopia/config.yaml
 warn  --- http address - http://localhost:4873/
 http  <-- 409, user: undefined, req: 'PUT /-/user/org.couchdb.user:henko', error: this user already exists
 http  <-- 200, user: undefined, req: 'GET /-/user/org.couchdb.user:henko?write=true', bytes: 0/106
 fatal --- uncaught exception, please report this
Error: Module did not self-register.
    at Error (native)
    at Object.Module._extensions..node (module.js:460:18)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:311:12)
    at Module.require (module.js:366:17)
    at require (module.js:385:17)
    at module.exports (/usr/local/lib/node_modules/sinopia/node_modules/crypt3/index.js:24:9)
    at Object.verify_password (/usr/local/lib/node_modules/sinopia/node_modules/sinopia-htpasswd/utils.js:93:12)
    at /usr/local/lib/node_modules/sinopia/node_modules/sinopia-htpasswd/index.js:39:16
    at /usr/local/lib/node_modules/sinopia/node_modules/sinopia-htpasswd/index.js:113:9

Node and npm versions used:

  - server: Ubuntu 14.04
  - server npm: 2.14.7
  - server node: 4.2.1
  - client npm: 2.14.7
  - client node: 4.2.1

Update: I have solved the uncaught exception problem, but I still cannot login. See below.

henkosch commented 9 years ago

It was something to do with node-crypt3 not building for some reason. I reinstalled sinopia, node-crypt3 still does not build, but sinopia seems to install without it.

https://github.com/sendanor/node-crypt3/issues/9

Now the uncaught exception is gone, but I still cannot login with an existing user:

 http  <-- 409, user: undefined, req: 'PUT /-/user/org.couchdb.user:henko', error: this user already exists
 http  <-- 200, user: undefined, req: 'GET /-/user/org.couchdb.user:henko?write=true', bytes: 0/106
 http  <-- 409, user: undefined, req: 'PUT /-/user/org.couchdb.user:henko/-rev/undefined', error: this user already exists

Well of course it exists, that's why I want to login with it...

I used npm login

Which is the same as npm adduser

And according to the docs, adduser is the way to authenticate, too: https://docs.npmjs.com/cli/adduser

You may use this command multiple times with the same user account to authorize on a new machine. When authenticating on a new machine, the username, password and email address must all match with your existing record.

So how can I login with an existing user?

henkosch commented 9 years ago

I have fixed this issue by adding an extra authenticate call before add_user in the PUT request handler. This way if the user can authenticate itself with the current plugin, then it will be instantly logged in instead of sending back an HTTP 409.

Of course when the password is invalid, the add_user will be called and it will fail because the user already exists. But currently using the auth plugin authenticate interface there is no way to tell if the user exists or the password did not match, so we can just return the user already exists message when the password is wrong.

Please review my changes.
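
Added example (not henkosch's patch and not sinopia's code): the flow described in the comment above, sketched in JavaScript. `MemoryAuth` and `putUser` are hypothetical names, and the 201 status and response bodies are assumptions; only the 409 message comes from the logs in this thread.

```javascript
'use strict';
const crypto = require('crypto');

// Hypothetical in-memory stand-in for an auth plugin (constructed for illustration).
class MemoryAuth {
  constructor() { this.users = new Map(); } // name -> { salt, hash }

  static hash(password, salt) {
    return crypto.scryptSync(password, salt, 32);
  }

  // True only when the user exists AND the password matches.
  // The caller cannot tell "unknown user" from "wrong password".
  authenticate(name, password) {
    const rec = this.users.get(name);
    if (!rec) return false;
    return crypto.timingSafeEqual(MemoryAuth.hash(password, rec.salt), rec.hash);
  }

  // False when the name is already taken.
  addUser(name, password) {
    if (this.users.has(name)) return false;
    const salt = crypto.randomBytes(16);
    this.users.set(name, { salt, hash: MemoryAuth.hash(password, salt) });
    return true;
  }
}

// Logic for PUT /-/user/org.couchdb.user:<name>, body = { name, password }.
function putUser(auth, body) {
  // 1. Existing user with the right password: treat the PUT as a login.
  if (auth.authenticate(body.name, body.password)) {
    return { status: 201, ok: `you are authenticated as '${body.name}'` };
  }
  // 2. Authentication failed: try to register the name.
  if (auth.addUser(body.name, body.password)) {
    return { status: 201, ok: `user '${body.name}' created` };
  }
  // 3. Name is taken and the password did not match: the 409 seen in the logs.
  return { status: 409, error: 'this user already exists' };
}
```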

nagliyvred commented 9 years ago

This is a real blocker for anyone who is using sinopia for their private packages. Any chance this could be prioritised? Thanks. P.S. Using a forked version works, but it would be nice to see it fixed in the master too.

roykolak commented 8 years ago

bump on this...

roykolak commented 8 years ago

epp... it was the wrong password for me... embarrassed

eatrocks commented 8 years ago

I also get the error of "this user already exists : -/user/org.couchdb.user:xxxxxxxx/-rev/undefined" when doing npm adduser --registry... I manually applied the fix in the attached pull request from henkosch but it does not resolve the issue for me. I'm using Sinopia v 1.3.1, npm v 2.11.3

mcansky commented 8 years ago

same problem here; very annoying

mcansky commented 8 years ago

I can confirm @henkosch's patch fixes the issue

AdrieanKhisbe commented 8 years ago

:+1:

eatrocks commented 8 years ago

We found that deleting the appropriate user entry from the htpasswd file allowed the user to adduser successfully. See your config.yaml file for the location of the htpasswd file, ours was ./htpasswd. We are v1.3.1.

konradjurk commented 8 years ago

So what's the status on this? I'd like to login with my existing user, and found that login and user creation is the same thing.

When I do curl -s -H "Accept: application/json" -H "Content-Type:application/json" -X PUT --data '{"name": "user", "password": "pw"}' http://registry/-/user/org.couchdb.user:user

... I get this beautiful answer:

{
  "error": "this user already exists"
}

Why is this a PUT and not a POST anyways and why is login and user creation the same thing?

remie commented 8 years ago

You can get this working by doing an authenticated request:

Creating a user:

 curl -s \
   -H "Accept: application/json" \
   -H "Content-Type:application/json" \
   -X PUT --data '{"name": "username", "password": "password"}' \
   http://registry/-/user/org.couchdb.user:username

Login existing user:

 curl -s \
   -H "Accept: application/json" \
   -H "Content-Type:application/json" \
   -X PUT --data '{"name": "username", "password": "password"}' \
   --user username:password \
   http://registry/-/user/org.couchdb.user:username

This is actually also what NPM does, see https://github.com/npm/npm-registry-client/blob/856eefea40a2a88618835978e281300e3406924b/lib/adduser.js#L62-L90

grimborg commented 8 years ago

Any way around this? It's still broken on the latest version of sinopia.

I add the users to htpasswd and they cannot login. (Allowing them to register is not an option: anyone could register, which is not what I want).

Update: I found a workaround: adding the users in the config file, and generating their passwords using require('crypto').createHash('sha1').update(pass).digest('hex').

It looks like it should also be possible to add the passwords to the htpasswd file, but I found two different ways in various documentation (including sinopia-htpasswd) (using the htpasswd tool from apache-tools, or mkpasswd from whois), but neither generates a password that sinopia recognizes.

ijsf commented 8 years ago

Also confirmed broken here. Quite inconvenient.

skozin commented 7 years ago

The format of htpasswd has seemingly changed, now it looks like this:

username1:{SHA}XYZXYZXYZXYZXYZXYZXYZXYZXYZ=:autocreated 2016-01-01T00:00:00.000Z
username2:{SHA}XYZXYZXYZXYZXYZXYZXYZXYZXYF=:autocreated 2016-01-01T00:00:00.000Z

So that's why previously-generated files don't work.

If you wish to use htpasswd, the workaround is to allow sinopia to create the htpasswd file by temporarily launching it in the mode that allows adding new users:

  1. Launch sinopia with config.yaml containing auth.htpasswd.file set to some path, and auth.htpasswd.max_users set to e.g. 1000.
  2. Make sure the file that auth.htpasswd.file points to does not exist.
  3. Use npm CLI to login all your users.
  4. Save the contents of auth.htpasswd.file.

Now you can re-launch sinopia with auth.htpasswd.max_users set to -1 to avoid adding new users. Or you can launch it on a new host, it doesn't matter as long as htpasswd and config.yaml are copied there.

Also, this htpasswd file re-generation does not invalidate NPM client tokens, as long as usernames and passwords remain the same and the value in the secret field in <storage-path>/.sinopia-db.json file is not changed (where <storage-path> is set by the storage field in config.yaml).
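
Added example (not sinopia's or sinopia-htpasswd's code): building, parsing and checking lines in the layout shown in the comment above, assuming `{SHA}` is the Apache htpasswd convention of base64 over the raw SHA-1 digest of the password. The function names and sample users are constructed for illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Apache-style {SHA} field: base64 of the raw SHA-1 digest (assumed format).
// There is no salt, so equal passwords always produce equal fields.
function shaField(password) {
  return '{SHA}' + crypto.createHash('sha1').update(password, 'utf8').digest('base64');
}

// One line in the layout from the thread: name:{SHA}hash:autocreated <ISO date>
function htpasswdLine(name, password, when = new Date()) {
  if (/[:\r\n]/.test(name)) throw new Error('invalid character in user name');
  return `${name}:${shaField(password)}:autocreated ${when.toISOString()}`;
}

// Parse a file body into Map(name -> hash field). The trailing comment itself
// contains ':' (the timestamp), so only the first two fields are used.
function parseHtpasswd(text) {
  const users = new Map();
  for (const line of text.split('\n')) {
    const parts = line.trim().split(':');
    if (parts.length >= 2 && parts[0] && parts[1]) users.set(parts[0], parts[1]);
  }
  return users;
}

// Check a password against a parsed entry; only {SHA} entries are accepted.
function verify(users, name, password) {
  const stored = users.get(name);
  if (!stored || !stored.startsWith('{SHA}')) return false;
  const a = Buffer.from(stored);
  const b = Buffer.from(shaField(password));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample file: two users, written at a fixed timestamp.
const when = new Date('2016-01-01T00:00:00.000Z');
const sampleFile = [
  htpasswdLine('alice', 'password', when),
  htpasswdLine('bob', 'password', when),
].join('\n') + '\n';
```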