szepeviktor / composer-envato

Composer plugin for Envato 💚 Install WordPress themes and plugins from ThemeForest and CodeCanyon
https://packagist.org/packages/szepeviktor/composer-envato
MIT License

Signed and expiring URL-s from Envato API get into composer.lock #2

Closed szepeviktor closed 1 year ago

szepeviktor commented 4 years ago

    "packages": [
        {
            "name": "envato/layerslider-plugin",
            "version": "6.9.2",
            "dist": {
                "type": "zip",
                "url": "https://marketplace-downloads.customer.envatousercontent.com/files/270888641/layersliderwp-6.9.2.installable.zip?response-content-dispositio....."
            },
            "type": "wordpress-plugin"
        }
    ],

If Composer cache is cleared the download from this URL will fail.

    $ composer install --prefer-dist --no-suggest
    Loading composer repositories with package information
    Installing dependencies (including require-dev) from lock file
        Finished: success: 0, skipped: 0, failure: 1, total: 1
    Package operations: 1 install, 0 updates, 0 removals
      - Installing envato/layerslider-plugin (6.9.2): Downloading (0%)    Authentication required (marketplace-downloads.customer.envatousercontent.com):
          Username:
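
The condition reported above can be caught before a lock file is committed. As an added example (not part of the thread or of composer-envato), this Python check flags `dist` URLs in composer.lock whose query string carries pre-signed-URL parameters. The parameter names follow AWS S3 conventions and are an assumption, as are the sample host, package names and values.

```python
import json
import time
from urllib.parse import parse_qsl, urlsplit

# Assumption: parameter names that usually mark a pre-signed, time-limited
# URL (AWS S3 style). The URL in the report is truncated, so the parameters
# Envato really uses are not confirmed by this page.
SIGNED_PARAMS = {"signature", "expires", "awsaccesskeyid",
                 "x-amz-signature", "x-amz-expires", "x-amz-credential"}

def find_signed_dist_urls(lock_text, now=None):
    """Return (name, version, host, param_names, expired) per flagged package."""
    now = time.time() if now is None else now
    lock = json.loads(lock_text)
    findings = []
    # composer.lock lists runtime and dev dependencies in separate arrays.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            parts = urlsplit((pkg.get("dist") or {}).get("url") or "")
            query = {k.lower(): v for k, v in
                     parse_qsl(parts.query, keep_blank_values=True)}
            hits = sorted(query.keys() & SIGNED_PARAMS)
            if not hits:
                continue
            # Assumption: "Expires" holds an absolute Unix timestamp.
            exp = query.get("expires", "")
            expired = exp.isdecimal() and int(exp) < now
            # Report names only, never values: the signature is a credential.
            findings.append((pkg.get("name"), pkg.get("version"),
                             parts.hostname, hits, expired))
    return findings

# Constructed sample lock file; host, package names and values are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "envato/example-plugin", "version": "1.0.0",
         "dist": {"type": "zip",
                  "url": "https://downloads.example.invalid/files/1/p.zip"
                         "?Expires=1700000000&Signature=CONSTRUCTED"
                         "&AWSAccessKeyId=CONSTRUCTED"}},
        {"name": "vendor/plain-lib", "version": "2.1.0", "dist": None},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, version, host, params, expired in find_signed_dist_urls(SAMPLE_LOCK):
        state = "expired" if expired else "still valid or unknown"
        print(f"{name} {version}: {host} dist URL has {', '.join(params)} ({state})")
```

Run against a real composer.lock in CI, a non-empty result means the lock file both pins a URL that will stop working and stores a signed download link in version control.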

dlecan commented 4 years ago

Is there a workaround for this?

szepeviktor commented 4 years ago

There are 2 things.

  1. if you keep local cache it works
  2. we may develop a CustomInstaller that does the download with a fresh URL

szepeviktor commented 4 years ago

@dlecan There is a solution, almost 100% implemented in https://github.com/ffraenz/private-composer-installer

  1. Put placeholder/s in distUrl
  2. Replace them on-the-fly

What do you think?

dlecan commented 4 years ago

:+1: Using environment variables is a good way to handle secrets. Do you need to update this plugin to use private-composer-installer? How to combine them together?

szepeviktor commented 4 years ago

I think we have to copy&develop as we shouldn't simply replace a placeholder but query Envato API for a fresh signed URL.

mcaskill commented 1 year ago

I might work on this issue this week since I need consistent installation across our team and environments.

szepeviktor commented 1 year ago

All right. This started to be a simple plugin.

mcaskill commented 1 year ago

I also expected this to be a simple endeavor 😆🤦‍♂️