Unable to install packages if access is limited to authenticated #2152

MiK546 · 2021-03-30T14:54:27Z

MiK546
Mar 30, 2021

Describe the bug
Until recently and for a long time Verdaccio has worked excellently on our server. But recently I experimented with the security options in the config file and something broke. Now I cant get Verdaccio to work as expected anymore even if I do a clean install. For some reason, when I try to install any packages published to the Verdaccio instance, Verdaccio returns a 401 unauthorized response. I can still publish packages even though that is also restricted, but installation fails every time. If I change the access permissions in the config packages section to be $all everything seems to work (but of course this means anybody could access the data).

I have attempted to rename my Verdaccio configuration files and tried this with a clean install. I just edited the config file to require authentication for package access and added one user to the htpasswd file. This made no difference, npm still throws a E401 error every time.

I run Verdaccio in a virtual Ubuntu 18.04 server behind a Nginx reverse proxy. The Nginx config is

server {
  listen 0.0.0.0:80;
  listen [::]:80;
  server_name npm.domain.com;
  server_tokens off;
  return 301 https://$http_host$request_uri;
  access_log  /var/log/nginx/verdaccio_access.log;
  error_log   /var/log/nginx/verdaccio_error.log;
}

server {
  listen 0.0.0.0:443 ssl;
  listen [::]:443 ssl;
  server_name npm.domain.com;
  server_tokens off;

  ssl on;
  ssl_certificate /path;
  ssl_certificate_key /path;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

  access_log  /var/log/nginx/verdaccio_access.log;
  error_log   /var/log/nginx/verdaccio_error.log;

  location / {
    proxy_pass              http://127.0.0.1:4873/;
    proxy_set_header Host            $host:$server_port;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}

Verdaccio is started using Systemd, the unit file is:

[Unit]
Description=Verdaccio lightweight npm proxy registry

[Service]
Type=simple
Restart=on-failure
User=verdaccio
WorkingDirectory=/home/verdaccio
ExecStart=/usr/bin/verdaccio

[Install]
WantedBy=multi-user.target

To Reproduce

On the server, install Verdaccio sudo npm install -g verdaccio.
Start the verdaccio service with Systemd and let it generate the default configuration in /home/verdaccio/verdaccio/.
Edit the default config packages object so access has the value $authenticated in both instances.
Restart Verdaccio.
At your computer, add Verdaccio as the package source npm set registry https://npm.domain.com and npm adduser --registry https://npm.domain.com
Publish any package npm publish --registry https://npm.domain.com
Try to install that package npm install @somescope/somepackage

Expected behavior
Package @somescope/somepackage is installed successfully from the Verdaccio instance.

Actual behaviour
npm returns

npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR!     npm login

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/user/.npm/_logs/2021-03-30T14_29_19_798Z-debug.log

The contents of the mentioned logfile are:

0 info it worked if it ends with ok
1 verbose cli [
1 verbose cli   '/usr/bin/node',
1 verbose cli   '/usr/bin/npm',
1 verbose cli   'install',
1 verbose cli   '@somescope/somepackage'
1 verbose cli ]
2 info using [email protected]
3 info using [email protected]
4 verbose npm-session 7169a6db97a1df16
5 silly install loadCurrentTree
6 silly install readLocalPackageData
7 http fetch GET 200 https://npm.domain.com/@somescope%2fsomepackage 414ms
8 http fetch GET 401 https://npm.domain.com/@somescope%2fsomepackage/-/somepackage-2.1.4.tgz 61ms
9 silly fetchPackageMetaData error for @somescope/somepackage@latest Unable to authenticate, need: Basic, Bearer
10 timing stage:rollbackFailedOptional Completed in 0ms
11 timing stage:runTopLevelLifecycles Completed in 495ms
12 verbose stack Error: Unable to authenticate, need: Basic, Bearer
12 verbose stack     at /usr/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:107:17
12 verbose stack     at processTicksAndRejections (internal/process/task_queues.js:97:5)
13 verbose statusCode 401
14 verbose pkgid @somescope/somepackage@latest
15 verbose cwd /home/user/project_folder
16 verbose Linux 5.4.0-70-generic
17 verbose argv "/usr/bin/node" "/usr/bin/npm" "install" "@somescope/somepackage"
18 verbose node v12.21.0
19 verbose npm  v6.14.11
20 error code E401
21 error Unable to authenticate, your authentication token seems to be invalid.
22 error To correct this please trying logging in again with:
22 error     npm login
23 verbose exit [ 1, true ]

Configuration File (cat ~/.config/verdaccio/config.yaml)

After editing the default config, it is

#
# This is the default config file. It allows all users to do anything,
# so don't use it on production systems.
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: ./storage
# path to a directory with plugins to include
plugins: ./plugins

web:
  title: Verdaccio
  # comment out to disable gravatar support
  # gravatar: false
  # by default packages are ordercer ascendant (asc|desc)
  # sort_packages: asc
  # convert your UI to the dark side
  # darkMode: true

# translate your registry, api i18n not available yet
# i18n:
# list of the available translations https://github.com/verdaccio/ui/tree/master/i18n/translations
#   web: en-US

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    # max_users: 1000

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $authenticated
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $authenticated

    # allow all known users to publish/publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated
    unpublish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

# You can specify HTTP/1.1 server keep alive timeout in seconds for incoming connections.
# A value of 0 makes the http server behave similarly to Node.js versions prior to 8.0.0, which did not have a keep-alive timeout.
# WORKAROUND: Through given configuration you can workaround following issue https://github.com/verdaccio/verdaccio/issues/301. Set to 0 in case 60 is not enough.
server:
  keepAliveTimeout: 60

middlewares:
  audit:
    enabled: true

# log settings
logs:
  - { type: stdout, format: pretty, level: http }
  - {type: file, path: /home/verdaccio/verdaccio1.log, level: debug}

The htpasswd file is just one line generated using https://hostingcanada.org/htpasswd-generator/.

Environment information

Environment Info:

  System:
    OS: Linux 5.4 Ubuntu 18.04.5 LTS (Bionic Beaver)
    CPU: (2) x64 Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz
  Binaries:
    Node: 12.21.0 - /usr/bin/node
    npm: 6.14.11 - /usr/bin/npm
  Virtualization:
    Docker: 20.10.5 - /usr/bin/docker
  npmGlobalPackages:
    verdaccio: 4.12.0

(Verdaccio does not run in Docker even though Docker is installed.)

Debugging output

$ NODE_DEBUG=request verdaccio display request calls (verdaccio <--> uplinks)
$ DEBUG=express:* verdaccio enable extreme verdaccio debug mode (verdaccio api)
$ npm -ddd prints:
Not a valid command?
$ npm config get registry prints:
https://npm.domain.com/

I hope this debug file log is sufficient, I can find more if needed:

{"name":"verdaccio","hostname":"hostname","pid":15095,"level":40,"msg":"Verdaccio started","time":"2021-03-30T14:22:23.636Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"msg":"[local-storage/_sync]: init sync database","time":"2021-03-30T14:22:23.642Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"folderName":"/home/verdaccio/verdaccio/storage","msg":"[local-storage/_sync]: folder /home/verdaccio/verdaccio/storage created succeed","time":"2021-03-30T14:22:23.642Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"msg":"[local-storage/_sync/writeFileSync]: sync write succeed","time":"2021-03-30T14:22:23.643Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"msg":"[local-storage/_sync]: init sync database","time":"2021-03-30T14:22:23.646Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"folderName":"/home/verdaccio/verdaccio/storage","msg":"[local-storage/_sync]: folder /home/verdaccio/verdaccio/storage created succeed","time":"2021-03-30T14:22:23.647Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"msg":"[local-storage/_sync/writeFileSync]: sync write succeed","time":"2021-03-30T14:22:23.647Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":40,"content":"htpasswd","prefix":"verdaccio","msg":"Plugin successfully loaded: verdaccio-htpasswd","time":"2021-03-30T14:22:23.657Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":40,"content":"audit","prefix":"verdaccio","msg":"Plugin successfully loaded: verdaccio-audit","time":"2021-03-30T14:22:23.672Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":40,"addr":"http://localhost:4873/","version":"verdaccio/4.11.0","msg":"http address - http://localhost:4873/ - verdaccio/4.11.0","time":"2021-03-30T14:22:23.680Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":30,"req":{"method":"POST","url":"/-/v1/login","headers":{"host":"npm.domain.com:443","x-forwarded-for":"<my-ip-address>","x-forwarded-proto":"https","connection":"close","content-length":"25","user-agent":"npm/6.14.11 node/v12.21.0 linux x64","npm-in-ci":"false","npm-scope":"","npm-session":"c179fad4b414489e","referer":"adduser","content-type":"application/json","accept":"*/*","accept-encoding":"gzip,deflate"},"remoteAddress":"127.0.0.1","remotePort":58690},"ip":"127.0.0.1","msg":"127.0.0.1 requested 'POST /-/v1/login'","time":"2021-03-30T14:26:47.044Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":35,"request":{"method":"POST","url":"/-/v1/login"},"user":null,"remoteIP":"<my-ip-address> via 127.0.0.1","status":404,"bytes":{"in":25,"out":150},"msg":"404, user: null(<my-ip-address> via 127.0.0.1), req: 'POST /-/v1/login', bytes: 25/150","time":"2021-03-30T14:26:47.058Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":30,"req":{"method":"PUT","url":"/-/user/org.couchdb.user:myusername","headers":{"host":"npm.domain.com:443","x-forwarded-for":"<my-ip-address>","x-forwarded-proto":"https","connection":"close","content-length":"128","user-agent":"npm/6.14.11 node/v12.21.0 linux x64","npm-in-ci":"false","npm-scope":"","npm-session":"c179fad4b414489e","referer":"adduser","content-type":"application/json","accept":"*/*","accept-encoding":"gzip,deflate"},"remoteAddress":"127.0.0.1","remotePort":58710},"ip":"127.0.0.1","msg":"127.0.0.1 requested 'PUT /-/user/org.couchdb.user:myusername'","time":"2021-03-30T14:26:58.929Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":35,"request":{"method":"PUT","url":"/-/user/org.couchdb.user:myusername"},"user":null,"remoteIP":"<my-ip-address> via 127.0.0.1","status":409,"error":"username is already registered","bytes":{"in":128,"out":48},"msg":"409, user: null(<my-ip-address> via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:myusername', error: username is already registered","time":"2021-03-30T14:26:59.076Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":30,"req":{"method":"GET","url":"/-/user/org.couchdb.user:myusername?write=true","headers":{"host":"npm.domain.com:443","x-forwarded-for":"<my-ip-address>","x-forwarded-proto":"https","connection":"close","user-agent":"npm/6.14.11 node/v12.21.0 linux x64","npm-in-ci":"false","npm-scope":"","npm-session":"c179fad4b414489e","referer":"adduser","accept":"*/*","accept-encoding":"gzip,deflate"},"remoteAddress":"127.0.0.1","remotePort":58712},"ip":"127.0.0.1","msg":"127.0.0.1 requested 'GET /-/user/org.couchdb.user:myusername?write=true'","time":"2021-03-30T14:26:59.139Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":35,"request":{"method":"GET","url":"/-/user/org.couchdb.user:myusername?write=true"},"user":null,"remoteIP":"<my-ip-address> via 127.0.0.1","status":200,"bytes":{"in":0,"out":51},"msg":"200, user: null(<my-ip-address> via 127.0.0.1), req: 'GET /-/user/org.couchdb.user:myusername?write=true', bytes: 0/51","time":"2021-03-30T14:26:59.140Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":30,"req":{"method":"PUT","url":"/-/user/org.couchdb.user:myusername/-rev/undefined","headers":{"host":"npm.domain.com:443","x-forwarded-for":"<my-ip-address>","x-forwarded-proto":"https","connection":"close","content-length":"172","user-agent":"npm/6.14.11 node/v12.21.0 linux x64","npm-in-ci":"false","npm-scope":"","npm-session":"c179fad4b414489e","referer":"adduser","authorization":"<Classified>","content-type":"application/json","accept":"*/*","accept-encoding":"gzip,deflate"},"remoteAddress":"127.0.0.1","remotePort":58714},"ip":"127.0.0.1","msg":"127.0.0.1 requested 'PUT /-/user/org.couchdb.user:myusername/-rev/undefined'","time":"2021-03-30T14:26:59.210Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":35,"request":{"method":"PUT","url":"/-/user/org.couchdb.user:myusername/-rev/undefined"},"user":"myusername","remoteIP":"<my-ip-address> via 127.0.0.1","status":201,"bytes":{"in":172,"out":86},"msg":"201, user: myusername(<my-ip-address> via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:myusername/-rev/undefined', bytes: 172/86","time":"2021-03-30T14:26:59.445Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":30,"req":{"method":"PUT","url":"/@somescope/somepackage","headers":{"host":"npm.domain.com:443","x-forwarded-for":"<my-ip-address>","x-forwarded-proto":"https","connection":"close","content-length":"8267","user-agent":"npm/6.14.11 node/v12.21.0 linux x64","npm-in-ci":"false","npm-scope":"@somescope","npm-session":"9798c1aa1c088099","referer":"publish","authorization":"<Classified>","content-type":"application/json","accept":"*/*","accept-encoding":"gzip,deflate"},"remoteAddress":"127.0.0.1","remotePort":58936},"ip":"127.0.0.1","msg":"127.0.0.1 requested 'PUT /@somescope/somepackage'","time":"2021-03-30T14:29:07.700Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"@somescope/somepackage","msg":"publishing or updating a new version for @somescope/somepackage","time":"2021-03-30T14:29:07.813Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"@somescope/somepackage","msg":"adding a new version for @somescope/somepackage","time":"2021-03-30T14:29:07.813Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"@somescope/somepackage","msg":"[local-storage/readPackage] read a package: @somescope/somepackage","time":"2021-03-30T14:29:07.814Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"out","level":30,"method":"GET","headers":{"Accept":"application/json;","Accept-Encoding":"gzip","User-Agent":"npm (verdaccio/4.11.0)","Via":"1.1 9d34477f59b5 (Verdaccio)"},"uri":"https://registry.npmjs.org/@somescope%2somepackage","msg":"making request: 'GET https://registry.npmjs.org/@somescope%2somepackage'","time":"2021-03-30T14:29:07.816Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"out","level":35,"request":{"method":"GET","url":"https://registry.npmjs.org/@somescope%2somepackage"},"status":404,"msg":"404, req: 'GET https://registry.npmjs.org/@somescope%2somepackage' (streaming)","time":"2021-03-30T14:29:08.880Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"out","level":35,"request":{"method":"GET","url":"https://registry.npmjs.org/@somescope%2somepackage"},"status":404,"bytes":{"in":0,"out":21},"msg":"404, req: 'GET https://registry.npmjs.org/@somescope%2somepackage', bytes: 0/21","time":"2021-03-30T14:29:08.881Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"@somescope/somepackage","msg":"[local-storage/createPackage] create a package: @somescope/somepackage","time":"2021-03-30T14:29:08.882Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"eslint-config-base-2.1.4.tgz","msg":"[local-storage/writeTarball] write a tarball for package: eslint-config-base-2.1.4.tgz","time":"2021-03-30T14:29:08.890Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"@somescope/somepackage","msg":"[local-storage/savePackage] save a package: @somescope/somepackage","time":"2021-03-30T14:29:08.896Z","v":0}
{"name":"@somescope/somepackage","hostname":"hostname","pid":15095,"level":20,"msg":"[local-storage]: the private package @somescope/somepackage has been added","time":"2021-03-30T14:29:08.897Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"msg":"[local-storage/_sync]: init sync database","time":"2021-03-30T14:29:08.898Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"folderName":"/home/verdaccio/verdaccio/storage","msg":"[local-storage/_sync]: folder /home/verdaccio/verdaccio/storage created succeed","time":"2021-03-30T14:29:08.898Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"msg":"[local-storage/_sync/writeFileSync]: sync write succeed","time":"2021-03-30T14:29:08.898Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"@somescope/somepackage","msg":"[local-storage/savePackage] save a package: @somescope/somepackage","time":"2021-03-30T14:29:08.898Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"@somescope/somepackage","msg":"[local-storage/savePackage] save a package: @somescope/somepackage","time":"2021-03-30T14:29:08.900Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":35,"request":{"method":"PUT","url":"/@somescope/somepackage"},"user":"myusername","remoteIP":"<my-ip-address> via 127.0.0.1","status":201,"bytes":{"in":8267,"out":53},"msg":"201, user: myusername(<my-ip-address> via 127.0.0.1), req: 'PUT /@somescope/somepackage', bytes: 8267/53","time":"2021-03-30T14:29:08.901Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":30,"req":{"method":"GET","url":"/@somescope/somepackage","headers":{"host":"npm.domain.com:443","x-forwarded-for":"<my-ip-address>","x-forwarded-proto":"https","connection":"close","user-agent":"npm/6.14.11 node/v12.21.0 linux x64","npm-in-ci":"false","npm-scope":"","npm-session":"7169a6db97a1df16","referer":"install [REDACTED]","pacote-req-type":"packument","pacote-pkg-id":"registry:@somescope/somepackage","accept":"application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*","authorization":"<Classified>","accept-encoding":"gzip,deflate"},"remoteAddress":"127.0.0.1","remotePort":58958},"ip":"127.0.0.1","msg":"127.0.0.1 requested 'GET /@somescope/somepackage'","time":"2021-03-30T14:29:19.489Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"@somescope/somepackage","msg":"[local-storage/readPackage] read a package: @somescope/somepackage","time":"2021-03-30T14:29:19.602Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"out","level":30,"method":"GET","headers":{"Accept":"application/json;","Accept-Encoding":"gzip","User-Agent":"npm (verdaccio/4.11.0)","X-Forwarded-For":"<my-ip-address>, 127.0.0.1","Via":"1.1 9d34477f59b5 (Verdaccio)"},"uri":"https://registry.npmjs.org/@somescope%2somepackage","msg":"making request: 'GET https://registry.npmjs.org/@somescope%2somepackage'","time":"2021-03-30T14:29:19.602Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"out","level":35,"request":{"method":"GET","url":"https://registry.npmjs.org/@somescope%2somepackage"},"status":404,"msg":"404, req: 'GET https://registry.npmjs.org/@somescope%2somepackage' (streaming)","time":"2021-03-30T14:29:19.627Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"out","level":35,"request":{"method":"GET","url":"https://registry.npmjs.org/@somescope%2somepackage"},"status":404,"bytes":{"in":0,"out":21},"msg":"404, req: 'GET https://registry.npmjs.org/@somescope%2somepackage', bytes: 0/21","time":"2021-03-30T14:29:19.627Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"level":20,"packageName":"@somescope/somepackage","msg":"[local-storage/readPackage] read a package: @somescope/somepackage","time":"2021-03-30T14:29:19.628Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":35,"request":{"method":"GET","url":"/@somescope/somepackage"},"user":"myusername","remoteIP":"<my-ip-address> via 127.0.0.1","status":200,"bytes":{"in":0,"out":1215},"msg":"200, user: myusername(<my-ip-address> via 127.0.0.1), req: 'GET /@somescope/somepackage', bytes: 0/1215","time":"2021-03-30T14:29:19.633Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":30,"req":{"method":"GET","url":"/@somescope/somepackage/-/eslint-config-base-2.1.4.tgz","headers":{"host":"npm.domain.com:443","x-forwarded-for":"<my-ip-address>","x-forwarded-proto":"https","connection":"close","user-agent":"npm/6.14.11 node/v12.21.0 linux x64","npm-in-ci":"false","npm-scope":"","npm-session":"7169a6db97a1df16","referer":"install [REDACTED]","pacote-req-type":"tarball","pacote-pkg-id":"registry:@somescope/somepackage@https://npm.domain.com:443/@somescope%2somepackage/-/eslint-config-base-2.1.4.tgz","accept":"*/*"},"remoteAddress":"127.0.0.1","remotePort":58960},"ip":"127.0.0.1","msg":"127.0.0.1 requested 'GET /@somescope/somepackage/-/eslint-config-base-2.1.4.tgz'","time":"2021-03-30T14:29:19.708Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":15095,"sub":"in","level":35,"request":{"method":"GET","url":"/@somescope/somepackage/-/eslint-config-base-2.1.4.tgz"},"user":null,"remoteIP":"<my-ip-address> via 127.0.0.1","status":401,"error":"authorization required to access package @somescope/somepackage","bytes":{"in":0,"out":90},"msg":"401, user: null(<my-ip-address> via 127.0.0.1), req: 'GET /@somescope/somepackage/-/eslint-config-base-2.1.4.tgz', error: authorization required to access package @somescope/somepackage","time":"2021-03-30T14:29:19.710Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":40,"msg":"Verdaccio started","time":"2021-03-30T14:32:07.817Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":20,"msg":"[local-storage/_sync]: init sync database","time":"2021-03-30T14:32:07.825Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":20,"folderName":"/home/verdaccio/verdaccio/storage","msg":"[local-storage/_sync]: folder /home/verdaccio/verdaccio/storage created succeed","time":"2021-03-30T14:32:07.826Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":20,"msg":"[local-storage/_sync/writeFileSync]: sync write succeed","time":"2021-03-30T14:32:07.826Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":20,"msg":"[local-storage/_sync]: init sync database","time":"2021-03-30T14:32:07.830Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":20,"folderName":"/home/verdaccio/verdaccio/storage","msg":"[local-storage/_sync]: folder /home/verdaccio/verdaccio/storage created succeed","time":"2021-03-30T14:32:07.830Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":20,"msg":"[local-storage/_sync/writeFileSync]: sync write succeed","time":"2021-03-30T14:32:07.830Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":40,"content":"htpasswd","prefix":"verdaccio","msg":"Plugin successfully loaded: verdaccio-htpasswd","time":"2021-03-30T14:32:07.838Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":40,"content":"audit","prefix":"verdaccio","msg":"Plugin successfully loaded: verdaccio-audit","time":"2021-03-30T14:32:07.861Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":20,"packageName":"@somescope/somepackage","msg":"[local-storage/readPackage] read a package: @somescope/somepackage","time":"2021-03-30T14:32:07.866Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":20,"packageName":"@somescope/somepackage","msg":"[local-storage/readPackage] read a package: @somescope/somepackage","time":"2021-03-30T14:32:07.867Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"level":40,"addr":"http://localhost:4873/","version":"verdaccio/4.12.0","msg":"http address - http://localhost:4873/ - verdaccio/4.12.0","time":"2021-03-30T14:32:07.871Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"sub":"in","level":30,"req":{"method":"POST","url":"/-/npm/v1/security/audits/quick","headers":{"host":"npm.domain.com:443","x-forwarded-for":"<my-ip-address>","x-forwarded-proto":"https","connection":"close","content-length":"270","user-agent":"npm/6.14.11 node/v12.21.0 linux x64","npm-in-ci":"false","npm-scope":"","npm-session":"c7f4a2e8d78d7536","referer":"dedupe","authorization":"<Classified>","content-type":"application/json","content-encoding":"gzip","accept":"*/*","accept-encoding":"gzip,deflate"},"remoteAddress":"127.0.0.1","remotePort":59464},"ip":"127.0.0.1","msg":"127.0.0.1 requested 'POST /-/npm/v1/security/audits/quick'","time":"2021-03-30T14:34:06.253Z","v":0}
{"name":"verdaccio","hostname":"hostname","pid":16957,"sub":"in","level":35,"request":{"method":"POST","url":"/-/npm/v1/security/audits/quick"},"user":null,"remoteIP":"<my-ip-address> via 127.0.0.1","status":200,"bytes":{"in":270,"out":145},"msg":"200, user: null(<my-ip-address> via 127.0.0.1), req: 'POST /-/npm/v1/security/audits/quick', bytes: 270/145","time":"2021-03-30T14:34:06.516Z","v":0}

Just the request log of Verdaccio from Systemd logs is:

Mar 30 14:22:23 servername verdaccio[15095]:  warn --- config file  - /home/verdaccio/verdaccio/config.yaml
Mar 30 14:22:23 servername verdaccio[15095]:  warn --- Verdaccio started
Mar 30 14:22:23 servername verdaccio[15095]:  warn --- Plugin successfully loaded: verdaccio-htpasswd
Mar 30 14:22:23 servername verdaccio[15095]:  warn --- Plugin successfully loaded: verdaccio-audit
Mar 30 14:22:23 servername verdaccio[15095]:  warn --- http address - http://localhost:4873/ - verdaccio/4.11.0
Mar 30 14:26:47 servername verdaccio[15095]:  http <-- 404, user: null(<my-ip-address> via 127.0.0.1), req: 'POST /-/v1/login', bytes: 25/150
Mar 30 14:26:59 servername verdaccio[15095]:  http <-- 409, user: null(<my-ip-address> via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:user', error: username is already registered
Mar 30 14:26:59 servername verdaccio[15095]:  http <-- 200, user: null(<my-ip-address> via 127.0.0.1), req: 'GET /-/user/org.couchdb.user:user?write=true', bytes: 0/51
Mar 30 14:26:59 servername verdaccio[15095]: (node:15095) [DEP0106] DeprecationWarning: crypto.createCipher is deprecated.
Mar 30 14:26:59 servername verdaccio[15095]:  http <-- 201, user: user(<my-ip-address> via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:user/-rev/undefined', bytes: 172/86
Mar 30 14:29:08 servername verdaccio[15095]:  http --> 404, req: 'GET https://registry.npmjs.org/@somescope%2Fsomepackage' (streaming)
Mar 30 14:29:08 servername verdaccio[15095]:  http --> 404, req: 'GET https://registry.npmjs.org/@somescope%2Fsomepackage', bytes: 0/21
Mar 30 14:29:08 servername verdaccio[15095]:  http <-- 201, user: user(<my-ip-address> via 127.0.0.1), req: 'PUT /@somescope/somepackage', bytes: 8267/53
Mar 30 14:29:19 servername verdaccio[15095]:  http --> 404, req: 'GET https://registry.npmjs.org/@somescope%2Fsomepackage' (streaming)
Mar 30 14:29:19 servername verdaccio[15095]:  http --> 404, req: 'GET https://registry.npmjs.org/@somescope%2Fsomepackage', bytes: 0/21
Mar 30 14:29:19 servername verdaccio[15095]:  http <-- 200, user: user(<my-ip-address> via 127.0.0.1), req: 'GET /@somescope/somepackage', bytes: 0/1215
Mar 30 14:29:19 servername verdaccio[15095]:  http <-- 401, user: null(<my-ip-address> via 127.0.0.1), req: 'GET /@somescope/somepackage/-/eslint-config-base-2.1.4.tgz', error: authorization required to access package @somescope/somepackage

Answered by juanpicado

Mar 30, 2021

I see user=null in your log, seems you are missing always-auth = true in your .npmrc file.

View full answer

juanpicado · 2021-03-30T19:56:58Z

juanpicado
Mar 30, 2021
Maintainer

I see user=null in your log, seems you are missing always-auth = true in your .npmrc file.

0 replies

MiK546 · 2021-03-31T08:10:19Z

MiK546
Mar 31, 2021
Author

Yeah, that seems to have fixed it. I guess npm by default doesn't authenticate GET requests, didn't know that. Thank you for the help!

1 reply

juanpicado Mar 31, 2021
Maintainer

Thanks for posting so detailed ticket, it is much easier to triage and help.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verdaccio

Unable to install packages if access is limited to authenticated #2152

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Verdaccio

Unable to install packages if access is limited to authenticated #2152

MiK546 Mar 30, 2021

Replies: 2 comments · 1 reply

juanpicado Mar 30, 2021 Maintainer

MiK546 Mar 31, 2021 Author

juanpicado Mar 31, 2021 Maintainer

MiK546
Mar 30, 2021

Replies: 2 comments 1 reply

juanpicado
Mar 30, 2021
Maintainer

MiK546
Mar 31, 2021
Author

juanpicado Mar 31, 2021
Maintainer