Meta: As requested in the bug template and because I'm not sure if this is a bug or just not fully implemented, I'm creating a discussion. Please feel free to convert to a bug or feature request.
I created a token using the npm token create --cidr="[...]" --registry [...] command. By looking at the verdaccio-db.json, I can verify that the CIDRs have been set:
However, the usage of the token seems not to be restricted to the specified CIDRs of the allowlist.
I can authenticate using the token from other IPs than the specified ones and the npm token list --registry [...] command doesn't output any of the CIDRs:
Publish token <redacted>… with id <redacted> created 2025-01-08
According to the official docs, the output should look like:
Publish token npm_af… with id c03241 created 2017-10-02
with IP Whitelist: 192.168.0.1/24
I'm using the containerized Verdaccio, version 6.0.5, with a freshly converted 32-bit secret and the htpasswd auth plugin.
Is this part of the token auth logic not yet implemented or is it a bug? (Or am I missing something? I don't want to rule out this possibility, of course.)
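The check the post expects to be applied when a CIDR-restricted token is presented, as an added example that is not part of the original post and is not Verdaccio's code. The token record shape (`{ cidr: [...] }`) and all function names are assumptions; the sketch covers IPv4 ranges only, denies anything it cannot parse, and treats an empty list as unrestricted.

```javascript
// Added example, not Verdaccio's code. The token record shape ({ cidr: [...] })
// and the function names are assumptions made for illustration.
const net = require('node:net');

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// Dual-stack listeners report IPv4 peers as "::ffff:a.b.c.d"; unwrap that form.
function normalizeIp(ip) {
  const m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  return m ? m[1] : ip;
}

// True when ip lies inside cidr ("a.b.c.d/n"). Host bits in the network part
// are masked off, so "192.168.0.1/24" covers 192.168.0.0 to 192.168.0.255.
function ipv4InCidr(ip, cidr) {
  const parts = cidr.split('/');
  if (parts.length > 2 || !/^\d{1,2}$/.test(parts[1] ?? '32')) return false;
  const bits = Number(parts[1] ?? '32');
  if (bits > 32 || !net.isIPv4(ip) || !net.isIPv4(parts[0])) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(parts[0]) & mask) >>> 0);
}

// Decide whether a request from remoteIp may use the token.
// Assumption: a missing or empty cidr list means the token is unrestricted.
function tokenAllowedFrom(token, remoteIp) {
  const allowlist = token.cidr || [];
  if (allowlist.length === 0) return true;
  const ip = normalizeIp(remoteIp);
  // IPv6 peers and malformed entries never match, so they are denied.
  return allowlist.some((cidr) => ipv4InCidr(ip, cidr));
}

// Constructed sample record using the range shown in the npm docs output.
const sampleToken = { cidr: ['192.168.0.1/24'] };
console.log(tokenAllowedFrom(sampleToken, '192.168.0.77'));         // true
console.log(tokenAllowedFrom(sampleToken, '::ffff:192.168.0.200')); // true
console.log(tokenAllowedFrom(sampleToken, '192.168.1.5'));          // false
console.log(tokenAllowedFrom(sampleToken, '2001:db8::1'));          // false
```

In a containerized deployment the socket's remote address is often that of a proxy or bridge, so a check like this is only meaningful on a client IP taken from a trusted source.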