passport-npm
Passport strategy for authenticating an npm client.
usage
const NPMStrategy NPMStrategyErrorHandler = ;
// check the login of a user and create a user object
// set user to `false` if login is invalid
{ ;}
// creates a string for `npm` to store in user .npmrc
// send a falsey string to not use tokens (not recommended)
//
// use this to prevent `npm` from storing username and password on disk
// commonly used to store an access token
{ }
// similar to `authenticate`
//
// consumes the result token string serializeToken
{ ;}
passport;
router;
Recommended npm configuration
In your project repositories wishing to connect to the npm authenticated server place a local $PROJECT/.npmrc file with:
registry=http://path.to.server.local:1337/
always-auth=true
Then run npm login to put your authentication information in your user configuration at ~/.npmrc.
This will keep your login information outside of your project.
Why [de]serializeNPMToken and not passport.[de]serializeUser?
npm uses the authorization: HTTP header and bearer tokens instead of Cookies. Passport only supports cookie based sessions normally. They are not named [de]serializeUser to avoid confusion with passport based sessions.
Why router?
This is required so that users can use npm login against your router. It is optional, but recommended if you support basic auth.
Why NPMStrategyErrorHandler?
npm expects a JSON response for failed logins, Passport sends back plaintext. This middleware will correct errors to a format npm understands and stop propagating the error. It expects error.status to be the expected status code and error.message to be a message (Note: the npm cli often ignores custom messages).
Don't want to support tokens for npm?
Not recommended, but:
- mandate always-auth=true for your npm configuration
- ensure your ~/.npmrc has login (_auth and email) information entered in it properly.
- create a deserializeToken method that always generates a falsey user
- you must still have serializeToken successfully generate a falsey token (it will be thrown away after authentication)
Don't want to support basic auth for npm?
- Manually add your _authToken to your .npmrc file with syntax like:
  //my.registry.invalid/:_authToken="string to pass to deserializeToken"
- create an authenticate method that always generates a falsey user.
- create a serializeToken method that always generates an Error.
Local testing
# startup
PORT=8080 node example.js
npm login --registry=http://localhost:8080/
# username = user
# password = pass
# email = # ignored
npm --registry=http://localhost:8080/ install passport-npm
npm doesn't always show the error messages I send
Correct, this is a feature of the npm client and not related to passport-npm.
npm is always sending basic auth
This is most likely caused by your ~/.npmrc user config having authentication information in it. Try npm logout then npm login.
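To check which credentials a given .npmrc would make npm send, and to confirm that a project-level file holds none, the following added example (not part of passport-npm) parses .npmrc text and reports the Authorization scheme per registry scope. It serves both the recommended configuration and this troubleshooting entry; the function names, file contents and token value are constructed for illustration.

```javascript
// Added example, not passport-npm code. File contents below are constructed.

// Parse ini-style .npmrc text into [key, value] pairs, skipping comments.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line[0] === '#' || line[0] === ';' || eq === -1) continue;
    const value = line.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    entries.push([line.slice(0, eq).trim(), value]);
  }
  return entries;
}

// Credential keys an .npmrc can carry, mapped to the scheme they produce.
const SCHEME = { _authToken: 'Bearer', _auth: 'Basic', _password: 'Basic' };

// Returns { schemes: { scope: [scheme, ...] }, findings: [string, ...] }.
// `projectLevel` marks a $PROJECT/.npmrc, which should hold no credentials.
function auditNpmrc(text, { projectLevel = false } = {}) {
  const schemes = {};
  const findings = [];
  for (const [key] of parseNpmrc(text)) {
    const m = /^(?:(\/\/.*\/):)?(_authToken|_auth|_password)$/.exec(key);
    if (!m) continue;
    const scope = m[1] || '(unscoped)';
    const scheme = SCHEME[m[2]];
    schemes[scope] = schemes[scope] || [];
    if (!schemes[scope].includes(scheme)) schemes[scope].push(scheme);
    if (projectLevel) findings.push(`${m[2]} for ${scope} is stored in the project .npmrc`);
    if (scheme === 'Basic') findings.push(`${scope} will send basic auth (${m[2]} present)`);
  }
  return { schemes, findings };
}

const projectNpmrc = 'registry=http://path.to.server.local:1337/\nalways-auth=true\n';
const userNpmrc = [
  '; constructed sample of a user-level ~/.npmrc',
  '//path.to.server.local:1337/:_authToken="constructed-token-value"',
  '//localhost:8080/:_auth=dXNlcjpwYXNz', // base64 of the test login user:pass
].join('\n');

console.log(auditNpmrc(projectNpmrc, { projectLevel: true }));
console.log(auditNpmrc(userNpmrc));
```

A scope that reports Basic is one where npm logout followed by npm login should replace the stored login with a token, provided serializeToken returns one.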
Does this work with yarn?
Currently, we cannot reliably set up configuration for yarn due to lacking options that match the npm client to perform integration tests. It does appear to work though at least naively.