verdaccio-gitlab
private npm registry (Verdaccio) using gitlab-ce as authentication and authorization provider
Use GitLab Community Edition as authentication provider for the private npm registry Verdaccio, the sinopia fork.
The main goal and differences from other sinopia/verdaccio plugins are the following:
This is experimental!
You need at least node version 8.x.x, codename carbon.
```sh
git clone https://github.com/bufferoverflow/verdaccio-gitlab.git
cd verdaccio-gitlab
yarn install
yarn start
```
NOTE: Define the http_proxy environment variable if you are behind a proxy.
Verdaccio is now up and running. In order to see this plugin in action, you can
use the following Verdaccio configuration in your ~/.config/verdaccio/config.yaml.
```yaml
# Verdaccio storage location relative to $HOME/.config/verdaccio
storage: ./storage

listen:
  - 0.0.0.0:4873

auth:
  gitlab:
    url: https://gitlab.com

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $maintainer
    proxy: npmjs
    gitlab: true
  '**':
    access: $all
    publish: $maintainer
    proxy: npmjs
    gitlab: true

# Log level can be changed to info, http etc. for less verbose output
logs:
  - {type: stdout, format: pretty, level: debug}
```
Restart Verdaccio and authenticate into it with your credentials
using the Web UI http://localhost:4873 or via npm CLI:

```sh
yarn login --registry http://localhost:4873
```

and publish packages:

```sh
yarn publish --registry http://localhost:4873
```
Access and publish access rights are mapped following the rules below.
verdaccio-gitlab access control will only be applied to package sections that
are marked with gitlab: true as in the configuration sample above. If you
wish to disable gitlab authentication to any package config, just remove the
element from the config.
access is allowed depending on the following verdaccio package configuration
directives:
- $all or $anonymous access levels at the package group definition

Please note that no group or package name mapping is applied on access; any user successfully authenticated can access all packages.
publish is allowed if:
For 2. and 3., the GitLab user must have the access rights on the group or
project as specified in the auth.gitlab.publish setting.
For instance, assuming the following configuration:

```yaml
auth:
  gitlab:
    publish: $maintainer
```

The GitLab user sample_user has access to:

- group1 as $maintainer
- group2 as $reporter
- group3/project as $maintainer

Then this user would be able to publish:

- sample_user
- group1
- @group1/**
- @group3/project

There would be an error if the user tried to publish any package under @group2/**.
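The following is an added illustration of the publish mapping just described (username, group name, scoped group packages, and group/project paths, gated by the auth.gitlab.publish minimum level); it is not the plugin's own code, and the `user.groups` shape and the `canPublish` name are assumptions made for the example.

```javascript
// Added example: decide whether a GitLab user may publish a given package name.
// Not verdaccio-gitlab's implementation; the user object shape is assumed.
// Access levels in ascending order, matching the accepted values of auth.gitlab.publish.
const LEVELS = { $guest: 10, $reporter: 20, $developer: 30, $maintainer: 40, $owner: 50 };

// user:     { name: 'sample_user', groups: { 'group1': '$maintainer', 'group3/project': '$maintainer' } }
// minLevel: the auth.gitlab.publish setting, e.g. '$maintainer'
// pkgName:  the npm package name being published, e.g. '@group1/tool'
function canPublish(user, minLevel, pkgName) {
  const required = LEVELS[minLevel];
  if (required === undefined) throw new Error(`unknown access level ${minLevel}`);

  // Rule 1: an unscoped package named exactly like the GitLab username.
  if (pkgName === user.name) return true;

  // Split '@scope/name' into scope and name; unscoped packages have no scope.
  const m = /^(?:@([^/]+)\/)?([^/]+)$/.exec(pkgName);
  if (!m) return false;
  const [, scope, name] = m;

  for (const [path, level] of Object.entries(user.groups)) {
    // Membership below the configured minimum does not count (e.g. $reporter on group2).
    if ((LEVELS[level] || 0) < required) continue;
    const parts = path.split('/');
    if (parts.length === 1) {
      // Rule 2: a top-level group grants the bare name 'group1' and anything under '@group1/'.
      if (pkgName === parts[0] || scope === parts[0]) return true;
    } else if (parts.length === 2 && scope === parts[0] && name === parts[1]) {
      // Rule 3: the project path 'group3/project' maps to the scoped package '@group3/project'.
      return true;
    }
  }
  return false;
}

// Constructed sample user mirroring the README's example.
const sampleUser = {
  name: 'sample_user',
  groups: { group1: '$maintainer', group2: '$reporter', 'group3/project': '$maintainer' },
};

module.exports = { LEVELS, canPublish, sampleUser };
```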
The full set of configuration options is:
```yaml
auth:
  gitlab:
    url: <url>
    authCache:
      enabled: <boolean>
      ttl: <integer>
    publish: <string>
```
| Option | Default | Type | Description |
|---|---|---|---|
| url | <empty> | url | mandatory, the url of the gitlab server |
| authCache: enabled | true | boolean | activate in-memory authentication cache |
| authCache: ttl | 300 (0=unlimited) | integer | time-to-live of entries in the authentication cache, in seconds |
| publish | $maintainer | [$guest, $reporter, $developer, $maintainer, $owner] | group minimum access level of the logged in user required for npm publish operations |
In order to avoid too many authentication requests to the underlying gitlab instance, the plugin provides an in-memory cache that will save the detected groups of the users for a configurable ttl in seconds.
No clear-text password is saved in memory, just a SHA-256 hash of the user+password, plus the groups information.
By default, the cache will be enabled and the credentials will be stored for 300 seconds. The ttl is checked on access, but there's also an internal timer that will check expired values regularly, so data of users not actively interacting with the system will also be eventually invalidated.
Please note that this implementation is in-memory and not multi-process; if the cluster module is used for starting several verdaccio processes, each process will store its own copy of the cache, so each user will actually be logged in multiple times.
```sh
git clone https://github.com/bufferoverflow/verdaccio-gitlab.git
cd verdaccio-gitlab
docker-compose up --build -d
```

Log in as user root with password verdaccio on GitLab via http://localhost:50080.

The Dockerfile provides a default configuration file
that is internally available under /verdaccio/conf/config.yaml. In order
to overwrite this configuration you can provide your own file and mount it
on docker startup with the --volume option, or an equivalent mechanism
(e.g. ConfigMaps on Kubernetes / OpenShift with the
helm chart).
Please adhere to the verdaccio community guidelines and run all the tests before creating a PR. The commit message shall follow the conventional changelog as it is enforced via a local commit hook using husky and the @commitlint/config-conventional rule set.
PRs that do not pass CI will not be reviewed.
Run one of the following commands to create a release:

```sh
yarn release:major
yarn release:minor
yarn release:patch
```

finally run

```sh
yarn publish
```

In order to run functional tests with debug output, set the
VERDACCIO_DEBUG=true environment variable,
as documented by verdaccio:

```sh
VERDACCIO_DEBUG=true yarn test:functional
```
FAQs
The npm package verdaccio-gitlab receives a total of 24 weekly downloads. As such, verdaccio-gitlab popularity was classified as not popular.
We found that verdaccio-gitlab demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.