verdaccio-htpasswd
The verdaccio-htpasswd package is a plugin for Verdaccio, a lightweight private npm proxy registry. This plugin allows you to manage user authentication using htpasswd files, which is a simple way to store usernames and passwords for HTTP authentication.
User Authentication
This feature allows you to authenticate users against an htpasswd file. The code sample demonstrates how to set up the htpasswd plugin and authenticate a user.
```js
const Htpasswd = require('verdaccio-htpasswd');
// Plugin options, the same keys that appear under auth.htpasswd in config.yaml.
// When Verdaccio itself loads the plugin it also passes a second argument
// carrying the registry config and logger.
const config = { file: './htpasswd', max_users: 1000 };
const htpasswd = new Htpasswd(config);
htpasswd.authenticate('username', 'password', (err, user) => {
  if (err) {
    console.error('Authentication failed:', err);
  } else {
    console.log('Authenticated user:', user);
  }
});
```
User Registration
This feature allows you to register new users by adding them to the htpasswd file. The code sample demonstrates how to add a new user.
```js
const Htpasswd = require('verdaccio-htpasswd');
// max_users caps how many accounts may self-register; -1 disables registration.
const config = { file: './htpasswd', max_users: 1000 };
const htpasswd = new Htpasswd(config);
htpasswd.adduser('newuser', 'newpassword', (err, user) => {
  if (err) {
    console.error('User registration failed:', err);
  } else {
    console.log('Registered user:', user);
  }
});
```
Password Management
This feature allows you to change the password of an existing user. The code sample demonstrates how to change a user's password.
```js
const Htpasswd = require('verdaccio-htpasswd');
const config = { file: './htpasswd', max_users: 1000 };
const htpasswd = new Htpasswd(config);
// changePassword takes the current password as well as the new one; the
// current password is verified before the htpasswd row is rewritten.
htpasswd.changePassword('username', 'password', 'newpassword', (err) => {
  if (err) {
    console.error('Password change failed:', err);
  } else {
    console.log('Password changed successfully');
  }
});
```
The htpasswd package is a simple utility for managing htpasswd files. It provides basic functionalities like adding and deleting users, but it does not integrate directly with Verdaccio like verdaccio-htpasswd does.
The http-auth package provides HTTP Basic and Digest authentication for Node.js. While it offers more advanced authentication mechanisms, it does not specifically integrate with Verdaccio for npm registry authentication.
The express-basic-auth package is a simple middleware for basic authentication in Express.js applications. It is useful for protecting routes with basic auth but does not offer the same level of integration with Verdaccio as verdaccio-htpasswd.
verdaccio-htpasswd is the default authentication plugin for Verdaccio. Since v3.0.0-beta.x the plugin is pulled in as a dependency; v2.x still ships it built-in.
As simple as running:

```sh
$ npm install -g verdaccio-htpasswd
```
```yaml
auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+infinity".
    # You can set this to -1 to disable registration.
    #max_users: 1000
    # Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
    #algorithm: bcrypt
    # Rounds number for "bcrypt", will be ignored for other algorithms.
    # Setting this value higher will result in password verification taking longer.
    #rounds: 10
    # Log a warning if the password takes more than this duration in milliseconds to verify.
    #slow_verify_ms: 200
```
It is important to note that when using the default bcrypt algorithm and setting the rounds configuration value higher than the default of 10, verification of a user password can cause significantly increased CPU usage and additional latency in processing requests.

If your Verdaccio instance handles a large number of authenticated requests using username and password for authentication, the rounds configuration value may need to be decreased to prevent excessive CPU usage and request latency.

Also note that setting the rounds configuration value too low increases the risk of a successful brute force attack. Auth0 has a blog article that provides an overview of how bcrypt hashing works and some best practices.
To log in using NPM, run:

```sh
npm adduser --registry https://your.registry.local
```
If you wish to handle access control using an htpasswd file, you can generate a username/password combination from here and add it to the htpasswd file.

The htpasswd file contains one row per user: the username and the password separated by a colon character. The password is encrypted using the UNIX system's crypt method and may use MD5 or SHA1.

There are many ways to extend Verdaccio; currently it supports authentication plugins, middleware plugins (since v2.7.0) and storage plugins (since v3.x).
FAQs
htpasswd auth plugin for Verdaccio
We found that verdaccio-htpasswd demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.