
Authentication

The authentication settings are closely tied to the "Auth" plugin. Package access restrictions are also controlled through Package Access.

Client-side authentication is handled by npm itself. Once you log in to the application:

npm adduser --registry http://localhost:4873

npm stores the token returned by Verdaccio in a configuration file located in your user home directory. For more information about npm configuration (.npmrc), see the official documentation.

cat .npmrc
registry=http://localhost:5555/
//localhost:5555/:_authToken="secretVerdaccioToken"
//registry.npmjs.org/:_authToken=secretNpmjsToken

Anonymous publish

Verdaccio allows you to enable anonymous publish. To use this feature, you need to set your package access correctly.

For example:

  'my-company-*':
    access: $anonymous
    publish: $anonymous
    proxy: npmjs

As described in issue #212, as of npm@5.3.0 you still cannot publish a package without a token.

Understanding Groups

The meaning of $all and $anonymous

As you know, Verdaccio uses htpasswd by default. That plugin does not implement the methods allow_access, allow_publish and allow_unpublish. Thus, Verdaccio will handle that in the following way:

  • If you are not logged in (you are anonymous), $all and $anonymous mean exactly the same.
  • If you are logged in, $anonymous won't be part of your groups and $all will match any logged-in user. A new group $authenticated will be added to your group list.

As a takeaway, $all will match all users, whether they are logged in or not.

The previous behavior only applies to the default authentication plugin. If you are using a custom plugin and that plugin implements allow_access, allow_publish or allow_unpublish, the resolution of the access depends on the plugin itself. Verdaccio will only set the default groups.

Let's recap:

  • logged: $all, $authenticated, + groups added by the plugin
  • anonymous (logged out): $all and $anonymous.
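The group rules above can be turned into a configuration audit that lists every package pattern a logged-out client may publish to. This is an added example, not Verdaccio's own code: the function names and the sample `packages` object are constructed for illustration, and treating a rule value as a space-separated list of groups is an assumption.

```javascript
// Default groups as described on this page for the default htpasswd plugin.
// user: null when logged out, or { groups: [...] } with plugin-provided groups.
function defaultGroups(user) {
  if (!user) return ['$all', '$anonymous'];
  return ['$all', '$authenticated', ...(user.groups || [])];
}

// Assumption: a rule is one group name or a space-separated list of them.
function ruleGroups(value) {
  if (Array.isArray(value)) return value;
  return String(value || '').split(/\s+/).filter(Boolean);
}

// True when at least one of the user's groups appears in the rule.
function isAllowed(user, rule) {
  const mine = defaultGroups(user);
  return ruleGroups(rule).some((group) => mine.includes(group));
}

// Report each pattern whose action is open to a logged-out client.
// Rules that are not set on a pattern are skipped, not guessed.
function auditAnonymous(packages, actions = ['publish', 'unpublish']) {
  const findings = [];
  for (const [pattern, rules] of Object.entries(packages)) {
    for (const action of actions) {
      if (rules[action] !== undefined && isAllowed(null, rules[action])) {
        findings.push({ pattern, action, rule: rules[action] });
      }
    }
  }
  return findings;
}

// Constructed sample: the "packages" section of a config as a plain object.
const samplePackages = {
  'my-company-*': { access: '$anonymous', publish: '$anonymous', proxy: 'npmjs' },
  '@internal/*': { access: '$authenticated', publish: '$authenticated' },
  '**': { access: '$all', publish: '$all', proxy: 'npmjs' },
};

for (const f of auditAnonymous(samplePackages)) {
  console.log(`${f.pattern}: ${f.action} is open to anonymous users (${f.rule})`);
}
```

The `'**'` entry is flagged because `$all` also matches logged-out users, so `publish: $all` is as open as `publish: $anonymous`.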

Default htpasswd

In order to simplify the setup, Verdaccio uses a plugin based on htpasswd. Since version v3.0.x the verdaccio-htpasswd plugin is used by default.

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    #max_users: 1000
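| Property | Type | Required | Example | Support | Description |
| file | string | | ./htpasswd | all | htpasswd file that stores the encrypted credentials |
| max_users | number | | 1000 | all | maximum number of users |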

To disable registration of new users, set max_users: -1 in the configuration.