private NPM repository: block it from unauthorized access?


Matthias Bleyl

Mar 29, 2014, 6:29:50 PM
to nod...@googlegroups.com

We set up a private NPM repository with some success:

* the repository seems to work fine
* it is possible to publish packages into the repository
* it is possible to install packages from the repository

However, it seems for the moment that EVERYBODY (knowing our repository) would be able to publish packages there, and that EVERYBODY would be able to install packages from our repository?

Our idea is of course to restrict the access to authorized users only - but how to do it?

I found some discussions on the net but no clear answers.

What can we do to block our private repository from unauthorized access by other users?

Matthias Götzke

Mar 30, 2014, 4:37:39 PM
to nod...@googlegroups.com
You should use always-auth true with npm and configure couch to require auth for all access (see config of couchdb)

Alex Kocharin

Mar 30, 2014, 5:16:31 PM
to nod...@googlegroups.com
 
No better solution yet?
 
Sending passwords each time isn't a very good idea, so I wonder if anybody had any success in adding some kind of a temporary token.
 
 
31.03.2014, 00:37, "Matthias Götzke" <mgt...@gmail.com>:
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to nod...@googlegroups.com
To unsubscribe from this group, send email to
nodejs+un...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en


Nathan White

Mar 30, 2014, 7:16:54 PM
to nod...@googlegroups.com
I came across http://cnpmjs.org the other day. It is open sourced - https://github.com/cnpm/cnpmjs.org. Pinned to some backend decisions like MySQL right now but seems to be a good alternative/solution.

I suspect we will start seeing more cloud providers for this problem soon. There are already a few depending on your criteria.

Alex Kocharin

Mar 30, 2014, 7:46:22 PM
to nod...@googlegroups.com
 
I'm talking about basic auth and "always-auth" configuration in *all* npm-compatible private repositories.
 
Ideally, npm should communicate with the registry using private/public keypair (reuse ~/.ssh/id_rsa maybe)? And I'm asking if somebody already did something in that direction.
 
-----
 
About cnpmjs, if you are a small company, and have very few packages, you don't have to use a database at all. As I said earlier, install Sinopia and store all your packages on the hard disk. If it isn't enough, and you have performance/scalability issues with it, use CouchDB, and proxy public packages using npm-delegate. MySQL is neither simple nor scalable enough, and using it to store json data sounds like a bad idea.
 
Also, cloud providers don't make sense here. If your data is public, you can use registry.npmjs.org. If your data is private, you shouldn't put it into the cloud.
 
 
31.03.2014, 03:17, "Nathan White" <change...@gmail.com>: