/-/all endpoint doesn't use access groups
Describe the bug
We’re using the simple htpasswd auth plugin currently. Tried using https://github.com/btshj-snail/snail-verdaccio-group/ but unfortunately couldn’t get it to work yet, so we ended up with just regular lists of users instead of groups.
However, it seems that the /-/all endpoint stopped working - expectation here would be that authenticated users get all packages they are authenticated for when using that endpoint, but instead no packages are returned for anyone now (even if that person has explicit access to all packages).
To Reproduce
Set up explicit access instead of using $all or $authenticated:
'**':
  # scoped packages
  access: user-01 user-02
  publish: user-01
  unpublish: user-01
- Log in to the web backend or through npm
- Use the /-/all endpoint and see that it’s empty
The same happens with explicit package access. The web interface lists the correct results, just that (important) all endpoint isn’t working (which is important since we’re using this with Unity Package Manager which accesses that endpoint to determine which packages it allows to download).
Expected behavior
user-01 and user-02 see all packages in /-/all endpoint
Actual behavior
/-/all endpoint is empty
EDIT: it seems the search endpoint, on the other hand, always returns all packages, also ignoring any auth! This is so weird.
EDIT 2: to summarize:
- current auth does not influence the outcome of search and /all
- search always returns all packages
- /all always returns 0 packages (unless for packages where $all is used)
- web interface lists the correct packages the user has auth for
Issue Analytics
- Created 3 years ago
- Comments: 14 (8 by maintainers)
Top GitHub Comments
Sorry, didn’t get to it yet, will try over the next week
This reproduces easily with the default Verdaccio configuration (with htpasswd) when you remove “$all”, “$authenticated” and replace them by explicit user name lists
- /all returns nothing
- /search still returns everything even when not authenticated
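
As an added example (not code from Verdaccio or from anyone in this thread), the sketch below audits what a listing endpoint returned against the configured access lists, flagging both packages listed without access and packages hidden despite access. The session group names, the first-match rule, the simplified glob matcher and the package names are assumptions made for the illustration.

```javascript
// Constructed policy mirroring the issue's config. Modelled here as
// "first matching pattern decides", which is an assumption of this sketch.
const packagesPolicy = [{ pattern: '**', access: ['user-01', 'user-02'] }];

// Groups a session carries besides the user name (assumed from the $all,
// $authenticated and $anonymous keywords); null means not logged in.
function groupsFor(user) {
  return user
    ? [user, '$all', '$authenticated', '@all', '@authenticated', 'all']
    : ['$all', '$anonymous', '@all', '@anonymous'];
}

// Minimal glob matcher standing in for the registry's real pattern matching:
// any run of '*' matches any characters, everything else is literal.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*+/g, '.*') + '$');
}

function canAccess(user, pkg, policy) {
  const rule = policy.find((r) => globToRegExp(r.pattern).test(pkg));
  if (!rule) return false;
  const groups = groupsFor(user);
  return rule.access.some((g) => groups.includes(g));
}

// Compare the names an endpoint returned with what the policy allows `user`.
function auditListing(user, allPackages, returned, policy) {
  const allowed = allPackages.filter((p) => canAccess(user, p, policy));
  return {
    leaked: returned.filter((p) => !allowed.includes(p)), // listed without access
    missing: allowed.filter((p) => !returned.includes(p)), // hidden despite access
  };
}

// Constructed package names; the responses reproduce the behaviour reported above.
const allPackages = ['@acme/core', '@acme/ui', 'left-tool'];
const allEndpoint = auditListing('user-01', allPackages, [], packagesPolicy);
const searchAnon = auditListing(null, allPackages, allPackages, packagesPolicy);
console.log('/-/all as user-01:', allEndpoint);
console.log('search, anonymous:', searchAnon);
```

A non-empty `missing` list corresponds to the empty /-/all response described in the issue, and a non-empty `leaked` list corresponds to search returning packages regardless of authentication.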