/-/all endpoint doesn't use access groups

Describe the bug We’re using the simple htpasswd auth plugin currently. Tried using https://github.com/btshj-snail/snail-verdaccio-group/ but unfortunately couldn’t get it to work yet, so we ended up with just regular lists of users instead of groups.

However, it seems that the /-/all endpoint stopped working - expectation here would be that authenticated users get all packages they are authenticated for when using that endpoint, but instead no packages are returned for anyone now (even if that person has explicit access to all packages).

To Reproduce Set up explicit access instead of using $all or $authenticated:

'**':
    # scoped packages
    access: user-01 user-02
    publish: user-01
    unpublish: user-01

• Log in in the web backend or through npm
• Use the /-/all endpoint and see that it’s empty

The same happens with explicit package access. The web interface lists the correct results, just that (important) all endpoint isn’t working (which is important since we’re using this with Unity Package Manager which accesses that endpoint to determine which packages it allows to download).

Expected behavior user-01 and user-02 see all packages in /-/all endpoint

Actual behavior /-/all endpoint is empty

EDIT: it seems the search endpoint, on the other hand, always returns all packages, also ignoring any auth! This is so weird.

EDIT 2: to summarize:

• current auth does not influence the outcome of search and /all
• search always returns all packages
• /all always returns 0 packages (unless for packages where $all is used)
• web interface lists the correct packages the user has auth for