"Download tarball" gives an error ("error: authorization required to access package") when authenticated
When browsing the registry with Verdaccio’s webui and logged in with an authenticated account, the “Download tarball” link does not work and I get an HTTP 401 error with the following message:
{
  "error": "authorization required to access package @acme/acme-foo"
}
However, the access with npm (and a logged in user) works correctly.
Here is the server log for npm install @acme/acme-corp:
debug--- [local-storage/readTarball] read a tarball for package: acme-foo-1.2.0-RC.2019.1.3.tgz
http <-- 200, user: client01(192.168.251.209), req: 'GET /@acme%2facme-foo/-/acme-foo-1.2.0-RC.2019.1.3.tgz', bytes: 0/48585
And here is the log when accessing the package with the webui and logged in with user client01:
info <-- 192.168.251.209 requested 'GET /@acme%2facme-foo/-/acme-foo-1.2.0-RC.2019.1.3.tgz'
http <-- 401, user: null(192.168.251.209), req: 'GET /@acme%2facme-foo/-/acme-foo-1.2.0-RC.2019.1.3.tgz', error: authorization required to access package @acme/acme-foo
The HTTP request made by the webui seems to correctly have the Authorization: Bearer <token> header but the server log does not report the request as being authenticated with user client01 and reports the user as null.
I’m using the htpasswd authentication plugin:
auth:
  htpasswd:
    file: data/conf/htpasswd
    max_users: -1
Here is the content of my packages: access control directive:
packages:
  '@acme/*':
    access: $authenticated
    publish: admin
If I set access: $all, then the “download tarball” link works in the webui.
I tried this on verdaccio v4.0.1 and v4.3.3, and both report an HTTP 401 when downloading the package with the “Download tarball” link.
Has anyone else also noticed this error?
Top GitHub Comments
I can confirm that adding security.api section with legacy:false and jwt to the config fixes the issue for me. Running 4.6.2 behind nginx reverse proxy. Thx @hdmr14 👍

I can confirm that just adding this block the tarball download works (tested in brave) my web configuration just has the title key
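
The configuration change described in the comments, written out as an added example that is not part of the original thread: the auth and packages sections are the reporter's, the security.api section is the fix the commenters confirm, and the expiresIn value is an assumption.

```yaml
# Added example (not from the thread): Verdaccio config.yaml fragment.
auth:
  htpasswd:
    file: data/conf/htpasswd
    max_users: -1

packages:
  '@acme/*':
    # Keep the scope restricted to logged-in users; switching this to $all
    # makes the link work only by dropping the access control.
    access: $authenticated
    publish: admin

security:
  api:
    # Turn off the legacy API token format and sign API tokens as JWT,
    # as the comments above describe.
    legacy: false
    jwt:
      sign:
        expiresIn: 30d   # assumed lifetime, set according to your token policy
```

To check the result, repeat the “Download tarball” request while logged in and confirm the server log line for the .tgz shows 200 with user: client01 rather than 401 with user: null.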