Wrong scheme in tarball link for UI


Describe the bug

When verdaccio is accessed via HTTPS, dist.tarball urls are returned with wrong scheme (http instead of https) to UI (api uri: /-/verdaccio/packages)

To Reproduce

Steps to reproduce the behavior:

  1. Serve verdaccio via https
  2. Try to download a package tarball

Expected behavior

Tarball is downloaded

Actual behavior

Tarball tries to be downloaded via http, which violates CSP (connect-src self).

Environment information

verdaccio --info: (cpu removed)

      Environment Info:
        System:
          OS: Linux 4.19 Alpine Linux
        Binaries:
          Node: 12.13.1 - /usr/local/bin/node
          Yarn: 1.19.1 - /usr/local/bin/yarn
          npm: 6.12.1 - /usr/local/bin/npm

verdaccio version: 4.4.2

It’s running in a Kubernetes cluster from a custom image based on verdaccio:4.4.2 and exposed via ingress.

Additional information: I think this is not a UI bug but rather a backend bug, since the tarball URL shown by npm show has the correct scheme (https).

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:2
  • Comments:6 (6 by maintainers)

Top GitHub Comments

1 reaction
coolsp commented, Feb 20, 2020

Thanks @stek29 I noticed the same issue based on a report (on a closed issue) in verdaccio/ui: Cannot download tarball after logging in #75. Right when I had a fix and wanted to create a PR I noticed this. The fix is similar but I had opted to leave processPermissionsPackages as is and add a second loop before the next. E.g. in src/api/web/endpoint/packages.ts for route /packages:

      // Convert the tarball URI to reflect the registry URL being used
      for (const pkg of packages) {
        pkg.dist.tarball = getLocalRegistryTarballUri(pkg.dist.tarball, pkg.name, req, config.url_prefix);
      }

0 reactions
juanpicado commented, Feb 20, 2020

I confirm the bug, thanks for the report.


npm show @juanpicado/registry_test

@juanpicado/registry_test@1.0.3-0f84c69-pr10.0 | MIT | deps: none | versions: 40
https://github.com/juanpicado/registry_test#readme

dist
.tarball: https://registry.verdaccio.org/@juanpicado%2fregistry_test/-/registry_test-1.0.3-0f84c69-pr10.0.tgz
.shasum: adb901870ec7dafd9a49ea99644bc7f4de58d170
.integrity: sha512-KE6iRkFQaZygdrtJZjuDJiuVjAiTHEGMcIVhwa6A8RXBOutMtjlpMyZtJ3w7GErm7TcUFpFmrkuSgKQTAmRspA==

dist-tags:
latest: 1.0.3-0f84c69-pr10.0  

Via API I get https while via web I got http.
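
The scheme mismatch discussed in this thread, as an added example that is not part of the original issue and not Verdaccio's implementation: it rebuilds each `dist.tarball` on the origin of the incoming request, taking the scheme from `X-Forwarded-Proto` only when it is a plain `http`/`https` token. Assumptions: the ingress terminates TLS and sets that header, the `Host` header has already been validated upstream, `req` is an Express-like object, and all function names and sample values are hypothetical.

```javascript
// Added illustration, not Verdaccio's code. All names here are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http', 'https']);

// Scheme the client actually used. X-Forwarded-Proto can carry a chain such
// as "https, http"; the first entry is the hop closest to the client.
function clientProtocol(req) {
  const forwarded = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  // Anything other than a bare http/https token is ignored, so a malformed
  // header value never ends up inside a URL handed to the browser.
  return ALLOWED_PROTOCOLS.has(forwarded) ? forwarded : req.protocol;
}

// Rebuild a stored tarball URL on the origin of the current request, keeping
// the path (encoded package name and file name) exactly as stored.
function rewriteTarballUri(storedUri, req) {
  const { pathname } = new URL(storedUri);
  return `${clientProtocol(req)}://${req.headers.host}${pathname}`;
}

// Same loop shape as in the comment above, applied to a package list.
function rewritePackages(packages, req) {
  return packages.map((pkg) => ({
    ...pkg,
    dist: { ...pkg.dist, tarball: rewriteTarballUri(pkg.dist.tarball, req) },
  }));
}

// Constructed sample: the pod receives plain HTTP from the ingress.
const sampleReq = {
  protocol: 'http',
  headers: { host: 'registry.example.test', 'x-forwarded-proto': 'https' },
};
const samplePackages = [{
  name: '@scope/pkg',
  dist: { tarball: 'http://registry.example.test/@scope%2fpkg/-/pkg-1.0.0.tgz' },
}];
console.log(rewritePackages(samplePackages, sampleReq)[0].dist.tarball);
```

The forwarded header should only be honoured when the service is reachable solely through the proxy that sets it; otherwise a direct client could choose the scheme placed in the returned URLs.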
