Wrong scheme in tarball link for UI
Describe the bug
When verdaccio is accessed via HTTPS, dist.tarball URLs are returned with the wrong scheme (http instead of https) to the UI (API URI: /-/verdaccio/packages).
To Reproduce
Steps to reproduce the behavior:
- Serve verdaccio via https
- Try to download a package tarball
Expected behavior
Tarball is downloaded
Actual behavior
Tarball tries to be downloaded via http, which violates CSP (connect-src self).
Environment information
verdaccio --info: (cpu removed)
Environment Info:
  System:
    OS: Linux 4.19 Alpine Linux
  Binaries:
    Node: 12.13.1 - /usr/local/bin/node
    Yarn: 1.19.1 - /usr/local/bin/yarn
    npm: 6.12.1 - /usr/local/bin/npm
verdaccio version: 4.4.2
It’s running in a Kubernetes cluster from a custom image based on verdaccio:4.4.2 and exposed via ingress.
Additional information:
I think this is not a UI bug but rather a backend bug, since the tarball URL shown by npm show has the correct scheme (https).
Top GitHub Comments
Thanks @stek29 I noticed the same issue based on a report (on a closed issue) in verdaccio/ui: Cannot download tarball after logging in #75. Right when I had a fix and wanted to create a PR I noticed this. The fix is similar but I had opted to leave processPermissionsPackages as is and add a second loop before the next. E.g. in src/api/web/endpoint/packages.ts for route /packages:

I confirm the bug, thanks for the report.
npm show @juanpicado/registry_test
Via API I get https while via web I got http.
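
An added example, not part of the original issue or of verdaccio's code: a check that reports which dist.tarball URLs a UI served from a given origin could not fetch under connect-src 'self', which is the failure described above. The response shape (an array of entries with name and dist.tarball), the host registry.example.test and the function names are assumptions.

```javascript
// Added example (not verdaccio code). Flags dist.tarball URLs that a
// `connect-src 'self'` policy would block for a UI served from uiOrigin.

// Simplified 'self' match for http/https only: same scheme, host and port,
// or an http -> https upgrade on the same host. A downgrade (https page,
// http tarball URL), as in the issue, never matches.
function matchesSelf(uiOrigin, resourceUrl) {
  if (typeof resourceUrl !== 'string') return false;
  const page = new URL(uiOrigin);
  let res;
  try {
    res = new URL(resourceUrl, uiOrigin); // relative URLs resolve against the page
  } catch (err) {
    return false; // malformed value: report it
  }
  if (page.hostname !== res.hostname) return false;
  // URL.port is '' when the port is the default for the scheme.
  if (page.protocol === res.protocol) return page.port === res.port;
  const upgrade = page.protocol === 'http:' && res.protocol === 'https:';
  return upgrade && page.port === res.port;
}

// Returns the entries whose tarball URL the browser would refuse to fetch.
function findBlockedTarballs(uiOrigin, packages) {
  return packages
    .filter((p) => !matchesSelf(uiOrigin, p.dist && p.dist.tarball))
    .map((p) => ({ name: p.name, tarball: p.dist ? p.dist.tarball : null }));
}

// Constructed sample of what the web endpoint might return (assumed shape).
const samplePackages = [
  { name: 'pkg-a', dist: { tarball: 'https://registry.example.test/pkg-a/-/pkg-a-1.0.0.tgz' } },
  { name: 'pkg-b', dist: { tarball: 'http://registry.example.test/pkg-b/-/pkg-b-1.0.0.tgz' } },
];

function main() {
  const blocked = findBlockedTarballs('https://registry.example.test', samplePackages);
  for (const b of blocked) {
    console.log(`blocked by connect-src 'self': ${b.name} -> ${b.tarball}`);
  }
  return blocked;
}

main();
```
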