npm outdated and update does not work, but install works #1105

Closed
0815fox opened this issue Nov 5, 2018 · 10 comments · Fixed by #1109

@0815fox
Contributor

0815fox commented Nov 5, 2018

Describe the bug

When I issue an npm outdated or npm update command, npm fails with E403.

To Reproduce

  1. Log in to private registry (aka have an ~/.npmrc)
  2. Install a package from your private, password-protected repository using npm install
  3. Try to upgrade your package using npm update or invoke npm outdated

Expected behavior
Should not fail with E403.

Docker || Kubernetes (please complete the following information):

  • Docker verdaccio tag: latest
$ docker images verdaccio/verdaccio
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
verdaccio/verdaccio   latest              c542d9e516e4        2 weeks ago         659MB
$ npm --version
6.4.1

Configuration File (cat ~/.config/verdaccio/config.yaml)

storage: /verdaccio/storage
plugins: /verdaccio/plugins

web:
  title: Oblamatik npm repository
  scope: \@oblamatik

auth:
  htpasswd:
    file: ./htpasswd
    max_users: -1

  bitbucket:
    allow: MyTeam

packages:
  '@oblamatik/*':
    access: $authenticated
    publish: $authenticated

middlewares:
  audit:
    enabled: true

logs:
  - {type: stdout, format: pretty, level: http}

max_body_size: 1000mb

Debugging output

npm update @oblamatik/omw-middleware shows the following output:

$ npm update @oblamatik/omw-middleware --verbose
npm info it worked if it ends with ok
npm verb cli [ '/home/mkr/.nvm/versions/node/v8.11.4/bin/node',
npm verb cli   '/home/mkr/.nvm/versions/node/v8.11.4/bin/npm',
npm verb cli   'update',
npm verb cli   '@oblamatik/omw-middleware',
npm verb cli   '--verbose' ]
npm info using npm@6.4.1
npm info using node@v8.11.4
npm verb npm-session 8c99504fa195e079
npm verb update computing outdated modules to update
npm verb request uri https://npm.dev.oblamatik.ch/@oblamatik%2fomw-middleware
npm verb request no auth needed
npm info attempt registry request try #1 at 15:02:09
npm verb request id dc615f7f9a29d1a9
npm http request GET https://npm.dev.oblamatik.ch/@oblamatik%2fomw-middleware
npm http 403 https://npm.dev.oblamatik.ch/@oblamatik%2fomw-middleware
npm verb headers { server: 'nginx/1.14.0',
npm verb headers   date: 'Mon, 05 Nov 2018 14:02:09 GMT',
npm verb headers   'content-type': 'application/json; charset=utf-8',
npm verb headers   'content-length': '96',
npm verb headers   connection: 'keep-alive',
npm verb headers   'x-powered-by': 'verdaccio/3.8.1',
npm verb headers   'access-control-allow-origin': '*',
npm verb headers   etag: 'W/"60-ddeEwRsYkCfxZ4K8+J1Ht4SxMow"',
npm verb headers   vary: 'Accept-Encoding',
npm verb headers   'x-status-cat': 'http://flic.kr/p/aV6jFK',
npm verb headers   'strict-transport-security': 'max-age=31536000' }
npm verb stack Error: unregistered users are not allowed to access package @oblamatik/omw-middleware : @oblamatik/omw-middleware
npm verb stack     at makeError (/home/mkr/.nvm/versions/node/v8.11.4/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:329:12)
npm verb stack     at RegClient.<anonymous> (/home/mkr/.nvm/versions/node/v8.11.4/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:317:14)
npm verb stack     at Request._callback (/home/mkr/.nvm/versions/node/v8.11.4/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:216:14)
npm verb stack     at Request.self.callback (/home/mkr/.nvm/versions/node/v8.11.4/lib/node_modules/npm/node_modules/request/request.js:185:22)
npm verb stack     at emitTwo (events.js:126:13)
npm verb stack     at Request.emit (events.js:214:7)
npm verb stack     at Request.<anonymous> (/home/mkr/.nvm/versions/node/v8.11.4/lib/node_modules/npm/node_modules/request/request.js:1161:10)
npm verb stack     at emitOne (events.js:116:13)
npm verb stack     at Request.emit (events.js:211:7)
npm verb stack     at IncomingMessage.<anonymous> (/home/mkr/.nvm/versions/node/v8.11.4/lib/node_modules/npm/node_modules/request/request.js:1083:12)
npm verb stack     at Object.onceWrapper (events.js:313:30)
npm verb stack     at emitNone (events.js:111:20)
npm verb stack     at IncomingMessage.emit (events.js:208:7)
npm verb stack     at endReadableNT (_stream_readable.js:1064:12)
npm verb stack     at _combinedTickCallback (internal/process/next_tick.js:138:11)
npm verb stack     at process._tickCallback (internal/process/next_tick.js:180:9)
npm verb statusCode 403
npm verb pkgid @oblamatik/omw-middleware
npm verb cwd /home/mkr/work/twms/twms-backend
npm verb Linux 4.9.0-7-amd64
npm verb argv "/home/mkr/.nvm/versions/node/v8.11.4/bin/node" "/home/mkr/.nvm/versions/node/v8.11.4/bin/npm" "update" "@oblamatik/omw-middleware" "--verbose"
npm verb node v8.11.4
npm verb npm  v6.4.1
npm ERR! code E403
npm ERR! unregistered users are not allowed to access package @oblamatik/omw-middleware : @oblamatik/omw-middleware
npm verb exit [ 1, true ]
npm timing npm Completed in 1096ms

In the verdaccio logs I get the following entries:

http <-- 403, user: null(194.230.107.251 via 172.17.0.2), req: 'GET /@oblamatik%2fomw-middleware', error: unregistered users are not allowed to access package @oblamatik/omw-middleware

Analysis
Not sure that verdaccio is responsible for this, as user "null" is definitely not allowed. However, I am not sure why npm thinks that it does not need to send auth (log entry: npm verb request no auth needed).

Could you make a statement please?

@juanpicado
Member

If the user is null, most likely the client does not send the token. Perhaps enabling always sending the authentication might work.

@0815fox
Contributor Author

0815fox commented Nov 5, 2018

Do you have a hint on how to enable sending auth always on npm?

@juanpicado
Member

@0815fox
Contributor Author

0815fox commented Nov 5, 2018

Thank you. With always-auth it works. So I have the following "feature requests":

  1. Verdaccio should respond with the correct status code (401) in case there are no credentials at all (probably npm will send the credentials then) and only respond with 403 in case there are credentials but access is forbidden.
  2. The npm adduser commands displayed in the web frontend should include the --always-auth flag - enabled by a config option.

@juanpicado
Member

I'll analyze the reasons, it might be a bug or something else. I'll post here when I have a final answer.

npm handles --always-auth differently from yarn; in yarn it is enabled by default. So the two differ from each other; I think pnpm follows npm's approach. On the front-end we suggest npm for obvious reasons, but I cannot suggest a specific setup that might create other issues. What I can do is suggest it in the documentation (well highlighted). Does that make sense to you?

@0815fox
Contributor Author

0815fox commented Nov 8, 2018

In principle documentation does always help. However, as stated above, I think npm may work without setting always-auth to true if verdaccio would answer with status code 401 in case npm did not provide credentials but login is required. This is because of the small distinction between 401 and 403.

  • 403 means something like: I saw your credentials and they are incorrect. Please don't try again, I won't let you in anyway.
  • 401 means something like: I did not get any credentials. Please try again and include credentials with your request.

So verdaccio answering with 401 could resolve the issue without obliging every user to set always-auth to true. If sending out 401 instead of 403 does not solve the issue I would file a bug report against npm itself.
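
The 401/403 split discussed in this thread, as an added JavaScript sketch (not Verdaccio's code and not taken from any pull request): an anonymous request to a protected package gets a 401 with a challenge, while an identified user outside the allowed groups gets a 403. The function names, the `@restricted/*` rule, the `release-team` group and the `**` catch-all are constructed for the example.

```javascript
// Added illustration, not Verdaccio's code; all function names are hypothetical.
// The first rule mirrors the `packages:` section quoted in the issue.
const PACKAGES = {
  '@oblamatik/*': { access: ['$authenticated'] },
  '@restricted/*': { access: ['release-team'] }, // constructed rule and group
  '**': { access: ['$all'] },                    // constructed catch-all for public packages
};

// '/@oblamatik%2fomw-middleware' -> '@oblamatik/omw-middleware'
function packageFromPath(path) {
  return decodeURIComponent(path.replace(/^\//, ''));
}

// First matching rule wins; only the '@scope/*' and '**' pattern forms are handled.
function ruleFor(pkg) {
  for (const [pattern, rule] of Object.entries(PACKAGES)) {
    if (pattern === '**') return rule;
    if (pattern.endsWith('/*') && pkg.startsWith(pattern.slice(0, -1))) return rule;
  }
  return { access: [] }; // no rule at all: nobody is allowed
}

// user is null when the request carried no credentials (the "user: null" log entry),
// otherwise { name, groups }.
function decideAccess(path, user) {
  const pkg = packageFromPath(path);
  const allowed = ruleFor(pkg).access;
  if (allowed.includes('$all')) return { status: 200 };
  if (user === null) {
    // Nobody identified yet: 401 plus a challenge signals that authentication is required.
    return {
      status: 401,
      headers: { 'WWW-Authenticate': 'Bearer realm="registry"' },
      error: `authentication required to access package ${pkg}`,
    };
  }
  const groups = ['$authenticated', user.name, ...(user.groups || [])];
  if (groups.some((g) => allowed.includes(g))) return { status: 200 };
  // Identified but not in an allowed group: the same identity will not get in on retry.
  return { status: 403, error: `user ${user.name} is not allowed to access package ${pkg}` };
}

// Constructed requests: the anonymous GET from the issue's log, then an identified user.
console.log(decideAccess('/@oblamatik%2fomw-middleware', null).status);
console.log(decideAccess('/@restricted%2ftool', { name: 'mkr', groups: [] }).status);
```
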

@0815fox
Contributor Author

0815fox commented Nov 8, 2018

I made a pull request which would emit 401 instead of 403 in case no user credentials were sent. I'd like to invite you to check it out.

@juanpicado
Member

Thanks @0815fox, I'll put it in my queue to check it and I'll get back to you.

@juanpicado
Member

@0815fox your change makes sense to me. While you fix the small issues on the PR, I want to ask @ayusharma's opinion on this field.

@lock

lock bot commented Jun 3, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot added the outdated label Jun 3, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jun 3, 2019