feat: add property forceMigrateToSecureLegacySignature (#4625)

* migrate to forceMigrateToSecureLegacySignature

* Update token.ts

* remove dep

* Update token.ts

.github/workflows/ci.yml

@@ -2,14 +2,20 @@ name: CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true  
+
 jobs:
   ci:
     name: Node ${{ matrix.node_version }}
 
     strategy:
       fail-fast: false
       matrix:
-        node_version: [14, 16, 18, 19, 20, 21]
+        node_version: [14, 16, 18, 19, 20, 21, 22]
 
     runs-on: ubuntu-latest
 

README.md

@@ -33,7 +33,9 @@ Install with npm:
 npm install --location=global verdaccio
 ```
 
-> Node.js v14 or higher is required for Verdaccio 5
+**Node.js v14 or higher is required for Verdaccio 5**
+
+> It's recommended using Node.js 20 (or latest LTS)
 
 or pull [Docker official image](https://verdaccio.org/docs/docker)
 
@@ -55,8 +57,6 @@ helm repo update
 helm install verdaccio/verdaccio
 ```
 
-Are you still using **Verdaccio 4**?. Check the [migration guide from 4.x to 5.x](https://verdaccio.org/blog/2021/04/14/verdaccio-5-migration-guide).
-
 ## Programmatic API
 
 Verdaccio can be used as a module for launch a server programmatically, [you can find more info at the website](https://verdaccio.org/docs/verdaccio-programmatically#using-the-module-api).

conf/default.yaml

@@ -127,6 +127,8 @@ server:
 # security:
 #   api:
 #     legacy: true
+#     # recomended set to true for older installations
+#     migrateToSecureLegacySignature: true
 #     jwt:
 #       sign:
 #         expiresIn: 29d

conf/docker.yaml

@@ -131,6 +131,8 @@ server:
 # security:
 #   api:
 #     legacy: true
+#     # recomended set to true for older installations
+#     migrateToSecureLegacySignature: true
 #     jwt:
 #       sign:
 #         expiresIn: 29d

package.json

@@ -20,23 +20,23 @@
   },
   "dependencies": {
     "@cypress/request": "3.0.1",
-    "@verdaccio/config": "7.0.0-next-7.13",
-    "@verdaccio/core": "7.0.0-next-7.13",
+    "@verdaccio/auth": "7.0.0-next-7.15",
+    "@verdaccio/config": "7.0.0-next-7.15",
+    "@verdaccio/core": "7.0.0-next-7.15",
     "@verdaccio/local-storage-legacy": "11.0.2",
-    "@verdaccio/logger-7": "7.0.0-next-7.13",
-    "@verdaccio/middleware": "7.0.0-next-7.13",
+    "@verdaccio/logger-7": "7.0.0-next-7.15",
+    "@verdaccio/middleware": "7.0.0-next-7.15",
     "@verdaccio/search-indexer": "7.0.0-next-7.2",
-    "@verdaccio/signature": "7.0.0-next.3",
+    "@verdaccio/signature": "7.0.0-next-7.5",
     "@verdaccio/streams": "10.2.1",
-    "@verdaccio/tarball": "12.0.0-next-7.13",
-    "@verdaccio/ui-theme": "7.0.0-next-7.13",
-    "@verdaccio/url": "12.0.0-next-7.13",
-    "@verdaccio/utils": "7.0.0-next-7.13",
+    "@verdaccio/tarball": "12.0.0-next-7.15",
+    "@verdaccio/ui-theme": "7.0.0-next-7.15",
+    "@verdaccio/url": "12.0.0-next-7.15",
+    "@verdaccio/utils": "7.0.0-next-7.15",
     "JSONStream": "1.3.5",
     "async": "3.2.5",
     "clipanion": "3.2.1",
     "compression": "1.7.4",
-    "cookies": "0.9.1",
     "cors": "2.8.5",
     "debug": "^4.3.4",
     "envinfo": "7.11.1",
@@ -55,13 +55,13 @@
     "pkginfo": "0.4.1",
     "semver": "7.6.0",
     "validator": "13.11.0",
-    "verdaccio-audit": "12.0.0-next-7.13",
-    "verdaccio-htpasswd": "12.0.0-next-7.13"
+    "verdaccio-audit": "12.0.0-next-7.15",
+    "verdaccio-htpasswd": "12.0.0-next-7.15"
   },
   "devDependencies": {
-    "@babel/cli": "7.24.1",
-    "@babel/core": "7.24.3",
-    "@babel/eslint-parser": "7.23.3",
+    "@babel/cli": "7.24.5",
+    "@babel/core": "7.24.5",
+    "@babel/eslint-parser": "7.24.5",
     "@babel/node": "7.23.9",
     "@babel/plugin-proposal-class-properties": "7.18.6",
     "@babel/plugin-proposal-decorators": "7.24.1",
@@ -76,13 +76,13 @@
     "@babel/plugin-syntax-dynamic-import": "7.8.3",
     "@babel/plugin-syntax-import-meta": "7.10.4",
     "@babel/plugin-transform-async-to-generator": "7.24.1",
-    "@babel/plugin-transform-classes": "7.24.1",
+    "@babel/plugin-transform-classes": "7.24.5",
     "@babel/plugin-transform-runtime": "7.24.3",
     "@babel/polyfill": "^7.12.1",
-    "@babel/preset-env": "7.24.3",
-    "@babel/preset-typescript": "7.23.3",
+    "@babel/preset-env": "7.24.5",
+    "@babel/preset-typescript": "7.24.1",
     "@babel/register": "7.23.7",
-    "@babel/runtime": "7.24.1",
+    "@babel/runtime": "7.24.5",
     "@octokit/rest": "19.0.13",
     "@trivago/prettier-plugin-sort-imports": "4.3.0",
     "@types/async": "3.2.24",
@@ -100,7 +100,7 @@
     "@typescript-eslint/eslint-plugin": "5.62.0",
     "@typescript-eslint/parser": "5.62.0",
     "@verdaccio-scope/verdaccio-auth-foo": "0.0.2",
-    "@verdaccio/types": "12.0.0-next.2",
+    "@verdaccio/types": "12.0.0-next-7.3",
     "babel-jest": "29.7.0",
     "babel-plugin-dynamic-import-node": "2.3.3",
     "cross-env": "7.0.3",
@@ -122,7 +122,7 @@
     "jest-junit": "15.0.0",
     "lockfile-lint": "4.12.1",
     "nock": "13.5.0",
-    "node-mocks-http": "^1.13.0",
+    "node-mocks-http": "^1.14.1",
     "pinst": "2.1.6",
     "prettier": "3.2.2",
     "rimraf": "3.0.2",
@@ -186,5 +186,10 @@
     "url": "https://opencollective.com/verdaccio",
     "logo": "https://opencollective.com/verdaccio/logo.txt"
   },
-  "packageManager": "yarn@3.8.1"
+  "packageManager": "yarn@3.8.1",
+  "dependenciesMeta": {
+    "@verdaccio/signature@7.0.0-next-7.5": {
+      "unplugged": true
+    }
+  }
 }

src/api/endpoint/api/user.ts

@@ -1,14 +1,14 @@
-import Cookies from 'cookies';
 import express, { Response, Router } from 'express';
 import _ from 'lodash';
 
+import { getApiToken } from '@verdaccio/auth';
 import { createRemoteUser } from '@verdaccio/config';
+import { validationUtils } from '@verdaccio/core';
 import { rateLimit } from '@verdaccio/middleware';
 import { Config, RemoteUser } from '@verdaccio/types';
-import { createSessionToken, getAuthenticatedMessage } from '@verdaccio/utils';
+import { getAuthenticatedMessage } from '@verdaccio/utils';
 
 import Auth from '../../../lib/auth';
-import { getApiToken, validatePassword } from '../../../lib/auth-utils';
 import { API_ERROR, API_MESSAGE, HEADERS, HTTP_STATUS } from '../../../lib/constants';
 import { logger } from '../../../lib/logger';
 import { ErrorCode } from '../../../lib/utils';
@@ -63,7 +63,7 @@ export default function (route: Router, auth: Auth, config: Config): void {
           }
         );
       } else {
-        if (validatePassword(password) === false) {
+        if (validationUtils.validatePassword(password) === false) {
           // eslint-disable-next-line new-cap
           return next(ErrorCode.getCode(HTTP_STATUS.BAD_REQUEST, API_ERROR.PASSWORD_SHORT));
         }

src/api/endpoint/api/v1/profile.ts

@@ -1,11 +1,11 @@
 import { Response, Router } from 'express';
 import _ from 'lodash';
 
+import { validationUtils } from '@verdaccio/core';
 import { rateLimit } from '@verdaccio/middleware';
 import { ConfigYaml } from '@verdaccio/types';
 
 import Auth from '../../../../lib/auth';
-import { validatePassword } from '../../../../lib/auth-utils';
 import { API_ERROR, APP_ERROR, HTTP_STATUS, SUPPORT_ERRORS } from '../../../../lib/constants';
 import { ErrorCode } from '../../../../lib/utils';
 import { $NextFunctionVer, $RequestExtend } from '../../../../types';
@@ -65,7 +65,7 @@ export default function (router: Router, auth: Auth, config: ConfigYaml) {
       const { name } = req.remote_user;
 
       if (_.isNil(password) === false) {
-        if (validatePassword(password.new) === false) {
+        if (validationUtils.validatePassword(password.new) === false) {
           /* eslint new-cap:off */
           return next(ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, API_ERROR.PASSWORD_SHORT));
           /* eslint new-cap:off */

src/api/endpoint/api/v1/token.ts

@@ -2,12 +2,12 @@ import buildDebug from 'debug';
 import { Response, Router } from 'express';
 import _ from 'lodash';
 
+import { getApiToken } from '@verdaccio/auth';
 import { rateLimit } from '@verdaccio/middleware';
 import { Config, RemoteUser, Token } from '@verdaccio/types';
 import { stringToMD5 } from '@verdaccio/utils';
 
 import Auth from '../../../../lib/auth';
-import { getApiToken } from '../../../../lib/auth-utils';
 import { HEADERS, HTTP_STATUS, SUPPORT_ERRORS } from '../../../../lib/constants';
 import { logger } from '../../../../lib/logger';
 import Storage from '../../../../lib/storage';
@@ -81,10 +81,10 @@ export default function (router: Router, auth: Auth, storage: Storage, config: C
         }
 
         try {
-          const token = await getApiToken(auth, config, user, password);
-          const key = stringToMD5(token);
+          const token = (await getApiToken(auth, config, user, password)) as string;
+          const key = stringToMD5(token as string);
           // TODO: use a utility here
-          const maskedToken = mask(token, 5);
+          const maskedToken = mask(token as string, 5);
           const created = new Date().getTime();
 
           /**

src/api/web/api/user.ts

@@ -1,11 +1,12 @@
 import { Request, Response, Router } from 'express';
 import _ from 'lodash';
 
+import { validationUtils } from '@verdaccio/core';
 import { rateLimit } from '@verdaccio/middleware';
 import { Config, JWTSignOptions, RemoteUser } from '@verdaccio/types';
 
 import Auth from '../../../lib/auth';
-import { getSecurity, validatePassword } from '../../../lib/auth-utils';
+import { getSecurity } from '../../../lib/auth-utils';
 import { API_ERROR, APP_ERROR, HEADERS, HTTP_STATUS } from '../../../lib/constants';
 import { ErrorCode } from '../../../lib/utils';
 import { $NextFunctionVer } from '../../../types';
@@ -48,7 +49,7 @@ function addUserAuthApi(route: Router, auth: Auth, config: Config): Router {
       const { password } = req.body;
       const { name } = req.remote_user;
 
-      if (validatePassword(password.new) === false) {
+      if (validationUtils.validatePassword(password.new) === false) {
         auth.changePassword(name as string, password.old, password.new, (err, isUpdated): void => {
           if (_.isNil(err) && isUpdated) {
             next({