CHANGELOG.md

@@ -2,6 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [4.0.2](https://github.com/verdaccio/verdaccio/compare/v4.0.1...v4.0.2) (2019-06-13)
+
+
+### Bug Fixes
+
+* correctly check if the proxy setting evaluates to false ([#1336](https://github.com/verdaccio/verdaccio/issues/1336)) ([df834f4](https://github.com/verdaccio/verdaccio/commit/df834f4))
+* update dependencies ([e581634](https://github.com/verdaccio/verdaccio/commit/e581634)), closes [#1339](https://github.com/verdaccio/verdaccio/issues/1339)
+* update security policy details ([#1342](https://github.com/verdaccio/verdaccio/issues/1342)) ([ddcd89d](https://github.com/verdaccio/verdaccio/commit/ddcd89d))
+* **api:** force authenticate on login ([#1347](https://github.com/verdaccio/verdaccio/issues/1347)) ([85c1bd1](https://github.com/verdaccio/verdaccio/commit/85c1bd1))
+* **ui:** failed to load all packages after login ([192fb77](https://github.com/verdaccio/verdaccio/commit/192fb77))
+
+
+
 ## [4.0.1](https://github.com/verdaccio/verdaccio/compare/v4.0.0...v4.0.1) (2019-05-28)
 
 

SECURITY.md

@@ -1,30 +1,73 @@
 # Security Policy
 
-## Supported Versions
+## Supported versions
 
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
+The following table describes the versions of this project that are currently supported with security updates:
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.x   | :x:                |
-| 3.x   | :white_check_mark: |
-| 4.x   | :white_check_mark: |
+| 2.x   | :x:                  |
+| 3.x   | :white_check_mark:   |
+| 4.x   | :white_check_mark:   |
 
-## Reporting a Vulnerability
+## Responsible disclosure security policy
 
-At Verdaccio, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you've discovered a vulnerability, please follow the guidelines below to report it to our team:
+A responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities without a fix by employing a process where vulnerabilities are first triaged in a private manner, and only publicly disclosed after a reasonable time period that allows patching the vulnerability and provides an upgrade path for users.
 
-* Report it either [Snyk Security Team](https://snyk.io/vulnerability-disclosure/) or [npmjs Security Team](https://www.npmjs.com/advisories/report?package=verdaccio), they will be in contact with us in case of confirming the vulnerability.
-* E-mail your findings to [verdaccio@pm.me](mailto:verdaccio@pm.me). If the report contains highly sensitive information, please consider encrypting your findings using our [PGP key](https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc).
+When contacting us directly via email, we will do our best efforts to respond in a reasonable time to resolve the issue. When contacting a security program their disclosure policy will provide details on timeframe, processes and paid bounties.
 
-Please follow these rules when testing/reporting vulnerabilities:
-* Do not take advantage of the vulnerability you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability.
-* Do not read, modify or delete data that isn't your own.
-* We ask that you do not disclose the findings to third parties until it has been resolved.
+We kindly ask you to refrain from malicious acts that put our users, the project, or any of the project’s team members at risk.
 
-What we promise:
-* We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
-* We will keep you informed during all stages of resolving the problem.
-* To show our appreciation for your effort and cooperation during the report, we will list your name and a link to a personal website/social network profile on the page below so that the public can know you've helped keep Verdaccio secure.
+## Reporting a security issue
 
+At Verdaccio, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
+
+If you discover a security vulnerability, please use one of the following means of communications to report it to us:
+
+* Report the security issue to the Node.js Security WG through the [HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to [Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with all involved parties to remediate and release a fix.
+
+Note that time-frame and processes are subject to each program’s own policy.
+
+* Report the security issue to the project maintainers directly at verdaccio@pm.me. If the report contains highly sensitive information, please be advised to encrypt your findings using our [PGP key](https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc) which is also available in this document.
+
+Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge your contributions.
+
+## PGP key
+
+The following is this project’s PGP key which should be used to encrypt any sensitive information shared on unsecured medium such as e-mails:
+
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: OpenPGP.js v4.5.1
+Comment: https://openpgpjs.org
+
+xsBNBFzm3asBCACxnJDv1r6dxiM2e8iqS6B7fxY2I3X1Rc+3m8mhXOwVwRG4
+AOrQ417oSzsVLf4iocg+DWrtxzY79odTLJEovVt79rxwqIIl4y96tH+29kLB
+ao7eaYZacfstonVkBAmxBLaYv1x7cqWuukm6sBCOxapW1X9BcbR3vOghDziY
+/1AwNjupAOPvKNMtghjrdh3w0iMfZS1hw28zjM1oCeezEil+CTjgQDN+69qS
+UFG/BInJ7CVn9TvhU85inSwpxVa576fkhvFoNUrGvFvYRWtXRJndbRdBodVj
+C9At/Gb2IeNf7xqXH2KloZ1yaVNVSzLX4jqrMWeF+9Z12SjUyL6G9TwDABEB
+AAHNIXZlcmRhY2Npb0BwbS5tZSA8dmVyZGFjY2lvQHBtLm1lPsLAdQQQAQgA
+HwUCXObdqwYLCQcIAwIEFQgKAgMWAgECGQECGwMCHgEACgkQpSvoGbwFJYhn
+2wf+JF+yLQXh1EFMih6lpbx243hvglgOWmcigYVRh5mSfULcdW2pmkPQXqhE
+DW73qqwN9G9piiPnGMw7sKoB7XJVuFKyvHOYKtem5UQVRvs2rTxnSc5qFcUJ
+0w3Tw/pZ9B3fYAEYti2B/GsSOzaECfBKCFOg15xXGAdwfgff5FsorN1Gb6MG
+eCO9c8faSF/+fQUCfokwMDVzxXQFZEMx3q/rHVJ/Fm+XelZ+00c9fdyiuPW5
+dM9gATle7lz0iPtxaUDGLW8QZ/7b6O8IJ1kle0tL4AE++bXsVWxNdzhlNohH
+Hn09sIdFnG4ySTz4YJjiDd70ZdQjOGEGvutymEIN1xcNq87ATQRc5t2rAQgA
+yX2ZhUCtrz7lzK0992yveB+duVF//yo9Pei2ra9Z3GNmA+oWlRH1FTWpAmVH
+uDdUchTnxAwaKntabt3Mb1AgEZwrdiG4LuHFbdx2ls93BJ5lXdp7vB6pVf3N
+IrhHKyQ/Y5L5kMSj/GjrhO19zmj6mPPEgb3M3ZIZjQUF4pro0pExuAPA9Wxe
+awn5+0BUYFs4mZQDtTdiVuz5tWA0fNtt1aBfOPA97tmn18y4b1b0iQIJQpep
+BVVnFLeAZOevDcBJFbmQOdAjufWSSgpzX+FZ3rx6RVwwKxUiVQyUuwSQkKh5
+RufZ5zE0y7Fe/YlWXbKoj4zNJqYtjPSPngQRWf7UpwARAQABwsBfBBgBCAAJ
+BQJc5t2rAhsMAAoJEKUr6Bm8BSWIoYQH+QDw0Z84tZK4N1lh49hYyohs6vNU
+9kG69nKLQA5NymPtTxh8YOJhdJL697FkvKI4OGEO2FXUmcJS3CBJ2nBVKMq2
+1biDRKC4OhIU2RgFhS6bHy6VOn24EYs77T+zX8YXpz8ulYVln2b0QZCubN0Z
+L50tEC8HnuVMVN+/pqITdD3FjzwGZgHdW8qkKgD6qhObHCl8/cW2buCsaIAY
+eZWVPgPY1S1U0V608qYNtUCkrmUW5Sl6YLvz7JTvTsaym5mzyFXF3ErAURgI
+/v4XaWmRgNGIxbIxsFGuEs+KIKBQDJmtvJCVpBNS5IYnFf5h/LA5cfkwMKJt
+wXhyE0b/iDs60ZM=
+=QWXs
+-----END PGP PUBLIC KEY BLOCK-----
+```

package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio",
-  "version": "4.0.1",
+  "version": "4.0.2",
   "description": "A lightweight private npm proxy registry",
   "author": {
     "name": "Verdaccio Maintainers",
@@ -16,18 +16,18 @@
   },
   "dependencies": {
     "@verdaccio/local-storage": "2.1.0",
-    "@verdaccio/streams": "2.0.0",
     "@verdaccio/readme": "1.0.3",
-    "@verdaccio/ui-theme": "0.1.10",
+    "@verdaccio/streams": "2.0.0",
+    "@verdaccio/ui-theme": "0.1.11",
     "JSONStream": "1.3.5",
-    "async": "3.0.1-0",
+    "async": "3.0.1",
     "body-parser": "1.19.0",
     "bunyan": "1.8.12",
     "commander": "2.20.0",
     "compression": "1.7.4",
     "cookies": "0.7.3",
     "cors": "2.8.5",
-    "dayjs": "1.8.13",
+    "dayjs": "1.8.14",
     "express": "4.16.4",
     "handlebars": "4.1.2",
     "http-errors": "1.7.2",
@@ -37,13 +37,13 @@
     "lodash": "4.17.11",
     "lunr-mutable-indexes": "2.3.2",
     "marked": "0.6.2",
-    "mime": "2.4.2",
+    "mime": "2.4.4",
     "minimatch": "3.0.4",
     "mkdirp": "0.5.1",
     "mv": "2.1.1",
     "pkginfo": "0.4.1",
     "request": "2.87.0",
-    "semver": "6.0.0",
+    "semver": "6.1.1",
     "verdaccio-audit": "1.2.0",
     "verdaccio-htpasswd": "2.0.0"
   },

src/api/endpoint/api/user.js

@@ -8,9 +8,10 @@ import Cookies from 'cookies';
 
 import { ErrorCode } from '../../../lib/utils';
 import { API_ERROR, API_MESSAGE, HTTP_STATUS } from '../../../lib/constants';
-import { createSessionToken, getApiToken, getAuthenticatedMessage, validatePassword } from '../../../lib/auth-utils';
+import { createRemoteUser, createSessionToken, getApiToken, getAuthenticatedMessage, validatePassword } from '../../../lib/auth-utils';
+import logger from '../../../lib/logger';
 
-import type { Config } from '@verdaccio/types';
+import type { Config, RemoteUser } from '@verdaccio/types';
 import type { $Response, Router } from 'express';
 import type { $RequestExtend, $ResponseExtend, $NextFunctionVer, IAuth } from '../../../../types';
 
@@ -22,17 +23,26 @@ export default function(route: Router, auth: IAuth, config: Config) {
     });
   });
 
-  route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', async function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
+  route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', function(req: $RequestExtend, res: $Response, next: $NextFunctionVer) {
     const { name, password } = req.body;
+    const remoteName = req.remote_user.name;
 
-    if (_.isNil(req.remote_user.name) === false) {
-      const token = name && password ? await getApiToken(auth, config, req.remote_user, password) : undefined;
+    if (_.isNil(remoteName) === false && _.isNil(name) === false && remoteName === name) {
+      auth.authenticate(name, password, async function callbackAuthenticate(err, groups) {
+        if (err) {
+          logger.logger.trace({ name, err }, 'authenticating for user @{username} failed. Error: @{err.message}');
+          return next(ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, API_ERROR.BAD_USERNAME_PASSWORD));
+        }
 
-      res.status(HTTP_STATUS.CREATED);
+        const restoredRemoteUser: RemoteUser = createRemoteUser(name, groups);
+        const token = await getApiToken(auth, config, restoredRemoteUser, password);
+
+        res.status(HTTP_STATUS.CREATED);
 
-      return next({
-        ok: getAuthenticatedMessage(req.remote_user.name),
-        token,
+        return next({
+          ok: getAuthenticatedMessage(req.remote_user.name),
+          token,
+        });
       });
     } else {
       if (validatePassword(password) === false) {

src/lib/constants.js

@@ -151,10 +151,6 @@ export const PACKAGE_ACCESS = {
   ALL: '**',
 };
 
-export const UPDATE_BANNER = {
-  CHANGELOG_URL: 'https://github.com/verdaccio/verdaccio/releases/tag/',
-};
-
 export const STORAGE = {
   PACKAGE_FILE_NAME: 'package.json',
   FILE_EXIST_ERROR: 'EEXISTS',

src/lib/up-storage.js

@@ -551,7 +551,7 @@ class ProxyStorage implements IProxy {
       // Otherwise misconfigured proxy could return 407:
       // https://github.com/rlidwka/sinopia/issues/254
       //
-      if (this.proxy === false) {
+      if (!this.proxy) {
         headers['X-Forwarded-For'] = (req.headers['x-forwarded-for'] ? req.headers['x-forwarded-for'] + ', ' : '') + req.connection.remoteAddress;
       }
     }

test/unit/api/__api-helper.js

@@ -1,6 +1,7 @@
 // @flow
 
-import {HEADER_TYPE, HEADERS, HTTP_STATUS} from '../../../src/lib/constants';
+import {HEADER_TYPE, HEADERS, HTTP_STATUS, TOKEN_BEARER} from '../../../src/lib/constants';
+import {buildToken} from "../../../src/lib/utils";
 
 export function getPackage(
     request: any,
@@ -19,6 +20,24 @@ export function getPackage(
   });
 }
 
+export function loginUserToken(request: any,
+                               user: string,
+                               credentials: any,
+                               token: string,
+                               statusCode: number = HTTP_STATUS.CREATED) {
+  // $FlowFixMe
+  return new Promise((resolve) => {
+    request.put(`/-/user/org.couchdb.user:${user}`)
+      .send(credentials)
+      .set('authorization', buildToken(TOKEN_BEARER, token))
+      .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+      .expect(statusCode)
+      .end(function(err, res) {
+        return resolve([err, res]);
+      });
+  });
+}
+
 export function addUser(request: any, user: string, credentials: any,
                         statusCode: number = HTTP_STATUS.CREATED) {
   // $FlowFixMe
@@ -50,7 +69,7 @@ export function getProfile(request: any, token: string, statusCode: number = HTT
   // $FlowFixMe
   return new Promise((resolve) => {
     request.get(`/-/npm/v1/user`)
-      .set('authorization', `Bearer ${token}`)
+      .set('authorization', buildToken(TOKEN_BEARER, token))
       .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
       .expect(statusCode)
       .end(function(err, res) {