feat: add support for npm owner

[mbtools]

Here we go...

Overview (based on npm owner)

This PR will allow executing the npm owner command on a verdaccio registry.

The current owners of a package are stored using the maintainers property of package.json. Each version will also contain the historical list of owners at the time of publishing in the maintainers property of the version.

Note 1

Verdaccio does not store user emails. Therefore, maintainers are added using just the username (and an empty email field). There's also no email invitation flow for added owners as with the npm registry. Adding emails to user profiles might be a future enhancement (npm profile).

Note 2

By default, this PR will not impact on permissions for accessing packages. A new config option can be used to activate, checking package ownership when trying publish a new or unpublish an old version of a package:

publish:
  check_owners: true

If check_owners is true, then changing a package (publish/unpublish), will require that your user is listed as an owner of the package i.e. included in the maintainers array of the packument.

Technical details (based on npm cli)

• npm owner list

  • uses get /:package endpoint to retrieve the manifest and maintainers

• npm owner add/rm

  • uses get /-/user/:org_couchdb_user endpoint to get the users name and email (see below)
  • the maintainer list in the manifest is updated using put /:package endpoint (via request body)
  • the implementation is very similar to npm star

• get /-/user/:org_couchdb_user

  • added { name: <username>, email: '' } to the response if user is logged in (required by npm owner)
  • changed response to { ok: false } if user is not logged in (to mirror npm registry)

• put /-/user/:org_couchdb_user/:_rev?/:revision?

  • added validation of URL and request body to harden endpoint
    • example: put /-/user/org.couchdb.user:tom will raise an error when name: 'jerry' is contained in the body

• put /:package

  • npm publish will set maintainers: [ { name: <logged_in_user>, email: '' }] for new packages
  • npm owner will updated maintainers as provided by npm cli adding or removing owners

Status

• npm owner list
• npm owner add/rm
• npm publish, update package
• npm publish, update version metadata
• Add tests for the new scenarios

Example

> npm config get registry
http://localhost:8000/
> npm owner ls
mbtools <no-reply@marcbernardtools.com>
> npm owner add verdaccio
+ verdaccio (mbtools-demo)
> npm owner ls
mbtools <no-reply@marcbernardtools.com>
verdaccio <>
> npm owner rm verdaccio 
- verdaccio (mbtools-demo)
> npm owner ls
mbtools <no-reply@marcbernardtools.com>
> npm owner rm mbtools  
npm ERR! code EOWNERRM
npm ERR! Cannot remove all owners of a package. Add someone else first.
npm ERR! A complete log of this run can be found in: ...debug-0.log

[mbtools]

npm owner is now updating the package.json in verdaccio the same way as in the npm registry 😀

Next would be addressing Note 1 and Note 2 from above.

[juanpicado]

npm owner is now updating the package.json in verdaccio the same way as in the npm registry 😀

Next would be addressing Note 1 and Note 2 from above.

I didn't have much focus time to finish the review but I have no objections so far, great job I'll back to this next week (I'm afk lately)

[mbtools]

Todos:

• add checkAllowedToChangePackage to storage removePackage
• add checkAllowedToChangePackage to storage removeTarball

[mbtools]

This is it 😃 If you set publish > check_owners: true, users will have to be authenticated and belong to the maintainers of a package just like the npm registry (without org and team).

PS: I will update docs in separate PR.

[juanpicado]

This is it 😃 If you set publish > check_owners: true, users will have to be authenticated and belong to the maintainers of a package just like the npm registry (without org and team).

PS: I will update docs in separate PR.

Still half way to finish the deep testing but yeah that was one of my questions I had so far :) sorry I need to focus on the cipher issue but I will be back on this.

[mbtools]

fixing getTarballDetails, then back to this