Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Critical
-
Resolution: Fixed
-
Affects Version/s: 3.15.0
-
Fix Version/s: 3.15.1
-
Labels:
Description
Nexus has an anti-csrf request filter. This filter may block otherwise valid npm publish attempts with a message 401 Anti cross-site request forgery token mismatch.
npm verb publish registryBase https://example.com/repository/veneer/
npm verb request uri https://example.com/repository/veneer/@veneer%2fcore
npm verb request always-auth set; sending authorization
npm info attempt registry request try #1 at 11:46:25
npm verb request id 42115f81eec2cf80
npm http request PUT https://example.com/repository/veneer/@veneer%2fcore
REQUEST { url:
Url {
protocol: 'https:',
slashes: true,
auth: 'veneer.bot:********',
host: 'example.com',
port: null,
hostname: 'example.com',
hash: null,
search: null,
query: null,
pathname: '/repository/veneer/@veneer%2fcore',
path: '/repository/veneer/@veneer%2fcore',
href: 'https://example.com/repository/veneer/@veneer%2fcore' },
method: 'PUT',
headers:
{ 'accept-encoding': 'gzip',
version: '6.4.1',
accept: 'application/json',
referer: 'publish',
'npm-session': '42115f81eec2cf80',
'npm-in-ci': 'false',
'user-agent': 'npm/6.4.1 node/v8.11.3 linux x64',
'npm-scope': '@veneer' },
strictSSL: false,
cert: null,
key: null,
ca: null,
agent:
Agent {
domain: null,
_events: { free: [Function] },
_eventsCount: 1,
_maxListeners: undefined,
defaultPort: 443,
protocol: 'https:',
options:
{ key: null,
cert: null,
ca: null,
rejectUnauthorized: false,
localAddress: undefined,
maxSockets: 50,
keepAlive: true,
path: null },
requests: {},
sockets: {},
freeSockets: {},
keepAliveMsecs: 1000,
keepAlive: true,
maxSockets: 50,
maxFreeSockets: 256,
maxCachedSessions: 100,
_sessionCache: { map: {}, list: [] } },
proxy: 'http://proxy.example.com:8080/',
followRedirect: true,
encoding: null,
json:
{ _id: '@veneer/core',
name: '@veneer/core',
description: 'Veneer Core',
'dist-tags': { latest: '0.0.0-dummy.3' },
versions: { '0.0.0-dummy.3': [Object] },
readme: 'ERROR: No README data found!',
maintainers: [ [Object] ],
_attachments: { '@veneer/core-0.0.0-dummy.3.tgz': [Object] } },
callback: [Function] }
REQUEST make request https://example.com/repository/veneer/@veneer%2fcore
REQUEST onRequestResponse https://example.com/repository/veneer/@veneer%2fcore 401 { 'content-type': 'text/plain;charset=iso-8859-1',
date: 'Wed, 16 Jan 2019 13:46:38 GMT',
server: 'Nexus/3.15.0-01 (PRO)',
'x-content-type-options': 'nosniff',
'content-length': '46',
connection: 'Close' }
REQUEST reading response's body
REQUEST finish init function https://example.com/repository/veneer/@veneer%2fcore
REQUEST response end https://example.com/repository/veneer/@veneer%2fcore 401 { 'content-type': 'text/plain;charset=iso-8859-1',
date: 'Wed, 16 Jan 2019 13:46:38 GMT',
server: 'Nexus/3.15.0-01 (PRO)',
'x-content-type-options': 'nosniff',
'content-length': '46',
connection: 'Close' }
REQUEST end event https://example.com/repository/veneer/@veneer%2fcore
REQUEST has body https://example.com/repository/veneer/@veneer%2fcore 46
REQUEST invalid JSON received https://example.com/repository/veneer/@veneer%2fcore
REQUEST emitting complete https://example.com/repository/veneer/@veneer%2fcore
npm http 401 https://example.com/repository/veneer/@veneer%2fcore
npm verb bad json Anti cross-site request forgery token mismatch
npm ERR! registry error parsing json
npm verb headers { 'content-type': 'text/plain;charset=iso-8859-1',
npm verb headers date: 'Wed, 16 Jan 2019 13:46:38 GMT',
npm verb headers server: 'Nexus/3.15.0-01 (PRO)',
npm verb headers 'x-content-type-options': 'nosniff',
npm verb headers 'content-length': '46',
npm verb headers connection: 'Close' }
npm ERR! publish Failed PUT 401
npm verb stack SyntaxError: Unexpected token A in JSON at position 0
npm verb stack Anti cross-site request forgery token mismatch
npm verb stack at JSON.parse (<anonymous>)
npm verb stack at RegClient.<anonymous> (/home/example/n/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:243:23)
npm verb stack at Request._callback (/home/example/n/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:216:14)
npm verb stack at Request.self.callback (/home/example/n/lib/node_modules/npm/node_modules/request/request.js:185:22)
npm verb stack at emitTwo (events.js:126:13)
npm verb stack at Request.emit (events.js:214:7)
npm verb stack at Request.<anonymous> (/home/example/n/lib/node_modules/npm/node_modules/request/request.js:1161:10)
npm verb stack at emitOne (events.js:116:13)
npm verb stack at Request.emit (events.js:211:7)
npm verb stack at IncomingMessage.<anonymous> (/home/example/n/lib/node_modules/npm/node_modules/request/request.js:1083:12)
npm verb stack at Object.onceWrapper (events.js:313:30)
npm verb stack at emitNone (events.js:111:20)
npm verb stack at IncomingMessage.emit (events.js:208:7)
npm verb stack at endReadableNT (_stream_readable.js:1064:12)
npm verb stack at _combinedTickCallback (internal/process/next_tick.js:138:11)
npm verb stack at process._tickCallback (internal/process/next_tick.js:180:9)
npm verb cwd /home/example/workspace/veneer/veneer/packages/core
npm verb Linux 4.13.0-45-generic
npm verb argv "/home/example/n/bin/node" "/home/example/.local/bin/npm" "publish" "--verbose" "--log-level=silly"
npm verb node v8.11.3
npm verb npm v6.4.1
npm ERR! Unexpected token A in JSON at position 0
npm ERR! Anti cross-site request forgery token mismatch
Permanent Workaround
The bug has been fixed in 3.15.1 - please upgrade.
Temporary Workaround for 3.15.0
The anti-csrf filter can be temporarily disabled using a system property.
Edit sonatype-work/nexus3/etc/nexus.properties
Add this property on a new line:
nexus.security.anticsrftoken.enabled=false
Restart Nexus.
Attachments
Issue Links
- relates
-
-
- Closed
-