Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 3.15.0
- Fix Version/s: 3.15.1
- Labels:
Description
Nexus has an anti-csrf request filter. This filter may block otherwise valid npm publish attempts with the message "401 Anti cross-site request forgery token mismatch".
npm verb publish registryBase https://example.com/repository/veneer/
npm verb request uri https://example.com/repository/veneer/@veneer%2fcore
npm verb request always-auth set; sending authorization
npm info attempt registry request try #1 at 11:46:25
npm verb request id 42115f81eec2cf80
npm http request PUT https://example.com/repository/veneer/@veneer%2fcore
REQUEST { url:
   Url {
     protocol: 'https:',
     slashes: true,
     auth: 'veneer.bot:********',
     host: 'example.com',
     port: null,
     hostname: 'example.com',
     hash: null,
     search: null,
     query: null,
     pathname: '/repository/veneer/@veneer%2fcore',
     path: '/repository/veneer/@veneer%2fcore',
     href: 'https://example.com/repository/veneer/@veneer%2fcore' },
  method: 'PUT',
  headers:
   { 'accept-encoding': 'gzip',
     version: '6.4.1',
     accept: 'application/json',
     referer: 'publish',
     'npm-session': '42115f81eec2cf80',
     'npm-in-ci': 'false',
     'user-agent': 'npm/6.4.1 node/v8.11.3 linux x64',
     'npm-scope': '@veneer' },
  strictSSL: false,
  cert: null,
  key: null,
  ca: null,
  agent:
   Agent {
     domain: null,
     _events: { free: [Function] },
     _eventsCount: 1,
     _maxListeners: undefined,
     defaultPort: 443,
     protocol: 'https:',
     options:
      { key: null,
        cert: null,
        ca: null,
        rejectUnauthorized: false,
        localAddress: undefined,
        maxSockets: 50,
        keepAlive: true,
        path: null },
     requests: {},
     sockets: {},
     freeSockets: {},
     keepAliveMsecs: 1000,
     keepAlive: true,
     maxSockets: 50,
     maxFreeSockets: 256,
     maxCachedSessions: 100,
     _sessionCache: { map: {}, list: [] } },
  proxy: 'http://proxy.example.com:8080/',
  followRedirect: true,
  encoding: null,
  json:
   { _id: '@veneer/core',
     name: '@veneer/core',
     description: 'Veneer Core',
     'dist-tags': { latest: '0.0.0-dummy.3' },
     versions: { '0.0.0-dummy.3': [Object] },
     readme: 'ERROR: No README data found!',
     maintainers: [ [Object] ],
     _attachments: { '@veneer/core-0.0.0-dummy.3.tgz': [Object] } },
  callback: [Function] }
REQUEST make request https://example.com/repository/veneer/@veneer%2fcore
REQUEST onRequestResponse https://example.com/repository/veneer/@veneer%2fcore 401 { 'content-type': 'text/plain;charset=iso-8859-1',
  date: 'Wed, 16 Jan 2019 13:46:38 GMT',
  server: 'Nexus/3.15.0-01 (PRO)',
  'x-content-type-options': 'nosniff',
  'content-length': '46',
  connection: 'Close' }
REQUEST reading response's body
REQUEST finish init function https://example.com/repository/veneer/@veneer%2fcore
REQUEST response end https://example.com/repository/veneer/@veneer%2fcore 401 { 'content-type': 'text/plain;charset=iso-8859-1',
  date: 'Wed, 16 Jan 2019 13:46:38 GMT',
  server: 'Nexus/3.15.0-01 (PRO)',
  'x-content-type-options': 'nosniff',
  'content-length': '46',
  connection: 'Close' }
REQUEST end event https://example.com/repository/veneer/@veneer%2fcore
REQUEST has body https://example.com/repository/veneer/@veneer%2fcore 46
REQUEST invalid JSON received https://example.com/repository/veneer/@veneer%2fcore
REQUEST emitting complete https://example.com/repository/veneer/@veneer%2fcore
npm http 401 https://example.com/repository/veneer/@veneer%2fcore
npm verb bad json Anti cross-site request forgery token mismatch
npm ERR! registry error parsing json
npm verb headers { 'content-type': 'text/plain;charset=iso-8859-1',
npm verb headers   date: 'Wed, 16 Jan 2019 13:46:38 GMT',
npm verb headers   server: 'Nexus/3.15.0-01 (PRO)',
npm verb headers   'x-content-type-options': 'nosniff',
npm verb headers   'content-length': '46',
npm verb headers   connection: 'Close' }
npm ERR! publish Failed PUT 401
npm verb stack SyntaxError: Unexpected token A in JSON at position 0
npm verb stack Anti cross-site request forgery token mismatch
npm verb stack     at JSON.parse (<anonymous>)
npm verb stack     at RegClient.<anonymous> (/home/example/n/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:243:23)
npm verb stack     at Request._callback (/home/example/n/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:216:14)
npm verb stack     at Request.self.callback (/home/example/n/lib/node_modules/npm/node_modules/request/request.js:185:22)
npm verb stack     at emitTwo (events.js:126:13)
npm verb stack     at Request.emit (events.js:214:7)
npm verb stack     at Request.<anonymous> (/home/example/n/lib/node_modules/npm/node_modules/request/request.js:1161:10)
npm verb stack     at emitOne (events.js:116:13)
npm verb stack     at Request.emit (events.js:211:7)
npm verb stack     at IncomingMessage.<anonymous> (/home/example/n/lib/node_modules/npm/node_modules/request/request.js:1083:12)
npm verb stack     at Object.onceWrapper (events.js:313:30)
npm verb stack     at emitNone (events.js:111:20)
npm verb stack     at IncomingMessage.emit (events.js:208:7)
npm verb stack     at endReadableNT (_stream_readable.js:1064:12)
npm verb stack     at _combinedTickCallback (internal/process/next_tick.js:138:11)
npm verb stack     at process._tickCallback (internal/process/next_tick.js:180:9)
npm verb cwd /home/example/workspace/veneer/veneer/packages/core
npm verb Linux 4.13.0-45-generic
npm verb argv "/home/example/n/bin/node" "/home/example/.local/bin/npm" "publish" "--verbose" "--log-level=silly"
npm verb node v8.11.3
npm verb npm v6.4.1
npm ERR! Unexpected token A in JSON at position 0
npm ERR! Anti cross-site request forgery token mismatch
Permanent Workaround
The bug has been fixed in 3.15.1 - please upgrade.
Temporary Workaround for 3.15.0
The anti-csrf filter can be temporarily disabled using a system property.
1. Edit sonatype-work/nexus3/etc/nexus.properties
2. Add this property on a new line:
   nexus.security.anticsrftoken.enabled=false
3. Restart Nexus.
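Because the workaround switches the anti-CSRF filter off, it is worth checking after the upgrade to 3.15.1 that the property is no longer set. The following is an added example, not part of the original issue or of Nexus itself: a shell function (the name `anticsrf_state` and the sample file contents are constructed) that reports the effective value of the property in a nexus.properties file. It assumes Java properties semantics, where the last assignment of a key wins.

```shell
#!/bin/sh
# Added example: report the state of the anti-CSRF switch in a nexus.properties file.
# Prints "disabled", "enabled", "other" (value needs manual review) or "unset".
anticsrf_state() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    awk '
        BEGIN { state = "unset"; key = "nexus.security.anticsrftoken.enabled" }
        /^[ \t]*[#!]/ { next }              # properties comment lines
        {
            line = $0
            sub(/\r$/, "", line)            # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)        # leading whitespace is ignored
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            # The key must be followed by a separator (=, : or whitespace);
            # otherwise this is a different, longer key.
            if (rest !~ /^[ \t=:]/) next
            sub(/^[ \t]*[=:]?[ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            value = tolower(rest)
            if (value == "false")      state = "disabled"
            else if (value == "true")  state = "enabled"
            else                       state = "other"
            # No early exit: assumption is that the last assignment wins.
        }
        END { print state }
    ' "$file"
}

# Constructed sample: the workaround left in place below a commented-out copy.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# nexus.properties (constructed sample)
application-port=8081
#nexus.security.anticsrftoken.enabled=true
nexus.security.anticsrftoken.enabled = false
EOF
anticsrf_state "$sample"    # prints: disabled
rm -f "$sample"
```

Run it against sonatype-work/nexus3/etc/nexus.properties on each instance; "disabled" on a 3.15.1 or later installation means the temporary workaround is still in effect.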
Issue Links
- relates: NEXUS-19890 Unable to upload file to Raw repo using Powershell (Closed)