Dev - Nexus Repo / NEXUS-22328

NPM Logout Throws a 403 Error

    Details

    • Type: Bug
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: 3.19.0, 3.20.0
    • Fix Version/s: None
    • Component/s: NPM
    • Labels: None
    • Notability: 2

      Description

      A user with only basic read access (e.g. nx-anonymous) can successfully perform an 'npm login', but an 'npm logout' fails with a 403 because npm issues a DELETE request to remove the npm token:

      npm logout --registry=http://localhost:8081/repository/npm/ -ddd
      ...
      npm http request DELETE http://localhost:8081/repository/npm/-/user/token/NpmToken.339faa21-76c9-3474-bbe1-1eec9fac617e
      npm http 403 http://localhost:8081/repository/npm/-/user/token/NpmToken.339faa21-76c9-3474-bbe1-1eec9fac617e
      npm verb headers { date: 'Thu, 09 Jan 2020 10:28:58 GMT',
      npm verb headers server: 'Nexus/3.20.0-04 (PRO)',
      npm verb headers 'x-content-type-options': 'nosniff',
      npm verb headers 'content-security-policy':
      npm verb headers 'sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation',
      npm verb headers 'x-xss-protection': '1; mode=block',
      npm verb headers 'content-length': '0' }
      npm verb stack Error: 403 Forbidden

      This is the same issue as reported previously in NEXUS-14459.

      The expected behaviour is that if a given user can successfully 'npm login' with a given set of permissions, that user should also be able to successfully 'npm logout'.

      To work around this, create a content selector with this expression:

      path =^ "/-/user/token/"

      Then create a content selector privilege that uses that content selector with the "delete" action, and assign it to the user via a role.

      People

      Assignee: Unassigned
      Reporter: hardeepn (Hardeep Nagra)
      CC: Anders Hammar
      Last Updated By: Joe Tom
      Votes: 0
      Watchers: 5