NEXUS-24803

align user token content protection for non-content requests


    Details

    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.22.0
    • Fix Version/s: None
    • Component/s: User Token
    • Labels: None
    • Notability: n/a

      Description

      The original intent of the NXRM user token content protection feature was to discourage a build tool, or the user of that tool, from storing plain corporate credentials in a file on disk.

      With the advent of repository formats where obtaining a format-specific token via a realm is normal operation (npm/Docker), these format-specific tokens somewhat obviate the need to use the NXRM User Token. Meaning the NXRM user token is not normally needed when fetching actual repository content (assets / components).

      Therefore, for consistency across all repository formats and format-specific token realms:

      • the only case where a request should fail with 401 due to the NXRM user token content protection feature is if that specific HTTP request asked for content and attempted authentication in the same request using plain text (non-token) credentials against a /repository/* content download endpoint.
      • non-content operations, such as authenticating with plain text credentials to obtain a format-specific token (i.e. docker login / npm login) for subsequent use, should be allowed to succeed (no corporate creds are stored on the client disk, only the format-specific token), as no actual content is being requested in that case.
      • any existing inconsistencies with the above two statements should be aligned across all formats/repos that have token realms, despite the changes introduced in NEXUS-16159 in version 3.22.0.
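The two rules above can be read as a single request-level decision: reject with 401 only when a request both asks for content under /repository/* and presents plain (non-token) credentials; let token-issuing and other non-content requests through. The following is an added model of that decision, not Nexus Repository code. The endpoint paths (npm login at /-/user/, the Docker /v2/ ping and /v2/token exchange), the `Request` type and the way the credential kind is labelled are assumptions made for illustration; a real server resolves a Basic header to a user account or a user-token pair by lookup rather than from the request alone.

```python
"""Model of the request-level rule proposed in NEXUS-24803.

Added example, not Nexus Repository code. Endpoint paths and the
credential classification are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    # Assumed classification of the credentials presented on this request:
    # "plain" (corporate username/password), "user_token" (NXRM user token),
    # "format_token" (npm auth token / Docker bearer token) or None (anonymous).
    credential: Optional[str]


# Assumed token-issuing endpoints that must NOT count as content requests:
#   npm login:    PUT /repository/<repo>/-/user/org.couchdb.user:<name>
#   docker login: the /v2/ ping and /v2/token exchange of the Docker token realm
_TOKEN_ENDPOINTS = (
    re.compile(r"^/repository/[^/]+/-/user/"),
    re.compile(r"^(/repository/[^/]+)?/v2/(token)?$"),
)


def is_content_request(req: Request) -> bool:
    """True only for an asset/component download under /repository/*.

    Uploads (PUT/POST) and the token endpoints above are not content
    downloads, so they are excluded even though they sit under /repository/.
    """
    if req.method not in ("GET", "HEAD"):
        return False
    if not req.path.startswith("/repository/"):
        return False
    return not any(p.match(req.path) for p in _TOKEN_ENDPOINTS)


def decide(req: Request, content_protection: bool = True) -> int:
    """Return the HTTP status the content-protection rule alone would produce.

    401 only when the request asks for content AND authenticates with plain
    (non-token) credentials. Everything else (token credentials, login and
    token-exchange requests, non-download operations) is left to ordinary
    authorization, modelled here as 200.
    """
    if content_protection and is_content_request(req) and req.credential == "plain":
        return 401
    return 200


def audit(requests: List[Request]) -> List[Tuple[str, str, int]]:
    """Apply the rule to a batch of requests; useful for checking a format
    behaves consistently with the two statements in the ticket."""
    return [(r.method, r.path, decide(r)) for r in requests]


# Constructed sample traffic: one npm and one Docker login, then content fetches
# with each credential kind. Paths are assumed, not captured from a server.
SAMPLE = [
    Request("PUT", "/repository/npm-hosted/-/user/org.couchdb.user:alice", "plain"),
    Request("GET", "/repository/docker-hosted/v2/", "plain"),
    Request("GET", "/repository/docker-hosted/v2/token", "plain"),
    Request("GET", "/repository/npm-hosted/lodash/-/lodash-4.17.21.tgz", "plain"),
    Request("GET", "/repository/npm-hosted/lodash/-/lodash-4.17.21.tgz", "user_token"),
    Request("GET", "/repository/npm-hosted/lodash/-/lodash-4.17.21.tgz", "format_token"),
    Request("HEAD", "/repository/docker-hosted/v2/library/alpine/manifests/latest", "plain"),
    Request("GET", "/repository/docker-hosted/v2/library/alpine/blobs/sha256:abcd", "format_token"),
]

if __name__ == "__main__":
    for method, path, status in audit(SAMPLE):
        print(f"{status} {method} {path}")
```

Only the two plain-credential content downloads in the sample produce 401; both logins, the token exchange, and every token-authenticated fetch pass, which is the behaviour the ticket asks to be made consistent across formats.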

    People

    • Assignee: Unassigned
    • Reporter: plynch Peter Lynch
    • Last Updated By: Rich Seddon
    • Votes: 0
    • Watchers: 4
