Dev - Nexus Repo / NEXUS-31739

Repo 2 interprets npm Bearer token authentication as Basic authentication

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.14.13
    • Fix Version/s: None
    • Component/s: NPM
    • Notability: 3

      Description

      Configure Repo 2 with

      • npm-group npm group repository containing an npm-proxy to the official registry
      • Anonymous access disabled (to ensure auth is required to access repo content)
      • default admin user with admin123 password

      Configure an npm client with the following ~/.npmrc file:

      init.author.name = Jane Doe
      init.author.email = jane@example.com
      init.author.url = http://blog.example.com
      
      //localhost:8081/nexus/content/groups/npm-group/:_authToken=YWRtaW46YWRtaW4xMjM=
      

      Ensure you have a test package.json in the current directory that has dependencies.

      Try to install packages from the npm-group repo:

      npm install --registry=http://localhost:8081/nexus/content/groups/npm-group/
      

      The result is that all downloads work, because YWRtaW46YWRtaW4xMjM= is the Base64-encoded username and password (admin:admin123).

      The npm client sends the following Authorization header indicating it is sending a Bearer token:

      Authorization: Bearer YWRtaW46YWRtaW4xMjM=
      

      The same configuration against Repo 3 does not work.

      Expected

      The client request should fail with 401 instead, since it is sending a Bearer token and Repo 2 does not support Bearer token authentication.
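
The scheme confusion described above, as an added example (not Nexus code and not part of the original report): a scheme-blind credential parser beside one that honours the scheme, plus a heuristic audit of `.npmrc` text for `_authToken` values that are really Base64 `user:password`. All function names and the second registry entry are hypothetical or constructed.

```javascript
'use strict';
// Added illustration; function names are hypothetical, not a Nexus API.

// Split an Authorization header value into scheme (case-insensitive) and credentials.
function splitHeader(header) {
  const m = /^([A-Za-z][A-Za-z0-9-]*) +(\S+)$/.exec(header || '');
  return m ? { scheme: m[1].toLowerCase(), value: m[2] } : null;
}

// Decode Base64 "user:password" (the Basic credential shape); null otherwise.
// Heuristic: an opaque token that happens to decode to text with ':' also matches.
function decodeUserPass(value) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value) || value.length % 4 !== 0) return null;
  const text = Buffer.from(value, 'base64').toString('utf8');
  const i = text.indexOf(':');
  return i > 0 ? { user: text.slice(0, i), password: text.slice(i + 1) } : null;
}

// Model of the reported behaviour: the scheme is ignored, so a Bearer
// value is decoded exactly as if it had arrived as Basic.
function lenientCredentials(header) {
  const h = splitHeader(header);
  return h ? decodeUserPass(h.value) : null;
}

// Behaviour the report expects: only the Basic scheme yields a username/password;
// a server without bearer support would answer 401 to anything else.
function strictCredentials(header) {
  const h = splitHeader(header);
  return h && h.scheme === 'basic' ? decodeUserPass(h.value) : null;
}

// Audit helper: list registries in .npmrc text whose _authToken decodes to user:password.
function findPasswordLikeTokens(npmrcText) {
  const hits = [];
  for (const line of npmrcText.split(/\r?\n/)) {
    const m = /^\s*(\/\/[^\s=]+):_authToken\s*=\s*(\S+)\s*$/.exec(line);
    if (m && decodeUserPass(m[2])) hits.push(m[1]);
  }
  return hits;
}

// First entry is the one from the report; the second is constructed for contrast.
const SAMPLE_NPMRC = [
  '//localhost:8081/nexus/content/groups/npm-group/:_authToken=YWRtaW46YWRtaW4xMjM=',
  '//registry.example.test/:_authToken=constructed-opaque-token-0001',
].join('\n');
console.log(findPasswordLikeTokens(SAMPLE_NPMRC));
```
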

            People

            Assignee: Unassigned
            Reporter: Peter Lynch (plynch)
            Last Updated By: Peter Lynch