The client authentication is handled by the
npm client itself. Once you log in to the application:
npm adduser --registry http://localhost:4873
A token is generated in the
npm configuration file hosted in your user home folder. For more information about
.npmrc read the official documentation.
cat .npmrc registry=http://localhost:5555/ //localhost:5555/:_authToken="secretVerdaccioToken" //registry.npmjs.org/:_authToken=secretNpmjsToken
verdaccio allows you to enable anonymous publish. To achieve that you will need to correctly set up your packages access.
'my-company-*': access: $anonymous publish: $anonymous proxy: npmjs
As is described on issue #212 until
email@example.com and all minor releases won't allow you publish without a token.
The meaning of
As you know Verdaccio uses
htpasswd by default. That plugin does not implement the methods
Thus, Verdaccio will handle that in the following way:
- If you are not logged in (you are anonymous),
$anonymousmeans exactly the same.
- If you are logged in,
$anonymouswon't be part of your groups and
$allwill match any logged user. A new group
$authenticatedwill be added to your group list.
$all will match all users, whether logged in or not.
The previous behavior only applies to the default authentication plugin. If you are using a custom plugin and such plugin implements
allow_unpublish, the resolution of the access depends on the plugin itself. Verdaccio will only set the default groups.
- logged in:
$authenticated+ groups added by the plugin.
- logged out (anonymous):
In order to simplify the setup,
verdaccio uses a plugin based on
htpasswd. Since version v3.0.x the
is used by default.
auth: htpasswd: file: ./htpasswd # Maximum amount of users allowed to register, defaults to "+inf". # You can set this to -1 to disable registration. #max_users: 1000
|file||string||Yes||./htpasswd||all||file that host the encrypted credentials|
|max_users||number||No||1000||all||set limit of users|
In case you decide to prevent users from signing up themselves, you can set