The client authentication is handled by
npm client itself. Once you login to the application:
npm adduser --registry http://localhost:4873
A token is generated in the
npm configuration file hosted in your user home folder. For more information about
.npmrc read the official documentation.
cat .npmrc registry=http://localhost:5555/ //localhost:5555/:_authToken="secretVerdaccioToken" //registry.npmjs.org/:_authToken=secretNpmjsToken
verdaccio allows you to enable anonymous publish, to achieve that you will need to set up correctly your packages access.
'my-company-*': access: $anonymous publish: $anonymous proxy: npmjs
As is described on issue #212 until
firstname.lastname@example.org and all minor releases won't allow you publish without a token.
The meaning of
As you know Verdaccio uses the
htpasswd by default. That plugin does not implement the methods
Thus, Verdaccio will handle that in the following way:
- If you are not logged in (you are anonymous),
$anonymousmeans exactly the same.
- If you are logged in,
$anonymouswon't be part of your groups and
$allwill match any logged user. A new group
$authenticatedwill be added to the list.
As a takeaway,
$all will match all users, independently whether is logged or not.
The previous behavior only applies to the default authentication plugin. If you are using a custom plugin and such plugin implements
allow_unpublish, the resolution of the access depends on the plugin itself. Verdaccio will only set the default groups.
$authenticated, + groups added by the plugin
- anonymous (logged out):
In order to simplify the setup,
verdaccio uses a plugin based on
htpasswd. Since version v3.0.x the
is used by default.
auth: htpasswd: file: ./htpasswd # Maximum amount of users allowed to register, defaults to "+inf". # You can set this to -1 to disable registration. #max_users: 1000
|file||string||Yes||./htpasswd||all||file that host the encrypted credentials|
|max_users||number||No||1000||all||set limit of users|
In case you decide to not allow users to sign up, you can set