
sinopia-htpasswd's Introduction

Installation

$ npm install sinopia
$ npm install sinopia-htpasswd

PS: This module is actually bundled with sinopia, so you don't have to install it separately. Other auth plugins, however, do have to be installed this way.

Config

Add to your config.yaml:

auth:
  htpasswd:
    file: ./htpasswd

    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    #max_users: 1000

Password file format

Passwords are stored in an htpasswd file whose format is designed to be compatible with Nginx.

We use the standard Linux password hashing (the same as in /etc/shadow; on most modern systems that is salted SHA-512), but you can use any hash your glibc supports.

You can manually add a new user with this command (other ways of generating the hash work too):

$ echo "user:`mkpasswd --method=sha-512 password`" >> htpasswd

For plugin writers

It's called as:

require('sinopia-htpasswd')(config, stuff)

Where:

  • config - module's own config
  • stuff - collection of different internal sinopia objects
    • stuff.config - main config
    • stuff.logger - logger

This should export two functions:

  • adduser(user, password, cb)

    It should respond with:

    • cb(err) in case of an error (error will be returned to user)
    • cb(null, false) in case registration is disabled (next auth plugin will be executed)
    • cb(null, true) in case user registered successfully

    Setting the err.status property sets the HTTP status code returned to the user (e.g. err.status = 403).

  • authenticate(user, password, cb)

    It should respond with:

    • cb(err) in case of a fatal error (error will be returned to user, keep those rare)
    • cb(null, false) in case user not authenticated (next auth plugin will be executed)
    • cb(null, [groups]) in case user is authenticated

    groups is an array of all users/usergroups this user has access to; you should probably include the username itself.

sinopia-htpasswd's People

Contributors

rlidwka, vstone


sinopia-htpasswd's Issues

Groups in htpasswd

Is there a way to define groups to authenticate with (e.g. in the case of htgroups)? Thanks!

Disabling user registration does not work

config:

auth:
  htpasswd:
    file: /data/sinopia/htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to 0 to disable registration.
    max_users: 0

adduser:

[vagrant@nodejs ~]$ npm adduser
Username: xxx
Password: 
Email: (this IS public) [email protected]

Result:

tail -n1 /data/sinopia/htpasswd
xxx:$6$enUFPJHfZdQUxA==$nRt6buDmJKbGeLIIrX50xVrZHNfv2y3SxVBscLsvdHs.XMHdPjr3sDN/2hFTYUf5j3.Q0R4daxt79tyw9Phul0:autocreated 2014-09-26T11:11:01.807Z

htpasswd from apache2 generates other hashes than sinopia/npm-adduser

When I use htpasswd from the apache2 distribution to add a user to the file on the command line (is this not how it's meant, despite the name?) an entry like the following is created:

user1:$apr1$pnQSEnhe$AIwFNEA6xOecE7l0/mTeh.

This entry does NOT work in the authentication; the request is denied.

After setting max_users > 0 in config.yaml and creating another user with npm/adduser, an entry with a longer hash has been added:

user2:$6$zAsH+/KRfsOzgw==$LGzgf.I8ctW/day/J6AjZoe8sH5FaznwFb3bR9AEdbCDTojAjul/ZTzN2u95n1dc/m1057SHqHxleZ2DpOI.s.:autocreated 2015-02-08T00:03:45.226Z

Do the tools possibly use different hash algorithms? How should I add an entry to the htpasswd file from the command line if not using the htpasswd tool?

Offset is out of bounds with an empty htpasswd file

touch ./htpasswd

Login:

fatal --- uncaught exception, please report this
Error: Offset is out of bounds
    at Object.fs.read (fs.js:468:11)
    at /data/apps/node/sinopia/node_modules/sinopia-htpasswd/utils.js:55:10
    at Object.oncomplete (fs.js:107:15)
echo '#foobar' > ./htpasswd

Login:

 http  <-- 409, user: undefined, req: 'PUT /-/user/org.couchdb.user:admin/-rev/undefined', error: bad username/password, access denied

prebuilt

I created a prebuilt version of sinopia-htpasswd for a docker-container that contains a somewhat-modified version of sinopia. They're all hosted on npm/github at the moment:

(all the repos are hosted at codingalchemy)

I'll post an issue on sinopia's repo for more feedback (mostly has to do with simplifying the dependency chain / docker)

Include tool to add users to `htpasswd` file offline.

Currently, to add a user to a private sinopia registry, user registrations must be opened to the world. The user should then sign up, and registrations be locked down again.

This is insecure, as an attacker could sign up in the brief time that the real user is creating their account. Additionally, this method requires restarting the sinopia server twice, which is not great if it is in continuous use.

An alternative is to offer a command line tool that adds a user to a htpasswd file that administrators can run on the server itself. Because this does not open registrations to anyone who does not already have SSH access to the box, this is secure.

I have written a tool (https://bitbucket.org/takeflight/sinopia-aduser) which does exactly this. If you're interested, I can create a pull request that adds this functionality to this package, or you could use the code for inspiration if you implement this yourself.
