verdaccio-static-access-token 0.0.2

package/.circleci/config.yml

@@ -0,0 +1,46 @@
+version: 2.1
+
+orbs:
+  node: circleci/node@7.2.1
+
+jobs:
+  build:
+    docker:
+      - image: cimg/node:lts
+    steps:
+      - checkout
+      - node/install-packages:
+          pkg-manager: npm
+      - run:
+          name: Run tests
+          command: npm test
+  release:
+    docker:
+      - image: cimg/node:lts
+    steps:
+      - checkout
+      - node/install-packages:
+          pkg-manager: npm
+      - run:
+          name: Publish to npm
+          command: |
+            echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/.npmrc
+            npm publish
+
+workflows:
+  build-and-release:
+    jobs:
+      - build:
+          filters:
+            tags:
+              only: /.*/
+      - release:
+          requires:
+            - build
+          filters:
+            tags:
+              only: /^v[0-9]+(\.[0-9]+){2}$/
+            branches:
+              ignore: /.*/
+          context:
+            - VOODOO_NPM_RW

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Voodoo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,2 @@
+# verdaccio-static-access-token
+Static access token middleware plugin for Verdaccio 6+

package/config.example.yml

@@ -0,0 +1,37 @@
+storage: ./storage
+plugins: ./plugins
+
+web:
+  title: Verdaccio
+
+middlewares:
+  static-access-token:
+    enabled: true
+    tokens:
+      - key: my-super-secret-key
+        user: verdaccio-user
+        readonly: true
+      - key: my-super-secret-key-with-write-perms
+        user: verdaccio-user
+        readonly: false
+
+# You still need an auth plugin. For example, the default one:
+auth:
+  htpasswd:
+    file: ./htpasswd
+
+packages:
+  '@*/*':
+    access: $all
+    publish: verdaccio-user
+    unpublish: verdaccio-user
+    proxy: npmjs
+
+  '**':
+    access: $all
+    publish: verdaccio-user
+    unpublish: verdaccio-user
+    proxy: npmjs
+
+logs:
+  - { type: stdout, format: pretty, level: http }

package/index.js

@@ -0,0 +1,115 @@
+'use strict'
+
+const crypto = require('crypto')
+
+class StaticAccessTokenMiddleware {
+  constructor (config, stuff) {
+    this.stuff = stuff
+    this.stuff.logger.info('[verdaccio-static-access-token] Configuring')
+
+    this.enabled = config && config.enabled !== false
+
+    if (!this.enabled) {
+      this.stuff.logger.info('[verdaccio-static-access-token] Disabled')
+      this.tokens = []
+      return
+    }
+
+    this.tokens = config.tokens || []
+  }
+
+  // eslint-disable-next-line camelcase
+  register_middlewares (app, authInstance, storageInstance) {
+    if (!this.enabled) {
+      return
+    }
+    if (!this.tokens.length) {
+      this.stuff.logger.error('[verdaccio-static-access-token] No tokens configured, skipping middleware setup')
+      return
+    }
+
+    this.tokens.forEach(t => {
+      if (!t || !t.key || !t.user) {
+        throw new Error('[verdaccio-static-access-token] A token is missing a key or user.')
+      }
+      if (t.key.length < 16) {
+        throw new Error(`[verdaccio-static-access-token] Token "${t.key}" for user "${t.user}" is too insecure. Must be at least 16 characters long.`)
+      }
+    })
+
+    this.stuff.logger.info(`[verdaccio-static-access-token] register_middlewares loaded ${this.tokens.length} tokens`)
+
+    // Create a map of 'Bearer <token>' to token config for quick lookup
+    const accessTokens = new Map(this.tokens
+      .map(_ => `Bearer ${_.key}`)
+      .map((authHeader, i) => [authHeader, this.tokens[i]]))
+
+    // Verdaccio 6 might hide the secret in 'security.api.jwt.secret', fallback to 'secret'
+    const globalConfig = storageInstance.config
+    const verdaccioSecret = globalConfig.security.api.jwt.secret || globalConfig.secret
+
+    app.use((req, res, next) => {
+      // Just skip it LOL
+      if (!req.headers || !req.headers.authorization) {
+        return next()
+      }
+
+      if (req.headers && req.headers.authorization && accessTokens.has(req.headers.authorization)) {
+        const overwrite = accessTokens.get(req.headers.authorization)
+
+        // If the token is read-only we should forbid write methods
+        if (overwrite.readonly) {
+          const writeMethods = ['POST', 'PUT', 'DELETE', 'PATCH']
+          if (writeMethods.includes(req.method.toUpperCase())) {
+            this.stuff.logger.warn(`[verdaccio-static-access-token] Read-only token used for write method: ${req.method} ${req.url}`)
+            return res.status(403).send('Forbidden: Read-only token')
+          }
+        }
+
+        this.stuff.logger.info(`[verdaccio-static-access-token] Swapping static token for JWT User: ${overwrite.user}`)
+
+        // Generate a REAL JWT compatible with Verdaccio 6
+        req.headers.authorization = this._buildVerdaccio6JWT(
+          overwrite.user,
+          verdaccioSecret,
+          overwrite.readonly
+        )
+      }
+      next()
+    })
+  }
+
+  _buildVerdaccio6JWT (user, secret, readonly) {
+    const header = { alg: 'HS256', typ: 'JWT' }
+
+    // Payload must include standard Verdaccio groups!
+    const payload = {
+      name: user,
+      groups: readonly ? ['$all', '$authenticated', 'ci-readonly'] : ['$all', '$authenticated', '@all', '@authenticated', 'ci-readwrite'],
+      iat: Math.floor(Date.now() / 1000), // Issued at now
+      exp: Math.floor(Date.now() / 1000) + (60 * 60 * 24) // Expires in 1 day
+    }
+
+    const base64Url = (obj) => Buffer.from(JSON.stringify(obj))
+      .toString('base64')
+      .replace(/=/g, '')
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+
+    const encodedHeader = base64Url(header)
+    const encodedPayload = base64Url(payload)
+    const unsignedToken = `${encodedHeader}.${encodedPayload}`
+
+    const signature = crypto.createHmac('sha256', secret)
+      .update(unsignedToken)
+      .digest('base64')
+      .replace(/=/g, '')
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+
+    return `Bearer ${unsignedToken}.${signature}`
+  }
+}
+module.exports = (config, stuff) => {
+  return new StaticAccessTokenMiddleware(config, stuff)
+}

package/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "verdaccio-static-access-token",
+  "version": "0.0.2",
+  "description": "Middleware for Verdaccio 6+ to support static access tokens for CI/CD workflows",
+  "main": "index.js",
+  "scripts": {
+    "test": "standard"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/VoodooTeam/verdaccio-static-access-token.git"
+  },
+  "keywords": [
+    "verdaccio",
+    "auth",
+    "plugin",
+    "verdaccio-plugin",
+    "token"
+  ],
+  "author": "Voodoo Gaming https://www.voodoo.io",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/VoodooTeam/verdaccio-static-access-token/issues"
+  },
+  "homepage": "https://github.com/VoodooTeam/verdaccio-static-access-token#readme",
+  "dependencies": {},
+  "devDependencies": {
+    "standard": "^12.0.1",
+    "verdaccio": "^3.11.6"
+  }
+}