
npm Security

If Anonymous Access is enabled, any anonymous user has read access to the repositories and repository groups. If disabled or write access is required for publishing a package, the user needs to authenticate to the repository manager. There are two methods to authenticate npm with your repository manager; you should only use one at a time.

Authentication Using Realm and Login

This authentication method requires the npm Bearer Token Realm. Simply add the realm to the active realms in the Realms section of the Security menu from the Administration menu to activate it as documented in Realms.

Once the realm is activated, an npm CLI user can establish the authentication to a repository with the npm adduser (npm login is an equivalent alias) command.

Note that due to breaking changes to authentication introduced in npm version 9, you must include --auth-type=legacy in the command as illustrated below.

npm adduser --auth-type=legacy --registry=http://localhost:8081/repository/npm-internal/

Provide your repository manager username and password as well as an email address when prompted. Upon successful completion, a line for authentication of this combination is automatically added to your .npmrc configuration file for the specific repository.

Despite its name, the npm adduser command does not actually create a user account inside Nexus Repository. It merely associates a token with an existing user account and allows the CLI to store that token for re-use.

Authentication Using Basic Auth

In some instances you cannot use the realm and login method. This includes when using user tokens for authentication or when using a username that includes a capital letter (the npm login command does not support usernames that include capital letters). In these cases, you can still use npm by configuring it to use basic authentication with your repository manager. This authentication method involves editing the .npmrc configuration file to add an encoded username and password. It is considered the less flexible of the methods supported.

At the end of this process, your .npmrc file should look something like the following example:

registry=//nexus.example/repository/npm-all/
email=name@domain.com
//nexus.example/repository/npm-all/:_auth=YWRtaW46YWRtaW4xMjM=

  • registry=//nexus.example/repository/npm-all/ - This line sets the default registry to your repository; use the actual URL of your Nexus Repository instance.

  • email=name@domain.com - This line sets the email address associated with your npm user.

  • //nexus.example/repository/npm-all/:_auth=YWRtaW46YWRtaW4xMjM= - This is the crucial line for authentication.

    • First, it specifies the registry URL again

    • :_auth=: adds the configuration key for setting the authentication token

    • YWRtaW46YWRtaW4xMjM=: represents the base64-encoded string representing the username and password

To generate the base64-encoded string for username:password, use the command line call to openssl as in the following example. Note that this example uses the admin user with password admin123:

echo -n 'admin:admin123' | openssl base64

Other tools for the encoding are uuencode or, for Windows users, certutil. To use certutil on Windows you need to put the credentials to be encoded into a file:

admin:admin123

Note

Ensure your file does not have extra whitespace or a trailing line separator as either of these will negatively impact the resultant output.

Then run:

c:\certutil /encode in.txt out.txt

After this, the base64 encoded credentials can be found in between the begin and end certificate lines in the output file as in the following example:

-----BEGIN CERTIFICATE-----
YWRtaW46YWRtaW4xMjM=
-----END CERTIFICATE-----

Note

Whatever tool you use to generate the encoded username and password string can be tested by encoding the string admin:admin123, which should result in YWRtaW46YWRtaW4xMjM=. Another example is jane:testpassword123, which should result in amFuZTp0ZXN0cGFzc3dvcmQxMjM=.

Once you have encoded credentials, add them to the .npmrc file so that it looks like the provided example.

registry=//nexus.example/repository/npm-all/
email=name@domain.com
//nexus.example/repository/npm-all/:_auth=YWRtaW46YWRtaW4xMjM=
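The following script is an added example, not part of the Sonatype documentation, that performs the encoding step above with a POSIX shell and checks the result against the two test vectors given in the note (admin:admin123 and jane:testpassword123). It also shows why the note about trailing line separators matters: the same credentials encoded with a trailing newline produce a different, unusable value. The function names are made up for this example; it assumes a coreutils-style base64 command is on the PATH.

```shell
#!/bin/sh
# Added example (not Sonatype's own tooling): encode "user:password" for the
# .npmrc _auth key and verify the result against the page's known test vectors.

# Encode the string exactly as given: printf '%s' adds no trailing newline, and
# tr removes any line wrapping the base64 tool itself inserts.
encode_auth() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode an _auth value back to "user:password". base64 is an encoding, not
# encryption: anyone who can read .npmrc can recover the password this way,
# so the file needs the same protection as the password itself.
decode_auth() {
    printf '%s' "$1" | base64 -d
}

# The pitfall from the note above: a bare "echo" or a credentials file saved
# with a line separator encodes the newline too and yields a different value.
encode_with_newline() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Self-check against the two examples given on the page; returns 0 on success.
verify_vectors() {
    [ "$(encode_auth 'admin:admin123')" = 'YWRtaW46YWRtaW4xMjM=' ] || return 1
    [ "$(encode_auth 'jane:testpassword123')" = 'amFuZTp0ZXN0cGFzc3dvcmQxMjM=' ] || return 1
    [ "$(decode_auth 'YWRtaW46YWRtaW4xMjM=')" = 'admin:admin123' ] || return 1
    return 0
}

# Interactive use: prompt for the password instead of passing it as a command
# line argument, so it is not written to the shell history.
if [ "${1:-}" = "--prompt" ]; then
    printf 'Username: '; read -r user
    stty -echo; printf 'Password: '; read -r pass; stty echo; printf '\n'
    encode_auth "$user:$pass"; printf '\n'
fi
```

Run it as `sh encode_auth.sh --prompt` to produce a value for your own credentials; `verify_vectors` confirms the local base64 tool behaves as the page expects before you trust its output.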

Proxying and Authenticating in Package Manager Clients

In order to configure a package manager client, you will first need to retrieve your user token from Nexus Repository.

Retrieve the base64 encoded string from your user token by taking the following steps:

1. After logging in, navigate to your Account and select the User Token option.

2. Select Access user token.

3. Provide your password to authenticate.

4. Scroll to the field called "Use the following for a base64 representation of "user:password"".

5. Select Copy to Clipboard.

Then, follow the instructions for your package manager client below using your base64 value wherever you see <base64token> in the examples.

npm

1. Configure the registry using a line like the following example:

npm config set registry="https://nexus.example/repository/repository-name/"

2. Configure authentication using a line like the following, replacing the URL with the actual URL for your registry and <base64token> with your previously copied base64 value:

npm config set //nexus.example/repository/repository-name/:_auth=<base64token>

3. Check the current configuration using the following:

npm config ls

Yarn

1. Configure the registry using a line like the following example:

yarn config set registry "https://nexus.example/repository/repository-name"

2. Configure authentication using code like the following example:

npm config set //nexus.example/repository/repository-name/:_auth=<base64token>

3. Check the current configuration using the following:

yarn config list
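As an added example (not Sonatype's, npm's or Yarn's own tooling), the script below writes the three .npmrc lines shown in the basic auth section from a registry URL and a base64 token, then checks the resulting file the way you would before trusting it with `npm config ls`: the `_auth` key must be the registry URL with the scheme stripped, the file must contain no trailing whitespace, and the token must decode to a user:password pair. The function names and the temporary file path are made up for this example; it assumes POSIX sh with coreutils-style base64.

```shell
#!/bin/sh
# Added example: build and validate a .npmrc for a Nexus npm registry.

# The _auth key is the registry URL without its scheme and with exactly one
# trailing slash, e.g. //nexus.example/repository/npm-all/
registry_key() {
    printf '%s' "$1" | sed -e 's#^https\{0,1\}:##' -e 's#/*$#/#'
}

# write_npmrc FILE REGISTRY_URL BASE64TOKEN EMAIL
# Writes the three lines from the example above with owner-only permissions:
# the token grants the same rights as the user's password.
write_npmrc() {
    file=$1; url=$2; token=$3; email=$4
    key=$(registry_key "$url")
    umask 077
    : > "$file"
    chmod 600 "$file"
    printf 'registry=%s\n' "$url" >> "$file"
    printf 'email=%s\n' "$email" >> "$file"
    printf '%s:_auth=%s\n' "$key" "$token" >> "$file"
}

# check_npmrc FILE
# Returns 0 when FILE has a registry line, an _auth line keyed by that same
# registry, no trailing whitespace, and a token that decodes to user:password.
# Each failure prints its reason to stderr and returns 1.
check_npmrc() {
    file=$1
    reg=$(sed -n 's/^registry=//p' "$file" | head -n 1)
    [ -n "$reg" ] || { echo "no registry= line" >&2; return 1; }
    key=$(registry_key "$reg")
    auth=$(grep -F -- "$key:_auth=" "$file" | head -n 1 | sed 's/^.*:_auth=//')
    [ -n "$auth" ] || { echo "no _auth line for $key" >&2; return 1; }
    if grep -q '[[:space:]]$' "$file"; then
        echo "trailing whitespace found (see the note about line separators)" >&2
        return 1
    fi
    decoded=$(printf '%s' "$auth" | base64 -d 2>/dev/null || true)
    case "$decoded" in
        *:*) return 0 ;;
        *)   echo "_auth does not decode to user:password" >&2; return 1 ;;
    esac
}

# Usage (constructed values): write to a scratch file, then validate it.
# write_npmrc /tmp/npmrc.example 'https://nexus.example/repository/npm-all/' \
#     'YWRtaW46YWRtaW4xMjM=' 'name@domain.com' && check_npmrc /tmp/npmrc.example
```

Point `write_npmrc` at a scratch file first, as in the usage comment, and only copy the lines into `~/.npmrc` once `check_npmrc` passes; the same checker can be run over an existing `.npmrc` when `npm install` unexpectedly reports a 401.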