npm Security

If Anonymous Access is enabled, any anonymous user has read access to the repositories and repository groups. If it is disabled, or if write access is required for publishing a package, the user needs to authenticate to the repository manager. There are two methods to authenticate npm with your repository manager; you should only use one at a time.

Authentication Using Realm and Login

This authentication method requires the npm Bearer Token Realm. To activate it, add the realm to the active realms in the Realms section of the Security menu from the Administration menu, as documented in Realms.

Once the realm is activated, an npm CLI user can establish the authentication to a repository with the npm adduser command (npm login is an equivalent alias).

Note that due to breaking changes to authentication introduced in npm version 9, you must include --auth-type=legacy in the command as illustrated below.

npm adduser --auth-type=legacy --registry=http://localhost:8081/repository/npm-internal/

Provide your repository manager username and password as well as an email address when prompted. Upon successful completion, a line for authentication of this combination is automatically added to your .npmrc configuration file for the specific repository.

Despite its name, the npm adduser command does not actually create a user account inside Nexus Repository. It merely associates a token with an existing user account and allows the CLI to store that token for re-use.

Authentication Using Basic Auth

In some instances you cannot use the realm and login method, for example if you have a username which includes capital letters (disallowed by npm login). In these cases you can still use npm by configuring it to use basic auth with your repository manager. This authentication method involves editing the .npmrc configuration file to add an encoded username and password and to configure authentication to always occur. It is considered the less flexible of the methods supported.

The _auth variable has to be generated by base64-encoding the string username:password. You can create this encoded string on the command line with openssl, e.g. for the admin user with password admin123:

echo -n 'admin:admin123' | openssl base64

Other tools for the encoding are uuencode or, for Windows users, certutil. To use certutil on Windows you need to put the credentials to be encoded into a file (in.txt in the command below):

admin:admin123

Note

Ensure your file does not have extra whitespace or a trailing line separator, as either of these will be encoded along with the credentials and change the resulting output.

Then run:

certutil /encode in.txt out.txt

After this the base64 encoded credentials can be found in between the begin and end certificate lines in the output file:

-----BEGIN CERTIFICATE-----
YWRtaW46YWRtaW4xMjM=
-----END CERTIFICATE-----

Note

Whatever tool you use to generate the encoded username and password string can be tested by encoding the string admin:admin123, which should result in YWRtaW46YWRtaW4xMjM=. Another example is jane:testpassword123, which should result in amFuZTp0ZXN0cGFzc3dvcmQxMjM=.

Once you have encoded credentials they can be added to the .npmrc file, along with your author email and enabled authentication (below your already entered registry configuration). For example, for admin/admin123:

email=you@example.com
always-auth=true
_auth=YWRtaW46YWRtaW4xMjM= 
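
An added example (not from the Nexus documentation): a POSIX shell check for the whitespace and trailing-line-separator pitfall noted above. It builds the _auth value and decodes a candidate value to confirm it is a clean username:password; the function names are hypothetical. The decode step also shows that Base64 is reversible, so anyone who can read .npmrc can recover the password.

```shell
#!/bin/sh
# Added example, not from the Nexus documentation. Helper names are hypothetical.

# Encode/decode with coreutils base64 if present, otherwise openssl.
# Line wraps are stripped so long credentials stay on one .npmrc line.
b64enc() {
  if command -v base64 >/dev/null 2>&1; then base64 | tr -d '\n'
  else openssl base64 -A; fi
}
b64dec() {
  if command -v base64 >/dev/null 2>&1; then base64 -d
  else openssl base64 -d -A; fi
}

# Print the _auth value for username $1 and password $2.
# printf '%s:%s' never appends a newline, unlike a plain echo.
npm_auth_encode() {
  printf '%s:%s' "$1" "$2" | b64enc
}

# Return 0 if token $1 decodes to a clean username:password, else say why.
# The password is never printed.
npm_auth_check() {
  nl='
'
  cr=$(printf '\r'); tab=$(printf '\t')
  # The trailing "x" keeps $(...) from silently dropping a decoded newline.
  decoded=$(printf '%s' "$1" | b64dec 2>/dev/null; printf x)
  decoded=${decoded%x}
  case $decoded in
    '')  echo "not valid base64"; return 1 ;;
    *"$nl"|*"$cr"|*"$tab"|*' ')
         echo "trailing whitespace or line separator was encoded"; return 1 ;;
    :*)  echo "empty username"; return 1 ;;
    *:*) echo "ok: user '${decoded%%:*}'"; return 0 ;;
    *)   echo "no ':' between username and password"; return 1 ;;
  esac
}

# Constructed inputs: the page's admin:admin123 vector, then the same
# credentials encoded with a trailing newline (what a plain echo produces).
npm_auth_encode admin admin123; echo
npm_auth_check 'YWRtaW46YWRtaW4xMjM='
npm_auth_check 'YWRtaW46YWRtaW4xMjMK' || true
```
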

Proxying and Authenticating in Package Manager Clients

In order to configure a package manager client, you will first need to retrieve your user token from Nexus Repository.

Retrieve the base64 encoded string from your user token by taking the following steps:

1. After logging in, navigate to your Account and select the User Token option.

2. Select Access user token.

3. Provide your password to authenticate.

4. Scroll to the field called "Use the following for a base64 representation of 'user:password'".

5. Select Copy to Clipboard.

Then, follow the instructions for your package manager client below using your base64 value wherever you see "base64token" in the examples.

npm

1. Configure the registry using a line like the following example:

npm config set registry="https://nexus.example/repository/repository-name/"

2. Configure authentication using a line like the following example:

npm config set _auth="base64token"

3. Check the current configuration using the following:

npm config ls

Yarn

1. Configure the registry using a line like the following example:

yarn config set registry "https://nexus.example/repository/repository-name"

2. Configure authentication using code like the following example:

npm config set always-auth=true
npm config set _auth="base64token"

3. Check the current configuration using the following:

yarn config list