Why build an NPM private server

  • As the front-end team grows, more and more reusable tools and components cannot be published to the public NPM registry because they contain sensitive business information
  • Many common modules are updated iteratively; without centralized local management, versions become inconsistent and management becomes chaotic
  • A private server caches package resources, which increases download speed
  • Building an NPM private server is also a way to accumulate the whole team's technical experience

Two, the steps of building a private server

  • Make sure Node is installed and is later than 8.x
  • Install Verdaccio, the tool used to build the private server

npm i -g verdaccio

When the installation is complete, a verdaccio folder will be added under /Users/admin/.config

The folder contains two items: config.yaml and storage

  • config.yaml is the configuration file for Verdaccio. It contains the default configuration

    # Where packages are cached on the private server. The default is the storage folder
    storage: ./storage

    # Plug-in folder. The default is the plugins folder, but this setting is only useful for
    # Docker deployments; when verdaccio is started on its own, plug-ins cannot be placed here
    plugins: ./plugins

    # Settings for the Verdaccio web interface, such as title or gravatar
    web:
      title: verdaccio

    # htpasswd is Verdaccio's authentication plug-in. After the first start, the htpasswd file is
    # generated in the verdaccio folder; it stores the users that can log in to the private server
    auth:
      htpasswd:
        file: ./htpasswd

    uplinks:
      npmjs:
        url: npm.taobao.org/

    # Set permissions for each type of package.
    # Named packages need to be placed first, because rules are read from top to bottom;
    # otherwise the permission control may fail
    packages:
      # Package names are matched by pattern, e.g. '@demo/*' matches '@demo/demo'
      '@*/*':
        # access sets which users can download packages and see package information on the private server
        access: $all
        # publish sets which users can publish packages
        publish: $authenticated
        # unpublish sets which users can delete packages
        unpublish: $anonymous
        # proxy sets the uplink to use: if the private server does not have the package,
        # it is downloaded from that uplink
        proxy: npmjs

      '**':
        access: $all
        publish: $authenticated
        unpublish: $authenticated
        proxy: npmjs

    # The address and port Verdaccio listens on. If you want others to be able to access it,
    # write it in the following form
    listen: 0.0.0.0:4873

$all, $authenticated, and $anonymous are the values available when configuring permissions for packages. You can also write specific user names and change the configuration of permission groups
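A check for the settings in this configuration that decide who can write to the registry, as an added example that is not part of the original post. It assumes config.yaml has already been parsed into a plain object; `auditConfig` and `toList` are hypothetical helper names, and `max_users` is the htpasswd setting covered in the permission section below.

```javascript
// Added example: audit a parsed Verdaccio config object for open write access.
// Groups that include users who have not logged in.
const OPEN_GROUPS = ['$all', '$anonymous'];

// A permission value may be a space-separated string or a list.
function toList(value) {
  if (value == null) return [];
  return Array.isArray(value) ? value : String(value).split(/\s+/).filter(Boolean);
}

function auditConfig(config) {
  const findings = [];
  for (const [pattern, rule] of Object.entries(config.packages || {})) {
    for (const action of ['publish', 'unpublish']) {
      const open = toList(rule[action]).filter((g) => OPEN_GROUPS.includes(g));
      if (open.length) findings.push(`${pattern}: ${action} granted to ${open.join(', ')}`);
    }
  }
  // Registration stays possible unless max_users is exactly -1.
  const htpasswd = (config.auth || {}).htpasswd || {};
  const registrationOpen = htpasswd.max_users !== -1;
  if (registrationOpen) findings.push('auth.htpasswd.max_users is not -1: registration is not disabled');
  // Listening on every interface matters most while anyone can still register.
  if (registrationOpen && toList(config.listen).some((a) => a.startsWith('0.0.0.0'))) {
    findings.push('listening on 0.0.0.0 while registration is not disabled');
  }
  return findings;
}

// Constructed sample that mirrors the configuration shown above.
const sampleConfig = {
  listen: '0.0.0.0:4873',
  auth: { htpasswd: { file: './htpasswd' } },
  packages: {
    '@*/*': { access: '$all', publish: '$authenticated', unpublish: '$anonymous', proxy: 'npmjs' },
    '**': { access: '$all', publish: '$authenticated', unpublish: '$authenticated', proxy: 'npmjs' },
  },
};

console.log(auditConfig(sampleConfig));
```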

  • After the installation, you can start Verdaccio directly by entering verdaccio on the command line

verdaccio

After startup, Verdaccio prints the location of the configuration file, the enabled plug-ins, the address it is listening on, and its version number

  • At this point, the basic private server setup is complete. You can set the NPM source as the address of the private server to publish and delete packages

  • The source can be set in the .npmrc file in the project

  • You can also install the nrm source management tool to quickly switch between NPM sources

Three, how to complete private server authority management

  • Since Verdaccio is available to anyone by default, you need to close registration first

    auth:
      htpasswd:
        file: ./htpasswd
        # This setting disables the registration function
        max_users: -1

  • At the same time, use the htpasswd tool (hostingcanada.org/htpasswd-ge…) to generate the user name and password for each user, and then write them into the htpasswd file under the verdaccio folder. Only the added users can log in to the private server

  • Then you need to modify config.yaml in the verdaccio folder: set the access, publish, and unpublish groups for different packages. htpasswd is the default authentication plug-in, so only the corresponding user names and the values $all, $authenticated, $anonymous can be written

    packages:
      '@*/*':
        access: $all
        # publish: (value missing in the original listing)
        unpublish: xiaoming
        proxy: npmjs
      '**':
        access: $all
        publish: $authenticated
        unpublish: $authenticated
        proxy: npmjs

  • When you manage many packages and each permission needs its own set of users, or when the users in some permission groups change frequently, this configuration becomes troublesome and a plug-in is needed. The plug-in groups users into user groups, which are then used to configure different permissions

    auth:
      htpasswd:
        file: ./htpasswd
        # This setting disables the registration function
        max_users: -1
      duGroup:
        # User groups are defined here
        demoPublish: [xiaoming, xiaohong, xiaoli]
        demoUnpublish: [xiaojun, xiaoming]
        testPublish: [xiaoming, xiaojun]
    packages:
      '@demo/*':
        publish: demoPublish
        unpublish: demoUnpublish
        proxy: npmjs
      'test':
        access: $all
        publish: testPublish
        unpublish: demoUnpublish
        proxy: npmjs

  • Next, the use and development of plug-ins

  • Use of plug-ins: When you need to use a plug-in, you need to put the plug-in package in the global node_modules folder that verdaccio depends on. Otherwise, an error will be reported when verdaccio is started, indicating that the corresponding plug-in cannot be found

  • Plug-in development: Verdaccio plug-ins must follow the specified rules. A simple way is to use the yo tool, which can directly generate a template that conforms to the rules for Verdaccio plug-ins

    npm i -g yo
    npm i -g generator-verdaccio-plugin

  • Here is a plugin I wrote to divide users into user groups and assign permissions (plugin address: github.com/weijunran/v…)

    const createError = require('http-errors');

    class DynamicGroupPlugin {
      constructor(config, stuff) {
        // config: the configuration items received by the plug-in
        // stuff: the config.yaml configuration items
        this.pluginsConfig = config;
      }

      // Check whether the package has no configuration for the current permission
      checkPkgAction(pkg, action) {
        return pkg[action] == null;
      }

      // Build the permission check for the given action
      authenticate(action) {
        return (user, pkg, cb) => {
          const { name: userName, groups: userGroups } = user;
          const authArr = pkg[action];
          const isTrue = authArr.some((authItem) => {
            if (authItem === userName) {
              return true;
            } else if (userGroups.includes(authItem)) {
              return true;
            } else {
              // Treat the entry as a user group defined in the plug-in configuration
              const pluginsArr = this.pluginsConfig[authItem];
              return Array.isArray(pluginsArr) && pluginsArr.some((item) => item === userName);
            }
          });
          if (isTrue) {
            return cb(null, true);
          }
          if (userName) {
            cb(createError(403, `user ${userName} is not allowed to ${action} package ${pkg.name}`));
          } else {
            cb(createError(401, `authorization required to ${action} package ${pkg.name}`));
          }
        };
      }

      allow_access(user, pkg, cb) {
        const action = 'access';
        if (this.checkPkgAction(pkg, action)) {
          return cb(null, false);
        }
        // in case of restricted access
        return this.authenticate(action)(user, pkg, cb);
      }

      allow_publish(user, pkg, cb) {
        const action = 'publish';
        if (this.checkPkgAction(pkg, action)) {
          return cb(null, false);
        }
        // in case we need to check for permission to publish
        return this.authenticate(action)(user, pkg, cb);
      }

      allow_unpublish(user, pkg, cb) {
        const action = 'unpublish';
        if (this.checkPkgAction(pkg, action)) {
          return cb(null, false);
        }
        return this.authenticate(action)(user, pkg, cb);
      }
    }

    module.exports = (cfg, stuff) => new DynamicGroupPlugin(cfg, stuff);
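How rule order and user groups combine into one decision, as an added example that is not the plug-in's code. `globToRegExp`, `matchRule` and `isAllowed` are hypothetical names, the pattern matching is a simplified stand-in for Verdaccio's glob matching, and the users and groups are constructed from the duGroup configuration above.

```javascript
// Added example: first-match rule lookup plus user-group expansion.
// Simplified glob: '**' matches anything, '*' matches anything except '/'.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const body = escaped
    .replace(/\*\*/g, '\u0000')
    .replace(/\*/g, '[^/]*')
    .replace(/\u0000/g, '.*');
  return new RegExp('^' + body + '$');
}

// Rules are tried from top to bottom; the first pattern that matches wins.
function matchRule(packages, name) {
  for (const [pattern, rule] of Object.entries(packages)) {
    if (globToRegExp(pattern).test(name)) return { pattern, rule };
  }
  return null;
}

// An entry grants the action if it is the user's name, one of the user's
// groups, or a plug-in group that lists the user.
function isAllowed(packages, groups, user, name, action) {
  const match = matchRule(packages, name);
  const entries = (match && match.rule[action]) || [];
  return entries.some((entry) =>
    entry === user.name ||
    user.groups.includes(entry) ||
    (Array.isArray(groups[entry]) && groups[entry].includes(user.name)));
}

// Constructed data modelled on the duGroup configuration.
const groups = {
  demoPublish: ['xiaoming', 'xiaohong', 'xiaoli'],
  demoUnpublish: ['xiaojun', 'xiaoming'],
};
const specific = { publish: ['demoPublish'], unpublish: ['demoUnpublish'] };
const catchAll = { publish: ['$authenticated'], unpublish: ['$authenticated'] };
const goodOrder = { '@demo/*': specific, '**': catchAll }; // named rule first
const badOrder = { '**': catchAll, '@demo/*': specific };  // catch-all shadows it
const xiaojun = { name: 'xiaojun', groups: ['$all', '$authenticated'] };
const xiaoming = { name: 'xiaoming', groups: ['$all', '$authenticated'] };

console.log(isAllowed(goodOrder, groups, xiaojun, '@demo/ui', 'publish')); // false
console.log(isAllowed(badOrder, groups, xiaojun, '@demo/ui', 'publish'));  // true
```

With the catch-all rule listed first, xiaojun can publish `@demo/ui` even though he is not in demoPublish, which is the failure the ordering comment in config.yaml describes.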

Four,

First, Verdaccio's documentation is not very comprehensive and does not feel like it is updated in a timely way, and many issues remain unresolved. But if you only need to configure simple permissions and just want a free tool to quickly build an NPM private server, Verdaccio feels like a suitable choice.