Minimal Verdaccio Auth Plugin that validates non JWT _authToken against an external API endpoint.
apiJWTmiddleware you can not npm login/adduser
to publish tokens u will need an authtoken with according rights.
however if you initially set up via npm adduser and add your token u can still login to the web UI.
- ✅ Only 2 config options:
endpoint,timeout - ✅ Native
fetch()(Node.js 18+) - ✅ Timeout & Error Handling
- ✅ JWT Support: Web UI login works unchanged if you have added users via npm adduser
- ✅ Allowed groups dynamically from API response
# Install the plugin either globally or in your plugins folder
npm i @practical/verdaccio-api-token
# verdaccio will look for the plugin globally in your node_modules folder
# for local installation you can specify the plugins folder
plugins: ./plugins/node_modules # optional
auth:
'@practical/verdaccio-api-token':
endpoint: https://your-api.com/verdaccio/verify # Required
timeout: 5000 # Optional (ms)
signupUrl: your signup page # Optional
# set your auth config as u like
packages:
'yourPrivatePackage':
access: $authenticated
publish: admin developer #example users create your own
unpublish: adminin the projects' .npmrc file add the token
//registry.your-domain.com/:_authToken=YOUR_API_TOKEN
API Endpoint Format Your validation endpoint must support this request/response format:
Request:
{
"token": "your-custom-token-here"
}Response (Valid Token):
{
"groups": ["developers", "users"]
}API Response should return groups that you defined or an empty array find out more about package access https://www.verdaccio.org/docs/packages
// ✅ Success
{ "groups": ["$authenticated"] }
// ❌ Fails
{ "groups": [] }