PoC: Investigate feasibility for single vs. multiple registry approaches in custom node registries

[joepavitt]

Description

Scope

Single day PoC to explore npm registry feasibility for #5087

Outcomes

• Decision on single registry vs. registry per Team
• Constraints (forever)
• Constraints (temporary)

Playback at Engineering Meeting on Tuesday 18th February, 2025

Epic/Story

#5087

Have you provided an initial effort estimate for this issue?

I have provided an initial effort estimate

[hardillb]

I believe a custom vedaccio auth plugin will allow for a single instance, shared between all teams

• All packages to be scoped with the team hashid e.g. @abc123/package-name
• A per team username/password to be used to publish packages to the repo
  • getting per user to work work oauth would be a challenge (not enough time to really see if possible)
• Might want to make the password one time use only, and have it generated under the team -> settings
• Should be able to use the /-/npm/v1/token api to generate a read only token that can be shared for the instances/device
  POST payload
  {"password":"secret","readonly":false,"cidr_whitelist":[]}
  where password is the password for the user that owns the bearer token
  cidr_whitelist for limiting souce IP addresses (probably not going to use this)
  Needs bearer auth with an existing read/write token
• Will probably disable the Web UI

// how to get the initial token https://stackoverflow.com/a/35831310

[hardillb]

P.s. I still don't like TypeScript

[joepavitt]

Might want to make the password one time use only, and have it generated under the team -> settings

Just checking, this would be required for each npm publish?

[joepavitt]

Will probably disable the Web UI

Which Web UI?

[hardillb]

Just checking, this would be required for each npm publish?

The UX for this is going to be horrible

• generate 1 time password in FF
• use 1 time password to get a token with (using npm logon --registry https://npm.flowfuse.cloud
• add scoped registry to .npmrc file
  //@team-hash:registry=https://npm.flowfuse.cloud/
  This would be one time, the token would be used for each publish afterwards.

But would need to check we can invalidate the tokens after later

Which Web UI?

verdaccio web ui, still need to double check, but I don't think there is a way to limit which scopes/pacakges are shown in the UI.

[joepavitt]

verdaccio web ui,

Agreed, that should be disabled either way, we don't need to expose our internal wiring.

The UX for this is going to be horrible

Please consider alternatives then

[hardillb]

npm Tokens stop working when the password for the issuing user is changed (due to how the tokens are validated, by recovering the original password used to issue them and being passed to the auth function), this means we can cancel issued tokens.

But it does mean that we can't use single use passwords for generating tokens as mentioned earlier.