Usage

  1. Login
    1. On the Verdaccio UI
    2. On the Command Line
      1. Option A) Using the Built-In CLI
      2. Option B) Using the Commands from the UI
  2. Signing Out
  3. Revoking Tokens
    1. With JWT Security
    2. With AES Encryption (legacy)
      1. As a Registry User
      2. As a Registry Owner
    3. Revoking the Registry Owner GitHub Token

Login

On the Verdaccio UI

  • Click the login button. You get redirected to GitHub and prompted to authorize the registry to access your public information.
  • If the registry requires private org membership, click the Request or Grant button next to the org to get read:org access to the registry.
  • Authorize the registry to access your GitHub user and org info. You only need to do this once.
  • Once completed, you'll be redirected back to Verdaccio.
  • You are now logged in 🎉.

On the Command Line

Option A) Using the Built-In CLI

The easiest way to configure npm is to use this short command:

npx verdaccio-github-oauth-ui --registry http://localhost:4873

On success you should see this page in your browser:

Option B) Using the Commands from the UI

  • Verdaccio 5: Open the "Configuration" dialog and click "Copy to clipboard".
  • Run the copied commands on your terminal:
    npm config set //localhost:4873/:_authToken "SECRET_TOKEN"
  • Verify npm is set up correctly by running the whoami command:
    npm whoami --registry http://localhost:4873

If you see your GitHub username, you are ready to start installing and publishing packages.

Signing Out

Click the Logout button as per usual.

Revoking Tokens

Verdaccio has two authorization methods. Depending on your chosen method, you will need to revoke the token in a different way.

You can read more about this in the Verdaccio docs:

You can find a more detailed breakdown of token types and token revocation in #176.

With JWT Security

API/CLI tokens are valid for the duration you configured in the verdaccio config at security.api.jwt.sign.expiresIn. UI tokens are valid for the duration you configured in the verdaccio config at security.web.sign.expiresIn. After this period, tokens are automatically invalid.

You can revoke all tokens for all users by changing the Verdaccio secret in storage/.verdaccio-db.json.

With AES Encryption (legacy)

You can revoke the token by revoking it in the GitHub settings.

As a Registry User

As a Registry Owner

Revoking the Registry Owner GitHub Token

GitHub memberships are determined using the auth.github-oauth-ui.token that you configured in the verdaccio config.

This token can be revoked at https://github.com/settings/tokens where you created it.