Sonatype Blog

How to Access npm Packages After Securing Nexus Repository Manager

March 20, 2020 By Daniel Pacurici

This article is for those who are using, or are interested in using, Nexus Repository Manager as their package manager for npm packages, Docker images, etc., and also for those who are curious about Nexus security.

Some time ago, I was called the npm expert, just because I was the lucky one to get a ticket regarding the security of our npm packages. After researching how to secure these packages, I then had to find out how to access the npm packages from Nexus, and why it does not always work as expected. I thought this guide would help fellow developers.

Why should I secure my Nexus Server?

Consider the following scenario: you work in a very big company made up of many teams. Although you may think that your co-workers from other teams will do no harm to your project, would you still risk it? There would be no risk if you had no sensitive data. But what if you have middleware guarding the security of your APIs and it has vulnerabilities?

Another reason to secure Nexus is that you usually run it for your own private projects, which most probably won't work for someone else's project; others should not try to use them, nor should they be able to see these projects.

And one more point (the list, I think, could go on): although you can secure your repositories so that the source code is not public to the whole company (private GitHub / Bitbucket repositories), an internal URL is still reachable by everyone. The Nexus server URL looks something like this and is accessible from the internal network:

https://nexus.intern.*subdomain*.*domain*.com

Screenshot: Browse view of an unsecured Nexus on the internal server

As you can see, we can browse all the npm packages on this server along with some additional information, install them, etc. The good thing is, you cannot delete an asset unless you log in. 👍 But we should still avoid this.

One more thing you can do without logging in is to actually configure this Nexus 😱 (see cogwheel next to search bar).

Ok, so now, how do we secure it?

First, click on the cogwheel, of course.

Screenshot: how to secure Nexus (cogwheel settings)

Then, once the cogwheel has been clicked, open the Security tab and go to Anonymous. Then uncheck the mark annnnd SAVE.

Congratulations, your Nexus Repository Manager is now secured!

Screenshot: Nexus secured

What’s next?

Now that Nexus is secured, installing and publishing an npm package from your Nexus server requires a login.

Screenshot: yarn install against the secured Nexus

So the first step would be to run npm login. This helps, but only partially. Another very important part is your project's .npmrc file: adding always-auth=true is mandatory.

So your .npmrc should look like this:

Screenshot: .npmrc with the registry and always-auth=true settings

Great! Now we have secured our Nexus server and we can still download the npm packages!


One more very important piece of advice: sometimes, even if we are logged in and everything seems fine, we still get a 401 Unauthorized error, and even npm login fails if we try again. npm caches your token under $HOME/.npmrc like this:

Screenshot: cached token in $HOME/.npmrc for the internal Nexus registry

Sometimes we have to remove the .npmrc file or its content and re-run npm login.

How do I publish an npm package to Nexus?

Yes, running npm publish would prompt you with some questions regarding your authentication, and this works. But if you are using CI builds to publish, it won't work, of course. So what we have to do is append to the .npmrc: _auth=[base64 string of the username:password pair]

So now your .npmrc should look like this:

Screenshot: .npmrc with the registry, always-auth and _auth settings

Since you should not commit your base64 string to your repository, it becomes a matter of how to configure your CI/CD projects. But that's a topic for another story. Thanks for reading!
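One way to handle the CI side described above, as an added example that is not from the original post: the `_auth` value is built from CI secret variables at build time and written into the workspace `.npmrc`, and a small check refuses an `.npmrc` that carries credentials so it cannot be committed by accident. The registry URL, the variable names `NEXUS_USER` / `NEXUS_PASS` / `NEXUS_REGISTRY` and the sample credentials are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own code). Builds a project .npmrc for a CI job
# from environment variables so the base64 _auth value never lands in the repo.

# Encode "user:password" as npm expects for _auth: base64 of the pair, no newline.
nexus_auth_token() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Write an .npmrc pointing at the Nexus npm repository with always-auth enabled.
# $1 = output path, $2 = registry URL, $3 = username, $4 = password
write_npmrc() {
  token=$(nexus_auth_token "$3" "$4")
  printf 'registry=%s\nalways-auth=true\n_auth=%s\n' "$2" "$token" > "$1"
}

# Guard for an .npmrc that is tracked in version control: exit status 0 means the
# file carries a literal _auth or _authToken line and must not be committed.
npmrc_has_credentials() {
  grep -Eq '^(_auth=|//.*:_authToken=)' "$1"
}

# Typical CI use: credentials come from secret variables, the .npmrc is written
# into the build workspace. The default registry URL is a hypothetical placeholder.
if [ -n "${NEXUS_USER:-}" ] && [ -n "${NEXUS_PASS:-}" ]; then
  write_npmrc "./.npmrc" \
    "${NEXUS_REGISTRY:-https://nexus.intern.example.com/repository/npm-all/}" \
    "$NEXUS_USER" "$NEXUS_PASS"
fi
```

Run `npmrc_has_credentials .npmrc` as a pre-commit check on the copy that lives in the repository; only the CI-generated file should ever contain `_auth`.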

Tags: npm, Nexus Repository, nexus repository manager, featured, News and Views, Post developers/devops

Written by Daniel Pacurici

Daniel is a full-stack software engineer with a main focus on JavaScript technologies (NodeJS, ReactJS). He calls himself a great team player, always motivating his team members and making sure everyone is productive at work. He takes product ownership, initiative and responsibility whenever he sees the need for it. Funny, social and easy-going, Daniel is a great team member. More by Daniel at https://dev.to/dannypk and https://github.com/dannypk/