This article addresses those who are using, or having interest in using, Sonatype Nexus Repository Manager as their package manager for npm packages, Docker images, etc., but also for those who are curious about Sonatype Nexus security.
Some time ago, I was called npm expert — just because I was the lucky one to get a ticket regarding security of our npm packages. After researching how to secure these packages, I had to find out how to access then the npm packages from Sonatype Nexus — and why it does not always work as expected. I thought this guide would help fellow developers.Why should I secure my Sonatype Nexus Server?
Consider the following scenario: You are working in a very big company made of a lot of teams. Although you may think that your co-workers from different teams will do no harm to your project, would you still risk it? There should be no risk IF you don’t have any sensitive data. But what if you have middleware guarding the security of your APIs and they experience vulnerabilities?
Another reason to secure Sonatype Nexus is because usually you have it for your own private projects — most probably won’t work for someone else’s project — they should not try to use them, nor should they be able to see these projects.
And one more point (the list, I think, can continue): although you can secure your repositories and the source code is not public between the whole company (private github / bitbucket repositories), having an internal URL is public for everyone. The Sonatype Nexus server URL look something like this and it’s accessible from intranetwork.
https://nexus.intern.*subdomain*.*domain*.com
Unsecure Sonatype Nexus on internal server
As you can see, we can browse all the npm packages on this server with some additional information, we can install them, etc. The good thing is, you cannot delete the asset unless you login. 👍 But we should still avoid this.
One more thing you can do without logging in is to actually configure this Sonatype Nexus 😱 (see cogwheel next to search bar).
Ok, so now, how do we secure it ?
First, click on the cogwheel, of course.
How to secure Sonatype Nexus Repository
Then, once the cogwheel was clicked, open the Security Tab and go to Anonymous. Then uncheck the mark annnnd — SAVE.
Congratulations, your Sonatype Nexus Repository Manager is now secured!
What’s next?
Since we are now securing Sonatype Nexus, installing and publishing of an npm package from your Sonatype Nexus server will require login.
So first step would be to run npm login. This would help — partially. But actually another very important part is your project’s .npmrc file. Adding always-auth=true is mandatory.
So your .npmrc should look like this:
Great! Now we secured our Sonatype Nexus server and we can download the npm packages!!
One more very important piece of advice: Sometimes, even if we are logged in and everything seems fine, we might still get the 401 Unauthorized error code. Even npm login will run into errors if we try again. npm caches your token under $HOME/.npmrc like this.
Sometimes we have to remove the .npmrc file or its content and re-run npm login.
How do I publish an npm package to Sonatype Nexus?
Yes, running npm publish would come up with some questions regarding your authentication. This would work. But if you are using CI builds to publish, it won’t work, of course. So what we have to do is to append to the .npmrc _auth=[base64 string of username:password pair]
So now your .npmrc should look like this:
Since you should not commit your base64 string to your repository, that’s a matter of how to configure your CI/CD projects. But that’s a topic for another story. Thanks for reading!
