Nexus package manager: How to access your NPM packages after securing Nexus

Daniel Pacurici
4 min read · Dec 10, 2019

This story is mostly for those who use, or are interested in using, Nexus as their package manager for NPM packages, Docker images, etc., but also for those who are just curious to read about Nexus security.

Some time ago, I was called NPM Expert, just because I was the lucky one to get a ticket regarding the security of our NPM packages. After researching how to secure Nexus, I had to find out how to then access the NPM packages from it, and why this does not always work properly. After we fought with some issues, I thought this guide might help some other developers as well.

Why should I secure my Nexus Server actually?

Consider the following scenario: you are working in a very big company made up of many teams. Although you may think that your co-workers from other teams would do no harm to your project, would you still risk it? There should be no risk if you don't have any sensitive data. But what if your packages contain middleware that handles the security of your APIs, and reading them could reveal some vulnerabilities?

Another reason to secure it is that these packages usually exist for your own private projects. They most probably won't work for someone else's project, so other teams should not use them, or even try to, and should not see them.

And one more point (the list could go on, I think): although you can secure your repositories so that the source code is not visible to the whole company (private GitHub / Bitbucket repositories), a Nexus server on an internal URL is open to everyone. The Nexus server URL looks something like this and is accessible from the intranet:

https://nexus.intern.*subdomain*.*domain*.com

Unsecure nexus on internal server

As you can see, we can browse all the npm packages on this server along with some additional information, we can install them, and so on. The good thing, of course, is that you cannot delete an asset unless you log in. 👍 But we should still avoid this.

One more thing you can do without logging in is to actually configure this Nexus 😱 (see the cogwheel next to the search bar).

OK, so now, how do we secure it?

First, click on the Cogwheel, of course.

How to secure Nexus

Then, once you have clicked the cogwheel, open the Security tab and go to Anonymous. Then uncheck the box annnnd... SAVE.

Congratulations, your Nexus is now secured!

Secured Nexus

What’s next?

Now that Nexus is secured, installing and publishing an npm package from your Nexus server will require a login.

$ yarn install
yarn install v1.19.1
[1/4] Resolving packages...
[2/4] Fetching packages...
error An unexpected error occurred: "https://nexus.intern.***.***.***/repository/npm-group/auth/-/auth-1.0.0.tgz: Request failed \"401 Unauthorized\"".
info If you think this is a bug, please open a bug report with the information provided in "C:\\nexus\\test-nexus-security\\yarn-error.log".

So the first step would be to run npm login. This helps, but only partially. Another very important part is your project's .npmrc file: adding always-auth=true is mandatory.

So your .npmrc should look like this:

registry=https://nexus.intern.***.***.***/repository/npm-group/
always-auth=true

Great! Now our Nexus server is secured and we can download the npm packages!!

One more very important piece of advice: sometimes, even if we are logged in and everything seems fine, we might still get the 401 Unauthorized error code. Even npm login will run into errors if we try again. NPM caches your token in $HOME/.npmrc like this:

//nexus.intern.***.***.***/repository/npm-group/:_authToken=NpmToken.753f5b43-47d3-3c0a-adde-f81e1e474444

Sometimes we have to remove the .npmrc file or its content and re-run npm login.

Now, how do I publish an npm package to Nexus?

Yes, running npm publish will prompt you with some questions about your authentication, and that works. But if you are using CI builds to publish, it won't work, of course. So what we have to do is append this to the .npmrc: _auth=[base64 string of username:password pair]

So now your .npmrc should look like this:

registry=https://nexus.intern.***.***.***/repository/npm-group/
always-auth=true
_auth=Z2lnZWw6cGFzdGE=

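You should not commit your base64 string to your repository, since base64 is only an encoding and anyone who can read the file can decode it back to username:password. How to avoid that is a matter of how you configure your CI/CD projects. But that's a topic for another story.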
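
As an added example (not code from the original post), here is a small Node.js check you could run in a pre-commit hook or CI step to catch a literal _auth or _authToken in a .npmrc before it reaches the repository. The host, the NEXUS_AUTH variable name and both sample files are constructed, and it assumes the CI job exports NEXUS_AUTH so that npm's ${VAR} substitution in .npmrc fills it in.

```javascript
// Added example: flag credentials written as literals in .npmrc text.
// SAMPLE_HOST, NEXUS_AUTH and both sample files are constructed.
const SAMPLE_HOST = 'nexus.example.invalid';
const REGISTRY_LINE = `registry=https://${SAMPLE_HOST}/repository/npm-group/`;

// What must never be committed: a literal _auth and a cached login token.
const SAMPLE_COMMITTED = [
  REGISTRY_LINE,
  'always-auth=true',
  '_auth=' + Buffer.from('ci-publisher:not-a-real-password').toString('base64'),
  `//${SAMPLE_HOST}/repository/npm-group/:_authToken=NpmToken.00000000-0000-0000-0000-000000000000`,
].join('\n');

// What can be committed: npm substitutes ${VAR} from the environment.
const SAMPLE_CI_SAFE = [REGISTRY_LINE, 'always-auth=true', '_auth=${NEXUS_AUTH}'].join('\n');

const CREDENTIAL_KEY = /(?:^|:)(_auth|_authToken|_password)$/;
const ENV_REFERENCE = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;

function findLiteralCredentials(npmrcText) {
  const findings = [];
  npmrcText.split(/\r?\n/).forEach((rawLine, index) => {
    const line = rawLine.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) return; // blank or comment
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const match = CREDENTIAL_KEY.exec(line.slice(0, eq).trim());
    const value = line.slice(eq + 1).trim();
    // Skip non-credential keys, empty values and ${VAR} references.
    if (!match || value === '' || ENV_REFERENCE.test(value)) return;
    const finding = { line: index + 1, key: match[1] };
    if (match[1] === '_auth') {
      // _auth is base64("username:password"): an encoding, not encryption.
      const decoded = Buffer.from(value, 'base64').toString('utf8');
      finding.username = decoded.split(':')[0]; // report who, never the password
    }
    findings.push(finding);
  });
  return findings;
}

console.log(findLiteralCredentials(SAMPLE_COMMITTED));
console.log(findLiteralCredentials(SAMPLE_CI_SAFE));
```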

Thanks for reading and if this helped, please share, follow and clap!


Hi there. My name is Daniel and I am a JavaScript full stack developer based in Germany. Tech world is getting harder so why not try to make it easier instead:)