@practical/verdaccio-api-token
v1.0.2
Simple API token auth for Verdaccio
verdaccio-api-token
Minimal Verdaccio auth plugin that validates non-JWT `_authToken` values against an external API endpoint.
⚠️ **Not htpasswd compatible**: because the plugin overrides `apiJWTmiddleware`, you cannot use `npm login` / `npm adduser`.
To publish, you will need an auth token with the according rights.
However, if you initially set up users via `npm adduser` and add your token, you can still log in to the web UI.
Features
- ✅ Only 2 config options: `endpoint`, `timeout`
- ✅ Native `fetch()` (Node.js 18+)
- ✅ Timeout & Error Handling
- ✅ JWT Support: Web UI login works unchanged if you have added users via npm adduser
- ✅ Allowed groups dynamically from API response
Setup
```bash
# Install the plugin either globally or in your plugins folder
npm i @practical/verdaccio-api-token
```
config.yaml
```yaml
# verdaccio will look for the plugin globally in your node_modules folder
# for local installation you can specify the plugins folder
plugins: ./plugins/node_modules # optional

# !!! Important: Place the plugin before htpasswd so custom tokens are checked first
auth:
  '@practical/verdaccio-api-token':
    endpoint: https://your-api.com/verdaccio/verify # Required
    timeout: 5000 # Optional (ms)
  htpasswd:
    file: ./htpasswd
    max_users: -1

# set your auth config as you like
packages:
  'yourPrivatePackage':
    access: $authenticated
    publish: admin developer # example users, create your own
    unpublish: admin
```
In the project's `.npmrc` file, add the token:
```
//registry.your-domain.com/:_authToken=YOUR_API_TOKEN
```
API Endpoint Format
Your validation endpoint must support this request/response format:
Request:
```json
{
  "token": "your-custom-token-here"
}
```
Response (Valid Token):
```json
{
  "groups": ["developers", "users"]
}
```
The API response should return groups that you defined, or an empty array. Find out more about package access at https://www.verdaccio.org/docs/packages
```js
// ✅ Success
{ "groups": ["$authenticated"] }
// ❌ Fails
{ "groups": [] }
```
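A minimal validation endpoint that satisfies the request/response contract above, as an added example that is not part of the plugin or its README. It assumes the plugin sends the JSON body with POST to the path from the `endpoint` setting and accepts an HTTP 200 JSON reply; the token values, `TOKENS`, `groupsForToken`, `handleBody` and the `VERIFY_PORT` variable are constructed for illustration.

```javascript
const http = require('node:http');
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// Constructed sample data: keep only SHA-256 digests of issued tokens, never the tokens.
const TOKENS = [
  { digest: sha256('ci-publish-token-EXAMPLE'), groups: ['$authenticated', 'developer'] },
  { digest: sha256('read-only-token-EXAMPLE'), groups: ['$authenticated'] },
];

// Returns the groups for a presented token, or [] (an empty array fails authentication).
function groupsForToken(token) {
  if (typeof token !== 'string' || token.length === 0 || token.length > 512) return [];
  const presented = sha256(token);
  let groups = [];
  // Constant-time comparison against every entry, with no early exit on a match.
  for (const entry of TOKENS) {
    if (crypto.timingSafeEqual(presented, entry.digest)) groups = entry.groups;
  }
  return groups;
}

// Parses the raw request body and builds the JSON reply; malformed input fails closed.
function handleBody(raw) {
  let token;
  try { token = JSON.parse(raw).token; } catch { token = undefined; }
  return JSON.stringify({ groups: groupsForToken(token) });
}

// Assumed transport: POST to the path used in the config.yaml example.
const server = http.createServer((req, res) => {
  if (req.method !== 'POST' || req.url !== '/verdaccio/verify') {
    res.writeHead(404).end();
    return;
  }
  let raw = '';
  req.on('data', (chunk) => {
    raw += chunk;
    if (raw.length > 4096) req.destroy(); // cap the body size
  });
  req.on('end', () => {
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(handleBody(raw));
  });
});

// Listens only when VERIFY_PORT is set, e.g. VERIFY_PORT=3000 node verify-endpoint.js
if (process.env.VERIFY_PORT) server.listen(Number(process.env.VERIFY_PORT), '127.0.0.1');
```

Serve this over HTTPS (for example behind a TLS-terminating proxy) so registry tokens are not sent to the endpoint in clear text.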