Access npm Packages After Securing Sonatype Nexus Repository

By Daniel Pacurici

3 minute read time

This article addresses those who are using, or are interested in using, Sonatype Nexus Repository as their package manager for npm packages, Docker images, etc., and also those who are simply curious about Sonatype Nexus Repository security.

Some time ago, I was called an npm expert — just because I was lucky enough to get a ticket regarding the security of our npm packages. After researching how to secure these packages, I had to find out how to access the npm packages from Sonatype Nexus Repository — and why it does not always work as expected. I thought this guide would help fellow developers.

Why Should I Secure My Sonatype Nexus Repository Server?

Consider the following scenario: you are working in a big company made up of many teams. Although you may think your co-workers from other teams will do no harm to your project, would you still risk it? There is arguably no risk if you don't store any sensitive data there. But what if you have middleware guarding the security of your APIs, and it turns out to have vulnerabilities?

Another reason to secure Sonatype Nexus Repository is that it usually hosts your own private projects. They are unlikely to be useful for someone else's project, and other people should neither try to use them nor even be able to see them.

And one more point (the list, I think, can go on): even though you can secure your repositories so that the source code is not visible across the whole company (private GitHub / Bitbucket repositories), an internal URL is still reachable by everyone. The Sonatype Nexus Repository server URL looks like this, and it is accessible from the intranet:

https://nexus.intern.*subdomain*.*domain*.com

[Image: browsing an unsecured Sonatype Nexus Repository on an internal server]

As you can see, we can browse all the npm packages on this server, view additional information about them, install them, etc. The good thing is that you cannot delete an asset unless you log in. But we should still avoid this.

One more thing you can do without logging in is actually configure this Sonatype Nexus Repository instance (see the cogwheel next to the search bar).

Ok, So Now, How Do We Secure It?

First, click on the cogwheel, of course.

[Image: the Sonatype Nexus Repository settings page, showing how to secure the server]

Then, once you have clicked the cogwheel, open the Security tab and go to Anonymous. Uncheck the box and click SAVE.

Congratulations, your Sonatype Nexus Repository is now secured.

[Image: the secured Sonatype Nexus Repository]

What's Next?

Now that Sonatype Nexus Repository is secured, installing and publishing an npm package from your Sonatype Nexus Repository server will require a login.

[Image: yarn install output]

So, the first step would be to run npm login. This helps, but only partially. The other important part is your project's .npmrc file: adding always-auth=true to it is mandatory.

So your .npmrc should look like this:

[Image: the project .npmrc with the registry URL and always-auth=true]

Now we have secured our Sonatype Nexus Repository server, and we can still download the npm packages.

One more very important piece of advice: sometimes, even if we are logged in and everything seems fine, we might still get a 401 Unauthorized error. Even npm login will run into errors if we try it again. The reason is that npm caches your token under $HOME/.npmrc, like this:

[Image: the cached token in $HOME/.npmrc]

Sometimes we have to remove that $HOME/.npmrc file (or its contents) and re-run npm login.

How Do I Publish an npm Package to Sonatype Nexus Repository?

Yes, running npm publish will prompt you with some questions regarding your authentication, and this works. But if you are publishing from CI builds, that won't work, of course. So what we have to do is append _auth=[base64 string of the username:password pair] to the .npmrc.

So now your .npmrc should look like this:

[Image: the .npmrc with registry, always-auth=true and _auth lines]

Since you should never commit that base64 string to your repository, the string has to be supplied by your CI/CD project configuration instead. But that's a topic for another story. Thanks for reading.
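As an added example (not code from the original article), here is a small POSIX shell snippet that builds the CI .npmrc described above from a registry URL and credentials held in CI secret variables, and that spots leftover credential lines in an existing .npmrc, which is the cached-token situation behind the 401 errors mentioned earlier. The registry URL, username and password used are constructed placeholders.

```shell
#!/bin/sh
# Added example: build the CI .npmrc for a secured Nexus npm registry and
# detect leftover credential lines in an existing .npmrc.
# All values (registry URL, user, password) are constructed placeholders;
# in CI the password comes from a secret variable, never from the repo.

# make_npmrc REGISTRY_URL USERNAME PASSWORD
# Prints the three lines the article describes: registry, always-auth and
# _auth, where _auth is base64("username:password") as npm expects it.
make_npmrc() {
  registry="$1"
  user="$2"
  pass="$3"
  # base64 may wrap long output on some systems, so strip the newlines
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf 'registry=%s\nalways-auth=true\n_auth=%s\n' "$registry" "$auth"
}

# npmrc_has_credentials FILE
# Returns 0 when FILE contains an _auth, _authToken or _password entry
# (global or scoped to a //host/ prefix), i.e. the cached credentials a
# stale $HOME/.npmrc carries and that lead to 401 errors; 1 otherwise.
npmrc_has_credentials() {
  grep -Eq '^[[:space:]]*(//[^=]*:)?(_auth|_authToken|_password)=' "$1"
}

# npmrc_auth_user FILE
# Prints the username encoded in the first global _auth line of FILE
# (the password is not printed), so you can see whose credentials apply.
npmrc_auth_user() {
  sed -n 's/^[[:space:]]*_auth=//p' "$1" | head -n 1 | base64 -d | cut -d: -f1
}

# Usage in a CI job, with NEXUS_USER and NEXUS_PASSWORD set as CI secrets:
#   NEXUS_URL=https://nexus.intern.example.com/repository/npm-group/
#   make_npmrc "$NEXUS_URL" "$NEXUS_USER" "$NEXUS_PASSWORD" > .npmrc
```

Before running npm login on a workstation that keeps returning 401, `npmrc_has_credentials "$HOME/.npmrc"` tells you whether a stale entry is the likely cause.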


Written by Daniel Pacurici

Daniel is a full-stack software engineer with a main focus on JavaScript technologies (NodeJS, ReactJS). He calls himself a great team player, always motivating his team members and making sure everyone is productive at work. He has product ownership, taking initiative and responsibility whenever he ...
