Skip Navigation
Resources Blog Access npm packages after securing Sonatype Nexus Repository

Access npm packages after securing Sonatype Nexus Repository

This article addresses those who are using, or having interest in using, Sonatype Nexus Repository as their package manager for npm packages, Docker images, etc., but also for those who are curious about Sonatype Nexus Repository security.

Some time ago, I was called npm expert — just because I was the lucky one to get a ticket regarding security of our npm packages. After researching how to secure these packages, I had to find out how to access then the npm packages from Sonatype Nexus Repository — and why it does not always work as expected. I thought this guide would help fellow developers.

Why should I secure my Sonatype Nexus Repository server?

Consider the following scenario: You are working in a very big company made of a lot of teams. Although you may think that your co-workers from different teams will do no harm to your project, would you still risk it? There should be no risk IF you don't have any sensitive data. But what if you have middleware guarding the security of your APIs and they experience vulnerabilities?

Another reason to secure Sonatype Nexus Repository is because usually you have it for your own private projects — most probably won't work for someone else's project — they should not try to use them, nor should they be able to see these projects.

And one more point (the list, I think, can continue): although you can secure your repositories and the source code is not public between the whole company (private GitHub / Bitbucket repositories), having an internal URL is public for everyone. The Sonatype Nexus Repository server URL look something like this and it's accessible from intranetwork.

https://nexus.intern.*subdomain*.*domain*.com

Browse

Unsecure Sonatype Nexus Repository on internal server

As you can see, we can browse all the npm packages on this server with some additional information, we can install them, etc. The good thing is, you cannot delete the asset unless you login. 👍 But we should still avoid this.

One more thing you can do without logging in is to actually configure this Sonatype Nexus Repository 😱 (see cogwheel next to search bar).

Ok, so now, how do we secure it?

First, click on the cogwheel, of course.

NexusPkgManager

How to secure Sonatype Nexus Repository

Then, once the cogwheel was clicked, open the Security Tab and go to Anonymous. Then uncheck the mark annnndSAVE.

Congratulations, your Sonatype Nexus Repository is now secured!

Secured

What's next?

Since we are now securing Sonatype Nexus Repository, installing and publishing of an npm package from your Sonatype Nexus Repository server will require login.

yarninstall

So, first step would be to run npm login. This would help — partially. But actually another very important part is your project's .npmrc file. Adding always-auth=true is mandatory.

So your .npmrc should look like this:

registry-always

Now we secured our Sonatype Nexus Repository server and we can download the npm packages.

One more very important piece of advice: Sometimes, even if we are logged in and everything seems fine, we might still get the 401 Unauthorized error code. Even npm login will run into errors if we try again. npm caches your token under $HOME/.npmrc like this.


nexusintern

Sometimes we have to remove the .npmrc file or its content and re-run npm login.

How do I publish an npm package to Sonatype Nexus Repository?

Yes, running npm publish would come up with some questions regarding your authentication. This would work. But if you are using CI builds to publish, it won't work, of course. So what we have to do is to append to the .npmrc _auth=[base64 string of username:password pair]

So now your .npmrc should look like this:

registry
Since you should not commit your base64 string to your repository, that's a matter of how to configure your CI/CD projects. But that's a topic for another story. Thanks for reading!

Picture of Daniel Pacurici

Written by Daniel Pacurici

Daniel is a full-stack software engineer with main focus on Javascript technologies (NodeJS, ReactJS). He calls himself a great team player, always motivating his team members and making sure everyone is productive at work. He has product ownership, taking initiative and responsibility whenever he sees the need for it. Funny, social and easy-going, Daniel is a great team member. More by Daniel at https://dev.to/dannypk and https://github.com/dannypk/