Add support for PAT to NPM registry
Problem to solve
The GitLab NPM Registry allows Javascript developers to build, publish and version their NPM packages to their GitLab instance. However, NPM requires users to authenticate with OAuth and since the GitLab personal access token does not support OAuth, users are forced to generate their own token (outside of GitLab) in order to use the registry, which is not a scalable solution for our enterprise customers. In addition, this prevents users from using two-factor authentication for their GitLab accounts.
Issue https://gitlab.com/gitlab-org/gitlab-ce/issues/63438 adds OAuth2 support to the personal access token. Now we will add support authentication via personal access token for the NPM Registry.
Intended users
Proposal
Allow users to authenticate to the NPM Registry using their GitLab personal access token, which with the completion of https://gitlab.com/gitlab-org/gitlab-ce/issues/63438 now supports OAuth.
Further details
Use cases
- A Javascript (node.js) developer at a Premium customer wants to start using GitLab as their NPM Registry.
- Since the feature is enabled at the instance level, the developer can easily enable the feature at the project level by navigating to Settings->General->Permissions and enabling 'Packages'
- They click on 'Packages' and see the empty state page that directs them to the NPM documentation
- They see an updated version of this section of documentation that documents how to authenticate to the NPM registry using their personal access token, which now supports OAuth2.
- They then generate a personal access token by navigating to their User Settings menu and selecting Access Tokens.
- They choose a name and optional expiry date for the token.
- They choose the desired scopes.
- They click the Create personal access token button.
- They save the personal access token somewhere safe, since once they leave or refresh the page they won’t be able to access it again.
- The developer then modifies their .npmrc file to point to the NPM Registry and authenticate with their new OAuth enabled personal access token.
- The developer then specifies the GitLab registry for NPM by updating their package.json file specify the registry for NPM
- Finally, they start pushing their NPM packages to the GitLab NPM Registry.
Sample .npmrc
; Set URL for your scoped packages.
; For example package with name `@foo/bar` will use this URL for download
@foo:registry=https://gitlab.com/api/v4/packages/npm/
; Add the OAuth token for the scoped packages URL. This will allow you to download
; `@foo/` packages from private projects.
//gitlab.com/api/v4/packages/npm/:_Authorization: Bearer $TOKEN>
; Add OAuth token for uploading to the registry. Replace <your_project_id>
; with the project you want your package to be uploaded to.
//gitlab.com/api/v4/projects/<your_project_id>/packages/npm/:_Authorization: Bearer $TOKEN>
Benefits
- Allow users to use the NPM Registry and still leverage two-factor authentication
- Bring the NPM Registry closer in feature parity to the Maven Repository.
- First step in adding OAuth support to all GitLab tokens
Permissions and Security
The permissions should remain the same. At the instance level, any user can view and download packages. But, only developers with permission to the project can upload and delete them.
Action | Guest | Reporter | Developer | Maintainer | Owner |
---|---|---|---|---|---|
Pull from Maven repository or NPM registry or Conan Repository | x | x | x | x | |
Publish to Maven repository or NPM registry or Conan Repository | x | x | x |
Documentation
- NPM User Documentation
- Personal Access Token Documentation: we will add a note here about what scope must be selected to use the NPM/Maven registries.
Testing
- Test that we avoid collisions and do not authenticate
doorkeeper
tokens asPATs
and vice-versa. - Test that the new PAT works with the NPM Registry.
What does success look like, and how can we measure that?
Metrics to collect
Category | Metric | Aggregated by | SMAU Eligible? |
---|---|---|---|
Package Registry | # of page views of /packages
|
|
Yes |
Package Registry | # of page views of /packages/*
|
|
Yes |
Package Registry | # of unique users that visit /packages
|
|
Yes |
Package Registry | # of npm push events to the Maven Repository |
|
Yes |
Package Registry | # of packages deleted from the UI |
|
Yes |
Success
Success looks like we have unblocked our users from using the NPM Registry. We can measure this by reaching out to our customers that have requested this feature and seeing if they are unblocked.
What is the type of buyer?
This feature will be focused on Director and Executives, as it is a Premium/Silver and Ultimate/Gold feature. https://about.gitlab.com/handbook/ceo/pricing/#four-tiers