docs: update token revocation section, resolves #176
n4bb12 committed Apr 22, 2023
1 parent 8a9ed4f commit ff4cf30
Showing 2 changed files with 55 additions and 28 deletions.
21 changes: 0 additions & 21 deletions docs/configuration.md
Expand Up @@ -13,9 +13,6 @@
5. [Using Environment Variables](#using-environment-variables)
4. [Configuring Package Access](#configuring-package-access)
5. [Configuring a Proxy](#configuring-a-proxy)
6. [Revoking Tokens](#revoking-tokens)
1. [As a Registry User](#as-a-registry-user)
2. [As a Registry Owner](#as-a-registry-owner)

### Compatibility
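Review bot: the table-of-contents numbering in the unchanged context lines runs 5, 4, 5 (`5. [Using Environment Variables]`, `4. [Configuring Package Access]`, `5. [Configuring a Proxy]`), so after dropping `6. [Revoking Tokens]` the list is still out of sequence; since this hunk already edits the list, renumber the remaining entries consecutively in the same change.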

Expand Down Expand Up @@ -174,21 +171,3 @@ export GLOBAL_AGENT_HTTP_PROXY=http://127.0.0.1:8080
See the
[global-agent](https://github.com/gajus/global-agent#environment-variables) docs
for detailed configuration instrcutions.

## Revoking Tokens

### As a Registry User

- Go to https://github.com/settings/applications
- Find the OAuth app for your registry
- Click the <kbd>Revoke</kbd> button from the <kbd>...</kbd> menu as shown below

<img src="screenshots/revoke.png" width="584" />

### As a Registry Owner

- Go to https://github.com/settings/applications, or, if owned by an org,
https://github.com/organizations/ORG_NAME/settings/applications
- Find the OAuth app for your registry
- Open the OAuth app settings
- On the settings page click the <kbd>Revoke all user tokens</kbd> button
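Review bot: removing `## Revoking Tokens` from docs/configuration.md also removes the `#revoking-tokens`, `#as-a-registry-user` and `#as-a-registry-owner` anchors from that file, so check the README and the other docs for links of the form `configuration.md#revoking-tokens` and repoint them at docs/usage.md, where the section now lives. The unchanged context line just above the removed section still reads `instrcutions`; worth correcting to `instructions` while this file is open.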
62 changes: 55 additions & 7 deletions docs/usage.md
Expand Up @@ -6,8 +6,12 @@
1. [Option A) Using the Built-In CLI](#option-a-using-the-built-in-cli)
2. [Option B) Using the Commands from the UI](#option-b-using-the-commands-from-the-ui)
2. [Signing Out](#signing-out)
1. [On the Verdaccio UI](#on-the-verdaccio-ui-1)
2. [On the Command Line](#on-the-command-line-1)
3. [Revoking Tokens](#revoking-tokens)
1. [With JWT Security](#with-jwt-security)
2. [With AES Encryption (legacy)](#with-aes-encryption-legacy)
1. [As a Registry User](#as-a-registry-user)
2. [As a Registry Owner](#as-a-registry-owner)
3. [Revoking the Registry Owner GitHub Token](#revoking-the-registry-owner-github-token)

## Login
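Review bot: in the new table of contents, `3. [Revoking the Registry Owner GitHub Token]` is listed after the `As a Registry User` / `As a Registry Owner` sub-items, but in the body that section is a `###` heading and therefore a sibling of `With JWT Security` and `With AES Encryption (legacy)`; nest it at that level (third item under `Revoking Tokens`) rather than under the legacy AES entry, otherwise the rendered list suggests the owner token is only relevant to AES mode. Also check the `Signing Out` entries against the second hunk, where `### On the Command Line` is left with no body.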

Expand Down Expand Up @@ -64,11 +68,55 @@ publishing packages.

## Signing Out

### On the Verdaccio UI

Click the <kbd>Logout</kbd> button as per usual.

### On the Command Line
## Revoking Tokens

Verdaccio has two authorization methods. Depending on your chosen method, you
will need to revoke the token in a different way.

You can read more about this in the Verdaccio docs:

- [Diving into JWT support for Verdaccio 4](https://verdaccio.org/blog/2019/04/19/diving-into-jwt-support-for-verdaccio-4)
- [Expiring Tokens](https://verdaccio.org/docs/best/#expiring-tokens)

You can find a more detailed breakdown of tokent types and token revocation in
[#176](https://github.com/n4bb12/verdaccio-github-oauth-ui/issues/176).

### With JWT Security

API/CLI tokens are valid for the duration you configured in the verdaccio config
at `security.api.jwt.sign.expiresIn`. UI tokens are valid for the duration you
configured in the verdaccio config at `security.web.sign.expiresIn`. After this
period, tokens are automatically invalid.

You can revoke **all** tokens for **all** users by changing the Verdaccio secret
in `storage/.verdaccio-db.json`.

### With AES Encryption (legacy)

You can revoke the token by revoking it in the GitHub settings.

#### As a Registry User

- Go to https://github.com/settings/applications
- Find the OAuth app for your registry
- Click the <kbd>Revoke</kbd> button from the <kbd>...</kbd> menu as shown below

<img src="screenshots/revoke.png" width="584" />

#### As a Registry Owner

- Go to https://github.com/settings/applications, or, if owned by an org,
https://github.com/organizations/ORG_NAME/settings/applications
- Find the OAuth app for your registry
- Open the OAuth app settings
- On the settings page click the <kbd>Revoke all user tokens</kbd> button

### Revoking the Registry Owner GitHub Token

GitHub memberships are determined using the `auth.github-oauth-ui.token` that
you configured in the verdaccio config.

Unless OAuth access is revoked in the GitHub settings, the token is valid
indefinitely.
This token can be revoked at https://github.com/settings/tokens where you
created it.
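Review bot: `### On the Command Line` is now immediately followed by `## Revoking Tokens`, so the command-line sign-out section has no content and `Signing Out` only documents the UI button; either restore the command-line instructions below that heading or drop the empty heading together with its TOC entry. Under `With JWT Security`, the text lists only two ways a token stops being valid (the configured `expiresIn` elapses, or the secret is changed, which invalidates every token for every user at once), so say explicitly that there is no per-user or per-token revocation in this mode and that `expiresIn` is therefore the main control; also note that `storage/.verdaccio-db.json` assumes the default storage location, and state whether Verdaccio has to be restarted for a new secret to take effect. Under `Revoking the Registry Owner GitHub Token`, `Unless OAuth access is revoked in the GitHub settings` is confusing for a token created at https://github.com/settings/tokens, which is a personal access token rather than an OAuth app grant, so reword it; and because the first paragraph says memberships are determined with this token, add that after revoking it a replacement must be generated and written to `auth.github-oauth-ui.token` (and the service reloaded), or membership checks stop working for everyone. Typo: `tokent types` should read `token types`.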
