
Verdaccio private packages for each Registered User


I want to host an npm package for each of my individual clients, and I want to publish those packages to a private Verdaccio instance. I also want ClientA to only have access to package A, and not to be able to access the packages for ClientB.
How can I do that?

My current plan is to simply edit the config file every time I get a new client, then restart the server. So, here's what that file might look like right now:

packages:
  "@my-repo/client-a-*":
    access: admin client-a
    publish: admin

Then I get ClientB and I edit the file to look like this and restart the server:

packages:
  "@my-repo/client-a-*":
    access: admin client-a
    publish: admin
  "@my-repo/client-b-*":
    access: admin client-b
    publish: admin

I think this would allow ClientA to have readOnly access to client-a packages, and then ClientB would have readOnly access to client-b packages. Do you think this will work? Edit: I confirmed the above does work, albeit a kind of tedious and manual solution.

Ok - now, can I simplify this with regex?? Can I use group names or regex to match the client name with their package directory? It might look like this (the config below is a guess):

packages:
  "@my-repo/$userId-*":
    access: admin $userId
    publish: admin

So, in this rule $userId acts as a variable, and it would result in every registered user only having access to packages published with the prefix of their own username. Is that possible, and how can I do it?

Edit: No. It's not possible. See answer below.


Solution

  • Grouping multiple users into a "group" is NOT supported, per this thread and comment (Sept, 2018) by the core maintainer himself:

    It's not possible in that way, currently, user === group. So, you must define all users are allowed in each section (access, publish).

    However, it appears at least a small handful of developers have searched for this type of a solution:

    So, I'll just have to tediously edit the config file to add/remove users and packages for them each specifically. Fortunately, Docker makes it pretty easy to just restart the service.
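
Since every client has to be listed by hand, the `packages:` section can be generated from a client list instead of edited manually. The script below is an added example, not part of the original question or answer and not Verdaccio code; `renderPackages`, `validateClients` and the name rules are hypothetical, and the scope, admin user and client names are taken from the question's config. It also rejects client names where one client's glob would match another client's packages.

```javascript
// Added example: renders the Verdaccio `packages:` section from a client list.
// SCOPE and ADMIN mirror the config shown in the question; adjust to your setup.
const SCOPE = "@my-repo";
const ADMIN = "admin";

// Assumed naming rule: names end up inside a glob and inside YAML, so only a
// conservative character set is accepted (no quotes, "*", "$", "/", spaces).
const NAME_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

function validateClients(clients) {
  const seen = new Set();
  for (const name of clients) {
    if (!NAME_RE.test(name)) throw new Error(`invalid client name: ${JSON.stringify(name)}`);
    if (name === ADMIN) throw new Error("client name collides with the admin user");
    if (seen.has(name)) throw new Error(`duplicate client: ${name}`);
    seen.add(name);
  }
  // "@my-repo/client-a-*" also matches "@my-repo/client-a-b-pkg", so a client
  // whose name extends another client's name with "-..." would share packages.
  for (const a of clients) {
    for (const b of clients) {
      if (a !== b && b.startsWith(a + "-")) {
        throw new Error(`glob for "${a}" would also match packages of "${b}"`);
      }
    }
  }
}

function renderPackages(clients) {
  validateClients(clients);
  const lines = ["packages:"];
  for (const name of [...clients].sort()) {
    lines.push(`  "${SCOPE}/${name}-*":`);
    lines.push(`    access: ${ADMIN} ${name}`);
    lines.push(`    publish: ${ADMIN}`);
  }
  return lines.join("\n") + "\n";
}

// Constructed sample input: the two clients from the question.
console.log(renderPackages(["client-a", "client-b"]));
```

The output covers only the per-client rules; any other entries in the existing `packages:` section have to be merged in before the server is restarted.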