
Allow Authentication via Http Header

Open MichaelCkr opened this issue 3 years ago • 1 comments

Do you want to request a feature or report a bug?

Feature

What is the current behavior?

Authentication for downloading npm and node (goal install-node-and-npm) is only possible via username and password. In a CI pipeline one would usually use a token, which needs authentication via an HTTP header.

See the code in com.github.eirslett.maven.plugins.frontend.lib.DefaultFileDownloader#execute.

What is the expected behavior?

I'd like to use something like the following server configuration in my Maven settings

<server>
   <id>gitlab</id>
   <configuration>
      <httpHeaders>
         <property>
            <name>Job-Token</name>
            <value>${env.CI_JOB_TOKEN}</value>
         </property>
      </httpHeaders>
   </configuration>
</server>

with the server id configured in the plugin configuration.

E.g. GitLab added the opportunity to use the CI_JOB_TOKEN for authentication with an HTTP header, see issue 30650 here. Using a token like this allows dropping any configured token, because it is created for every pipeline individually. Using a job token with username and password authentication unfortunately is not possible.

Please mention your frontend-maven-plugin and operating system version.

  • frontend-maven-plugin in version 1.12.1
  • OS: Debian GNU/Linux 10 (buster)

MichaelCkr, Jul 15 '22 08:07
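How a downloader could pick up the requested `<httpHeaders>` block for a given server id and attach it to a request, as an added example that is not the plugin's code or the code of any pull request. It uses only JDK classes instead of Maven's settings API; the class name, URL and token value are constructed, and the sample assumes Maven has already interpolated `${env.CI_JOB_TOKEN}`.

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ServerHeaderDemo {
    // Constructed sample: settings.xml content after ${env.CI_JOB_TOKEN} was interpolated.
    static final String SETTINGS = "<settings><servers><server><id>gitlab</id><configuration><httpHeaders>"
        + "<property><name>Job-Token</name><value>constructed-token</value></property>"
        + "</httpHeaders></configuration></server></servers></settings>";

    // Collect the <httpHeaders> properties of the <server> whose <id> equals serverId.
    static Map<String, String> headersFor(String settingsXml, String serverId) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(settingsXml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        Map<String, String> headers = new LinkedHashMap<>();
        NodeList servers = root.getElementsByTagName("server");
        for (int i = 0; i < servers.getLength(); i++) {
            Element server = (Element) servers.item(i);
            if (!serverId.equals(text(server, "id"))) continue; // headers of other servers stay unused
            NodeList props = server.getElementsByTagName("property");
            for (int j = 0; j < props.getLength(); j++) {
                Element p = (Element) props.item(j);
                if (!"httpHeaders".equals(p.getParentNode().getNodeName())) continue;
                headers.put(text(p, "name"), text(p, "value"));
            }
        }
        return headers;
    }

    // Text of the first descendant element named tag, or "" if there is none.
    static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        HttpRequest.Builder req = HttpRequest.newBuilder(URI.create("https://gitlab.example.com/node.tar.gz"));
        headersFor(SETTINGS, "gitlab").forEach(req::header);
        // Log header names only, so the token value never reaches the build log.
        System.out.println("GET " + req.build().uri() + " with headers " + req.build().headers().map().keySet());
    }
}
```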

Are there any plans on fixing this?

aixigo-soffermann, Feb 23 '24 12:02

It looks like this isn't supported by Maven: https://maven.apache.org/settings.html#servers

According to the documentation, it seems like Maven only supports basic authentication or SSH keys. I'm very reluctant to add custom authentication mechanisms that are not part of Maven officially. Is it possible to send the CI token as <password> in Maven instead of as a header? I mean, you're already using the same Maven artifactory for downloading your jar dependencies, so it should be working already, right?

eirslett, Sep 04 '24 12:09

@eirslett: Thank you for taking the time to look into this.

This is indeed supported by Maven. The configuration section is left empty in your documentation page, but there is another one: https://maven.apache.org/guides/mini/guide-http-settings.html#http-headers

So the example <server> section from above is working for other dependency downloads in Maven, for example when running against Artifactory as repository server (which would not accept the token as HTTP-Auth password).

I had a small bug in my pull request from yesterday, but with the latest commit the HTTP-Header authentication is working as expected.

liefke, Sep 04 '24 14:09

I just realized that my documentation link from above has been outdated since Maven 3.9.0, but the following page says the same about HTTP headers: https://maven.apache.org/guides/mini/guide-resolver-transport.html#custom-http-headers

liefke, Sep 04 '24 15:09