Limiting access to read modules is not working

[iamdinesh]

I have provided read access to only 'dinesh.jayakumar' in confi.yaml. Then I have added the user prem.j using npm adduser command. But when i tried to run npm install , I got the module in my local machine. By the same time, sinopia server logs prints a message saying "user prem.j is not allowed to access package ". Here my expectation is when i don't have permission to pull that module, it should download that module to my local.

My configuration file.

#
# This is the default config file. It allows all users to do anything,
# so don't use it on production systems.
#
# Look here for more config file examples:
# https://github.com/rlidwka/sinopia/tree/master/conf
#

# path to a directory with all packages
storage: /home/dinesh/.local/share/sinopia/storage

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    #max_users: 1000

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated

  '*':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: dinesh.jayakumar

    # allow all known users to publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

# log settings
logs:
  - {type: stdout, format: pretty, level: http}
  #- {type: file, path: sinopia.log, level: info}

listen: localhost:1200

[edmofro]

@iamdinesh I know it's been almost a year, but did you ever get to the bottom of this? I'm having the same issue.

[edmofro]

Adding 'always-auth' solved it for me.