Is it possible to configure Nexus to use GitHub Packages as an npm proxy? The HTTP authentication option doesn’t seem to work.
Here are the GitHub docs on how to do it locally: Configuring npm for use with GitHub Packages - GitHub Docs
But no luck with Nexus npm proxy.
Update: I have updated Nexus to the newest Linux version (OSS 3.27.0-03). Now I have the option to set up HTTP Authentication as “Preemptive Bearer Token”. And now it seems that Nexus can talk with the GitHub npm repo, but there must be some bug, because downloading the tarball does not work. It responds with 404.
Update 2 and solution:
In my opinion there is some serious bug in Nexus. But it works. What you need to do is to use classic HTTP Username authentication, with your GH username as the username and a personal token as the password. Now you must uncheck the checkbox “Validate that all content uploaded to this repository is of a MIME type appropriate for the repository format”… Which is stupid.
It will NOT work with “Preemptive Bearer Token”.
Sonatype, please fix this…
Ok, that was not a solution. It seemed to work, but it didn’t: I was not able to install any other version of the package without invalidating the cache.
About issues and fixes:
Nexus uses HttpClient 4.5, which since version 4.1 has used DefaultRedirectStrategy. According to the documentation:
302 Moved Temporarily, 301 Moved Permanently and 307 Temporary Redirect status codes will result in an automatic redirect of HEAD and GET methods only.
and (probably) HttpClient copies all headers from the original request. Normally it’s not an issue, but GitHub Package Registry redirects (with 302) to an automatically generated AWS (S3 probably) link with the X-Amz-Credential GET parameter. AWS does not allow us to use both the Authorization Bearer token and the mentioned X-Amz-Credential, and responds with HTTP 400.
The fix is to handle redirects manually, so we can use the execute method to control whether or not we should add the Authorization Bearer header (by checking for the existence of X-Amz-Credential).
In the NpmContentValidator, Nexus was always adding a .json extension if there was no extension at all, which was wrong. npm packages’ names in AWS are just random hashes without an extension, but those are application/octet-stream, which is the tarball that we are expecting to get.
The fix is to check if the declared content type is application/gzip. If so, append .tgz instead of .json.
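Added example (Python written for this page, not code from the original post, from Nexus, or from HttpClient) showing the two problems described above and the corresponding fixes: a redirect follower that copies every header into the redirected request fails against a pre-signed AWS URL carrying X-Amz-Credential, while one that drops Authorization on a cross-origin or pre-signed hop succeeds; and a cache-name helper that picks .tgz instead of .json when the declared Content-Type is a gzip tarball. The registry and S3 hostnames, the pre-signed URL, the tarball bytes and the fake transport are all constructed for the demo; treating application/octet-stream as a tarball is an assumption based on what the post reports S3 returning.

```python
"""Manual redirect handling that keeps Bearer credentials off pre-signed
AWS URLs, plus content-type-based cache naming.  Illustration only; the
hosts, URLs and transport below are constructed, not real endpoints."""
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlsplit

# A response is (status, headers, body); a transport maps (url, headers) to one.
Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[str, Dict[str, str]], Response]
Policy = Callable[[str, str, Dict[str, str]], Dict[str, str]]

SENSITIVE = {"authorization", "cookie"}


def is_presigned_aws(url: str) -> bool:
    """True if the URL carries SigV4 query-string auth (X-Amz-Credential)."""
    return "X-Amz-Credential" in parse_qs(urlsplit(url).query)


def copy_all(src: str, dst: str, headers: Dict[str, str]) -> Dict[str, str]:
    """What an automatic redirect that re-sends every header does."""
    return dict(headers)


def strip_on_hop(src: str, dst: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Keep headers only for a same-origin, non-pre-signed target; otherwise
    drop credentials so they neither leak to the new host nor collide with
    X-Amz-Credential (which AWS rejects with 400)."""
    same_origin = urlsplit(src)[:2] == urlsplit(dst)[:2]  # (scheme, netloc)
    if same_origin and not is_presigned_aws(dst):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}


def fetch(url: str, headers: Dict[str, str], transport: Transport,
          policy: Policy = strip_on_hop, max_hops: int = 5) -> Response:
    """GET with redirects handled by hand, the way the post proposes, so the
    caller decides which headers survive each hop."""
    for _ in range(max_hops):
        status, resp_headers, body = transport(url, headers)
        if status not in (301, 302, 307):
            return status, resp_headers, body
        location = resp_headers["Location"]
        headers = policy(url, location, headers)
        url = location
    raise RuntimeError("too many redirects")


def cache_file_name(path: str, content_type: str) -> str:
    """Extension choice mirroring the NpmContentValidator fix: a name with no
    extension gets .tgz when the declared type is a gzip tarball, .json
    otherwise.  Including application/octet-stream is an assumption."""
    name = path.rsplit("/", 1)[-1]
    if "." in name:
        return name
    mime = content_type.split(";", 1)[0].strip().lower()
    tarball_types = {"application/gzip", "application/x-gzip", "application/octet-stream"}
    return name + (".tgz" if mime in tarball_types else ".json")


# ---- constructed fake of the registry + S3 behaviour described in the post ----
REGISTRY = "https://npm.pkg.example/download/@org/pkg/1.0.0/abc123"
PRESIGNED = ("https://s3.example/blob/deadbeef?X-Amz-Algorithm=AWS4-HMAC-SHA256"
             "&X-Amz-Credential=AKIAEXAMPLE/20200101/us-east-1/s3/aws4_request"
             "&X-Amz-Signature=00")
TARBALL = b"\x1f\x8b\x08\x00fake-gzip-bytes"  # constructed, not a real archive


def fake_transport(url: str, headers: Dict[str, str]) -> Response:
    """Registry: requires a Bearer token and answers 302 to a pre-signed URL.
    S3: refuses header auth alongside query-string auth, else serves the blob."""
    if url == REGISTRY:
        if headers.get("Authorization", "").startswith("Bearer "):
            return 302, {"Location": PRESIGNED}, b""
        return 401, {}, b""
    if url == PRESIGNED:
        if "Authorization" in headers:
            return 400, {}, b"InvalidArgument"
        return 200, {"Content-Type": "application/octet-stream"}, TARBALL
    return 404, {}, b""


if __name__ == "__main__":
    auth = {"Authorization": "Bearer ghp_example", "Accept": "*/*"}
    print("copy every header :", fetch(REGISTRY, auth, fake_transport, policy=copy_all)[0])
    status, h, body = fetch(REGISTRY, auth, fake_transport)
    print("strip on hop      :", status, cache_file_name(urlsplit(PRESIGNED).path, h["Content-Type"]))
```

The same-origin test matters beyond the 400: an Authorization header forwarded to whatever host a 302 names is a credential leak, so the conservative default is to strip it on any change of origin and re-add it only where the proxy knows it belongs.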