GitHub Packages as npm proxy

Update 3:
Ok, that was not a solution. It seemed to work, but it didn’t - I was not able to install any other version of the package without invalidating the cache.

Here is a PR with the fix: NEXUS-23750 - Does not support npm GitHub Package Registry by marverix · Pull Request #79 · sonatype/nexus-public · GitHub

About issues and fixes:

First problem

Nexus uses HttpClient 4.5, which has used DefaultRedirectStrategy since version 4.1. According to the documentation:

302 Moved Temporarily, 301 Moved Permanently and 307 Temporary Redirect status codes will result in an automatic redirect of HEAD and GET methods only.

and (probably) HttpClient is copying all headers from the original request. Normally it’s not an issue, but GitHub Package Registry is redirecting (with 302) to an automatically generated AWS (S3 probably) link with the X-Amz-Credential GET parameter. AWS does not allow us to use both the Authorization Bearer token and the mentioned X-Amz-Credential, and responds with HTTP 400.

The fix is to manually handle the redirect, so we can use the execute method to control if we should or shouldn’t add the Authorization Bearer header (by checking the existence of X-Amz-Credential).

Second problem

In the NpmContentValidator, Nexus was always adding a .json extension if there was no extension at all. Which was wrong. npm packages’ names in AWS are just some random hashes without extension. But those are application/octet-stream - which is the tarball that we are expecting to get.

The fix is to check if the declared content type is application gzip. If so then let’s append .tgz instead of .json.
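
The manual redirect handling described under "First problem", sketched against HttpClient 4.5 as an added example (it is not the code from the PR or from Nexus). The class name, the redirect limit and the REGISTRY_TOKEN variable are assumptions, and it goes beyond the post by also withholding the token when a redirect leaves the original host, so the bearer token never reaches a third party.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import org.apache.http.Header;
import org.apache.http.HttpHeaders;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIUtils;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

// Added illustration (hypothetical class, not Nexus code); needs httpclient 4.5.x on the classpath.
public class ManualRedirectGet {
  // Beyond the post's X-Amz-Credential check: also withhold the token when the host changes.
  static boolean mayCarryToken(URI origin, URI target) {
    boolean presigned = URLEncodedUtils.parse(target, StandardCharsets.UTF_8).stream()
        .anyMatch(p -> "X-Amz-Credential".equalsIgnoreCase(p.getName()));
    String host = origin.getHost();
    return !presigned && host != null && host.equalsIgnoreCase(target.getHost());
  }

  static CloseableHttpResponse get(CloseableHttpClient client, URI origin, String token)
      throws IOException {
    URI current = origin;
    for (int hop = 0; hop <= 5; hop++) { // assumed redirect limit
      HttpGet request = new HttpGet(current);
      if (mayCarryToken(origin, current)) {
        request.setHeader(HttpHeaders.AUTHORIZATION, "Bearer " + token);
      }
      CloseableHttpResponse response = client.execute(request);
      int status = response.getStatusLine().getStatusCode();
      Header location = response.getFirstHeader(HttpHeaders.LOCATION);
      boolean redirect = status == 301 || status == 302 || status == 307;
      if (!redirect || location == null) return response; // final answer; the caller closes it
      EntityUtils.consumeQuietly(response.getEntity()); // release the connection before the next hop
      response.close();
      current = URIUtils.resolve(current, location.getValue()); // Location may be relative
    }
    throw new IOException("Too many redirects starting at " + origin);
  }

  public static void main(String[] args) throws IOException {
    // Automatic redirects are switched off so get() decides the headers for every hop.
    String token = System.getenv("REGISTRY_TOKEN"); // assumed variable name
    try (CloseableHttpClient client = HttpClients.custom().disableRedirectHandling().build();
        CloseableHttpResponse response = get(client, URI.create(args[0]), token)) {
      System.out.println(response.getStatusLine());
    }
  }
}
```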