Cannot login - this user already exists

[henkosch]

Sinopia crashes when I try to login.

This is the output:

 warn  --- config file  - /home/henko/.config/sinopia/config.yaml
 warn  --- http address - http://localhost:4873/
 http  <-- 409, user: undefined, req: 'PUT /-/user/org.couchdb.user:henko', error: this user already exists
 http  <-- 200, user: undefined, req: 'GET /-/user/org.couchdb.user:henko?write=true', bytes: 0/106
 fatal --- uncaught exception, please report this
Error: Module did not self-register.
    at Error (native)
    at Object.Module._extensions..node (module.js:460:18)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:311:12)
    at Module.require (module.js:366:17)
    at require (module.js:385:17)
    at module.exports (/usr/local/lib/node_modules/sinopia/node_modules/crypt3/index.js:24:9)
    at Object.verify_password (/usr/local/lib/node_modules/sinopia/node_modules/sinopia-htpasswd/utils.js:93:12)
    at /usr/local/lib/node_modules/sinopia/node_modules/sinopia-htpasswd/index.js:39:16
    at /usr/local/lib/node_modules/sinopia/node_modules/sinopia-htpasswd/index.js:113:9

Node and npm versions used:
server: Ubuntu 14.04
server npm: 2.14.7
server node: 4.2.1
client npm: 2.14.7
client node: 4.2.1

Update:
I have solved the uncaught exception problem, but I still cannot login. See below.

[henkosch]

It was something to do with node-crypt3 not building for some reason. I reinstalled sinopia, node-crypt3 still does not build, but sinopia seems to install without it.

sendanor/node-crypt3#9

Now the uncaught exception is gone, but I still cannot login with an existing user:

 http  <-- 409, user: undefined, req: 'PUT /-/user/org.couchdb.user:henko', error: this user already exists
 http  <-- 200, user: undefined, req: 'GET /-/user/org.couchdb.user:henko?write=true', bytes: 0/106
 http  <-- 409, user: undefined, req: 'PUT /-/user/org.couchdb.user:henko/-rev/undefined', error: this user already exists

Well of course it exists, that's why I want to login with it...

I used
npm login

Which is the same as
npm adduser

And according to the docs, adduser is the way to authenticate, too:
https://docs.npmjs.com/cli/adduser

You may use this command multiple times with the same user account to authorize on a new machine. When authenticating on a new machine, the username, password and email address must all match with your existing record.

So how can I login with an existing user?

[henkosch]

I have fixed this issue by adding an extra authenticate call before add_user in the PUT request handler. This way if the user can authenticate itself with the current plugin, then it will be instantly logged in instead of sending back a HTTP 409.

Of course when the password is invalid, the add_user will be called and it will failed because the user already exists. But currently using the auth plugin authenticate interface there is no way to tell if the user exists or the password did not match, so we can just return the user already exists message when the password is wrong.

Please review my changes.

[nagliyvred]

This is a real blocker for anyone who is using sinopia for their private packages. Any chance this could be prioritised? Thanks.
P.S. Using a forked version works, but it would be nice to see it fixed in the master too.

[roykolak]

bump on this...

[roykolak]

epp... it was the wrong password for me... embarrassed

[eatrocks]

I also get the error of "this user already exists : -/user/org.couchdb.user:xxxxxxxx/-rev/undefined" when doing npm adduser --registry...
I manually applied the fix in the attached pull request from henkosch but it does not resolve the issue for me.
I'm using Sinopia v 1.3.1, npm v 2.11.3

[mcansky]

same problem here; very annoying

[mcansky]

I can confirm @henkosch patch fixes the issue

[AdrieanKhisbe]

👍

[eatrocks]

We found that deleting the appropriate user entry from the htpasswd file allowed the user to adduser successfully. See your config.yaml file for the location of the htpasswd file, ours was ./htpasswd
We are v1.3.1.

[konradjurk]

So whats the status on this? I'd like to login with my existing user, and found that login and user creation is the same thing.

When I do
curl -s -H "Accept: application/json" -H "Content-Type:application/json" -X PUT --data '{"name": "user", "password": "pw"}' http://registry/-/user/org.couchdb.user:user

... I get this beautiful answer:

{
  "error": "this user already exists"
}

Why is this a PUT and not a POST anyways and why is login and user creation the same thing?

[remie]

You can get this working by doing an authenticated request:

Creating a user
curl -s \ -H "Accept: application/json" \ -H "Content-Type:application/json" \ -X PUT --data '{"name": "username", "password": "password"}' \ http://registry/-/user/org.couchdb.user:username

Login existing user
curl -s \ -H "Accept: application/json" \ -H "Content-Type:application/json" \ -X PUT --data '{"name": "username", "password": "password"}' \ --user username:password \ http://registry/-/user/org.couchdb.user:username

This is actually also what NPM does, see https://github.com/npm/npm-registry-client/blob/856eefea40a2a88618835978e281300e3406924b/lib/adduser.js#L62-L90

[grimborg]

Any way around this? It's still broken on the latest version of sinopia.

I add the users to htpasswd and they cannot login. (Allowing them to register is not an option: anyone could register, which is not what I want).

Update: I found a workaround: adding the users in the config file, and generating their passwords using require('crypto').createHash('sha1').update(pass).digest('hex').

It looks like it should also be possible to add the passwords to the htpasswd file, but I found two different in various documentations (including sinopia-htpasswd) (using the htpasswd tool from apache-tools, or mkpasswd from whois), but neither work generate a password that sinopia recognizes.

[ijsf]

Also confirmed broken here. Quite inconvenient.

[skozin]

The format of htpasswd has seemingly changed, now it looks like this:

username1:{SHA}XYZXYZXYZXYZXYZXYZXYZXYZXYZ=:autocreated 2016-01-01T00:00:00.000Z
username2:{SHA}XYZXYZXYZXYZXYZXYZXYZXYZXYF=:autocreated 2016-01-01T00:00:00.000Z

So that's why previously-generated files don't work.

If you wish to use htpasswd, the workaround is to allow sinopia to create htpasswd file by temporarily launching it in the mode that allows adding new users:

1. Launch sinopia with config.yaml containing auth.htpasswd.file set to some path, and auth.htpasswd.max_users set to e.g. 1000.
2. Make sure the file that auth.htpasswd.file points to does not exist.
3. Use npm CLI to login all your users.
4. Save the contents of auth.htpasswd.file.

Now you can re-launch sinopia with auth.htpasswd.max_users set to -1 to avoid adding new users. Or you can launch it on a new host, it doesn't matter as long as htpasswd and config.yaml are copied there.

Also, this htpasswd file re-generation does not invalidate NPM client tokens, as long as usernames and passwords remain the same and value in the secret field in <storage-path>/.sinopia-db.json file is not changed (where <storage-path> is set by the storage field in config.yaml).