verdaccio: Unpublish fails with custom auth plugin

In the latest version, npm unpublish fails when a custom auth plugin is attached. If I remove this.plugins.push((0, _authUtils.getDefaultPlugins)()); it works.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 26 (12 by maintainers)

Most upvoted comments

Same issue on my side; it appears that allow_unpublish in auth.ts loops over the plugins without waiting for a response. It means each auth plugin will be asked for unpublish and the first to respond will win, but the others will still generate a callback call. After that, unpublish on the storage side will be called multiple times and results in a 403 on the second attempt.

https://github.com/verdaccio/verdaccio/blob/7b67bea4b8ec5de29ffc04b1f99c9d041c14ac57/src/lib/auth.ts#L208-L217

publish is coded in a different way and has no issues: https://github.com/verdaccio/verdaccio/blob/7b67bea4b8ec5de29ffc04b1f99c9d041c14ac57/src/lib/auth.ts#L246-L261

and as @xpepermint said, removing the default plugin fixes the issue.
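The two chain shapes the comment contrasts (fan-out to every plugin vs. one plugin at a time), as an added example that is not verdaccio's code: the two plugins, the user, the package and the storage stub are all constructed, and the "default" plugin simply denies to stand in for the built-in group check.

```javascript
// Constructed plugin chain: a custom plugin that allows every unpublish and a
// "default" plugin that denies it (hypothetical stand-in for the group check).
function makePlugins() {
  return [
    { name: 'custom',  allow_unpublish: (user, pkg, cb) => cb(null, true) },
    { name: 'default', allow_unpublish: (user, pkg, cb) => cb(null, false) },
  ];
}

// Fan-out shape: every plugin is asked at once, so `cb` can fire once per plugin.
// This is the behaviour the comment describes for allow_unpublish.
function allowUnpublishFanOut(plugins, user, pkg, cb) {
  for (const plugin of plugins) plugin.allow_unpublish(user, pkg, cb);
}

// Sequential shape: ask plugins one at a time, so `cb` fires exactly once.
// A `false` answer defers to the next plugin; `true` or an error ends the chain.
function allowUnpublishSequential(plugins, user, pkg, cb) {
  const queue = plugins.slice();
  (function next() {
    const plugin = queue.shift();
    if (!plugin) return cb(null, false);            // nobody allowed it
    plugin.allow_unpublish(user, pkg, (err, ok) => {
      if (err) return cb(err);
      if (ok) return cb(null, true);
      next();
    });
  })();
}

// Drives one DELETE through the chosen chain. Each callback invocation becomes
// one HTTP status: 200 when the (stubbed) storage removal runs, 403 when denied.
// With fan-out the array has one entry per plugin, which is the duplicate
// response the thread is about; with the sequential chain it has exactly one.
function runUnpublish(allowFn, user, pkg) {
  const storage = { removed: [] };                  // constructed storage stub
  const statuses = [];
  allowFn(makePlugins(), user, pkg, (err, ok) => {
    if (err || !ok) { statuses.push(403); return; }
    storage.removed.push(pkg.name);
    statuses.push(200);
  });
  return { statuses, removals: storage.removed.length };
}
```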

Thanks, I’ll try to test it this week.

Just faced this issue after adding unpublish to GitLab plug-in. Plug-in simply calls

public allow_unpublish(...) {
  return cb(null, true);
}

Package is unpublished and deleted from the storage successfully, but end response is 403 Forbidden - DELETE. Error:

~/projects/example$ npm unpublish @example/core@0.1.2
npm ERR! code E403
npm ERR! 403 403 Forbidden - DELETE http://localhost:4873/@example%2fcore/-rev/3-91dfcdbcde2adc73 - user xxx is not allowed to unpublish package @example/core
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.

Repository: https://github.com/igorpupkinable/verdaccio-gitlab/tree/unpublish-action

Stack trace:

trace--- authentication for user xxx was successfully.
trace--- [middleware/allow][unpublish] allow for xxx
trace--- allow unpublish for @example/core
trace--- [gitlab] unpublish: checking group: xxx for user: xxx and package: @example/core
trace--- [gitlab] unpublish: checking group: example for user: xxx and package: @example/core
debug--- [gitlab] user: xxx allowed to unpublish package: @example/core based on package-name
trace--- allowed unpublish for @example/core
debug--- unpublishing @example/core
trace--- [local-storage/getPackageStorage]: storage selected: ./storage/data
trace--- [local-storage/getPackageStorage]: storage path: /home/xxx/.config/verdaccio/storage/data/@example/core
debug-=- [storage] removing package @example/core
debug--- [local-storage/readPackage] read a package: @example/core
trace--- [local-storage/_readStorageFile] read a file: /home/xxx/.config/verdaccio/storage/data/@example/core/package.json
trace--- fallback unpublish for @example/core has groups: true for xxx
trace--- allow_action for unpublish for @example/core has groups: true for xxx

===>    trace--- [auth/allow_action]: user: undefined
===>    trace--- [auth/allow_action]: hasPermission? false for user: undefined
===>    trace--- forbidden publish for @example/core, it will fallback on unpublish permissions
===>    http <-- 403, user: xxx(127.0.0.1), req: 'DELETE /@example%2fcore/-rev/3-91dfcdbcde2adc73', error: user xxx is not allowed to unpublish package @example/core

trace--- [local-storage/_readStorageFile] read file succeed: /home/xxx/.config/verdaccio/storage/data/@example/core/package.json
trace--- [local-storage/readPackage/_readStorageFile] read a package succeed: @example/core
trace--- local-storage: [remove] package @example/core has been removed
debug--- [local-storage/_sync]: init sync database
debug--- [local-storage/_sync]: folder /home/xxx/.config/verdaccio/storage/data created succeed
debug--- [local-storage/_sync/writeFileSync]: sync write succeed
debug--- [local-storage/deletePackage] delete a package package.json
trace--- local-storage: [get] full list of packages (1) has been fetched
debug-=- [storage/_deleteAttachments] delete attachments total: 1
debug--- [local-storage/deletePackage] delete a package core-0.1.2.tgz
debug--- [local-storage/removePackage] remove a package: /home/xxx/.config/verdaccio/storage/data/@example/core

I am happy to provide more information if required.

No updates from my side, projects at work have a higher priority at the moment.

@DanielRuf Added my setup under this repo: https://github.com/ankitjain28may/verdaccio-experiments

Run these commands to install:

mv data/conf/config.sample.yaml data/conf/config.yaml
docker-compose up --build

Now try to publish something to the registry and unpublish it. Hope it helps, let me know what else you need. Thanks 😃