Add a Team level Audit Log Entry when NPM publish/unpublish #5268

Open
hardillb opened this issue Mar 7, 2025 · 2 comments
Labels: area:api (Work on the platform API), size:M - 3 (Sizing estimation point), task (A piece of work that isn't necessarily tied to a specific Epic or Story.)

Comments

hardillb (Contributor) commented Mar 7, 2025

Description

This is to allow the npm registry to log team level audit log entries when packages are published/unpublished from the registry

npm registry has callbacks for pub/unpub

Challenges:

  • Needs new endpoint in forge/routes/logging/index.js for team level audit events
  • This is a 3rd party posting on behalf of a team (owner/member). Would need a trusted auth token.
  • Can't post as the user as it doesn't have access to the user's token at the point in the npm auth plugin
  • We could "attach" the user's auth token in the auth callback as an extra "group", but that feels ugly.
  • Or we could keep a lookup table of users -> tokens in memory of the auth plugin. Better but still eww

Epic/Story

#5087

Have you provided an initial effort estimate for this issue?

I have provided an initial effort estimate

@hardillb hardillb added the task A piece of work that isn't necessarily tied to a specific Epic or Story. label Mar 7, 2025
@joepavitt joepavitt added this to the 2.15 milestone Mar 7, 2025
@joepavitt joepavitt added size:M - 3 Sizing estimation point area:api Work on the platform API labels Mar 7, 2025
@joepavitt joepavitt moved this to Todo in 🛠 Development Mar 7, 2025
@hardillb hardillb self-assigned this Mar 7, 2025
hardillb added a commit that referenced this issue Mar 7, 2025
hardillb (Contributor, Author) commented Mar 7, 2025

OK, we can only handle publish events

This is because an unpublish event triggers both the publish and the unpublish auth callbacks multiple times, with no way to know which event is actually the single unpublish event.

hardillb (Contributor, Author) commented Mar 7, 2025

And we don't get the version number in the publish event; we do get to know who did it and the name, but that is it.

@joepavitt joepavitt moved this from Todo to Review in 🛠 Development Mar 10, 2025