Verdaccio Tokens now short-lived
-
Would it be possible to allow OIDC login in addition to the old way to log in? We kind of rely on Verdaccio and generally like Cloudron for managing it. But with this kind of basic infrastructure stuff, stuff has to work. And a change like this, where first all previous tokens are rendered obsolete, then the normal npm login flow does not work anymore, then tokens expire after a day, rendering all infrastructure work regarding this from the day before basically useless, is NOT a nice UX for us.
-
Hey @philkunz as of right now, there are 174 apps in the Cloudron catalog.
Even I, a "partner", do not have every app installed, tested and fully in my head, not yet!
If you wish to get more responses from the community, you need to be more verbose in writing your topics.
I am not writing this to wag my finger but to help you get better and faster help from everyone here.
Since I do not know the Verdaccio app at all, it would be a tremendous help for me to get details, to then maybe reproduce the issue and find a solution.
Your criticism about UX is completely understandable and very valid.
After some quick research I found this GitHub issue, which seems very similar to what you are describing.
https://github.com/verdaccio/verdaccio/issues/168
and I found https://verdaccio.org/docs/next/best/#expiring-tokens which might solve your issue already?
-
You're right. Sometimes it is just this feeling of: "It worked perfectly before"
Btw: Thank you for finding the config.
And yes, the good thing is: Cloudron offers a generally really nice mix of managed experience without blocking control. On the other side, if stuff is working, and then it is not -> I'm sometimes a little confused about how migrations work, if I add too much custom stuff...
-
@philkunz said in Verdaccio Tokens now short-lived:
"It worked perfectly before"
Yes, I can second that. With that annoyance in the brain everyone tends to cut short and be like "WHY?! IT WORKED?!".
@philkunz said in Verdaccio Tokens now short-lived:
On the other side, if stuff is working, and then it is not -> I'm sometimes a little confused about how migrations work, if I add too much custom stuff...
What I can tell you from ~5 years of experience with Cloudron.
This only sometimes happens if major changes take place.
A normal app update normally never results in such pain.
But if certain changes need to take place, like now with required OIDC, things can get a bit difficult.
Not only because Cloudron changes stuff, but with OIDC come other changes that people do not have in mind.
Like the user / password problem that does no longer work with any OIDC app.
That is why I wrote such an excessive guide for Nextcloud:
https://forum.cloudron.io/topic/10067/guide-external-nextcloud-with-openid-social-login-calendar-caldav-synchronization
But sometimes, these changes are required for security reasons or because the apps require it suddenly.
I can 100 % understand your frustration and annoyance, but remember, the same goes on when managing all these apps:
"Why does this app now require OIDC in a minor version change? And without that further security updates are not possible? WTF?!"
But I think there is a learning point here.
Maybe this update https://forum.cloudron.io/post/105728 should have been announced 1-2 weeks before with some TL;DR "keep in mind the following stuff might break".
And yet, afaik, the Cloudron Team does not have the possibility to notify users that use app XYZ specifically about these changes.
It has to be done in the forum.
I see improvement potential here.
-
Usually if such breakage is known upfront (which wasn't the case here, I guess we didn't expect the tokens get invalidated and then also expire in 1 day!) we would have released a major package version update, which requires manual updates so we can notify the admins.