Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow to specify a custom registry to fetch plugins from #2093

Open
nbverboven-medallia opened this issue Jan 12, 2023 · 10 comments
Open

Allow to specify a custom registry to fetch plugins from #2093

nbverboven-medallia opened this issue Jan 12, 2023 · 10 comments

Comments

@nbverboven-medallia
Copy link

Is your feature request related to a problem? Please describe.
At the company I work for, we were thinking about extending Altair's functionality with some plugins for internal use. With the current implementation, they would have to be publicly accesible to be installed but, for security reasons, we may only be able to publish them to a private registry.

Describe the solution you'd like
Lets say we have a package called altair-graphql-plugin-test. We could add a fourth way of sourcing plugins called custom or custom-registry (the name is tentative) which would be used like

custom:[email protected]::[url]->[https://company.private-registry.com]

I'm not really sure on how authentication would work but I'm guessing extra options may be necessary, such as token, user and password.

Describe alternatives you've considered
The authentication options could also be added to the url source but I'm not familiar enough with the inner workings of fetching a package from a private registry to know if this would give us the expected result.

Additional context
N/A

@nbverboven-medallia
Copy link
Author

nbverboven-medallia commented Jan 13, 2023

The idea of this issue was to discuss the feasability of this feature and possible implementations. After that, I can open a PR and start working on it.

@imolorhe
Copy link
Collaborator

Hey, so just to check, the url plugin source will not work for your use case?

@imolorhe
Copy link
Collaborator

Thinking about it, one thing that will need to be addressed is the CSP for this. The CSP will block any scripts from any other domain that is not specified. One way around this will be to add a new option for the private registry when initializing Altair -- when it is hosted e.g. via the express middleware, and add the domain to the CSP.

@nbverboven-medallia
Copy link
Author

The issues I see with using the url approach are that

  1. It requires the user to manually authenticate so an authenticacion cookie is generated.
  2. The definition ends up being quite verbose because the url needs to be fully specified. Something like
url:altair-graphql-plugin-my-plugin::[url]->[https://my-private-registry.company.com/api/npm/virtual-npm/altair-graphql-plugin-my-plugin@latest]

In my view, those are mainly UX things, but I'd rather tackle them if it was possible to increase the chances of people wanting to use this feature.

Apart from that, there's also what you mentioned about the CSP. From your comment, it seems that this feature would only work for a hosted version of Altair, right? It doesn't seem reasonable (or possible) to dynamically modify the CSP otherwise.

@imolorhe
Copy link
Collaborator

Yes. It is only possible for hosted versions of Altair, or the desktop applications. It's not possible with the browser extensions

@imolorhe
Copy link
Collaborator

Yours is the first request for the private registry. I'm happy to look into this more, but this is not priority for me at the moment.

If I understand what you're saying, we should define (or adopt, if there's already a standard for authentication with private registries) a proper authentication process for the private registry.

@nbverboven-medallia
Copy link
Author

If I understand what you're saying, we should define (or adopt, if there's already a standard for authentication with private registries) a proper authentication process for the private registry.

Yes, that was what I had in mind.

Yours is the first request for the private registry. I'm happy to look into this more, but this is not priority for me at the moment.

No worries. There's still the chance that we can make the plugins public but, if we end up needing this feature, it's likely that we open a pull request and start working on it (provided there's a chance of it being merged eventually).

@imolorhe
Copy link
Collaborator

Before creating the PR, it would be better to discuss exactly what the authentication part will look like.

@nbverboven-medallia
Copy link
Author

Agreed. Will keep you posted.

@imolorhe
Copy link
Collaborator

Is this still a relevant issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants