-
-
Notifications
You must be signed in to change notification settings - Fork 322
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow to specify a custom registry to fetch plugins from #2093
Comments
The idea of this issue was to discuss the feasability of this feature and possible implementations. After that, I can open a PR and start working on it. |
Hey, so just to check, the |
Thinking about it, one thing that will need to be addressed is the CSP for this. The CSP will block any scripts from any other domain that is not specified. One way around this will be to add a new option for the private registry when initializing Altair -- when it is hosted e.g. via the express middleware, and add the domain to the CSP. |
The issues I see with using the
In my view, those are mainly UX things, but I'd rather tackle them if it was possible to increase the chances of people wanting to use this feature. Apart from that, there's also what you mentioned about the CSP. From your comment, it seems that this feature would only work for a hosted version of Altair, right? It doesn't seem reasonable (or possible) to dynamically modify the CSP otherwise. |
Yes. It is only possible for hosted versions of Altair, or the desktop applications. It's not possible with the browser extensions |
Yours is the first request for the private registry. I'm happy to look into this more, but this is not priority for me at the moment. If I understand what you're saying, we should define (or adopt, if there's already a standard for authentication with private registries) a proper authentication process for the private registry. |
Yes, that was what I had in mind.
No worries. There's still the chance that we can make the plugins public but, if we end up needing this feature, it's likely that we open a pull request and start working on it (provided there's a chance of it being merged eventually). |
Before creating the PR, it would be better to discuss exactly what the authentication part will look like. |
Agreed. Will keep you posted. |
Is this still a relevant issue? |
Is your feature request related to a problem? Please describe.
At the company I work for, we were thinking about extending Altair's functionality with some plugins for internal use. With the current implementation, they would have to be publicly accesible to be installed but, for security reasons, we may only be able to publish them to a private registry.
Describe the solution you'd like
Lets say we have a package called
altair-graphql-plugin-test
. We could add a fourth way of sourcing plugins calledcustom
orcustom-registry
(the name is tentative) which would be used likeI'm not really sure on how authentication would work but I'm guessing extra options may be necessary, such as
token
,user
andpassword
.Describe alternatives you've considered
The authentication options could also be added to the
url
source but I'm not familiar enough with the inner workings of fetching a package from a private registry to know if this would give us the expected result.Additional context
N/A
The text was updated successfully, but these errors were encountered: