Request advice for a plugin implementation

[blendsdk]

Hi,

I would like to achieve granular control when accessing and downloading packages.

For example, an authenticated UserA is allowed to download package-v1.0.0 but NOT package-v2.0.0
I think Verdaccio does not provide such functionality by default and I have to develop a plugin for this (or a series of plugins).

To me it is not really clear where this access control should be implemented?
Is it at storage level? package.js endpoint level, or authentication level.

Any advice is greatly appreciated.

[juanpicado]

Related #226 #810
#818

To me it is not really clear where this access control should be implemented?

In verdaccio side, which is the responsable to delegate information to the auth plugin. If you observ in our side we extract the file name but we don't use the version.
https://github.com/verdaccio/verdaccio/blob/master/src/api/middleware.js#L104

I'd considerate this change if we don't affect current plugins.

[blendsdk]

I have done some debugging and it looks like the allow:104 method is eventually calling auth:121. There the pkg:124 is constructed and passed to the plugins.

In order to support this, the extra information should come from middleware.js and augmented to pkg. Unfortunately my knowledge of the code-base is limited to test it extensively. But it looks like the implementation is quite possible.