Optional adduser() method for auth plug-ins is only partly optional

[AllanJard]

Your Environment

• verdaccio version: 5.23.2
• node version : v18.15.0
• package manager: 9.5.0
• os: Linux
• platform: npm

Describe the bug

I've been writing a basic plug-in for a Verdaccio server I'm working on using the API described here. The interface and documentation suggests that it is optional, and while Verdaccio does run without it, npm login will always fail.

To Reproduce

Create a simple plug-in that doesn't have an adduser() function:

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });

const createError = require('http-errors');
const commonsApi = require('@verdaccio/commons-api')

/**
 * Editor custom authentication plug-in
 */
class AuthCustomPlugin {
	constructor(config, options) {
		this.logger = options.logger;

		return this;
	}

	authenticate(user, password, cb) {
		cb(null, []);
	}

	allow_access(user, pkg, cb) {
		cb(null, true);
	}

	allow_publish(user, pkg, cb) {
		cb(null, true);
	}

	allow_unpublish(user, pkg, cb) {
		cb(null, true);
	}
}
exports.default = AuthCustomPlugin;

Run Verdaccio with this plug-in and attempt npm login for an existing user. This results in:

npm ERR! code E409
npm ERR! 409 Conflict - PUT https://..../-/user/org.couchdb.user:allan/-rev/undefined - username is already registered

npm ERR! A complete log of this run can be found in: /....npm/_logs/2023-04-14T14_40_06_339Z-debug-0.log

The console output from Verdaccio is:

0|verdaccio  | info <-- 127.0.0.1 requested 'POST /-/v1/login'
0|verdaccio  | http <-- 200, user: null(.... via 127.0.0.1), req: 'POST /-/v1/login', bytes: 22/0
0|verdaccio  | http <-- 404, user: null(.... via 127.0.0.1), req: 'POST /-/v1/login', bytes: 22/150
0|verdaccio  | info <-- 127.0.0.1 requested 'PUT /-/user/org.couchdb.user:allan'
0|verdaccio  | http <-- 200, user: null(.... via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:allan', bytes: 143/0
0|verdaccio  | warn --- the plugin method add_user in the auth plugin is deprecated and will be removed in next major release, notify to the plugin author
0|verdaccio  | error--- the user allan could not being added. Error: username is already registered
0|verdaccio  | http <-- 409, user: null(.... via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:allan', error: username is already registered
0|verdaccio  | info <-- 127.0.0.1 requested 'GET /-/user/org.couchdb.user:allan?write=true'
0|verdaccio  | http <-- 200, user: null(.... via 127.0.0.1), req: 'GET /-/user/org.couchdb.user:allan?write=true', bytes: 0/0
0|verdaccio  | http <-- 304, user: null(.... via 127.0.0.1), req: 'GET /-/user/org.couchdb.user:allan?write=true', bytes: 0/0
0|verdaccio  | info <-- 127.0.0.1 requested 'PUT /-/user/org.couchdb.user:allan/-rev/undefined'
0|verdaccio  | http <-- 200, user: null(.... via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:allan/-rev/undefined', bytes: 187/0
0|verdaccio  | warn --- the plugin method add_user in the auth plugin is deprecated and will be removed in next major release, notify to the plugin author
0|verdaccio  | error--- the user allan could not being added. Error: username is already registered
0|verdaccio  | http <-- 409, user: null(.... via 127.0.0.1), req: 'PUT /-/user/org.couchdb.user:allan/-rev/undefined', error: username is already registered

If you now add the following function to the plug-in:

        adduser(user, pass, cb) {
                cb(null, true);
        }

Then you can login successfully.

Related: I'd been looking at this issue before discovering that adduser() is required to allow existing users to login.

I'm not sure what the right fix it - either to make it a required method, or to allow adduser to pass for the plug-in if it wasn't defined (could anyone be depending on this behaviour?!).

[brendanbond]

Linking to #943 in case anyone else has a custom auth plugin and is receiving the same E409 error; thanks @AllanJard !