Composer ask for user credentials, i never set those.
tekkimariani opened this issue · comments
I have build my installation with this structure:
/git/vendor.package.git
/httpdocs/satis.json:
{
"name": "tekki/mypackage",
"homepage": "https://domain.dev",
"repositories": [
{ "type": "vcs", "url": "git/vendor.package.git" }
],
"require": {
"vendor/package": "*"
}
}
webuser@server:~$ php bin/satis build httpdocs/satis.json httpdocs
Scanning packages
wrote packages to httpdocs/include/all$70dd784b426c2e04a5467781f1f1ca9f724c5fd9.json
Writing packages.json
Pruning include directories
Deleted httpdocs/include/all$96e5c0926e9d7f87094d1ba307e38ea76cd09c53.json
Writing web view
I got this files:
/httpdocs/include/all$70dd784b426c2e04a5467781f1f1ca9f724c5fd9.json
/httpdocs/index.html
/httpdocs/packages.json
Everything looks fine.
Then i try to pull this repository to an existing composer project.
composer.json:
{
"name": "tekki/usemypackage",
"repositories": [{
"type": "composer",
"url": "https://domain.dev"
}],
"require": {
"tekki/mypackage": "*"
}
}
$ composer require tekki/mypackage
Authentication required (domain.dev):
Username: ?
Password: ?
[Composer\Downloader\TransportException]
Invalid credentials for 'https://domain.dev/packages.json', aborting.
I have never set any username or password. So I have no idea what they are or why composer is ask for it.
Here are my Questions:
Do I miss something?
Why composer ask for those credentials?
Where to set them?
Missing verbose log.
[client xxx.xxx.xxx.xxx] ModSecurity: Warning. Matched phrase "/packages.json" at REQUEST_FILENAME. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "140"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /packages.json found within REQUEST_FILENAME: /packages.json"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "package.domain.dev"] [uri "/packages.json"] [unique_id "XRDfgakOwSPBJKrL-@HwyQAAABU"]
It was my fault. Access was restricted by Plesks Web Application Firewall and because of subdomain I was searching in the wrong error_logs.
But anyway it was irritating, the user data are queried, instead of receiving an error.