Composer ask for user credentials, i never set those.

Question

Composer ask for user credentials, i never set those.

tekkimariani opened this issue 5 years ago · comments

I have build my installation with this structure:

/git/vendor.package.git
/httpdocs/satis.json:

{
	"name": "tekki/mypackage",
	"homepage": "https://domain.dev",
	"repositories": [
    	{ "type": "vcs", "url": "git/vendor.package.git" }
  	],
	"require": {
    	"vendor/package": "*"
  	}
}

webuser@server:~$ php bin/satis build httpdocs/satis.json httpdocs
Scanning packages
wrote packages to httpdocs/include/all$70dd784b426c2e04a5467781f1f1ca9f724c5fd9.json
Writing packages.json
Pruning include directories
Deleted httpdocs/include/all$96e5c0926e9d7f87094d1ba307e38ea76cd09c53.json
Writing web view

I got this files:

/httpdocs/include/all$70dd784b426c2e04a5467781f1f1ca9f724c5fd9.json
/httpdocs/index.html
/httpdocs/packages.json

Everything looks fine.

Then i try to pull this repository to an existing composer project.

composer.json:

{
    "name": "tekki/usemypackage",
    "repositories": [{
        "type": "composer",
        "url": "https://domain.dev"
    }],
    "require": {
        "tekki/mypackage": "*"
    }
}

$ composer require tekki/mypackage

      Authentication required (domain.dev):
      Username: ?
      Password: ?

[Composer\Downloader\TransportException]                                       
Invalid credentials for 'https://domain.dev/packages.json', aborting.

I have never set any username or password. So I have no idea what they are or why composer is ask for it.

Here are my Questions:

Do I miss something?
Why composer ask for those credentials?
Where to set them?

Rob · Answer 1 · Mon Jun 24 2019 16:17:22 GMT+0800 (China Standard Time)

Missing verbose log.

tekki mariani · Answer 2 · Tue Jun 25 2019 01:47:52 GMT+0800 (China Standard Time)

[client xxx.xxx.xxx.xxx] ModSecurity: Warning. Matched phrase "/packages.json" at REQUEST_FILENAME. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "140"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /packages.json found within REQUEST_FILENAME: /packages.json"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "package.domain.dev"] [uri "/packages.json"] [unique_id "XRDfgakOwSPBJKrL-@HwyQAAABU"]

It was my fault. Access was restricted by Plesks Web Application Firewall and because of subdomain I was searching in the wrong error_logs.
But anyway it was irritating, the user data are queried, instead of receiving an error.