Blog RSS Feed Subscribe

Jordi Boggiano

Jordi Boggiano Passionate web developer, specialized in web performance and php. Partner at Nelmio, information junkie and speaker.

Categories

Authentication management in Composer

Up until today if you run a home-grown package repository serving private packages it was quite a pain to use with Composer. You did not have efficient way to password-protect the repository except by inlining the password in the composer.json or by typing the username/password every single time.

With the merge of PR#1862 and some further improvements you can now remove credentials from your composer.json! The first time Composer needs to authenticate against some domain it will prompt you for a username/password and then you will be asked whether you want to store it. The storage can be done either globally in the COMPOSER_HOME/auth.json file (COMPOSER_HOME defaults to ~/.composer or %APPDATA%/Composer on Windows) or also in the project directory directly sitting besides your composer.json.

You can also configure these by hand using the config command if you need to configure a production machine to be able to run non-interactive installs. For example to enter credentials for example.org one could type:

composer config http-basic.example.org username password

That will store it in the current directory's auth.json, but if you want it available globally you can use the --global (-g) flag.

The advantage of having it in a separate file is that you can easily add this auth.json to .gitignore and let every developer in your company have their own credentials in there.

And I did not forget the security-minded folks that do not want to store anything on disk and do not want to be prompted every time! You can use composer config -g store-auths false

Altogether these small improvements should make some use cases much easier so that is great news.

May 27, 2014 // News, PHP

Post a comment:


Formatting: you may use [code php] [/code] (or other languages) for code blocks, links are automatically linked. <strong>, <em> and <blockquote> html tags are allowed without nesting, the rest will be escaped.

Subscribe to this RSS Feed Comments

2014-05-28 15:56:28

cordoval

very nice addition, thank you very much!

2014-05-29 21:20:24

Swop

Nice feature. Thanks a lot Jordi :-)

2014-05-30 08:56:30

Maximilian Berghoff

Hi,

that's a nice feature.

Would have one questions:

Home-grown package repository just works with
"repositories":[{"type":"vcs","url":"file:// or https:// or .."},
or are there other way, except from buying a private license on packagist?

I am on my way to introduce that at our company, so buying an account in that case would be to early. I just fetch all repos by "file://" from a our network storage. Are there other better examples?
Read some stuff about setting up the git repos on a server by https:// or just an user called git.

2014-06-01 07:17:29

Mairu

@Maximilian Berghoff:
I guess you are searching for https://github.com/composer/satis