Let’s say I have an NPM organization and I just created a private npm module with my company’s IP/framework that we reuse internally.

I want this module to be reused in multiple projects for multiple clients. However I want to offer this private npm package only once / project / client. (Or: once / machine / client)

How do I avoid the client taking that private npm package and reusing it for other projects without my company agreeing to it by purchasing another license?

Is there a way to protect packages like this for an agency/client type licensed relationship?

I know that with an .npmrc file the client’s server where the package is installed needs to be authenticated; however, I don’t know whether that authentication can be restricted to a single Host/IP or something similar.

Is there a solution for this? If not, what would it take to develop it?

Adam Halasz

1 Answer

Since the packages will be served via HTTP(S), you can force the clients to go through an API gateway, which will enforce the rate-limiting rules you want. For example, you can use Kong's Rate Limiting feature (https://docs.konghq.com/hub/kong-inc/rate-limiting/): set up a Kong API gateway as a proxy for the npm registry.

itayad
  • Hi @itayad, thanks for the response. Kong looks interesting, never used it before. Can you show me an example of how this would work? I’m a bit confused about what URLs I have to proxy. The package.json would contain for example the dependency of @organization/module. How would an npm install command on the client’s machine access the Gateway instead of the direct npm routes? – Adam Halasz Jun 08 '20 at 08:40
  • If you're managing the NPM registry by yourself and not using the public NPM registry, then you can achieve your objective of limiting access to certain packages. Managing a private NPM registry is possible with products like Artifactory, which you can install in your organization, and out of the box it allows you to manage authorization to packages, but for advanced rate limiting, setting up an API gateway (e.g. Kong) will allow you to set up more advanced restrictions – itayad Jun 09 '20 at 05:31
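As an added example (not code from the answer, the asker, or the Kong project), this is a Kong declarative configuration that fronts a self-hosted npm registry and applies the rate-limiting plugin per client IP, which is the "once / machine / client" idea from the question; the hostnames, the `@organization` scope and the numeric limits are assumptions.

```yaml
# Kong declarative config (kong.yml) for a rate-limited npm registry proxy.
# Assumed names: npm-gateway.example.com (the gateway the clients talk to)
# and npm.internal.example.com (the private registry behind it).
_format_version: "2.1"

services:
  - name: private-npm-registry
    # Upstream: the self-hosted registry (e.g. Artifactory) holding the scoped packages.
    url: https://npm.internal.example.com
    routes:
      - name: npm-clients
        # Clients reach the registry only through this hostname.
        hosts:
          - npm-gateway.example.com
        paths:
          - /
        strip_path: false
    plugins:
      - name: rate-limiting
        config:
          # Budget per source IP: enough for one fresh install of the scoped
          # package and its metadata, not for repeated installs across projects.
          minute: 10
          hour: 50
          # Key the counters on the client's IP address (the "per machine" case).
          limit_by: ip
          # Counters kept in the Kong node; use "cluster" or "redis" for multiple nodes.
          policy: local
          # Fail closed: if the counter store is unavailable, reject rather than allow.
          fault_tolerant: false
```

On each client, an `.npmrc` entry such as `@organization:registry=https://npm-gateway.example.com/` (with the matching `//npm-gateway.example.com/:_authToken=...` line) makes `npm install @organization/module` resolve through the gateway instead of the public registry. Note that npm downloads the tarball from the `dist.tarball` URL returned in the package metadata, so the private registry must advertise URLs that point back at the gateway host, or tarball fetches bypass the rate limit.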