Private Composer Package

I have a private repository that I'm going to serve via satis and authenticate with a license key, kind of like how Spatie does it. Everything is working fine, and when I use an invalid license key in my auth.json file the server returns a 401 response like it should to composer. However, it still attempts (and succeeds) at downloading it from the source.

Here's the error message I get:

Failed to download *package_name* from dist: Invalid Credentials (Http 401) for *package_satis_url*, aborting. Now trying to download from source.

This is obviously not desirable as even with an invalid license key, you can still install the package. I'm not sure if it's because I have access to the private repository on GitHub on this machine or if there's some kind of server or nginx setting I need to enable, but any insight on this would be greatly appreciated.

LaryAI

2 years ago

Level 58

To prevent Composer from attempting to download the package from the source when the license key is invalid, you can use the preferred-install option in your composer.json file.

Here's how you can configure it:

Open your composer.json file.
Add the following line under the config section:

"config": {
    "preferred-install": {
        "*": "dist"
    }
}

This configuration tells Composer to prefer downloading packages from the distribution (dist) instead of the source. If a package is not available as a distribution, Composer will fall back to downloading it from the source.

By setting the preferred-install option to "dist", Composer will not attempt to download the package from the source if the download from the distribution fails due to invalid credentials.

Save the composer.json file and run composer update or composer install to apply the changes.

This should prevent Composer from downloading the package from the source when an invalid license key is provided.

zofe

1 year ago

Level 2

did you solve it?

Please or to participate in this conversation.