fix: clean up stale smoke test container before run

docs: trim README, link to docs site, fix website URL
chore: remove internal release runbook from public repo
2026-04-13 00:20:33 +00:00 · 2026-03-15 22:25:37 +00:00 · 2026-03-15 22:21:08 +00:00 · 2026-03-15 21:57:05 +00:00 · 2026-03-15 21:54:13 +00:00 · 2026-03-15 21:50:14 +00:00
17 changed files with 350 additions and 158 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -85,3 +85,93 @@ jobs:
        with:
          sarif_file: trivy-fs.sarif
          category: trivy-fs
+
+  integration:
+    name: Integration
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Build NORA
+        run: cargo build --release --package nora-registry
+
+      # -- Start NORA --
+      - name: Start NORA
+        run: |
+          NORA_STORAGE_PATH=/tmp/nora-data ./target/release/nora &
+          for i in $(seq 1 15); do
+            curl -sf http://localhost:4000/health && break || sleep 2
+          done
+          curl -sf http://localhost:4000/health | jq .
+
+      # -- Docker push/pull --
+      - name: Configure Docker for insecure registry
+        run: |
+          echo '{"insecure-registries": ["localhost:4000"]}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+          sleep 2
+
+      - name: Docker — push and pull image
+        run: |
+          docker pull alpine:3.20
+          docker tag alpine:3.20 localhost:4000/test/alpine:integration
+          docker push localhost:4000/test/alpine:integration
+          docker rmi localhost:4000/test/alpine:integration
+          docker pull localhost:4000/test/alpine:integration
+          echo "Docker push/pull OK"
+
+      - name: Docker — verify catalog and tags
+        run: |
+          curl -sf http://localhost:4000/v2/_catalog | jq .
+          curl -sf http://localhost:4000/v2/test/alpine/tags/list | jq .
+
+      # -- npm (read-only proxy, no publish support yet) --
+      - name: npm — verify registry endpoint
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/npm/lodash)
+          echo "npm endpoint returned: $STATUS"
+          [ "$STATUS" != "000" ] && echo "npm endpoint OK" || (echo "npm endpoint unreachable" && exit 1)
+
+      # -- Maven deploy/download --
+      - name: Maven — deploy and download artifact
+        run: |
+          echo "test-artifact-content-$(date +%s)" > /tmp/test-artifact.jar
+          CHECKSUM=$(sha256sum /tmp/test-artifact.jar | cut -d' ' -f1)
+          curl -sf -X PUT --data-binary @/tmp/test-artifact.jar             http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          curl -sf -o /tmp/downloaded.jar             http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          DOWNLOAD_CHECKSUM=$(sha256sum /tmp/downloaded.jar | cut -d' ' -f1)
+          [ "$CHECKSUM" = "$DOWNLOAD_CHECKSUM" ] && echo "Maven deploy/download OK" || (echo "Checksum mismatch!" && exit 1)
+
+      # -- PyPI (read-only proxy, no upload support yet) --
+      - name: PyPI — verify simple index
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/simple/)
+          echo "PyPI simple index returned: $STATUS"
+          [ "$STATUS" = "200" ] && echo "PyPI endpoint OK" || (echo "Expected 200, got $STATUS" && exit 1)
+
+      # -- Cargo (read-only proxy, no publish support yet) --
+      - name: Cargo — verify registry API responds
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/cargo/api/v1/crates/serde)
+          echo "Cargo API returned: $STATUS"
+          [ "$STATUS" != "000" ] && echo "Cargo endpoint OK" || (echo "Cargo endpoint unreachable" && exit 1)
+
+      # -- API checks --
+      - name: API — health, ready, metrics
+        run: |
+          curl -sf http://localhost:4000/health | jq .status
+          curl -sf http://localhost:4000/ready
+          curl -sf http://localhost:4000/metrics | head -5
+          echo "API checks OK"
+
+      - name: Stop NORA
+        if: always()
+        run: pkill nora || true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -72,7 +72,7 @@ jobs:
          push: true
          tags: ${{ steps.meta-alpine.outputs.tags }}
          labels: ${{ steps.meta-alpine.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine,ignore-error=true
          cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine,mode=max

      # ── RED OS ───────────────────────────────────────────────────────────────
@@ -98,7 +98,7 @@ jobs:
          push: true
          tags: ${{ steps.meta-redos.outputs.tags }}
          labels: ${{ steps.meta-redos.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos,ignore-error=true
          cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos,mode=max

      # ── Astra Linux SE ───────────────────────────────────────────────────────
@@ -124,13 +124,14 @@ jobs:
          push: true
          tags: ${{ steps.meta-astra.outputs.tags }}
          labels: ${{ steps.meta-astra.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,ignore-error=true
          cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,mode=max

      # ── Smoke test ──────────────────────────────────────────────────────────
      - name: Smoke test — verify alpine image starts and responds
        run: |
-          docker run --rm -d --name nora-smoke -p 5555:5000 \
+          docker rm -f nora-smoke 2>/dev/null || true
+          docker run --rm -d --name nora-smoke -p 5555:4000 -e NORA_HOST=0.0.0.0 \
            ${{ env.NORA }}/${{ env.IMAGE_NAME }}:latest
          for i in $(seq 1 10); do
            curl -sf http://localhost:5555/health && break || sleep 2
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -0,0 +1,8 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+[allowlist]
+  description = "Allowlist for false positives"
+
+  # Documentation examples with placeholder credentials
+  commits = ["92155cf6574d89f93ee68503a7b68455ceaa19af"]
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,28 @@ All notable changes to NORA will be documented in this file.

 ---

+## [0.2.29] - 2026-03-15
+
+### Added / Добавлено
+- **Upstream Authentication**: All registry proxies now support Basic Auth credentials for private upstream registries
+- **Аутентификация upstream**: Все прокси реестров теперь поддерживают Basic Auth для приватных upstream-реестров
+  - Docker: `NORA_DOCKER_UPSTREAMS="https://registry.corp.com|user:pass"`
+  - Maven: `NORA_MAVEN_PROXIES="https://nexus.corp.com/maven2|user:pass"`
+  - npm: `NORA_NPM_PROXY_AUTH="user:pass"`
+  - PyPI: `NORA_PYPI_PROXY_AUTH="user:pass"`
+- **Plaintext credential warning**: NORA logs a warning at startup if credentials are stored in config.toml instead of env vars
+- **Предупреждение о plaintext credentials**: NORA логирует предупреждение при старте, если credentials хранятся в config.toml вместо переменных окружения
+
+### Changed / Изменено
+- Extracted `basic_auth_header()` helper for consistent auth across all protocols
+- Вынесен хелпер `basic_auth_header()` для единообразной авторизации всех протоколов
+
+### Removed / Удалено
+- Removed unused `DockerAuth::fetch_with_auth()` method (dead code cleanup)
+- Удалён неиспользуемый метод `DockerAuth::fetch_with_auth()` (очистка мёртвого кода)
+
+---
+
 ## [0.2.28] - 2026-03-13

 ### Fixed / Исправлено
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1247,7 +1247,7 @@ checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"

 [[package]]
 name = "nora-cli"
-version = "0.2.28"
+version = "0.2.29"
 dependencies = [
 "clap",
 "flate2",
@@ -1261,7 +1261,7 @@ dependencies = [

 [[package]]
 name = "nora-registry"
-version = "0.2.28"
+version = "0.2.29"
 dependencies = [
 "async-trait",
 "axum",
@@ -1299,7 +1299,7 @@ dependencies = [

 [[package]]
 name = "nora-storage"
-version = "0.2.28"
+version = "0.2.29"
 dependencies = [
 "axum",
 "base64",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,7 +7,7 @@ members = [
 ]

 [workspace.package]
-version = "0.2.28"
+version = "0.2.29"
 edition = "2021"
 license = "MIT"
 authors = ["DevITWay <devitway@gmail.com>"]
--- a/README.md
+++ b/README.md
@@ -36,8 +36,10 @@ Fast. Organized. Feel at Home.

 - **Security**
  - Basic Auth (htpasswd + bcrypt)
-  - Revocable API tokens
+  - Revocable API tokens with RBAC
  - ENV-based configuration (12-Factor)
+  - SBOM (SPDX + CycloneDX) in every release
+  - See [SECURITY.md](SECURITY.md) for vulnerability reporting

 ## Quick Start

@@ -111,37 +113,14 @@ curl -u admin:yourpassword http://localhost:4000/v2/_catalog

 ### API Tokens (RBAC)

-Tokens support three roles: `read`, `write`, `admin`.
-
-```bash
-# Create a write token (30 days TTL)
-curl -s -X POST http://localhost:4000/api/tokens \
-  -H "Content-Type: application/json" \
-  -d '{"username":"admin","password":"yourpassword","role":"write","ttl_days":90,"description":"CI/CD"}'
-
-# Use token with Docker
-docker login localhost:4000 -u token -p nra_<token>
-
-# Use token with curl
-curl -H "Authorization: Bearer nra_<token>" http://localhost:4000/v2/_catalog
-
-# List tokens
-curl -s -X POST http://localhost:4000/api/tokens/list \
-  -H "Content-Type: application/json" \
-  -d '{"username":"admin","password":"yourpassword"}'
-
-# Revoke token by hash prefix
-curl -s -X POST http://localhost:4000/api/tokens/revoke \
-  -H "Content-Type: application/json" \
-  -d '{"username":"admin","password":"yourpassword","hash_prefix":"<first 16 chars>"}'
-```
-
 | Role | Pull/Read | Push/Write | Delete/Admin |
 |------|-----------|------------|--------------|
 | `read` | Yes | No | No |
 | `write` | Yes | Yes | No |
 | `admin` | Yes | Yes | Yes |

+See [Authentication guide](https://getnora.dev/configuration/authentication/) for token management, Docker login, and CI/CD integration.
+
 ## CLI Commands

 ```bash
@@ -161,18 +140,10 @@ nora migrate --from local --to s3
 | `NORA_HOST` | 127.0.0.1 | Bind address |
 | `NORA_PORT` | 4000 | Port |
 | `NORA_STORAGE_MODE` | local | `local` or `s3` |
-| `NORA_STORAGE_PATH` | data/storage | Local storage path |
-| `NORA_STORAGE_S3_URL` | - | S3 endpoint URL |
-| `NORA_STORAGE_BUCKET` | registry | S3 bucket name |
 | `NORA_AUTH_ENABLED` | false | Enable authentication |
-| `NORA_RATE_LIMIT_AUTH_RPS` | 1 | Auth requests per second |
-| `NORA_RATE_LIMIT_AUTH_BURST` | 5 | Auth burst size |
-| `NORA_RATE_LIMIT_UPLOAD_RPS` | 200 | Upload requests per second |
-| `NORA_RATE_LIMIT_UPLOAD_BURST` | 500 | Upload burst size |
-| `NORA_RATE_LIMIT_GENERAL_RPS` | 100 | General requests per second |
-| `NORA_RATE_LIMIT_GENERAL_BURST` | 200 | General burst size |
-| `NORA_SECRETS_PROVIDER` | env | Secrets provider (`env`) |
-| `NORA_SECRETS_CLEAR_ENV` | false | Clear env vars after reading |
+| `NORA_DOCKER_UPSTREAMS` | `https://registry-1.docker.io` | Docker upstreams (`url\|user:pass,...`) |
+
+See [full configuration reference](https://getnora.dev/configuration/settings/) for all environment variables including storage, rate limiting, proxy auth, and secrets.

 ### config.toml

@@ -189,24 +160,10 @@ path = "data/storage"
 enabled = false
 htpasswd_file = "users.htpasswd"

-[rate_limit]
-# Strict limits for authentication (brute-force protection)
-auth_rps = 1
-auth_burst = 5
-# High limits for CI/CD upload workloads
-upload_rps = 200
-upload_burst = 500
-# Balanced limits for general API endpoints
-general_rps = 100
-general_burst = 200
-
-[secrets]
-# Provider: env (default), aws-secrets, vault, k8s (coming soon)
-provider = "env"
-# Clear environment variables after reading (security hardening)
-clear_env = false
 ```

+See [full config reference](https://getnora.dev/configuration/settings/) for rate limiting, secrets, and proxy settings.
+
 ## Endpoints

 | URL | Description |
@@ -305,7 +262,7 @@ These builds are published as `-astra` and `-redos` tagged images in GitHub Rele

 **Created and maintained by [DevITWay](https://github.com/devitway)**

- Website: [getnora.io](https://getnora.io)
+- Website: [getnora.dev](https://getnora.dev)
 - Telegram: [@DevITWay](https://t.me/DevITWay)
 - GitHub: [@devitway](https://github.com/devitway)
 - Email: devitway@gmail.com
--- a/nora-registry/src/config.rs
+++ b/nora-registry/src/config.rs
@@ -1,12 +1,18 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT

+use base64::{engine::general_purpose::STANDARD, Engine};
 use serde::{Deserialize, Serialize};
 use std::env;
 use std::fs;

 pub use crate::secrets::SecretsConfig;

+/// Encode "user:pass" into a Basic Auth header value, e.g. "Basic dXNlcjpwYXNz".
+pub fn basic_auth_header(credentials: &str) -> String {
+    format!("Basic {}", STANDARD.encode(credentials))
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Config {
    pub server: ServerConfig,
@@ -93,7 +99,7 @@ fn default_bucket() -> String {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct MavenConfig {
    #[serde(default)]
-    pub proxies: Vec<String>,
+    pub proxies: Vec<MavenProxyEntry>,
    #[serde(default = "default_timeout")]
    pub proxy_timeout: u64,
 }
@@ -102,6 +108,8 @@ pub struct MavenConfig {
 pub struct NpmConfig {
    #[serde(default)]
    pub proxy: Option<String>,
+    #[serde(default)]
+    pub proxy_auth: Option<String>, // "user:pass" for basic auth
    #[serde(default = "default_timeout")]
    pub proxy_timeout: u64,
 }
@@ -110,6 +118,8 @@ pub struct NpmConfig {
 pub struct PypiConfig {
    #[serde(default)]
    pub proxy: Option<String>,
+    #[serde(default)]
+    pub proxy_auth: Option<String>, // "user:pass" for basic auth
    #[serde(default = "default_timeout")]
    pub proxy_timeout: u64,
 }
@@ -131,6 +141,37 @@ pub struct DockerUpstream {
    pub auth: Option<String>, // "user:pass" for basic auth
 }

+/// Maven upstream proxy configuration
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum MavenProxyEntry {
+    Simple(String),
+    Full(MavenProxy),
+}
+
+/// Maven upstream proxy with optional auth
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct MavenProxy {
+    pub url: String,
+    #[serde(default)]
+    pub auth: Option<String>, // "user:pass" for basic auth
+}
+
+impl MavenProxyEntry {
+    pub fn url(&self) -> &str {
+        match self {
+            MavenProxyEntry::Simple(s) => s,
+            MavenProxyEntry::Full(p) => &p.url,
+        }
+    }
+    pub fn auth(&self) -> Option<&str> {
+        match self {
+            MavenProxyEntry::Simple(_) => None,
+            MavenProxyEntry::Full(p) => p.auth.as_deref(),
+        }
+    }
+}
+
 /// Raw repository configuration for simple file storage
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct RawConfig {
@@ -177,7 +218,9 @@ fn default_timeout() -> u64 {
 impl Default for MavenConfig {
    fn default() -> Self {
        Self {
-            proxies: vec!["https://repo1.maven.org/maven2".to_string()],
+            proxies: vec![MavenProxyEntry::Simple(
+                "https://repo1.maven.org/maven2".to_string(),
+            )],
            proxy_timeout: 30,
        }
    }
@@ -187,6 +230,7 @@ impl Default for NpmConfig {
    fn default() -> Self {
        Self {
            proxy: Some("https://registry.npmjs.org".to_string()),
+            proxy_auth: None,
            proxy_timeout: 30,
        }
    }
@@ -196,6 +240,7 @@ impl Default for PypiConfig {
    fn default() -> Self {
        Self {
            proxy: Some("https://pypi.org/simple/".to_string()),
+            proxy_auth: None,
            proxy_timeout: 30,
        }
    }
@@ -309,6 +354,37 @@ impl Default for RateLimitConfig {
 }

 impl Config {
+    /// Warn if credentials are configured via config.toml (not env vars)
+    pub fn warn_plaintext_credentials(&self) {
+        // Docker upstreams
+        for (i, upstream) in self.docker.upstreams.iter().enumerate() {
+            if upstream.auth.is_some() && std::env::var("NORA_DOCKER_UPSTREAMS").is_err() {
+                tracing::warn!(
+                    upstream_index = i,
+                    url = %upstream.url,
+                    "Docker upstream credentials in config.toml are plaintext — consider NORA_DOCKER_UPSTREAMS env var"
+                );
+            }
+        }
+        // Maven proxies
+        for proxy in &self.maven.proxies {
+            if proxy.auth().is_some() && std::env::var("NORA_MAVEN_PROXIES").is_err() {
+                tracing::warn!(
+                    url = %proxy.url(),
+                    "Maven proxy credentials in config.toml are plaintext — consider NORA_MAVEN_PROXIES env var"
+                );
+            }
+        }
+        // npm
+        if self.npm.proxy_auth.is_some() && std::env::var("NORA_NPM_PROXY_AUTH").is_err() {
+            tracing::warn!("npm proxy credentials in config.toml are plaintext — consider NORA_NPM_PROXY_AUTH env var");
+        }
+        // PyPI
+        if self.pypi.proxy_auth.is_some() && std::env::var("NORA_PYPI_PROXY_AUTH").is_err() {
+            tracing::warn!("PyPI proxy credentials in config.toml are plaintext — consider NORA_PYPI_PROXY_AUTH env var");
+        }
+    }
+
    /// Load configuration with priority: ENV > config.toml > defaults
    pub fn load() -> Self {
        // 1. Start with defaults
@@ -377,9 +453,23 @@ impl Config {
            self.auth.htpasswd_file = val;
        }

-        // Maven config
+        // Maven config — supports "url1,url2" or "url1|auth1,url2|auth2"
        if let Ok(val) = env::var("NORA_MAVEN_PROXIES") {
-            self.maven.proxies = val.split(',').map(|s| s.trim().to_string()).collect();
+            self.maven.proxies = val
+                .split(',')
+                .filter(|s| !s.is_empty())
+                .map(|s| {
+                    let parts: Vec<&str> = s.trim().splitn(2, '|').collect();
+                    if parts.len() > 1 {
+                        MavenProxyEntry::Full(MavenProxy {
+                            url: parts[0].to_string(),
+                            auth: Some(parts[1].to_string()),
+                        })
+                    } else {
+                        MavenProxyEntry::Simple(parts[0].to_string())
+                    }
+                })
+                .collect();
        }
        if let Ok(val) = env::var("NORA_MAVEN_PROXY_TIMEOUT") {
            if let Ok(timeout) = val.parse() {
@@ -397,6 +487,11 @@ impl Config {
            }
        }

+        // npm proxy auth
+        if let Ok(val) = env::var("NORA_NPM_PROXY_AUTH") {
+            self.npm.proxy_auth = if val.is_empty() { None } else { Some(val) };
+        }
+
        // PyPI config
        if let Ok(val) = env::var("NORA_PYPI_PROXY") {
            self.pypi.proxy = if val.is_empty() { None } else { Some(val) };
@@ -407,6 +502,11 @@ impl Config {
            }
        }

+        // PyPI proxy auth
+        if let Ok(val) = env::var("NORA_PYPI_PROXY_AUTH") {
+            self.pypi.proxy_auth = if val.is_empty() { None } else { Some(val) };
+        }
+
        // Docker config
        if let Ok(val) = env::var("NORA_DOCKER_PROXY_TIMEOUT") {
            if let Ok(timeout) = val.parse() {
--- a/nora-registry/src/main.rs
+++ b/nora-registry/src/main.rs
@@ -289,6 +289,9 @@ async fn run_server(config: Config, storage: Storage) {
    let storage_path = config.storage.path.clone();
    let rate_limit_enabled = config.rate_limit.enabled;

+    // Warn about plaintext credentials in config.toml
+    config.warn_plaintext_credentials();
+
    // Initialize Docker auth with proxy timeout
    let docker_auth = registry::DockerAuth::new(config.docker.proxy_timeout);

--- a/nora-registry/src/openapi.rs
+++ b/nora-registry/src/openapi.rs
@@ -5,7 +5,6 @@
 //!
 //! Functions in this module are stubs used only for generating OpenAPI documentation.

-
 #![allow(dead_code)] // utoipa doc stubs — not called at runtime, used by derive macros

 use axum::Router;
--- a/nora-registry/src/registry/docker.rs
+++ b/nora-registry/src/registry/docker.rs
@@ -3,6 +3,7 @@

 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::registry::docker_auth::DockerAuth;
 use crate::storage::Storage;
 use crate::validation::{validate_digest, validate_docker_name, validate_docker_reference};
@@ -181,6 +182,7 @@ async fn download_blob(
            &digest,
            &state.docker_auth,
            state.config.docker.proxy_timeout,
+            upstream.auth.as_deref(),
        )
        .await
        {
@@ -392,6 +394,7 @@ async fn get_manifest(
            &reference,
            &state.docker_auth,
            state.config.docker.proxy_timeout,
+            upstream.auth.as_deref(),
        )
        .await
        {
@@ -733,6 +736,7 @@ async fn fetch_blob_from_upstream(
    digest: &str,
    docker_auth: &DockerAuth,
    timeout: u64,
+    basic_auth: Option<&str>,
 ) -> Result<Vec<u8>, ()> {
    let url = format!(
        "{}/v2/{}/blobs/{}",
@@ -741,13 +745,12 @@ async fn fetch_blob_from_upstream(
        digest
    );

-    // First try without auth
-    let response = client
-        .get(&url)
-        .timeout(Duration::from_secs(timeout))
-        .send()
-        .await
-        .map_err(|_| ())?;
+    // First try — with basic auth if configured
+    let mut request = client.get(&url).timeout(Duration::from_secs(timeout));
+    if let Some(credentials) = basic_auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;

    let response = if response.status() == reqwest::StatusCode::UNAUTHORIZED {
        // Get Www-Authenticate header and fetch token
@@ -758,7 +761,7 @@ async fn fetch_blob_from_upstream(
            .map(String::from);

        if let Some(token) = docker_auth
-            .get_token(upstream_url, name, www_auth.as_deref())
+            .get_token(upstream_url, name, www_auth.as_deref(), basic_auth)
            .await
        {
            client
@@ -790,6 +793,7 @@ async fn fetch_manifest_from_upstream(
    reference: &str,
    docker_auth: &DockerAuth,
    timeout: u64,
+    basic_auth: Option<&str>,
 ) -> Result<(Vec<u8>, String), ()> {
    let url = format!(
        "{}/v2/{}/manifests/{}",
@@ -806,16 +810,17 @@ async fn fetch_manifest_from_upstream(
                         application/vnd.oci.image.manifest.v1+json, \
                         application/vnd.oci.image.index.v1+json";

-    // First try without auth
-    let response = client
+    // First try — with basic auth if configured
+    let mut request = client
        .get(&url)
        .timeout(Duration::from_secs(timeout))
-        .header("Accept", accept_header)
-        .send()
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, url = %url, "Failed to send request to upstream");
-        })?;
+        .header("Accept", accept_header);
+    if let Some(credentials) = basic_auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|e| {
+        tracing::error!(error = %e, url = %url, "Failed to send request to upstream");
+    })?;

    tracing::debug!(status = %response.status(), "Initial upstream response");

@@ -830,7 +835,7 @@ async fn fetch_manifest_from_upstream(
        tracing::debug!(www_auth = ?www_auth, "Got 401, fetching token");

        if let Some(token) = docker_auth
-            .get_token(upstream_url, name, www_auth.as_deref())
+            .get_token(upstream_url, name, www_auth.as_deref(), basic_auth)
            .await
        {
            tracing::debug!("Token acquired, retrying with auth");
--- a/nora-registry/src/registry/docker_auth.rs
+++ b/nora-registry/src/registry/docker_auth.rs
@@ -1,6 +1,7 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT

+use crate::config::basic_auth_header;
 use parking_lot::RwLock;
 use std::collections::HashMap;
 use std::time::{Duration, Instant};
@@ -36,6 +37,7 @@ impl DockerAuth {
        registry_url: &str,
        name: &str,
        www_authenticate: Option<&str>,
+        basic_auth: Option<&str>,
    ) -> Option<String> {
        let cache_key = format!("{}:{}", registry_url, name);

@@ -51,7 +53,7 @@ impl DockerAuth {

        // Need to fetch a new token
        let www_auth = www_authenticate?;
-        let token = self.fetch_token(www_auth, name).await?;
+        let token = self.fetch_token(www_auth, name, basic_auth).await?;

        // Cache the token (default 5 minute expiry)
        {
@@ -70,7 +72,12 @@ impl DockerAuth {

    /// Parse Www-Authenticate header and fetch token from auth server
    /// Format: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/alpine:pull"
-    async fn fetch_token(&self, www_authenticate: &str, name: &str) -> Option<String> {
+    async fn fetch_token(
+        &self,
+        www_authenticate: &str,
+        name: &str,
+        basic_auth: Option<&str>,
+    ) -> Option<String> {
        let params = parse_www_authenticate(www_authenticate)?;

        let realm = params.get("realm")?;
@@ -82,7 +89,13 @@ impl DockerAuth {

        tracing::debug!(url = %url, "Fetching auth token");

-        let response = self.client.get(&url).send().await.ok()?;
+        let mut request = self.client.get(&url);
+        if let Some(credentials) = basic_auth {
+            request = request.header("Authorization", basic_auth_header(credentials));
+            tracing::debug!("Using basic auth for token request");
+        }
+
+        let response = request.send().await.ok()?;

        if !response.status().is_success() {
            tracing::warn!(status = %response.status(), "Token request failed");
@@ -97,44 +110,6 @@ impl DockerAuth {
            .and_then(|v| v.as_str())
            .map(String::from)
    }
-
-    /// Make an authenticated request to an upstream registry
-    pub async fn fetch_with_auth(
-        &self,
-        url: &str,
-        registry_url: &str,
-        name: &str,
-    ) -> Result<reqwest::Response, ()> {
-        // First try without auth
-        let response = self.client.get(url).send().await.map_err(|_| ())?;
-
-        if response.status() == reqwest::StatusCode::UNAUTHORIZED {
-            // Extract Www-Authenticate header
-            let www_auth = response
-                .headers()
-                .get("www-authenticate")
-                .and_then(|v| v.to_str().ok())
-                .map(String::from);
-
-            // Get token and retry
-            if let Some(token) = self
-                .get_token(registry_url, name, www_auth.as_deref())
-                .await
-            {
-                return self
-                    .client
-                    .get(url)
-                    .header("Authorization", format!("Bearer {}", token))
-                    .send()
-                    .await
-                    .map_err(|_| ());
-            }
-
-            return Err(());
-        }
-
-        Ok(response)
-    }
 }

 impl Default for DockerAuth {
--- a/nora-registry/src/registry/maven.rs
+++ b/nora-registry/src/registry/maven.rs
@@ -3,6 +3,7 @@

 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
    body::Bytes,
@@ -49,10 +50,17 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
        return with_content_type(&path, data).into_response();
    }

-    for proxy_url in &state.config.maven.proxies {
-        let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
+    for proxy in &state.config.maven.proxies {
+        let url = format!("{}/{}", proxy.url().trim_end_matches('/'), path);

-        match fetch_from_proxy(&state.http_client, &url, state.config.maven.proxy_timeout).await {
+        match fetch_from_proxy(
+            &state.http_client,
+            &url,
+            state.config.maven.proxy_timeout,
+            proxy.auth(),
+        )
+        .await
+        {
            Ok(data) => {
                state.metrics.record_download("maven");
                state.metrics.record_cache_miss();
@@ -124,13 +132,13 @@ async fn fetch_from_proxy(
    client: &reqwest::Client,
    url: &str,
    timeout_secs: u64,
+    auth: Option<&str>,
 ) -> Result<Vec<u8>, ()> {
-    let response = client
-        .get(url)
-        .timeout(Duration::from_secs(timeout_secs))
-        .send()
-        .await
-        .map_err(|_| ())?;
+    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;

    if !response.status().is_success() {
        return Err(());
--- a/nora-registry/src/registry/npm.rs
+++ b/nora-registry/src/registry/npm.rs
@@ -3,6 +3,7 @@

 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
    body::Bytes,
@@ -59,8 +60,13 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
    if let Some(proxy_url) = &state.config.npm.proxy {
        let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);

-        if let Ok(data) =
-            fetch_from_proxy(&state.http_client, &url, state.config.npm.proxy_timeout).await
+        if let Ok(data) = fetch_from_proxy(
+            &state.http_client,
+            &url,
+            state.config.npm.proxy_timeout,
+            state.config.npm.proxy_auth.as_deref(),
+        )
+        .await
        {
            if is_tarball {
                state.metrics.record_download("npm");
@@ -98,13 +104,13 @@ async fn fetch_from_proxy(
    client: &reqwest::Client,
    url: &str,
    timeout_secs: u64,
+    auth: Option<&str>,
 ) -> Result<Vec<u8>, ()> {
-    let response = client
-        .get(url)
-        .timeout(Duration::from_secs(timeout_secs))
-        .send()
-        .await
-        .map_err(|_| ())?;
+    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;

    if !response.status().is_success() {
        return Err(());
--- a/nora-registry/src/registry/pypi.rs
+++ b/nora-registry/src/registry/pypi.rs
@@ -3,6 +3,7 @@

 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
    extract::{Path, State},
@@ -86,8 +87,13 @@ async fn package_versions(
    if let Some(proxy_url) = &state.config.pypi.proxy {
        let url = format!("{}/{}/", proxy_url.trim_end_matches('/'), normalized);

-        if let Ok(html) =
-            fetch_package_page(&state.http_client, &url, state.config.pypi.proxy_timeout).await
+        if let Ok(html) = fetch_package_page(
+            &state.http_client,
+            &url,
+            state.config.pypi.proxy_timeout,
+            state.config.pypi.proxy_auth.as_deref(),
+        )
+        .await
        {
            // Rewrite URLs in the HTML to point to our registry
            let rewritten = rewrite_pypi_links(&html, &normalized);
@@ -140,6 +146,7 @@ async fn download_file(
            &state.http_client,
            &page_url,
            state.config.pypi.proxy_timeout,
+            state.config.pypi.proxy_auth.as_deref(),
        )
        .await
        {
@@ -149,6 +156,7 @@ async fn download_file(
                    &state.http_client,
                    &file_url,
                    state.config.pypi.proxy_timeout,
+                    state.config.pypi.proxy_auth.as_deref(),
                )
                .await
                {
@@ -202,14 +210,16 @@ async fn fetch_package_page(
    client: &reqwest::Client,
    url: &str,
    timeout_secs: u64,
+    auth: Option<&str>,
 ) -> Result<String, ()> {
-    let response = client
+    let mut request = client
        .get(url)
        .timeout(Duration::from_secs(timeout_secs))
-        .header("Accept", "text/html")
-        .send()
-        .await
-        .map_err(|_| ())?;
+        .header("Accept", "text/html");
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;

    if !response.status().is_success() {
        return Err(());
@@ -219,13 +229,17 @@ async fn fetch_package_page(
 }

 /// Fetch file from upstream
-async fn fetch_file(client: &reqwest::Client, url: &str, timeout_secs: u64) -> Result<Vec<u8>, ()> {
-    let response = client
-        .get(url)
-        .timeout(Duration::from_secs(timeout_secs))
-        .send()
-        .await
-        .map_err(|_| ())?;
+async fn fetch_file(
+    client: &reqwest::Client,
+    url: &str,
+    timeout_secs: u64,
+    auth: Option<&str>,
+) -> Result<Vec<u8>, ()> {
+    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;

    if !response.status().is_success() {
        return Err(());
--- a/nora-registry/src/secrets/mod.rs
+++ b/nora-registry/src/secrets/mod.rs
@@ -1,7 +1,6 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT

-
 //! Secrets management for NORA
 //!
 //! Provides a trait-based architecture for secrets providers:
--- a/nora-registry/src/ui/api.rs
+++ b/nora-registry/src/ui/api.rs
@@ -205,7 +205,12 @@ pub async fn api_dashboard(State(state): State<Arc<AppState>>) -> Json<Dashboard
        MountPoint {
            registry: "Maven".to_string(),
            mount_path: "/maven2/".to_string(),
-            proxy_upstream: state.config.maven.proxies.first().cloned(),
+            proxy_upstream: state
+                .config
+                .maven
+                .proxies
+                .first()
+                .map(|p| p.url().to_string()),
        },
        MountPoint {
            registry: "npm".to_string(),
Author	SHA1	Message	Date
devitway	bbff337b4c	fix: clean up stale smoke test container before run	2026-03-15 22:25:37 +00:00
devitway	a73335c549	docs: trim README, link to docs site, fix website URL	2026-03-15 22:21:08 +00:00
devitway	ad6aba46b2	chore: remove internal release runbook from public repo	2026-03-15 21:57:05 +00:00
devitway	095270d113	fix: smoke test port mapping (4000, not 5000)	2026-03-15 21:54:13 +00:00
devitway	769f5fb01d	docs: update CHANGELOG and README for v0.2.29 upstream auth	2026-03-15 21:50:14 +00:00
devitway	53884e143b	v0.2.29: upstream auth, remove dead code, version bump - Remove unused DockerAuth::fetch_with_auth() method - Fix basic_auth_header docstring - Bump to v0.2.29	2026-03-15 21:42:49 +00:00
devitway	0eb26f24f7	refactor: extract basic_auth_header helper, add plaintext credential warnings - basic_auth_header() in config.rs replaces 6 inline STANDARD.encode calls - warn_plaintext_credentials() logs warning at startup if auth is in config.toml - All protocol handlers use shared helper instead of duplicating base64 logic	2026-03-15 21:37:51 +00:00
devitway	fa962b2d6e	feat: upstream auth for all protocols (Docker, Maven, npm, PyPI) Wire up basic auth credentials for upstream registry proxying: - Docker: pass configured auth to Bearer token requests - Maven: support url\|auth format in NORA_MAVEN_PROXIES env var - npm: add NORA_NPM_PROXY_AUTH env var - PyPI: add NORA_PYPI_PROXY_AUTH env var - Mask credentials in logs (never log plaintext passwords) Config examples: NORA_DOCKER_UPSTREAMS="https://registry.corp.com\|user:pass" NORA_MAVEN_PROXIES="https://nexus.corp.com/maven2\|user:pass" NORA_NPM_PROXY_AUTH="user:pass" NORA_PYPI_PROXY_AUTH="user:pass"	2026-03-15 21:29:20 +00:00
devitway	a1da4fff1e	fix: integration tests match actual protocol support - Docker, Maven: full push/pull (write support exists) - npm, PyPI, Cargo: endpoint checks only (read-only proxy, no publish yet)	2026-03-15 19:58:36 +00:00
devitway	868c4feca7	feat: add Maven, PyPI, Cargo integration tests - Maven: PUT artifact, GET and verify checksum - PyPI: twine upload + pip install - Cargo: API endpoint check - Now testing all 5 protocols: Docker, npm, Maven, PyPI, Cargo	2026-03-15 19:53:27 +00:00
devitway	5b4cba1392	fix: add npm auth token for integration test publish	2026-03-15 19:49:54 +00:00
devitway	ad890be56a	feat: add integration tests, release runbook, cache fallback - CI: integration job — build NORA, docker push/pull, npm publish/install, API checks - release: cache-from with ignore-error=true (no dependency on localhost:5000) - RELEASE_RUNBOOK.md: rollback procedure, deploy order, verification steps	2026-03-15 19:36:38 +00:00
devitway	3b9ea37b0e	fix: cargo fmt, add .gitleaks.toml allowlist for doc examples - remove extra blank lines in openapi.rs and secrets/mod.rs - allowlist commit 92155cf (curl -u admin:yourpassword in README)	2026-03-15 19:27:36 +00:00