Looking for a search API that will just return packages in a given scope

[hardillb]

Hello,

I'm building a private repo that will store each "users" packages in a unique scope per user, but I also need to be able to query the repo for those packages from a separate service.

I have a authentication plugin that limits access so each user can only access/publish/unpublish to their scope, but I also have a admin user that has access to everything,

I can see that making calls to /-/all with a users access token only returns packages that they have access to, but I'd rather not have have to keep an access token per user in the other service.

Calling /-/all with the admin token returns all the packages in the repo. While I could filter this list it would be really inefficient especially as things grow. (I understand the list has to be filtered somewhere and it looks like the auth plugin is already doing some of this at least for access in the repo)

/-/v1/search?text=@scope works, but is a full text search so could also find things in the README.md not just the package name.

/-/verdaccio/data/search/@scope looks promising, but I can't find any doc for it (pointer to it in the source would help if there is no doc for this API)

Is there a better search API that will just search package names/scope?

(p.s. bonus points if it also works with the web UI disabled)

[mbtools]

Using the /-/verdaccio endpoints isn't a good idea since they are internal and can change anytime.

Does your "other service" have to be real-time? Why not use the admin user with /-/all to retrieve the packages and store them offline. Due to your "@user/package" naming you can easily attribute what you get to the users again.

[hardillb]

Yes it does really need to be as close to real time as possible, as we need to show new packages if a user publishes a new one, and I'd rather not use the http callback to trigger the /-/all and have to filter all the packages on each publish.

[mbtools]

I haven't used them but maybe you can use notifications to update your service instead of querying Verdaccio.

[hardillb]

But I explicitly just said I didn't want to use http callbacks....

[mbtools]

it's not a callback. it's a one-way notification which includes the published package name. you won't need to call /-/all (assuming you collect of the package names you got via the notifications).