Oct 3, 2018

Composer Auth For Laravel Nova

I use Laravel Nova to manage the backend of this blog. Think of it as a way to create Wordpress's backend (writing blog posts, approving comments, triggering email notifications to be sent, etc...) in just a few hours. It is an incredible piece of software out of the box, saving tremendous time and effort and well worth the $99 price tag.

At Nova's launch the source code had to be included in the project but now they offer it as a private package that can be pulled in by Composer.

This is great since now it will be easier to open source my blog's backend code on GitHub without exposing proprietary Nova code.

The complication with private packages is that you have to be authenticated to access them, which means providing your Nova credentials to Composer somehow.

Locally, Composer will ask you in the command line to provide username and password as it's pulling in packages (Nova doesn't offer token based access), but this falls apart when deploying automatically on production servers because you can't interact.

Therefore, you have to store Nova credentials on the server somehow.

It's not acceptible to store the credentials in composer.json because they'd be exposed in version control.

Composer offers a secondary auth.json file where for storing sensitive credentials, it looks like this:

{
    "http-basic": {
        "nova.laravel.com": {
            "username": "user@example.com",
            "password": "password-123-fake-password"
        }
    }
}

(remember to update .gitignore so the auth file isn't committed to version control)

This is still an issue because the auth.json needs to make it's way to the production server...

Composer claims it supports storing authentication in an environment variable that should look something like this:

COMPOSER_AUTH="{"http-basic":{"nova.laravel.com":{"username":"user@example.com","password":"password-123-fake-password"}}}"

But I haven't been able to get this to work.

For now the auth.json file will be fine as I don't destroy and rebuild servers automatically, but it would be fun to figure this out.


Please Login or Register to Comment