# 🔐 CCN Token Management Demo

Example workflow for managing the CCN registry token during the development process.

## 🚀 **Scenario 1: New Developer Onboarding**

### First Developer Sets Up the Project:

```bash
# 1. Create new project
npx cube-ms create my-company-api --template api
cd my-company-api

# 2. The CLI automatically prompts for CCN token setup:
# 🔐 CCN Registry Setup Required
# The project uses CCN Platform registry for dependencies like ccn-logging.
# You need a valid CCN authentication token to install dependencies.
#
# 📋 How to get your CCN token:
# 1. Go to: http://devops.ccn/
# 2. Navigate: CCN Platform Collection → _packaging → CCN.Platform
# 3. Click "Connect to Feed" → Select "npm"
# 4. Copy the _password value
#
# Setup CCN registry token now? (y/n): y

# 3. Developer gets the token and sets up .npmrc
# Enter your CCN Platform token: cnZxbW91a3NwcWEyZ3d0YmlmdTczNW9kYnBucGJ2ZnRreWxseGpvaXF4bmoyZGFqYmhtYQ==
# ✅ .npmrc created successfully
# ✅ Added .npmrc to .gitignore

# 4. Dependencies install successfully
# 📦 Installing dependencies...
# npm install succeeds because .npmrc is already configured

# 5. Start development
npm run dev
```

### What Happens in the Background:

```bash
# Files created:
├── .npmrc                      # ✅ Created with developer's token (not committed)
├── .npmrc.template             # ✅ Template for other developers
├── .gitignore                  # ✅ Contains .npmrc entry
├── scripts/setup-npmrc.js      # ✅ Setup script
└── node_modules/ccn-logging    # ✅ Installed successfully
```

## 🤝 **Scenario 2: Team Collaboration**

### Second Developer Clones the Project:

```bash
# 1. Clone repository
git clone https://github.com/company/my-company-api.git
cd my-company-api

# 2. Try install dependencies
npm install
# ❌ Error: Unable to authenticate with CCN registry

# 3. Set up .npmrc with their own token
npm run setup-npmrc
# Follows same process as Scenario 1
# Each developer has their own .npmrc with personal token

# 4. Install dependencies
npm install
# ✅ Success with personal token
```

### Development Team Best Practice:

```bash
# ✅ Each developer:
developer-a/
├── .npmrc    # Token A (not committed)
└── src/

developer-b/
├── .npmrc    # Token B (not committed)
└── src/

developer-c/
├── .npmrc    # Token C (not committed)
└── src/

# ❌ Never this:
shared-folder/
├── .npmrc            # ❌ Shared token (security risk)
├── git add .npmrc    # ❌ Never commit tokens
```

## ⏰ **Scenario 3: Token Expiration Handling**

### When Token Expires (After 90 Days):

```bash
# 1. Developer tries to install new package
npm install new-package
# ❌ Error: Unable to authenticate, need: Basic realm="..."

# 2. Check token status
npm run validate-npmrc
# ❌ .npmrc contains expired hardcoded token
# This token expires on 02/10/2025 and should be updated

# 3. Update with new token
npm run setup-npmrc
# Get new token from CCN DevOps Portal
# Replace with fresh token

# 4. Verify and retry
npm run validate-npmrc
# ✅ Registry access successful
npm install new-package
# ✅ Success with new token
```

### Proactive Token Management:

```bash
# Monthly token check (recommended)
npm run validate-npmrc

# If warning about expiration:
# ⚠️ Registry access failed - token might be expired
# Please check your token validity

# Update before expiration
npm run setup-npmrc
```

## 🐳 **Scenario 4: Docker Deployment**

### Development Docker Build:

```dockerfile
# Dockerfile.dev
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./

# For development: mount .npmrc from developer machine
# docker run -v $(pwd)/.npmrc:/app/.npmrc my-app:dev
RUN npm install

COPY . .
CMD ["npm", "run", "dev"]
```

```bash
# Build development image
docker build -f Dockerfile.dev -t my-app:dev .

# Run with .npmrc mount
docker run -v $(pwd)/.npmrc:/app/.npmrc -p 3000:3000 my-app:dev
```

### Production Docker Build:

```dockerfile
# Dockerfile
# Build stage: the token is used only here and does not reach the final image
FROM node:18-alpine AS deps
WORKDIR /app
COPY package*.json ./

# Use build arg for token. Build-arg values used by RUN are visible in
# `docker history` for the stage that declares them, so dependencies are
# installed in this separate stage.
ARG CCN_NPM_TOKEN

# Write .npmrc, install, and remove .npmrc in a single RUN so the file is
# not stored in any image layer
RUN echo "registry=http://devops.ccn/CCN%20Platform%20Collection/_packaging/CCN.Platform/npm/registry/" > .npmrc && \
    echo "always-auth=true" >> .npmrc && \
    echo "//devops.ccn/CCN%20Platform%20Collection/_packaging/CCN.Platform/npm/registry/:username=CCN.Platform" >> .npmrc && \
    echo "//devops.ccn/CCN%20Platform%20Collection/_packaging/CCN.Platform/npm/registry/:_password=${CCN_NPM_TOKEN}" >> .npmrc && \
    echo "//devops.ccn/CCN%20Platform%20Collection/_packaging/CCN.Platform/npm/registry/:email=docker@company.com" >> .npmrc && \
    npm ci --only=production && \
    rm .npmrc

# Final stage: copy only the installed dependencies
FROM node:18-alpine
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
CMD ["npm", "start"]
```

```bash
# Build production image with service account token
docker build --build-arg CCN_NPM_TOKEN="$PROD_CCN_TOKEN" -t my-app:prod .
```

## 🔄 **Scenario 5: CI/CD Pipeline**

### GitHub Actions Example:

```yaml
# .github/workflows/ci.yml
name: CI/CD Pipeline
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'

      - name: Setup CCN Registry
        env:
          CCN_NPM_TOKEN: ${{ secrets.CCN_NPM_TOKEN }}
        run: |
          echo "registry=http://devops.ccn/CCN%20Platform%20Collection/_packaging/CCN.Platform/npm/registry/" > .npmrc
          echo "always-auth=true" >> .npmrc
          echo "//devops.ccn/CCN%20Platform%20Collection/_packaging/CCN.Platform/npm/registry/:username=CCN.Platform" >> .npmrc
          echo "//devops.ccn/CCN%20Platform%20Collection/_packaging/CCN.Platform/npm/registry/:_password=${CCN_NPM_TOKEN}" >> .npmrc
          echo "//devops.ccn/CCN%20Platform%20Collection/_packaging/CCN.Platform/npm/registry/:email=ci@company.com" >> .npmrc

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm test

      - name: Validate .npmrc setup
        run: npm run validate-npmrc
```

### Required GitHub Secrets:

```bash
# In GitHub repository settings → Secrets:
CCN_NPM_TOKEN = service-account-token-for-ci

# Token should be:
# 1. Service account token (not personal)
# 2. Long-lived or auto-renewed
# 3. Limited to read access only
```

## ⚠️ **Common Mistakes & Solutions**

### ❌ **Mistake 1: Committing .npmrc**

```bash
# What NOT to do:
git add .npmrc
git commit -m "add npmrc"  # ❌ NEVER DO THIS

# Solution:
git rm --cached .npmrc       # Remove from git if accidentally added
echo ".npmrc" >> .gitignore  # Ensure it's in gitignore
# A token that was already committed stays in Git history: revoke it and generate a new one
```

### ❌ **Mistake 2: Sharing Tokens**

```bash
# What NOT to do:
# Team lead shares .npmrc file via Slack/email ❌

# Solution:
# Each developer runs: npm run setup-npmrc ✅
# Each gets their own personal token ✅
```

### ❌ **Mistake 3: Hardcoded Tokens in Code**

```javascript
// What NOT to do:
const CCN_TOKEN = "cnZxbW91a3NwcWEyZ3d0..."; // Never in code

// Solution:
const CCN_TOKEN = process.env.CCN_NPM_TOKEN; // Environment variable
```

### ❌ **Mistake 4: Ignoring Token Expiration**

```bash
# What NOT to do:
# Ignore expiration warnings ❌
# Wait until token expires and breaks CI ❌

# Solution:
# Set calendar reminder for token renewal ✅
# Monitor token validity monthly ✅
# Update before expiration ✅
```

## 📊 **Token Management Checklist**

### ✅ **Setup Phase:**

- [ ] Use `npm run setup-npmrc` for initial setup
- [ ] Verify `.npmrc` is in `.gitignore`
- [ ] Test `npm install` works
- [ ] Share `.npmrc.template` with team (not `.npmrc`)

### ✅ **Development Phase:**

- [ ] Each developer has personal token
- [ ] Token validation runs in `postinstall`
- [ ] No tokens committed to repository
- [ ] CI/CD uses service account token

### ✅ **Maintenance Phase:**

- [ ] Monthly token validity check
- [ ] Update tokens before expiration
- [ ] Monitor CI/CD token health
- [ ] Document token renewal process

### ✅ **Security Phase:**

- [ ] Tokens are personal (not shared)
- [ ] No hardcoded tokens in code
- [ ] Service account tokens for automation
- [ ] Regular token rotation (quarterly)

---

*This demo shows real-world token management scenarios. The framework handles the complexity; developers just need to follow the workflow.*
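
The checklist items "No tokens committed to repository" and "Verify `.npmrc` is in `.gitignore`" can be checked statically, for example on `.npmrc.template` or on any `.npmrc` about to be committed. The following is an added example, not the project's `validate-npmrc` script; the function names and the sample token are hypothetical, and it assumes that a credential written as `${VAR}` is filled in by npm from the environment.

```javascript
// Added example: static audit of .npmrc and .gitignore text (no network access).
const CREDENTIAL_KEYS = new Set(['_password', '_authToken', '_auth']);

// Parse "key=value" lines, skipping blanks and ';' / '#' comments.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Registry-scoped keys look like "//host/path/:_password"; keep the part after the last ':'.
function settingName(key) {
  return key.startsWith('//') ? key.slice(key.lastIndexOf(':') + 1) : key;
}

function auditNpmrc(npmrcText, gitignoreText) {
  const findings = [];
  for (const { key, value } of parseNpmrc(npmrcText)) {
    if (!CREDENTIAL_KEYS.has(settingName(key))) continue;
    // A value made only of ${VAR} is resolved from the environment at run time.
    const unquoted = value.replace(/^["']|["']$/g, '');
    if (!/^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(unquoted)) {
      findings.push({ rule: 'literal-credential', key, preview: unquoted.slice(0, 4) + '...' });
    }
  }
  const ignored = gitignoreText.split(/\r?\n/).map((l) => l.trim())
    .some((l) => l === '.npmrc' || l === '/.npmrc' || l === '**/.npmrc');
  if (!ignored) findings.push({ rule: 'npmrc-not-ignored', key: '.gitignore' });
  return findings;
}

// Constructed sample input; the token value is a placeholder, not a real credential.
const REG = '//devops.ccn/CCN%20Platform%20Collection/_packaging/CCN.Platform/npm/registry/';
const literalNpmrc = [
  `registry=http:${REG}`,
  'always-auth=true',
  `${REG}:username=CCN.Platform`,
  `${REG}:_password=PLACEHOLDER-NOT-A-REAL-TOKEN`,
].join('\n');
const envNpmrc = `registry=http:${REG}\n${REG}:_password=\${CCN_NPM_TOKEN}\n`;
console.log(auditNpmrc(literalNpmrc, 'node_modules\n'));
console.log(auditNpmrc(envNpmrc, 'node_modules\n.npmrc\n'));
```

Findings carry only the first four characters of a flagged value, so the audit output can be logged in CI without exposing the token.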