Allow to specify a custom registry to fetch plugins from #2093

Open
nbverboven-medallia opened this issue Jan 12, 2023 · 9 comments

Comments

@nbverboven-medallia

Is your feature request related to a problem? Please describe.
At the company I work for, we were thinking about extending Altair's functionality with some plugins for internal use. With the current implementation, they would have to be publicly accessible to be installed but, for security reasons, we may only be able to publish them to a private registry.

Describe the solution you'd like
Let's say we have a package called altair-graphql-plugin-test. We could add a fourth way of sourcing plugins called custom or custom-registry (the name is tentative) which would be used like

custom:[email protected]::[url]->[https://company.private-registry.com]

I'm not really sure on how authentication would work but I'm guessing extra options may be necessary, such as token, user and password.

Describe alternatives you've considered
The authentication options could also be added to the url source but I'm not familiar enough with the inner workings of fetching a package from a private registry to know if this would give us the expected result.

Additional context
N/A

@nbverboven-medallia
Author

nbverboven-medallia commented Jan 13, 2023

The idea of this issue was to discuss the feasibility of this feature and possible implementations. After that, I can open a PR and start working on it.

@imolorhe
Collaborator

Hey, so just to check, the url plugin source will not work for your use case?

@imolorhe
Collaborator

Thinking about it, one thing that will need to be addressed is the CSP for this. The CSP will block any scripts from any other domain that is not specified. One way around this will be to add a new option for the private registry when initializing Altair -- when it is hosted e.g. via the express middleware, and add the domain to the CSP.
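An added example, not part of the original thread and not Altair's own code: one way a hosted deployment could reduce an operator-supplied private registry URL to a single `script-src` entry instead of loosening the policy. The function names and the baseline policy are hypothetical; the registry URL is the one quoted later in this issue.

```javascript
// Hypothetical helper names; nothing here is an Altair or express-middleware API.

// Constructed baseline policy for illustration only, not Altair's actual CSP.
const BASE_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'";

// Reduce a registry URL to a bare https origin suitable for a CSP source list.
function registryOriginForCsp(registryUrl) {
  const url = new URL(registryUrl); // throws on malformed input
  if (url.protocol !== 'https:') {
    throw new Error('registry must be served over https');
  }
  if (url.hostname.includes('*')) {
    // The URL parser accepts "*" in a host, and CSP would treat it as a wildcard.
    throw new Error('wildcard hosts are not allowed');
  }
  if (url.username || url.password) {
    // A CSP header is visible to every client; credentials never belong in it.
    throw new Error('credentials must not be embedded in the registry URL');
  }
  return url.origin; // drops path, query and fragment
}

// Return a new policy with the registry origin appended to script-src only.
function cspWithPluginRegistry(policy, registryUrl) {
  const origin = registryOriginForCsp(registryUrl);
  let found = false;
  const directives = policy
    .split(';')
    .map((d) => d.trim())
    .filter(Boolean)
    .map((directive) => {
      const [name, ...sources] = directive.split(/\s+/);
      if (name.toLowerCase() !== 'script-src') return directive;
      found = true;
      if (sources.includes(origin)) return directive; // already allowed
      return [name, ...sources, origin].join(' ');
    });
  if (!found) {
    // Refuse to guess: widening default-src would affect every resource type.
    throw new Error('policy has no script-src directive to extend');
  }
  return directives.join('; ');
}
```

Only the origin ends up in the header, so the package path and any authentication material stay out of the policy sent to browsers.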

@nbverboven-medallia
Author

The issues I see with using the url approach are that

  1. It requires the user to manually authenticate so an authentication cookie is generated.
  2. The definition ends up being quite verbose because the url needs to be fully specified. Something like
url:altair-graphql-plugin-my-plugin::[url]->[https://my-private-registry.company.com/api/npm/virtual-npm/altair-graphql-plugin-my-plugin@latest]

In my view, those are mainly UX things, but I'd rather tackle them if it was possible to increase the chances of people wanting to use this feature.

Apart from that, there's also what you mentioned about the CSP. From your comment, it seems that this feature would only work for a hosted version of Altair, right? It doesn't seem reasonable (or possible) to dynamically modify the CSP otherwise.

@imolorhe
Collaborator

Yes. It is only possible for hosted versions of Altair, or the desktop applications. It's not possible with the browser extensions.

@imolorhe
Collaborator

Yours is the first request for the private registry. I'm happy to look into this more, but this is not a priority for me at the moment.

If I understand what you're saying, we should define (or adopt, if there's already a standard for authentication with private registries) a proper authentication process for the private registry.

@nbverboven-medallia
Author

> If I understand what you're saying, we should define (or adopt, if there's already a standard for authentication with private registries) a proper authentication process for the private registry.

Yes, that was what I had in mind.

> Yours is the first request for the private registry. I'm happy to look into this more, but this is not a priority for me at the moment.

No worries. There's still the chance that we can make the plugins public but, if we end up needing this feature, it's likely that we open a pull request and start working on it (provided there's a chance of it being merged eventually).

@imolorhe
Collaborator

Before creating the PR, it would be better to discuss exactly what the authentication part will look like.

@nbverboven-medallia
Author

Agreed. Will keep you posted.
