
Unlike Python's pip, R seems to expose credentials configured for private R repositories defined in the .Rprofile. I suppose this is due to R treating the string as a URL.

local({r <- getOption("repos")
       r["Nexus"] <- "https://username:password@my-private-r-repo.com/repository/r-group"
       options(repos=r)
})

Then when I install a package:

> install.packages("shinydashboard")
trying URL 'https://username:password@my-private-r-repo.com/repository/r-group/bin/macosx/el-capitan/contrib/3.6/shinydashboard_0.7.1.tgz'
Content type 'application/x-tgz' length 326031 bytes (318 KB)
==================================================
downloaded 318 KB


The downloaded binary packages are in
    /var/folders/7_/pt_pgg2j531f2jc_n5znht600000gn/T//RtmpZkpXkN/downloaded_packages

Does R have configuration options to prevent the exposure of credentials?

RiskyMaor
aidanmelen

1 Answer


I solved this (and other issues) using renv and an Authorization header.
renv helps you to create virtual environments for R projects, locking all packages (and their versions) used in the project.
You can read about authentication headers here: Web API Authentication Basic vs Bearer

You can make renv work with private repos by adding an .Rprofile file to the project like so:

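source("renv/activate.R")
local({
  project_repos <- c(
    CRAN = "https://cloud.r-project.org",
    PRIVATE_CRAN = "https://your-private-cran.io"
  )

  options(repos = project_repos)
  options(
    renv.download.headers = function(url) {
      # Attach the token only to URLs under the private repository.
      # startsWith() compares literally, so "." in the URL is not a regex wildcard.
      if (startsWith(url, paste0(project_repos[["PRIVATE_CRAN"]], "/")))
        # The scheme name and the token must be separated by a space.
        return(c(Authorization = paste("Bearer", Sys.getenv("AUTH_TOKEN"))))
    }
  )
})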

This will automatically add the authorization header every time you access a file from the private CRAN.
If you have met all the prerequisites, installing a package will look like this:

> renv::install("private_packge@2.7.2")
Retrieving 'https://your-private-cran.io/Cran-local/src/contrib/Archive/private_packge/2.7.2/private_packge_2.7.2.tar.gz' ...
    OK [file is up to date]
Installing private_packge [2.7.2] ...
    OK [built from source]
Moving private_packge [2.7.2] into the cache ...
    OK [moved to cache in 1.3 milliseconds]

The prerequisites are:

  1. Install and configure renv for your project.
  2. Your private CRAN should be able to accept an Authorization header.
  3. The authentication token is stored in an environment variable called AUTH_TOKEN.
  4. Note that I use Bearer authentication; it means I got a dedicated token from my private CRAN. If you wish to use username:password, then you need to use Basic authentication and the environment variable called AUTH_TOKEN should be a base64 encoding of username:password.
RiskyMaor
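A stricter header callback for the setup in the answer above, as an added example that is not part of the original answer: it compares the request's scheme and host exactly, so the token is never attached to a look-alike host or sent over plain HTTP, and it fails closed when `AUTH_TOKEN` is unset. The helper names `url_origin` and `auth_headers` are hypothetical, and the URLs in the checks are constructed.

```r
# Added example. Repository URL and AUTH_TOKEN follow the answer; helper names are hypothetical.
private_repo <- "https://your-private-cran.io"

# Return "scheme://host[:port]" in lower case, with any "user:pass@" removed.
url_origin <- function(url) {
  m <- regmatches(url, regexec("^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)", url))[[1]]
  if (length(m) != 3) return(NA_character_)
  authority <- sub("^.*@", "", m[3])
  tolower(paste0(m[2], "://", authority))
}

# Callback for renv.download.headers: receives a URL, returns a named
# character vector of headers, or NULL when no header should be sent.
auth_headers <- function(url, repo = private_repo, token = Sys.getenv("AUTH_TOKEN")) {
  origin <- url_origin(url)
  # Exact origin match: a different host, port or scheme gets no credentials.
  if (is.na(origin) || !identical(origin, url_origin(repo))) return(NULL)
  if (!startsWith(origin, "https://")) stop("refusing to send the token without TLS")
  if (!nzchar(token)) stop("AUTH_TOKEN is not set")
  c(Authorization = paste("Bearer", token))
}

options(renv.download.headers = auth_headers)

# Constructed checks: only the private repository receives the header.
stopifnot(
  is.null(auth_headers("https://cloud.r-project.org/src/contrib/PACKAGES", token = "t")),
  is.null(auth_headers("https://your-private-cran.io.example.net/x", token = "t")),
  is.null(auth_headers("https://your-private-cranXio/x", token = "t")),
  is.null(auth_headers("http://your-private-cran.io/x", token = "t")),
  identical(
    auth_headers("https://your-private-cran.io/Cran-local/src/contrib/PACKAGES", token = "t"),
    c(Authorization = "Bearer t")
  )
)
```

Because the repository URL in `options(repos = ...)` no longer carries `username:password@`, the "trying URL" and "Retrieving" lines printed during installation contain no credentials.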