Skip to content

feat: add custom Composer repository support for extension version checking#588

Open
pariweshsubedi wants to merge 6 commits intoFriendsOfShopware:mainfrom
pariweshsubedi:feature/custom-composer-repositories
Open

feat: add custom Composer repository support for extension version checking#588
pariweshsubedi wants to merge 6 commits intoFriendsOfShopware:mainfrom
pariweshsubedi:feature/custom-composer-repositories

Conversation

@pariweshsubedi
Copy link

@pariweshsubedi pariweshsubedi commented Mar 9, 2026

Closes #587

  • Add support for configuring custom Composer repositories (e.g. Packeton, Private Packagist, Satis) per shop to detect extension updates from private package sources
  • Support Composer v1 (inline) and v2 (lazy provider) repository formats with none, HTTP Basic, and Bearer token authentication
  • Credentials are encrypted at rest using the existing APP_SECRET encryption

Changes

  • Database: New composer_repositories JSONB column on shop table
  • API: Zod-validated endpoints for creating/updating shops with composer repositories; credentials encrypted before storage
  • Scrape job: After standard Store API check, queries custom repos for extensions still missing a latestVersion
  • Frontend: New "Custom Composer Repositories" section in Edit Shop with dynamic add/remove and auth type selection

Testing performed

  • make lint passes with no new warnings
  • Manually tested adding, editing, and removing custom Composer repositories in the Edit Shop UI
  • Tested all three auth types (none, HTTP Basic, Bearer token) — correct fields appear for each
  • Verified repositories persist after page reload with URLs and auth types preserved
  • Verified credentials (passwords, tokens) are not returned to the frontend after saving
  • Verified saving an empty repository list works correctly

Suggested tests

  • Verify extension versions are detected from a Composer v1 (inline) repository
  • Verify extension versions are detected from a Composer v2 (lazy provider) repository
  • Verify credentials are not returned to the frontend after saving
  • Verify scraping still works for shops with no custom repositories configured
  • Test with invalid repository URLs and verify graceful error handling

@pariweshsubedi
feat: add custom Composer repository support for extension version ch…
e8d8b38 
…ecking

Allow shops to configure private Composer repositories (e.g. Packeton,
Private Packagist, Satis) so that extension updates from custom package
sources are detected during scraping. Supports Composer v1 and v2 formats
with none, HTTP Basic, and Bearer token authentication. Credentials are
encrypted at rest.
@pariweshsubedi
chore: use generic example for custom composer repo source
f70dd10
@shyim
Copy link
Member

shyim commented Mar 11, 2026

I would like to add a proper queue before and migrate to that before, we add those things as next

@pariweshsubedi
Copy link
Author

pariweshsubedi commented Mar 11, 2026

Makes sense! Just to make sure, by "proper queue" do you mean moving the scrape jobs (both the hourly cron and the manual refresh)?

I'll hold off on this PR until the queue is in place. Is there an issue tracking the queuing feature?

@shyim
Copy link
Member

shyim commented Mar 11, 2026

I would like to parallelize using queue the scrapes. Still not sure which of those NPM packages we're gonna will use at the end: https://bullmq.io/

I expect to be done this week.

shyim
shyim requested changes Mar 11, 2026
View reviewed changes
api/src/modules/shop/jobs/shop-scrape.job.ts Outdated
return timeDifference >= 24 * 60 * 60 * 1000;
}

interface ComposerPackageVersion {
Copy link
Member

@shyim shyim Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you move this composer foo into an own typescript file.

Copy link
Author

@pariweshsubedi pariweshsubedi Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Extracted all Composer repository logic to api/src/modules/shop/composer-repo.service.ts

api/src/modules/shop/jobs/shop-scrape.job.ts Outdated
const data = (await resp.json()) as ComposerPackagesJson;

// Composer v2 lazy provider: metadata-url + available-packages
if (data["metadata-url"] && data["available-packages"]?.length) {
Copy link
Member

@shyim shyim Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

available-packages is optional in composer spec and does not require it.

Copy link
Author

@pariweshsubedi pariweshsubedi Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

available-packages is now treated as optional. If it's present, we fetch only those packages. When absent, we fall through to process inline packages from packages.json.

@pariweshsubedi pariweshsubedi requested a review from shyim March 13, 2026 06:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shyim shyim Awaiting requested review from shyim

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support custom Composer repositories for extension version checking

2 participants

@pariweshsubedi @shyim