# Composer HTTP Basic Authentication

Many paid WordPress plugins also offer Composer support. Typically, this is accomplished by adding the plugin repository to your composer.json file:

"repositories": [
    {
        "type":"composer",
        "url":"https://example.com"
    }
]

The actual plugin download is protected behind a basic HTTP authentication layer. This allows the plugin developer to restrict access to the plugin via Composer by a username/password combination. The basic authentication credentials are stored in an auth.json file.

{
    "http-basic": {
        "example.com": {
            "username": "{COMPOSER_HTTP_USERNAME}",
            "password": "{COMPOSER_HTTP_PASSWORD}"
        }
    }
}

However, when using such plugins in a Trellis project, it is generally considered bad practice to implement this via deploy hooks (opens new window) or adding the auth.json to your version control.

Trellis now supports HTTP basic authentication for multiple Composer repositories, via the Ansible Vault (opens new window) functionality, on a per environment configuration.

# group_vars/<env>/vault.yml

vault_wordpress_sites:
  example.com:
    composer_authentications:
      - { hostname: example.com, username: COMPOSER_HTTP_USERNAME, password: COMPOSER_HTTP_USERNAME }

If the private repository doesn't use a password (because the username contains an API key for example), you'll need to omit password like this:

# group_vars/<env>/vault.yml

vault_wordpress_sites:
  example.com:
    composer_authentications:
      - { hostname: example.com, username: apikey }

Multiple private Composer repositories can be configured in this way.

This functionality does have a few requirements:

  • The passwords should not be stored as plain text, as described in the Vault (opens new window) documentation
  • Currently, only HTTP basic authentication is supported

Page authors:

Tang Rufus
Scott Walkinshaw
Ben Word
Jonathan Bossenger
Sponsor us on GitHub to help us grow 🌱