Release 1.0.1

Merge pull request #398 from cnpm/fix-auth
hot fix auth error
2014-08-01 12:00:33 +08:00 · 2014-08-01 11:58:54 +08:00 · 2014-08-01 11:58:23 +08:00 · 2014-08-01 09:26:04 +08:00 · 2014-08-01 08:55:11 +08:00 · 2014-08-01 01:43:13 +08:00
105 changed files with 6442 additions and 1483 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -16,11 +16,15 @@ results
 node_modules
 npm-debug.log
 public/dist/
+.dist
 config/config.js
 backup/*.json
 backup/*.gz
 docs/web/history.md
+docs/web/_readme.md
 view/web/_layout.html
 bin/mysql.js
 bin/test.sql
 coverage/
+config/web_readme.md
+.tmp/
--- a/.jshintrc
+++ b/.jshintrc
@@ -58,7 +58,7 @@
    "shadow"        : true,      // true: Allows re-define variables later in code e.g. `var x=1; x=2;`
    "sub"           : false,     // true: Tolerate using `[]` notation when it can still be expressed in dot notation
    "supernew"      : false,     // true: Tolerate `new function () { ... };` and `new Object;`
-    "validthis"     : false,     // true: Tolerate using this in a non-constructor function
+    "validthis"     : true,      // true: Tolerate using this in a non-constructor function

    // Environments
    "browser"       : true,     // Web Browser (window, document, etc)
--- a/.npmignore
+++ b/.npmignore
@@ -8,6 +8,8 @@ logo.png
 public/dist/
 backup/*.json
 backup/*.gz
+docs/web/history.md
+docs/web/_readme.md
 view/web/_layout.html
 bin/mysql.js
 bin/test.sql
@@ -15,3 +17,5 @@ coverage/
 .jshintrc
 .jshintignore
 .DS_Store
+config/web_readme.md
+.dist/
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,3 +1,5 @@
 language: node_js
 node_js:
  - '0.11'
+script: "make test-travis"
+after_script: "npm install coveralls@2 && cat ./coverage/lcov.info | coveralls"
--- a/History.md
+++ b/History.md
@@ -1,4 +1,181 @@

+1.0.1 / 2014-08-01
+==================
+
+  * Merge pull request #398 from cnpm/fix-auth
+  * hot fix auth error
+
+1.0.0 / 2014-08-01
+==================
+
+ * add private package list
+
+0.9.2 / 2014-07-30
+==================
+
+ * hotfix save custom user bug
+
+0.9.1 / 2014-07-30
+==================
+
+ * Handle user service auth throw custom error message
+ * add test for config private packages
+ * add config.privatePackages
+ * add more comments in config/index.js
+
+0.9.0 / 2014-07-29
+==================
+
+ * scopes init mv to services/user.js
+ * show user more profile
+ * registry show user support custom user service
+ * support custom user service for user auth
+ * remove session middleware
+ * add DefaultUserService
+ * check scopes in module.getAdapt
+ * test public mode, fix some logic, close #382
+ * move scope.js into publishable.js, add forcePublishWithScope
+ * config.scopes not exist, means do not support scope
+ * add assert scope middleware
+
+0.8.7 / 2014-07-24
+==================
+
+ * fix unpublished info missing maintainers cause TypeError
+
+0.8.6 / 2014-07-23
+==================
+
+ * show unpublished info on web package page. fixes #381
+
+0.8.5 / 2014-07-22
+==================
+
+ * Only private package support default scoped. fixed #378
+
+0.8.4 / 2014-07-22
+==================
+
+ * adapt default scpoe in /@:scope/:name/:version
+
+0.8.3 / 2014-07-22
+==================
+
+ * hot fix download
+
+0.8.2 / 2014-07-22
+==================
+
+ * fix default scope detect
+
+0.8.1 / 2014-07-21
+==================
+
+ * add more test cases
+ * support default @org. close #376
+ * hotfix redis init error
+
+0.8.0 / 2014-07-21
+==================
+
+ * support "scoped" packages. close #352
+ * use safe jsonp
+ * Stop support old publish flow. fix #368
+ * update SQLs
+ * use sync_info and sync_error categories
+ * add categories to loggers. fix #370
+ * fix get latest tag always not exists bug
+ * support `npm publish --tag beta`. fix #366
+ * use mini-logger and error-formater
+
+0.7.0 / 2014-07-07
+==================
+
+ * use module_maintainers on GET /pakcage/:name page
+ * use new module_maintainers on GET /:name
+ * admin user should never publish to other user's packages. fix #363
+ * Add a new table for module-maintainers.
+ * gravatar use https
+ * support https
+
+0.6.1 / 2014-06-18
+==================
+
+ * hot fix removeTagsByNames()
+ * fix _rev not exists
+ * sync unpublished on GET /sync/:name
+
+0.6.0 / 2014-06-16
+==================
+
+ * sync unpublished info. close #353
+ * Delete not exists versions on sync worker. #353
+
+0.5.3 / 2014-06-13
+==================
+
+  * fix sync response 204
+  * add links in History.md
+  * bump koa
+  * fix test-cov
+  * bump koa and should
+
+0.5.2 / 2014-06-04
+==================
+
+ * sync hotfix
+ * sync phantomjs downloads pkg. close [#348](https://github.com/cnpm/cnpmjs.org/issues/348)
+ * add restart, fixed [#346](https://github.com/cnpm/cnpmjs.org/issues/346)
+
+0.5.1 / 2014-05-28
+==================
+
+ * fix attack on /-/all/since?stale=update_after&startkey=2 close [#336](https://github.com/cnpm/cnpmjs.org/issues/336)
+ * bump thunkify-wrap
+ * bump koa-middlewares
+ * remove outputError
+ * bump dependencies
+ * use svg badge
+ * add package/notfound page
+ * add dist mirror link to home page
+ * fix sync listdiff and add more test cases
+
+0.5.0 / 2014-05-13
+==================
+
+ * filter /nightlies/*
+ * use koa setter instead of set()
+ * add more info on error email
+ * add sync dist to sync/index.js
+ * show dist page
+ * sync dist file and save it to database
+ * disable gzip before [#335](https://github.com/cnpm/cnpmjs.org/issues/335) has fix
+
+0.4.3 / 2014-04-18
+==================
+
+  * Merge pull request [#334](https://github.com/cnpm/cnpmjs.org/issues/334) from cnpm/fix-permission
+  * add permission check to /:name/:tag
+  * Merge pull request [#333](https://github.com/cnpm/cnpmjs.org/issues/333) from cnpm/issue332-tag
+  * fix space
+  * add put /:name/:tag, close [#332](https://github.com/cnpm/cnpmjs.org/issues/332)
+
+0.4.2 / 2014-04-17
+==================
+
+ * sync interval config
+ * fix fav ico and show pkg size on pkg info page. fix [#318](https://github.com/cnpm/cnpmjs.org/issues/318)
+ * sync work sync one done must wait for a defer.setImmediate. fix [#328](https://github.com/cnpm/cnpmjs.org/issues/328)
+ * bump dep versions
+ * if download tarball 404, throw err better than ignore it. fixed [#325](https://github.com/cnpm/cnpmjs.org/issues/325)
+ * refator sync
+ * hotfix, close [#321](https://github.com/cnpm/cnpmjs.org/issues/321)
+ * hotfix, close [#319](https://github.com/cnpm/cnpmjs.org/issues/319)
+ * support custom web home page
+ * npm get short only can read from cnpm now
+ * if using reverted proxy like nginx, only binding on local host
+ * fix redis detect logic
+
 0.4.1 / 2014-04-10
 ==================

@@ -9,18 +186,18 @@

 * fix test cases to run on local machine
 * add contribute guidelines
- * use local mysql for dev env. fix #308
+ * use local mysql for dev env. fix [#308](https://github.com/cnpm/cnpmjs.org/issues/308)
 * use copy to
 * use koa-compress and koa-conditional-get
- * maintainers is string, fix #301
+ * maintainers is string, fix [#301](https://github.com/cnpm/cnpmjs.org/issues/301)

 0.3.13 / 2014-03-27
 ==================

 * fix npm adduser update 409 bug
 * fix multiline coverage
- * show package engines. fixed #280
- * dont sync local package field. fix #295
+ * show package engines. fixed [#280](https://github.com/cnpm/cnpmjs.org/issues/280)
+ * dont sync local package field. fix [#295](https://github.com/cnpm/cnpmjs.org/issues/295)

 0.3.12 / 2014-03-26
 ==================
@@ -28,53 +205,53 @@
 * fix result.successes not exist error
 * fix search list
 * add simple request for listall
- * only return package name in /-/all and /-/all/since, fixed #291
+ * only return package name in /-/all and /-/all/since, fixed [#291](https://github.com/cnpm/cnpmjs.org/issues/291)
 * refine docs foloder
- * use module gmt_modified as etag. fix #288
+ * use module gmt_modified as etag. fix [#288](https://github.com/cnpm/cnpmjs.org/issues/288)
 * fix typo, remove unused config in package.json
 * web page only list cnpm registry related info
 * use generator in qnfs

-0.3.11 / 2014-03-20 
+0.3.11 / 2014-03-20
 ==================

-  * use common.isMaintainer, fixed #283
+  * use common.isMaintainer, fixed [#283](https://github.com/cnpm/cnpmjs.org/issues/283)
  * update dependencies
-  * use co-mocha for test, fixed #279
+  * use co-mocha for test, fixed [#279](https://github.com/cnpm/cnpmjs.org/issues/279)
  * update thunkify-wrap, breaking change in thunkify-wrap
  * refactor SQLs by using multiline
  * use multiline to refactor sqls
  * ignore contributors

-0.3.10 / 2014-03-16 
+0.3.10 / 2014-03-16
 ==================

-  * Only /_session request send the authSession. fixed #223
-  * sync npm user info when maintainers and contributors not exists. fixed #82
+  * Only /_session request send the authSession. fixed [#223](https://github.com/cnpm/cnpmjs.org/issues/223)
+  * sync npm user info when maintainers and contributors not exists. fixed [#82](https://github.com/cnpm/cnpmjs.org/issues/82)
  * save npm user to mysql
  * password salt always be randoms
-  * remove session access in /name and /name/version, fixed #274
+  * remove session access in /name and /name/version, fixed [#274](https://github.com/cnpm/cnpmjs.org/issues/274)
  * fix update maintainer session error
  * update koa-middlewares
  * fix test, fix sync_by_install
  * use defer session
-  * Support npm owner|author add [name] [pkg]. fixed #271
+  * Support npm owner|author add [name] [pkg]. fixed [#271](https://github.com/cnpm/cnpmjs.org/issues/271)

-0.3.9 / 2014-03-14 
+0.3.9 / 2014-03-14
 ==================

  * custom user-agent
  * use co-urllib instead of thunkify urllib; fix mock http.request test cases
  * request limit custom message
  * add config.redis check
-  * add koa-limit, fixed #267
+  * add koa-limit, fixed [#267](https://github.com/cnpm/cnpmjs.org/issues/267)

-0.3.8 / 2014-03-11 
+0.3.8 / 2014-03-11
 ==================

-  * update middlewares, fixed missing charset bug #264
+  * update middlewares, fixed missing charset bug [#264](https://github.com/cnpm/cnpmjs.org/issues/264)

-0.3.7 / 2014-03-11 
+0.3.7 / 2014-03-11
 ==================

  * show worker die date time
@@ -84,63 +261,63 @@
  * fix return versions
  * fix makefile, remove eventproxy
  * refactor sync_module_worker
-  * add make test-dev, fixed #259
+  * add make test-dev, fixed [#259](https://github.com/cnpm/cnpmjs.org/issues/259)
  * change npm.js to generator
  * update urllib, proxy/npm.js use generator
  * sync_all and sync_exist to generator
  * change function to generator
  * need node >= v0.11.9

-0.3.6 / 2014-03-06 
+0.3.6 / 2014-03-06
 ==================

-  * install missing package should sync it from source npm. fixed #252
+  * install missing package should sync it from source npm. fixed [#252](https://github.com/cnpm/cnpmjs.org/issues/252)
  * npm publish dont contains .jshint*
  * npm test run jshint
  * Add jshint check: $ make jshint
  * use `yield* next` instead of `yield next`
  * replace dist.u.qiniudn.com with cnpmjs.org/dist

-0.3.5 / 2014-03-05 
+0.3.5 / 2014-03-05
 ==================

-  * redirect /dist/xxx.tgz => http://dist.u.qiniudn.com/xxx.tgz fixed #249
-  * redirect /name to /package/name when /name is 404. fixed #245
-  * Add missing properies and sync missing star users. fixed #235
+  * redirect /dist/xxx.tgz => http://dist.u.qiniudn.com/xxx.tgz fixed [#249](https://github.com/cnpm/cnpmjs.org/issues/249)
+  * redirect /name to /package/name when /name is 404. fixed [#245](https://github.com/cnpm/cnpmjs.org/issues/245)
+  * Add missing properies and sync missing star users. fixed [#235](https://github.com/cnpm/cnpmjs.org/issues/235)

-0.3.4 / 2014-03-04 
+0.3.4 / 2014-03-04
 ==================

  * add cov
  * use istanbul run test coverage
-  * gzip support. fix #241
+  * gzip support. fix [#241](https://github.com/cnpm/cnpmjs.org/issues/241)
  * readme spelling patch (@stanzheng)
-  * default readme to null, fixed #233
+  * default readme to null, fixed [#233](https://github.com/cnpm/cnpmjs.org/issues/233)
  * remove readme in versions

-0.3.3 / 2014-02-28 
+0.3.3 / 2014-02-28
 ==================

-  * Merge pull request #232 from cnpm/host-hotfix
+  * Merge pull request [#232](https://github.com/cnpm/cnpmjs.org/issues/232) from cnpm/host-hotfix
  * get request host from request.headers
-  * Merge pull request #231 from cnpm/bug-fix
-  * fix deps display bug#230 and nsf.url TypeError#229
+  * Merge pull request [#231](https://github.com/cnpm/cnpmjs.org/issues/231) from cnpm/bug-fix
+  * fix deps display bug[#230](https://github.com/cnpm/cnpmjs.org/issues/230) and nsf.url TypeError[#229](https://github.com/cnpm/cnpmjs.org/issues/229)

-0.3.2 / 2014-02-28 
+0.3.2 / 2014-02-28
 ==================

  * update koa-sess and koa-redis
  * fix sync all test
  * remove nfs.downloadStream first, fix tmppath error
-  * fix fengmk2/giturl#1 bug
+  * fix fengmk2/giturl[#1](https://github.com/cnpm/cnpmjs.org/issues/1) bug

-0.3.1 / 2014-02-27 
+0.3.1 / 2014-02-27
 ==================

-  * add etag fixed #224
+  * add etag fixed [#224](https://github.com/cnpm/cnpmjs.org/issues/224)
  * travis ci install on source npm

-0.3.0 / 2014-02-27 
+0.3.0 / 2014-02-27
 ==================

  * fix typo and dont sync not exists pkgs
@@ -161,162 +338,162 @@
  * fix all the test of registry module.test.js
  * convert registry/module.js to koa type
  * fix auth middleware
-  * finish registry user controller koa and update mm to support thunkify. fixed #196
+  * finish registry user controller koa and update mm to support thunkify. fixed [#196](https://github.com/cnpm/cnpmjs.org/issues/196)
  * change controllers/user.js to koa
  * thunkify all proxy
  * convert all middlewares to koa type
  * change regsitry sync to koa
  * addd koa-jsonp, koa-bodyparser, fix / controller
  * first koa run registry home page /
-  * Merge pull request #212 from cnpm/fix-sync-404
+  * Merge pull request [#212](https://github.com/cnpm/cnpmjs.org/issues/212) from cnpm/fix-sync-404
  * return friendly 404 reason
-  * Merge pull request #211 from cnpm/bug-fix
-  * override json limit to default 10mb. fixed #209
-  * fix #210 addPackageAndDist package version detect bug
+  * Merge pull request [#211](https://github.com/cnpm/cnpmjs.org/issues/211) from cnpm/bug-fix
+  * override json limit to default 10mb. fixed [#209](https://github.com/cnpm/cnpmjs.org/issues/209)
+  * fix [#210](https://github.com/cnpm/cnpmjs.org/issues/210) addPackageAndDist package version detect bug

-0.2.27 / 2014-02-19 
+0.2.27 / 2014-02-19
 ==================

-  * support json result in search, fixed #189
+  * support json result in search, fixed [#189](https://github.com/cnpm/cnpmjs.org/issues/189)

-0.2.26 / 2014-02-19 
+0.2.26 / 2014-02-19
 ==================

  * npm publish also need to add deps

-0.2.25 / 2014-02-19 
+0.2.25 / 2014-02-19
 ==================

  * max handle number of package.json `dependencies` property
-  * Dependents support. fixed #190
+  * Dependents support. fixed [#190](https://github.com/cnpm/cnpmjs.org/issues/190)

-0.2.24 / 2014-02-13 
+0.2.24 / 2014-02-13
 ==================

  * fix if delete all the versions
-  * refactor remove module, fixed #186
+  * refactor remove module, fixed [#186](https://github.com/cnpm/cnpmjs.org/issues/186)

-0.2.23 / 2014-01-26 
+0.2.23 / 2014-01-26
 ==================

-  * system admin can add, publish, remove the packages. fixed #176
+  * system admin can add, publish, remove the packages. fixed [#176](https://github.com/cnpm/cnpmjs.org/issues/176)

-0.2.22 / 2014-01-26 
+0.2.22 / 2014-01-26
 ==================

-  * add keyword and search support keyword. #181
+  * add keyword and search support keyword. [#181](https://github.com/cnpm/cnpmjs.org/issues/181)

-0.2.21 / 2014-01-24 
+0.2.21 / 2014-01-24
 ==================

  * refactor code styles on package.html
  * nav-tabs e.preventDefault
-  * Show registry server error response. fixed #178
+  * Show registry server error response. fixed [#178](https://github.com/cnpm/cnpmjs.org/issues/178)
  * nav-tabs for package.html (@4simple)

-0.2.20 / 2014-01-23 
+0.2.20 / 2014-01-23
 ==================

  * hotfix sync missing dependencies and readmes
-  * fix sync readme error, fixed #174
+  * fix sync readme error, fixed [#174](https://github.com/cnpm/cnpmjs.org/issues/174)
  * add updateReadme in module

-0.2.19 / 2014-01-22 
+0.2.19 / 2014-01-22
 ==================

-  * npm install no need to check authorization header. fixed #171
+  * npm install no need to check authorization header. fixed [#171](https://github.com/cnpm/cnpmjs.org/issues/171)

-0.2.18 / 2014-01-20 
+0.2.18 / 2014-01-20
 ==================

-  * Support gitlab git url to display and click. fixed #160
+  * Support gitlab git url to display and click. fixed [#160](https://github.com/cnpm/cnpmjs.org/issues/160)
  * fix redis crash

-0.2.17 / 2014-01-17 
+0.2.17 / 2014-01-17
 ==================

  * custom logo url
  * hotfix layout bug

-0.2.16 / 2014-01-16 
+0.2.16 / 2014-01-16
 ==================

  * fix publish-time bug

-0.2.15 / 2014-01-16 
+0.2.15 / 2014-01-16
 ==================

  * add publish_time to debug

-0.2.14 / 2014-01-16 
+0.2.14 / 2014-01-16
 ==================

  * add make autod
-  * update publish_time, fixed #163
+  * update publish_time, fixed [#163](https://github.com/cnpm/cnpmjs.org/issues/163)

-0.2.13 / 2014-01-15 
+0.2.13 / 2014-01-15
 ==================

  * markdown tmpl not support footer, need to wrap on app start

-0.2.12 / 2014-01-15 
+0.2.12 / 2014-01-15
 ==================

  * add footer and npm client name customable

-0.2.11 / 2014-01-15 
+0.2.11 / 2014-01-15
 ==================

  * package page contributor link to search, default is true

-0.2.10 / 2014-01-14 
+0.2.10 / 2014-01-14
 ==================

-  * fix #155 Content-Disposition wrong.
+  * fix [#155](https://github.com/cnpm/cnpmjs.org/issues/155) Content-Disposition wrong.

-0.2.9 / 2014-01-14 
+0.2.9 / 2014-01-14
 ==================

  * support startkey=c and startkey="c"
-  * support couch db search api. fixed #153
+  * support couch db search api. fixed [#153](https://github.com/cnpm/cnpmjs.org/issues/153)
  * fix fork me image link
  * support sync by query.name

-0.2.8 / 2014-01-14 
+0.2.8 / 2014-01-14
 ==================

  * dont show err stack on test env
  * add download link for package page

-0.2.7 / 2014-01-13 
+0.2.7 / 2014-01-13
 ==================

-  * add shasum when nfs.upload and hfs.uploadBuffer, fixed #148
+  * add shasum when nfs.upload and hfs.uploadBuffer, fixed [#148](https://github.com/cnpm/cnpmjs.org/issues/148)

-0.2.6 / 2014-01-13 
+0.2.6 / 2014-01-13
 ==================

-  * support custom session store, fixed #146
+  * support custom session store, fixed [#146](https://github.com/cnpm/cnpmjs.org/issues/146)

-0.2.5 / 2014-01-13 
+0.2.5 / 2014-01-13
 ==================

  * add download timeout and unit test
  * use downloadStream() first
  * nfs download to a writeable stream.

-0.2.4 / 2014-01-10 
+0.2.4 / 2014-01-10
 ==================

-  * set main script to  index.js, fixed #142
+  * set main script to  index.js, fixed [#142](https://github.com/cnpm/cnpmjs.org/issues/142)

-0.2.3 / 2014-01-10 
+0.2.3 / 2014-01-10
 ==================

  * Dont show sync button on private package
-  * Sync package as publish with no deps. fixed #138
+  * Sync package as publish with no deps. fixed [#138](https://github.com/cnpm/cnpmjs.org/issues/138)

-0.2.2 / 2014-01-10 
+0.2.2 / 2014-01-10
 ==================

  * keep compatibility
@@ -326,23 +503,23 @@
  * new npm publish in one request, add _publish_in_cnpm
  * support unsure name ufs
  * contributors maybe a object
-  * Object #<Object> has no method 'forEach' fixed #134
-  * support custom config as a module, fixed issue #132
-  * support npm new publish flow. fixed #129
+  * Object #<Object> has no method 'forEach' fixed [#134](https://github.com/cnpm/cnpmjs.org/issues/134)
+  * support custom config as a module, fixed issue [#132](https://github.com/cnpm/cnpmjs.org/issues/132)
+  * support npm new publish flow. fixed [#129](https://github.com/cnpm/cnpmjs.org/issues/129)
  * add toString and constructor to test admin
-  * fix #119 hasOwnProperty check admin bug.
+  * fix [#119](https://github.com/cnpm/cnpmjs.org/issues/119) hasOwnProperty check admin bug.

-0.2.0 / 2013-12-27 
+0.2.0 / 2013-12-27
 ==================

  * remove to lower case
-  * fix #127 execSync and execsync.
+  * fix [#127](https://github.com/cnpm/cnpmjs.org/issues/127) execSync and execsync.
  * add contributors list on package page
  * mv blanket to config
  * sync typeerror fix #statusCode
  * add disturl
-  * fix #122 admin security bug
-  * fixed #121, let pkg 404 as success
+  * fix [#122](https://github.com/cnpm/cnpmjs.org/issues/122) admin security bug
+  * fixed [#121](https://github.com/cnpm/cnpmjs.org/issues/121), let pkg 404 as success
  * fix sql insert error
  * fix typos

@@ -354,78 +531,78 @@
  * make sure all packages name are lower case
  * select ids from tag
  * fix nodejsctl
-  * fix #112 missing versions and time no sync
+  * fix [#112](https://github.com/cnpm/cnpmjs.org/issues/112) missing versions and time no sync
  * remove restart command
  * fix sync missing packages error
  * fix web/readme.md, add install
-  * fix #109 pkg no times and no versions bug.
+  * fix [#109](https://github.com/cnpm/cnpmjs.org/issues/109) pkg no times and no versions bug.

 0.1.2 / 2013-12-19
 ==================

-  * fix times not exists canot sync bug. fixed #101
+  * fix times not exists canot sync bug. fixed [#101](https://github.com/cnpm/cnpmjs.org/issues/101)
  * support npm run command
-  * remove before_install and install in travis, fixed #102
-  * split all sub queries, fixed #104
-  * fix doc, fixed #103
+  * remove before_install and install in travis, fixed [#102](https://github.com/cnpm/cnpmjs.org/issues/102)
+  * split all sub queries, fixed [#104](https://github.com/cnpm/cnpmjs.org/issues/104)
+  * fix doc, fixed [#103](https://github.com/cnpm/cnpmjs.org/issues/103)
  * fix search too slow.
  * dont email sync log level info
  * only sync missing packages at first time
  * update dependencies
-  * sync all will sync all the missing packages, fixed #97
+  * sync all will sync all the missing packages, fixed [#97](https://github.com/cnpm/cnpmjs.org/issues/97)

 0.1.0 / 2013-12-12
 ==================

  * add sync title
-  * add favicon. fixed #69
-  * refine sync page, fiexd #70
+  * add favicon. fixed [#69](https://github.com/cnpm/cnpmjs.org/issues/69)
+  * refine sync page, fiexd [#70](https://github.com/cnpm/cnpmjs.org/issues/70)
  * add app version
  * add test for sync
  * refine sync page
  * registry and web all use controllers/sync.js
-  * sync from web, fixed #58
+  * sync from web, fixed [#58](https://github.com/cnpm/cnpmjs.org/issues/58)
  * saving missing descriptions
-  * add package download info. fixed #63
+  * add package download info. fixed [#63](https://github.com/cnpm/cnpmjs.org/issues/63)
  * add avatar
  * use dependecies, fixed #issue62
-  * support open search, fixed #60
-  * make sure publish_time and author is same to source npm registry. fixed #56
+  * support open search, fixed [#60](https://github.com/cnpm/cnpmjs.org/issues/60)
+  * make sure publish_time and author is same to source npm registry. fixed [#56](https://github.com/cnpm/cnpmjs.org/issues/56)
  * add test for search
  * add a simple search by mysql like
-  * fix This version of MySQL doesn't yet support 'LIMIT & IN/ALL/ANY/SOME subquery. fixed #54
+  * fix This version of MySQL doesn't yet support 'LIMIT & IN/ALL/ANY/SOME subquery. fixed [#54](https://github.com/cnpm/cnpmjs.org/issues/54)
  * update install doc, use nodejsctl to start
  * must add limit on list by author sql
-  * fix sql, change test to fit my local database, fixed #46
+  * fix sql, change test to fit my local database, fixed [#46](https://github.com/cnpm/cnpmjs.org/issues/46)
  * use registry.cnpmjs.org
-  * add install document and total package info on home page. fix #42
-  * add module_id to tag table. #46
-  * skip error version. fixed #43
+  * add install document and total package info on home page. fix [#42](https://github.com/cnpm/cnpmjs.org/issues/42)
+  * add module_id to tag table. [#46](https://github.com/cnpm/cnpmjs.org/issues/46)
+  * skip error version. fixed [#43](https://github.com/cnpm/cnpmjs.org/issues/43)
  * sync may make a user do not exist in database, but have modules in registry
  * add user page
  * fix set license
-  * ignore 404 on sync. fixed #39
+  * ignore 404 on sync. fixed [#39](https://github.com/cnpm/cnpmjs.org/issues/39)
  * fix module page, add test
  * update urllib to 0.5.5
  * version and tag
  * add module page
  * fix download url
  * first get tag, then try version
-  * support sync triggle by install, finish #31
+  * support sync triggle by install, finish [#31](https://github.com/cnpm/cnpmjs.org/issues/31)
  * addTag error return 500
  * just one download field
  * add download total info on home page
  * add download count
  * versions empty and also check missing tags
  * remove tags on unpublish
-  * add module tag. fix #6
+  * add module tag. fix [#6](https://github.com/cnpm/cnpmjs.org/issues/6)
  * add [done] flag to check sync done on client
-  * get sync log #29
+  * get sync log [#29](https://github.com/cnpm/cnpmjs.org/issues/29)
  * fix test in module
  * rm tmp file on down request error
  * add time for debug str
  * fix pkg not exists null bug
-  * use sync module woker to handle sync process. fixed #19
+  * use sync module woker to handle sync process. fixed [#19](https://github.com/cnpm/cnpmjs.org/issues/19)
  * if private mode enable, only admin can publish module
  * add alias in readme
  * fix sql, add sort by name
@@ -434,15 +611,15 @@
  * add npm and cnpm image
  * add registry total info on home page
  * fix mods bug in module.removeAll, change module.update => module.removeWithVersions
-  * add test, fix bug. fixed #18
+  * add test, fix bug. fixed [#18](https://github.com/cnpm/cnpmjs.org/issues/18)
  * spoort unpublish
  * add web page index readme
-  * switchable nfs #21
+  * switchable nfs [#21](https://github.com/cnpm/cnpmjs.org/issues/21)
  * change file path to match npm file path
-  * use qn cdn to store tarball file fixed #16
-  * add GET /:name/:version, fixed #3
+  * use qn cdn to store tarball file fixed [#16](https://github.com/cnpm/cnpmjs.org/issues/16)
+  * add GET /:name/:version, fixed [#3](https://github.com/cnpm/cnpmjs.org/issues/3)
  * add module controller test cases; fix next module not exists logic bug.
-  * publish module flow finish #11
+  * publish module flow finish [#11](https://github.com/cnpm/cnpmjs.org/issues/11)
  * add test for controllers/registry/user.js
  * add test for middleware/auth
  * add test for proxy/user
@@ -453,9 +630,9 @@
  * add start time
  * add home page
  * remove session controller
-  * adduser() finish fixed #5
+  * adduser() finish fixed [#5](https://github.com/cnpm/cnpmjs.org/issues/5)
  * rm app.js and routes.js
-  * Mock npm adduser server response, fixing #5
+  * Mock npm adduser server response, fixing [#5](https://github.com/cnpm/cnpmjs.org/issues/5)
  * adjust project dir, separate registry and web server
  * Init rest frame for cnpmjs.org
  * init
--- a/29
+++ b/29
@@ -1,12 +1,12 @@
 TESTS = $(shell ls -S `find test -type f -name "*.test.js" -print`)
-REPORTER = tap
+REPORTER = spec
 TIMEOUT = 30000
 MOCHA_OPTS =
-REGISTRY = --registry=http://r.cnpmjs.org
+REGISTRY = --registry=https://registry.npm.taobao.org

 install:
 	@npm install $(REGISTRY) \
-		--disturl=http://dist.cnpmjs.org
+		--disturl=https://npm.taobao.org/dist

 jshint: install
 	@-./node_modules/.bin/jshint ./
@@ -19,16 +19,17 @@ pretest:

 test: install pretest
 	@NODE_ENV=test ./node_modules/.bin/mocha \
-		--harmony-generators \
+		--harmony \
 		--reporter $(REPORTER) \
 		--timeout $(TIMEOUT) \
 		--require should \
+		--require should-http \
 		--require co-mocha \
 		--require ./test/init.js \
 		$(MOCHA_OPTS) \
 		$(TESTS)

-test-cov cov: install
+test-cov cov: install pretest
 	@NODE_ENV=test node --harmony \
 		node_modules/.bin/istanbul cover --preserve-comments \
 		./node_modules/.bin/_mocha \
@@ -36,17 +37,33 @@ test-cov cov: install
 		--reporter $(REPORTER) \
 		--timeout $(TIMEOUT) \
 		--require should \
+		--require should-http \
 		--require co-mocha \
 		--require ./test/init.js \
 		$(MOCHA_OPTS) \
 		$(TESTS)
 	@./node_modules/.bin/cov coverage

+test-travis: install pretest
+	@NODE_ENV=test node --harmony \
+		node_modules/.bin/istanbul cover --preserve-comments \
+		./node_modules/.bin/_mocha \
+		--report lcovonly \
+		-- \
+		--reporter dot \
+		--timeout $(TIMEOUT) \
+		--require should \
+		--require should-http \
+		--require co-mocha \
+		--require ./test/init.js \
+		$(MOCHA_OPTS) \
+		$(TESTS)
+
 contributors: install
 	@./node_modules/.bin/contributors -f plain -o AUTHORS

 autod: install
-	@./node_modules/.bin/autod -w -e public,view,docs,backup,coverage
+	@./node_modules/.bin/autod -w -e public,view,docs,backup,coverage -k nodemailer
 	@$(MAKE) install

 .PHONY: test
--- a/README.md
+++ b/README.md
@@ -1,9 +1,22 @@
 cnpmjs.org
 =======

-[![Build Status](https://secure.travis-ci.org/cnpm/cnpmjs.org.png)](http://travis-ci.org/cnpm/cnpmjs.org) [![Dependency Status](https://gemnasium.com/cnpm/cnpmjs.org.png)](https://gemnasium.com/cnpm/cnpmjs.org)
+[![NPM version][npm-image]][npm-url]
+[![build status][travis-image]][travis-url]
+[![Test coverage][coveralls-image]][coveralls-url]
+[![Gittip][gittip-image]][gittip-url]
+[![David deps][david-image]][david-url]

-[![NPM](https://nodei.co/npm/cnpmjs.org.png?downloads=true&stars=true)](https://nodei.co/npm/cnpmjs.org/)
+[npm-image]: https://img.shields.io/npm/v/cnpmjs.org.svg?style=flat
+[npm-url]: https://npmjs.org/package/cnpmjs.org
+[travis-image]: https://img.shields.io/travis/cnpm/cnpmjs.org.svg?style=flat
+[travis-url]: https://travis-ci.org/cnpm/cnpmjs.org
+[coveralls-image]: https://img.shields.io/coveralls/cnpm/cnpmjs.org.svg?style=flat
+[coveralls-url]: https://coveralls.io/r/cnpm/cnpmjs.org?branch=master
+[gittip-image]: https://img.shields.io/gittip/fengmk2.svg?style=flat
+[gittip-url]: https://www.gittip.com/fengmk2/
+[david-image]: https://img.shields.io/david/cnpm/cnpmjs.org.svg?style=flat
+[david-url]: https://david-dm.org/cnpm/cnpmjs.org

 ![logo](https://raw.github.com/cnpm/cnpmjs.org/master/logo.png)

@@ -22,6 +35,7 @@ Our goal is to provide a low cost maintenance and easy to use solution for priva

 ### Features

+* **Support "scoped" packages**: [npm/npm#5239](https://github.com/npm/npm/issues/5239)
 * **Simple to deploy**: only need `mysql` and a [simple store system](https://github.com/cnpm/cnpmjs.org/wiki/NFS-Guide).
 You can get the source code through `npm` or `git`.
 * **Low cost and easy maintenance**: `package.json` info store in MySQL, tarball(tgz file) store in CDN or other store systems.
@@ -50,7 +64,7 @@ only need to change the registry in config. Even include manual synchronization

 ### Dependencies

-* [node](http://nodejs.org) >=0.11.9
+* [node](http://nodejs.org) =0.11.12
 * [mysql](http://dev.mysql.com/downloads/) >= 0.5.0, include `mysqld` and `mysql cli`. I test on `mysql@5.6.16`.

 ### Start MySQL
@@ -78,7 +92,7 @@ $ make test-cov
 $ make autod

 # start server
-$ node --harmony dispatch.js
+$ node --harmony_generators dispatch.js
 ```

 ## How to contribute
--- a/bin/nodejsctl
+++ b/bin/nodejsctl
@@ -7,7 +7,7 @@ export NODE_ENV='production'
 ulimit -c unlimited

 cd `dirname $0`/..
-NODEJS='node --harmony-generators'
+NODEJS='node --harmony'
 BASE_HOME=`pwd`
 PROJECT_NAME=`basename ${BASE_HOME}`
 STDOUT_LOG=`$NODEJS -e "console.log(require('path').join(require('$BASE_HOME/config').logdir, 'nodejs_stdout.log'));\
--- a/common/logger.js
+++ b/common/logger.js
@@ -15,73 +15,48 @@
 * Module dependencies.
 */

-var util = require('util');
-var moment = require('moment');
-var logstream = require('logfilestream');
-var ms = require('ms');
+var formater = require('error-formater');
+var Logger = require('mini-logger');
 var config = require('../config');
+var utility = require('utility');
 var mail = require('./mail');
+var util = require('util');

 var isTEST = process.env.NODE_ENV === 'test';
-var ONE_DAY = ms('1d');
-var levels = ['info', 'warn', 'error'];
+var categories = ['sync_info', 'sync_error'];

-levels.forEach(function (catetory) {
-  var options = {
-    logdir: config.logdir,
-    duration: ONE_DAY,
-    nameformat: '[' + catetory + '.]YYYY-MM-DD[.log]'
-  };
-  var stream = logstream(options);
-  function write(msg) {
-    var time = moment().format('YYYY-MM-DD HH:mm:ss.SSS');
-    var subject = null;
-    if (msg instanceof Error) {
-      subject = msg.name;
-      var err = {
-        name: msg.name,
-        code: msg.code,
-        message: msg.message,
-        stack: msg.stack,
-        host: msg.host,
-        url: msg.url,
-        data: msg.data
-      };
-      if (err.name === 'Error' && typeof err.code === 'string') {
-        err.name = err.code + err.name;
-      }
-      err.name += 'Exception';
-      if (err.host) {
-        err.message += ' (' + err.host + ')';
-      }
-      msg = util.format('%s nodejs.%s: %s\nURL: %s\nData: %j\n%s\n\n',
-        time,
-        err.name,
-        err.stack,
-        err.url,
-        err.data,
-        time
-      );
-    } else {
-      msg = time + ' ' + util.format.apply(util, arguments) + '\n';
-    }
-
-    if (!isTEST) {
-      stream.write(msg);
-      if (config.debug) {
-        var level = catetory;
-        console.log('[' + level + '] ' + msg);
-      } else {
-        if (catetory === 'error' && subject) {
-          // send error email
-          var to = [];
-          for (var name in config.admins) {
-            to.push(config.admins[name]);
-          }
-          mail.error(to, subject, msg);
-        }
-      }
-    }
-  }
-  exports[catetory] = write;
+var logger = module.exports = Logger({
+  categories: categories,
+  dir: config.logdir,
+  duration: '1d',
+  format: '[{category}.]YYYY-MM-DD[.log]',
+  stdout: config.debug && !isTEST,
+  errorFormater: errorFormater
 });
+
+var to = [];
+for (var user in config.admins) {
+  to.push(config.admins[user]);
+}
+
+function errorFormater(err) {
+  var msg = formater.both(err);
+  mail.error(to, msg.json.name, msg.text);
+  return msg.text;
+}
+
+logger.syncInfo = function () {
+  var args = [].slice.call(arguments);
+  if (typeof args[0] === 'string') {
+    args[0] = util.format('[%s][%s] ', utility.logDate(), process.pid) + args[0];
+  }
+  logger.sync_info.apply(logger, args);
+};
+
+logger.syncError =function () {
+  var args = [].slice.call(arguments);
+  if (typeof args[0] === 'string') {
+    args[0] = util.format('[%s][%s] ', utility.logDate(), process.pid) + args[0];
+  }
+  logger.sync_error.apply(logger, arguments);
+};
--- a/common/qnfs.js
+++ b/common/qnfs.js
@@ -16,10 +16,11 @@

 var thunkify = require('thunkify-wrap');
 var qn = require('qn');
+var fs = require('fs');
 var config = require('../config');
 var client = qn.create(config.qn);

-thunkify(client, ['delete', 'uploadFile', 'upload']);
+thunkify(client, ['delete', 'uploadFile', 'upload', 'download']);

 exports._client = client;

@@ -62,6 +63,14 @@ exports.url = function (key) {
  return client.resourceURL(key);
 };

+exports.download = function* (key, filepath, options) {
+  var writeStream = fs.createWriteStream(filepath);
+  yield client.download(key, {
+    timeout: options.timeout,
+    writeStream: writeStream
+  });
+};
+
 exports.remove = function *(key) {
  try {
    return yield client.delete(key);
--- a/common/redis.js
+++ b/common/redis.js
@@ -17,13 +17,12 @@
 var config = require('../config');

 // close redis by set config.redis to `null` or `{}`
-if (!config.redis || !config.redis.host || !config.redis.port) {
+if (config.redis && config.redis.host && config.redis.port) {

  var redis = require('redis');
  var wrapper = require('co-redis');
  var logger = require('./logger');
-
-  var _client = redis.createClient(config.redis);
+  var _client = redis.createClient(config.redis.port, config.redis.host);

  _client.on('error', function (err) {
    logger.error(err);
--- a/common/session.js
+++ b/common/session.js
@@ -1,34 +0,0 @@
-/*!
- * cnpmjs.org - common/session.js
- *
- * Copyright(c) cnpmjs.org and other contributors.
- * MIT Licensed
- *
- * Authors:
- *  fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
- *  dead_horse <dead_horse@qq.com> (http://deadhorse.me)
- */
-
-'use strict';
-
-/**
- * Module dependencies.
- */
-
-var middlewares = require('koa-middlewares');
-var config = require('../config');
-
-var key = 'AuthSession';
-var cookie = { path: '/', httpOnly: true, maxAge: 3600000 * 24 * 365, signed: false };
-var options = {
-  key: key,
-  cookie: cookie,
-  defer: true,
-  rolling: false
-};
-
-if (!config.debug) {
-  options.store = config.sessionStore || middlewares.RedisStore(config.redis);
-}
-
-module.exports = middlewares.session(options);
--- a/config/index.js
+++ b/config/index.js
@@ -27,15 +27,88 @@ var version = require('../package.json').version;
 var root = path.dirname(__dirname);

 var config = {
+
  version: version,
-  registryPort: 7001,
-  webPort: 7002,
+
+  /**
+   * Cluster mode
+   */
  enableCluster: false,
  numCPUs: os.cpus().length,
-  debug: true, // if debug
+
+  /*
+   * server configure
+   */
+  registryPort: 7001,
+  webPort: 7002,
+  bindingHost: '127.0.0.1', // only binding on 127.0.0.1 for local access
+
+  // debug mode
+  // if in debug mode, some middleware like limit wont load
+  // logger module will print to stdout
+  debug: true,
+  // session secret
+  sessionSecret: 'cnpmjs.org test session secret',
+  // max request json body size
+  jsonLimit: '10mb',
+  // log dir name
  logdir: path.join(root, '.tmp', 'logs'),
+  // update file template dir
+  uploadDir: path.join(root, '.dist'),
+  // web page viewCache
  viewCache: false,
-  // mysql config
+
+  // config for koa-limit middleware
+  // for limit download rates
+  limit: {
+    enable: false,
+    token: 'koa-limit:download',
+    limit: 1000,
+    interval: 1000 * 60 * 60 * 24,
+    whiteList: [],
+    blackList: [],
+    message: 'request frequency limited, any question, please contact fengmk2@gmail.com',
+  },
+
+  enableCompress: false, // enable gzip response or not
+
+  // default system admins
+  admins: {
+    // name: email
+    fengmk2: 'fengmk2@gmail.com',
+    admin: 'admin@cnpmjs.org',
+    dead_horse: 'dead_horse@qq.com',
+    cnpmjstest10: 'cnpmjstest10@cnpmjs.org',
+  },
+
+  // email notification for errors
+  mail: {
+    appname: 'cnpmjs.org',
+    sender: 'cnpmjs.org mail sender <adderss@gmail.com>',
+    host: 'smtp.gmail.com',
+    port: 465,
+    user: 'address@gmail.com',
+    pass: 'your password',
+    ssl: true,
+    debug: false
+  },
+
+
+  logoURL: '//ww4.sinaimg.cn/large/69c1d4acgw1ebfly5kjlij208202oglr.jpg', // cnpm logo image url
+  customReadmeFile: '', // you can use your custom readme file instead the cnpm one
+  customFooter: '', // you can add copyright and site total script html here
+  npmClientName: 'cnpm', // use `${name} install package`
+  packagePageContributorSearch: true, // package page contributor link to search, default is true
+
+  // max handle number of package.json `dependencies` property
+  maxDependencies: 200,
+  // backup filepath prefix
+  backupFilePrefix: '/cnpm/backup/',
+
+  /**
+   * mysql config
+   */
+
  mysqlServers: [
    {
      host: '127.0.0.1',
@@ -48,62 +121,75 @@ var config = {
  mysqlMaxConnections: 4,
  mysqlQueryTimeout: 5000,

-  sessionSecret: 'cnpmjs.org test session secret',
-  redis: {
-    host: 'pub-redis-19533.us-east-1-4.3.ec2.garantiadata.com',
-    port: 19533,
-    pass: 'cnpmjs_dev'
-  },
-  jsonLimit: '10mb', // max request json body size
-  uploadDir: path.join(root, 'public', 'dist'),
+
+  // redis config
+  // use for koa-limit module as storage
+  redis: null,
+
+  // package tarball store in qn by default
  // qiniu cdn: http://www.qiniu.com/, it free for dev.
  qn: {
-    accessKey: "iN7NgwM31j4-BZacMjPrOQBs34UG1maYCAQmhdCV",
-    secretKey: "6QTOr2Jg1gcZEWDQXKOGZh5PziC2MCV5KsntT70j",
-    bucket: "qtestbucket",
-    domain: "http://qtestbucket.qiniudn.com"
+    accessKey: "5UyUq-l6jsWqZMU6tuQ85Msehrs3Dr58G-mCZ9rE",
+    secretKey: "YaRsPKiYm4nGUt8mdz2QxeV5Q_yaUzVxagRuWTfM",
+    bucket: "qiniu-sdk-test",
+    domain: "http://qiniu-sdk-test.qiniudn.com",
  },

-  mail: {
-    appname: 'cnpmjs.org',
-    sender: 'cnpmjs.org mail sender <adderss@gmail.com>',
-    host: 'smtp.gmail.com',
-    port: 465,
-    user: 'address@gmail.com',
-    pass: 'your password',
-    ssl: true,
-    debug: false
-  },
-
-  disturl: 'http://dist.u.qiniudn.com',
-  logoURL: 'http://ww4.sinaimg.cn/large/69c1d4acgw1ebfly5kjlij208202oglr.jpg',
+  // registry url name
  registryHost: 'r.cnpmjs.org',
-  customFooter: '', // you can add copyright and site total script html here
-  npmClientName: 'cnpm', // use `${name} install package`
-  packagePageContributorSearch: true, // package page contributor link to search, default is true
-  sourceNpmRegistry: 'http://registry.npmjs.org',
-  enablePrivate: true, // enable private mode, only admin can publish, other use just can sync package from source npm
-  admins: {
-    fengmk2: 'fengmk2@gmail.com',
-    admin: 'admin@cnpmjs.org',
-    dead_horse: 'dead_horse@qq.com',
-    cnpmjstest10: 'cnpmjstest10@cnpmjs.org',
-  },
-  syncByInstall: true,
-  backupFilePrefix: '/cnpm/backup/', // backup filepath prefix
-  syncModel: 'none', // 'none', 'all', 'exist'
-  syncConcurrency: 1,
-  maxDependencies: 200, // max handle number of package.json `dependencies` property

-  limit: {
-    enable: false,
-    token: 'koa-limit:download',
-    limit: 1000,
-    interval: 1000 * 60 * 60 * 24,
-    whiteList: [],
-    blackList: [],
-    message: 'request frequency limited, any question, please contact fengmk2@gmail.com',
-  }
+
+  /**
+   * registry mode config
+   */
+
+  // enable private mode, only admin can publish, other use just can sync package from source npm
+  enablePrivate: true,
+
+  // registry scopes, if don't set, means do not support scopes
+  scopes: [
+    '@cnpm',
+    '@cnpmtest'
+  ],
+
+  // redirect @cnpm/private-package => private-package
+  // forward compatbility for update from lower version cnpmjs.org
+  adaptScope: true,
+
+  // force user publish with scope
+  // but admins still can publish without scope
+  forcePublishWithScope: true,
+
+  // some registry already have some private packages in global scope
+  // but we want to treat them as scoped private packages,
+  // so you can use this white list.
+  privatePackages: ['private-package'],
+
+  /**
+   * sync configs
+   */
+
+  // sync dist config
+  // sync node.js dist from nodejs.org
+  noticeSyncDistError: true,
+  disturl: 'http://nodejs.org/dist',
+  syncDist: false,
+
+  // sync source
+  sourceNpmRegistry: 'http://registry.npmjs.org',
+
+  // if install return 404, try to sync from source registry
+  syncByInstall: true,
+
+  // sync mode select
+  // none: do not sync any module
+  // exist: only sync exist modules
+  // all: sync all modules
+  syncModel: 'none', // 'none', 'all', 'exist'
+
+  syncConcurrency: 1,
+  // sync interval, default is 10 minutes
+  syncInterval: '10m',
 };

 // load config/config.js, everything in config.js will cover the same key in index.js
--- a/controllers/registry/module.js
+++ b/controllers/registry/module.js
@@ -18,6 +18,7 @@
 var debug = require('debug')('cnpmjs.org:controllers:registry:module');
 var path = require('path');
 var fs = require('fs');
+var util = require('util');
 var crypto = require('crypto');
 var utility = require('utility');
 var coRead = require('co-read');
@@ -36,15 +37,52 @@ var SyncModuleWorker = require('../../proxy/sync_module_worker');
 var logger = require('../../common/logger');
 var ModuleDeps = require('../../proxy/module_deps');
 var ModuleStar = require('../../proxy/module_star');
+var ModuleUnpublished = require('../../proxy/module_unpublished');
+var packageService = require('../../services/package');
+var UserService = require('../../services/user');
+var downloadAsReadStream = require('../utils').downloadAsReadStream;

 /**
 * show all version of a module
+ * GET /:name
 */
-exports.show = function *(next) {
-  var name = this.params.name;
-  var modifiedTime = yield *Module.getLastModified(name);
-  debug('show %s, last modified: %s', name, modifiedTime);
+exports.show = function* (next) {
+  var orginalName = this.params.name || this.params[0];
+  var name = orginalName;
+  var rs = yield [
+    Module.getLastModified(name),
+    Module.listTags(name)
+  ];
+  var modifiedTime = rs[0];
+  var tags = rs[1];
+  var adaptDefaultScope = false;
+
+  if (tags.length === 0) {
+    var adaptName = yield* Module.getAdaptName(name);
+    if (adaptName) {
+      adaptDefaultScope = true;
+      // remove default scope name and retry
+      name = adaptName;
+      rs = yield [
+        Module.getLastModified(name),
+        Module.listTags(name),
+      ];
+      modifiedTime = rs[0];
+      tags = rs[1];
+    }
+  }
+
+  debug('show %s(%s), last modified: %s, tags: %j', name, orginalName, modifiedTime, tags);
  if (modifiedTime) {
+    // find out the latest modfied time
+    // because update tags only modfied tag, wont change module gmt_modified
+    for (var i = 0; i < tags.length; i++) {
+      var tag = tags[i];
+      if (tag.gmt_modified > modifiedTime) {
+        modifiedTime = tag.gmt_modified;
+      }
+    }
+
    // use modifiedTime as etag
    this.set('ETag', '"' + modifiedTime.getTime() + '"');

@@ -58,22 +96,46 @@ exports.show = function *(next) {
  }

  var r = yield [
-    Module.listTags(name),
    Module.listByName(name),
-    ModuleStar.listUsers(name)
+    ModuleStar.listUsers(name),
+    packageService.listMaintainers(name),
  ];
-  var tags = r[0];
-  var rows = r[1];
-  var users = r[2];
+  var rows = r[0];
+  var users = r[1];
+  var maintainers = r[2];
+
+  debug('show %s got %d rows, %d tags, %d star users, maintainers: %j',
+    name, rows.length, tags.length, users.length, maintainers);
+
  var userMap = {};
  for (var i = 0; i < users.length; i++) {
    userMap[users[i]] = true;
  }
  users = userMap;
+
+  if (rows.length === 0) {
+    // check if unpublished
+    var unpublishedInfo = yield* ModuleUnpublished.get(name);
+    debug('show unpublished %j', unpublishedInfo);
+    if (unpublishedInfo) {
+      this.status = 404;
+      this.body = {
+        _id: orginalName,
+        name: orginalName,
+        time: {
+          modified: unpublishedInfo.package.time,
+          unpublished: unpublishedInfo.package,
+        },
+        _attachments: {}
+      };
+      return;
+    }
+  }
+
  // if module not exist in this registry,
  // sync the module backend and return package info from official registry
  if (rows.length === 0) {
-    if (!this.allowSync) {
+    if (!this.allowSync || adaptDefaultScope) {
      this.status = 404;
      this.body = {
        error: 'not_found',
@@ -82,8 +144,8 @@ exports.show = function *(next) {
      return;
    }
    var result = yield SyncModuleWorker.sync(name, 'sync-by-install');
-    this.status = result.ok ? 200 : result.statusCode;
    this.body = result.pkg;
+    this.status = result.ok ? 200 : (result.statusCode || 500);
    return;
  }

@@ -118,10 +180,20 @@ exports.show = function *(next) {
      readme = pkg.readme;
    }
    delete pkg.readme;
+    if (maintainers.length > 0) {
+      // TODO: need to use newer maintainers
+      pkg.maintainers = maintainers;
+    }

    if (!createdTime || t < createdTime) {
      createdTime = t;
    }
+
+    if (adaptDefaultScope) {
+      // change to orginal name for default scope was removed above
+      pkg.name = orginalName;
+      pkg._id = orginalName + '@' + pkg.version;
+    }
  }

  if (modifiedTime && createdTime) {
@@ -150,10 +222,16 @@ exports.show = function *(next) {

  var pkg = latestMod.package;

+  if (tags.length === 0 && pkg.version !== 'next') {
+    // some sync error reason, will cause tags missing
+    // set latest tag at least
+    distTags.latest = pkg.version;
+  }
+
  var info = {
-    _id: name,
+    _id: orginalName,
    _rev: rev,
-    name: name,
+    name: orginalName,
    description: pkg.description,
    "dist-tags": distTags,
    maintainers: pkg.maintainers,
@@ -171,29 +249,52 @@ exports.show = function *(next) {
  info.bugs = pkg.bugs;
  info.license = pkg.license;

-  debug('show module %s: %s, latest: %s', name, rev, latestMod.version);
+  debug('show module %s: %s, latest: %s', orginalName, rev, latestMod.version);
  this.body = info;
 };

 /**
 * get the special version or tag of a module
+ *
+ * GET /:name/:version
+ * GET /:name/:tag
 */
-exports.get = function *(next) {
-  var name = this.params.name;
-  var tag = this.params.version;
+exports.get = function* (next) {
+  var name = this.params.name || this.params[0];
+  var tag = this.params.version || this.params[1];
  var version = semver.valid(tag);
  var method = version ? 'get' : 'getByTag';
  var queryLabel = version ? version : tag;
+  var orginalName = name;
+  var adaptDefaultScope = false;
+  debug('%s %s with %j', method, name, this.params);

  var mod = yield Module[method](name, queryLabel);
+  if (!mod) {
+    var adaptName = yield* Module.getAdaptName(name);
+    if (adaptName) {
+      name = adaptName;
+      mod = yield Module[method](name, queryLabel);
+      adaptDefaultScope = true;
+    }
+  }
+
  if (mod) {
    common.setDownloadURL(mod.package, this);
    mod.package._cnpm_publish_time = mod.publish_time;
+    var maintainers = yield* packageService.listMaintainers(name);
+    if (maintainers.length > 0) {
+      mod.package.maintainers = maintainers;
+    }
+    if (adaptDefaultScope) {
+      mod.package.name = orginalName;
+      mod.package._id = orginalName + '@' + mod.package.version;
+    }
    this.body = mod.package;
    return;
  }
  // if not fond, sync from source registry
-  if (!this.allowSync) {
+  if (!this.allowSync || adaptDefaultScope) {
    this.status = 404;
    this.body = {
      error: 'not exist',
@@ -217,11 +318,9 @@ exports.get = function *(next) {

 var _downloads = {};

-var DOWNLOAD_TIMEOUT = ms('10m');
-
 exports.download = function *(next) {
-  var name = this.params.name;
-  var filename = this.params.filename;
+  var name = this.params.name || this.params[0];
+  var filename = this.params.filename || this.params[1];
  var version = filename.slice(name.length + 1, -4);
  var row = yield Module.get(name, version);
  // can not get dist
@@ -231,6 +330,8 @@ exports.download = function *(next) {
    url = nfs.url(common.getCDNKey(name, filename));
  }

+  debug('download %s %s %s %s', name, filename, version, url);
+
  if (!row || !row.package || !row.package.dist) {
    if (!url) {
      return yield* next;
@@ -258,28 +359,13 @@ exports.download = function *(next) {
  _downloads[name] = (_downloads[name] || 0) + 1;

  if (typeof dist.size === 'number') {
-    this.set('Content-Length', dist.size);
+    this.length = dist.size;
  }
-  this.set('Content-Type', mime.lookup(dist.key));
-  this.set('Content-Disposition', 'attachment; filename="' + filename + '"');
-  this.set('ETag', dist.shasum);
+  this.type = mime.lookup(dist.key);
+  this.attachment = filename;
+  this.etag = dist.shasum;

-  // use download file api
-  var tmpPath = path.join(config.uploadDir,
-    utility.randomString() + dist.key.replace(/\//g, '-'));
-  function cleanup() {
-    fs.unlink(tmpPath, utility.noop);
-  }
-  try {
-    yield nfs.download(dist.key, tmpPath, {timeout: DOWNLOAD_TIMEOUT});
-  } catch (err) {
-    cleanup();
-    this.throw(err);
-  }
-  var tarball = fs.createReadStream(tmpPath);
-  tarball.once('error', cleanup);
-  tarball.once('end', cleanup);
-  this.body = tarball;
+  this.body = yield* downloadAsReadStream(dist.key);
 };

 setInterval(function () {
@@ -326,104 +412,6 @@ setInterval(function () {
  next();
 }, 5000);

-exports.upload = function *(next) {
-  var length = Number(this.get('content-length')) || 0;
-  if (!length || !this.is('application/octet-stream')) {
-    debug('request length or type error');
-    return yield *next;
-  }
-  var username = this.user.name;
-  var name = this.params.name;
-  var id = Number(this.params.rev);
-  var filename = this.params.filename;
-  var version = filename.substring(name.length + 1);
-  version = version.replace(/\.tgz$/, '');
-  // save version on pkg upload
-
-  debug('%s: upload %s, file size: %d', username, this.url, length);
-  var mod = yield Module.getById(id);
-  if (!mod) {
-    debug('can not get this module');
-    return yield* next;
-  }
-  if (!common.isMaintainer(this.user, mod.package.maintainers) || mod.name !== name) {
-    this.status = 403;
-    this.body = {
-      error: 'no_perms',
-      reason: 'Current user can not publish this module'
-    };
-    return;
-  }
-
-  if (mod.version !== 'next') {
-    // rev wrong
-    this.status = 403;
-    this.body = {
-      error: 'rev_wrong',
-      reason: 'rev not match next module'
-    };
-    return;
-  }
-  var filepath = common.getTarballFilepath(filename);
-  var ws = fs.createWriteStream(filepath);
-  var shasum = crypto.createHash('sha1');
-  var dataSize = 0;
-
-  var buf;
-  while (buf = yield coRead(this.req)) {
-    shasum.update(buf);
-    dataSize += buf.length;
-    yield coWrite(ws, buf);
-  }
-  ws.end();
-  if (dataSize !== length) {
-    this.status = 403;
-    this.body = {
-      error: 'size_wrong',
-      reason: 'Header size ' + length + ' not match download size ' + dataSize,
-    };
-    return;
-  }
-  shasum = shasum.digest('hex');
-
-  var options = {
-    key: common.getCDNKey(name, filename),
-    size: length,
-    shasum: shasum
-  };
-  var result;
-  try {
-    result = yield nfs.upload(filepath, options);
-  } catch (err) {
-    fs.unlink(filepath, utility.noop);
-    this.throw(err);
-  }
-  fs.unlink(filepath, utility.noop);
-  var dist = {
-    shasum: shasum,
-    size: length
-  };
-
-  // if nfs upload return a key, record it
-  if (result.url) {
-    dist.tarball = result.url;
-  } else if (result.key) {
-    dist.key = result.key;
-    dist.tarball = result.key;
-  }
-
-  mod.package.dist = dist;
-  mod.package.version = version;
-  debug('%s module: save file to %s, size: %d, sha1: %s, dist: %j, version: %s',
-    id, filepath, length, shasum, dist, version);
-  var updateResult = yield Module.update(mod);
-  this.status = 201;
-  this.body = {
-    ok: true,
-    rev: String(updateResult.id)
-  };
-};
-
 function _addDepsRelations(pkg) {
  var dependencies = Object.keys(pkg.dependencies || {});
  if (dependencies.length > config.maxDependencies) {
@@ -436,77 +424,13 @@ function _addDepsRelations(pkg) {
  });
 }

-exports.updateLatest = function *(next) {
-  var username = this.user.name;
-  var name = this.params.name;
-  var version = semver.valid(this.params.version);
-  if (!version) {
-    this.status = 400;
-    this.body = {
-      error: 'Params Invalid',
-      reason: 'Invalid version: ' + this.params.version,
-    };
-    return;
-  }
-
-  var nextMod = yield Module.get(name, 'next');
-  if (!nextMod) {
-    debug('can not get nextMod');
-    return yield* next;
-  }
-  if (!common.isMaintainer(this.user, nextMod.package.maintainers)) {
-    this.status = 401;
-    this.body = {
-      error: 'noperms',
-      reason: 'Current user can not publish this module'
-    };
-    return;
-  }
-
-  // check version if not match pkg upload
-  if (nextMod.package.version !== version) {
-    this.status = 403;
-    this.body = {
-      error: 'version_wrong',
-      reason: 'version not match'
-    };
-    return;
-  }
-
-  var body = this.request.body;
-  nextMod.version = version;
-  nextMod.author = username;
-  body.dist = nextMod.package.dist;
-  body.maintainers = nextMod.package.maintainers;
-  if (!body.author) {
-    body.author = {
-      name: username,
-    };
-  }
-  body._publish_on_cnpm = true;
-  nextMod.package = body;
-  _addDepsRelations(body);
-
-  // reset publish time
-  nextMod.publish_time = Date.now();
-  debug('update %s:%s %j', nextMod.package.name, nextMod.package.version, nextMod.package.dist);
-  // change latest to version
-  try {
-    yield Module.update(nextMod);
-  } catch (err) {
-    debug('update nextMod %s error: %s', name, err);
-    return this.throw(err);
-  }
-  yield Module.addTag(name, 'latest', version);
-  nextMod.version = 'next';
-  var addResult = yield Module.add(nextMod);
-  this.status = 201;
-  this.body = {
-    ok: true,
-    rev: String(addResult.id)
-  };
-};
-
+// old flows:
+// 1. add()
+// 2. upload()
+// 3. updateLatest()
+//
+// new flows: only one request
+// PUT /:name
 exports.addPackageAndDist = function *(next) {
  // 'dist-tags': { latest: '0.0.2' },
  //  _attachments:
@@ -517,7 +441,7 @@ exports.addPackageAndDist = function *(next) {

  var pkg = this.request.body;
  var username = this.user.name;
-  var name = this.params.name;
+  var name = this.params.name || this.params[0];
  var filename = Object.keys(pkg._attachments || {})[0];
  var version = Object.keys(pkg.versions || {})[0];
  if (!version || !filename) {
@@ -531,6 +455,34 @@ exports.addPackageAndDist = function *(next) {

  var attachment = pkg._attachments[filename];
  var versionPackage = pkg.versions[version];
+
+  // should never happened in normal request
+  if (!versionPackage.maintainers) {
+    this.status = 400;
+    this.body = {
+      error: 'maintainers error',
+      reason: 'request body need maintainers'
+    };
+    return;
+  }
+
+  // notice that admins can not publish to all modules
+  // (but admins can add self to maintainers first)
+
+  // make sure user in auth is in maintainers
+  // should never happened in normal request
+  var m = versionPackage.maintainers.filter(function (maintainer) {
+    return maintainer.name === username;
+  });
+  if (!m.length) {
+    this.status = 403;
+    this.body = {
+      error: 'maintainers error',
+      reason: username + ' does not in maintainer list'
+    };
+    return;
+  }
+
  versionPackage._publish_on_cnpm = true;
  var distTags = pkg['dist-tags'] || {};
  var tags = []; // tag, version
@@ -538,16 +490,36 @@ exports.addPackageAndDist = function *(next) {
    tags.push([t, distTags[t]]);
  }

-  debug('addPackageAndDist %s:%s, attachment size: %s', name, version, attachment.length);
+  if (tags.length === 0) {
+    this.status = 400;
+    this.body = {
+      error: 'invalid',
+      reason: 'dist-tags should not be empty'
+    };
+    return;
+  }

+  debug('%s addPackageAndDist %s:%s, attachment size: %s, maintainers: %j, distTags: %j',
+    username, name, version, attachment.length, versionPackage.maintainers, distTags);

  var exists = yield Module.get(name, version);
  var shasum;
  if (exists) {
-    this.status = 409;
+    this.status = 403;
    this.body = {
-      error: 'conflict',
-      reason: 'Document update conflict.'
+      error: 'forbidden',
+      reason: 'cannot modify pre-existing version: ' + version
+    };
+    return;
+  }
+
+  // check maintainers
+  var isMaintainer = yield* packageService.isMaintainer(name, username);
+  if (!isMaintainer) {
+    this.status = 403;
+    this.body = {
+      error: 'forbidden user',
+      reason: username + ' not authorized to modify ' + name
    };
    return;
  }
@@ -560,11 +532,22 @@ exports.addPackageAndDist = function *(next) {
    this.status = 403;
    this.body = {
      error: 'size_wrong',
-      reason: 'Attachment size ' + attachment.length + ' not match download size ' + tarballBuffer.length,
+      reason: 'Attachment size ' + attachment.length
+        + ' not match download size ' + tarballBuffer.length,
    };
    return;
  }

+  if (!distTags.latest) {
+    // need to check if latest tag exists or not
+    var latest = yield Module.getByTag(name, 'latest');
+    if (!latest) {
+      // auto add latest
+      tags.push(['latest', tags[0][1]]);
+      debug('auto add latest tag: %j', tags);
+    }
+  }
+
  shasum = crypto.createHash('sha1');
  shasum.update(tarballBuffer);
  shasum = shasum.digest('hex');
@@ -616,141 +599,122 @@ exports.addPackageAndDist = function *(next) {
  };
 };

-exports.add = function *(next) {
-  var username = this.user.name;
-  var name = this.params.name;
-  var pkg = this.request.body || {};
+// PUT /:name/-rev/:rev
+exports.updateOrRemove = function* (next) {
+  var name = this.params.name || this.params[0];
+  debug('updateOrRemove module %s, %s, %j', this.url, name, this.request.body);

-  if (!common.isMaintainer(this.user, pkg.maintainers)) {
-    this.status = 403;
-    this.body = {
-      error: 'no_perms',
-      reason: 'Current user can not publish this module'
-    };
-    return;
-  }
-
-  if (pkg._attachments && Object.keys(pkg._attachments).length > 0) {
-    return yield exports.addPackageAndDist.call(this, next);
-  }
-
-  var r = yield [Module.getLatest(name), Module.get(name, 'next')];
-  var latestMod = r[0];
-  var nextMod = r[1];
-
-  if (nextMod) {
-    nextMod.exists = true;
-  } else {
-    nextMod = {
-      name: name,
-      version: 'next',
-      author: username,
-      package: {
-        name: name,
-        version: 'next',
-        description: pkg.description,
-        readme: pkg.readme,
-        maintainers: pkg.maintainers,
-      }
-    };
-    debug('add next module: %s', name);
-    var result = yield Module.add(nextMod);
-    nextMod.id = result.id;
-  }
-
-  var maintainers = latestMod && latestMod.package.maintainers.length > 0 ?
-    latestMod.package.maintainers : nextMod.package.maintainers;
-
-  if (!common.isMaintainer(this.user, maintainers)) {
-    this.status = 403;
-    this.body = {
-      error: 'no_perms',
-      reason: 'Current user can not publish this module'
-    };
-    return;
-  }
-
-  debug('add %s rev: %s, version: %s', name, nextMod.id, nextMod.version);
-
-  if (latestMod || nextMod.version !== 'next') {
-    this.status = 409;
-    this.body = {
-      error: 'conflict',
-      reason: 'Document update conflict.'
-    };
-    return;
-  }
-  this.status = 201;
-  this.body = {
-    ok: true,
-    id: name,
-    rev: String(nextMod.id),
-  };
-};
-
-exports.updateOrRemove = function *(next) {
-  debug('updateOrRemove module %s, %j', this.params.name, this.request.body);
  var body = this.request.body;
  if (body.versions) {
-    yield *exports.removeWithVersions.call(this, next);
-  } else if (body.maintainers && body.maintainers.length > 0) {
-    yield *exports.updateMaintainers.call(this, next);
+    yield* exports.removeWithVersions.call(this, next);
+  } else if (body.maintainers) {
+    yield* exports.updateMaintainers.call(this, next);
  } else {
-    yield *next;
+    yield* next;
  }
 };

-exports.updateMaintainers = function *(next) {
-  var name = this.params.name;
+exports.updateMaintainers = function* (next) {
+  var name = this.params.name || this.params[0];
  var body = this.request.body;
  debug('updateMaintainers module %s, %j', name, body);

-  var latestMod = yield Module.getLatest(name);
+  var isMaintainer = yield* packageService.isMaintainer(name, this.user.name);

-  if (!latestMod || !latestMod.package) {
-    return yield *next;
-  }
-  if (!common.isMaintainer(this.user, latestMod.package.maintainers)) {
+  if (!isMaintainer && !this.user.isAdmin) {
    this.status = 403;
    this.body = {
-      error: 'no_perms',
-      reason: 'Current user can not publish this module'
+      error: 'forbidden user',
+      reason: this.user.name + ' not authorized to modify ' + name
    };
    return;
  }

-  var r = yield *Module.updateMaintainers(latestMod.id, body.maintainers);
+  var usernames = body.maintainers.map(function (user) {
+    return user.name;
+  });
+
+  if (usernames.length === 0) {
+    this.status = 403;
+    this.body = {
+      error: 'invalid operation',
+      reason: 'Can not remove all maintainers'
+    };
+    return;
+  }
+
+  if (config.customUserService) {
+    // ensure new authors are vaild
+    var maintainers = yield* packageService.listMaintainerNamesOnly(name);
+    var map = {};
+    var newNames = [];
+    for (var i = 0; i < maintainers.length; i++) {
+      map[maintainers[i]] = 1;
+    }
+    for (var i = 0; i < usernames.length; i++) {
+      var username = usernames[i];
+      if (map[username] !== 1) {
+        newNames.push(username);
+      }
+    }
+    if (newNames.length > 0) {
+      var users = yield* UserService.list(newNames);
+      var map = {};
+      for (var i = 0; i < users.length; i++) {
+        var user = users[i];
+        map[user.login] = 1;
+      }
+      var invailds = [];
+      for (var i = 0; i < newNames.length; i++) {
+        var username = newNames[i];
+        if (map[username] !== 1) {
+          invailds.push(username);
+        }
+      }
+      if (invailds.length > 0) {
+        this.status = 403;
+        this.body = {
+          error: 'invalid user name',
+          reason: 'User: ' + invailds.join(', ') + ' not exists'
+        };
+        return;
+      }
+    }
+  }
+
+  var r = yield* packageService.updateMaintainers(name, usernames);
  debug('result: %j', r);

  this.status = 201;
  this.body = {
    ok: true,
    id: name,
-    rev: String(latestMod.id),
+    rev: this.params.rev || this.params[1],
  };
 };

-exports.removeWithVersions = function *(next) {
-  debug('removeWithVersions module %s, with info %j', this.params.name, this.request.body);
+exports.removeWithVersions = function* (next) {
  var username = this.user.name;
-  var name = this.params.name;
+  var name = this.params.name || this.params[0];
+  // left versions
  var versions = this.request.body.versions || {};

-  debug('removeWithVersions module %s, with versions %j', name, Object.keys(versions));
-
  // step1: list all the versions
  var mods = yield Module.listByName(name);
+  debug('removeWithVersions module %s, left versions %j, %s mods',
+    name, Object.keys(versions), mods && mods.length);
  if (!mods || !mods.length) {
-    return yield *next;
+    return yield* next;
  }

  // step2: check permission
-  var firstMod = mods[0];
-  if (!common.isMaintainer(this.user, firstMod.package.maintainers) || firstMod.name !== name) {
+  var isMaintainer = yield* packageService.isMaintainer(name, username);
+  // admin can delete the module
+  if (!isMaintainer && !this.user.isAdmin) {
    this.status = 403;
    this.body = {
-      error: 'no_perms',
-      reason: 'Current user can not update this module'
+      error: 'forbidden user',
+      reason: username + ' not authorized to modify ' + name
    };
    return;
  }
@@ -810,27 +774,36 @@ exports.removeWithVersions = function *(next) {
  } else {
    debug('no tag need to be remove');
  }
+  // step 7: update last modified, make sure etag change
+  yield* Module.updateLastModified(name);
+
  this.status = 201;
  this.body = { ok: true };
 };

-exports.removeTar = function *(next) {
-  debug('remove tarball with filename: %s, id: %s', this.params.filename, this.params.rev);
-  var id = Number(this.params.rev);
-  var filename = this.params.filename;
-  var name = this.params.name;
-  var username = this.user.name;
+exports.removeTar = function* (next) {
+  var name = this.params.name || this.params[0];
+  var filename = this.params.filename || this.params[1];
+  var id = Number(this.params.rev || this.params[2]);
+  debug('remove tarball with filename: %s, id: %s', filename, id);

-  var mod = yield Module.getById(id);
-  if (!mod) {
+  var username = this.user.name;
+  if (isNaN(id)) {
    return yield* next;
  }

-  if (!common.isMaintainer(this.user, mod.package.maintainers) || mod.name !== name) {
+  var mod = yield Module.getById(id);
+  if (!mod || mod.name !== name) {
+    return yield* next;
+  }
+
+  var isMaintainer = yield* packageService.isMaintainer(name, username);
+
+  if (!isMaintainer && !this.user.isAdmin) {
    this.status = 403;
    this.body = {
-      error: 'no_perms',
-      reason: 'Current user can not delete this tarball'
+      error: 'forbidden user',
+      reason: username + ' not authorized to modify ' + name
    };
    return;
  }
@@ -840,10 +813,11 @@ exports.removeTar = function *(next) {
  this.body = { ok: true };
 };

-exports.removeAll = function *(next) {
-  debug('remove all the module with name: %s, id: %s', this.params.name, this.params.rev);
-  // var id = Number(this.params.rev);
-  var name = this.params.name;
+exports.removeAll = function* (next) {
+  var name = this.params.name || this.params[0];
+  var username = this.user.name;
+  var rev = this.params.rev || this.params[1];
+  debug('remove all the module with name: %s, id: %s', name, rev);

  var mods = yield Module.listByName(name);
  debug('removeAll module %s: %d', name, mods.length);
@@ -852,11 +826,13 @@ exports.removeAll = function *(next) {
    return yield* next;
  }

-  if (!common.isMaintainer(this.user, mod.package.maintainers) || mod.name !== name) {
+  var isMaintainer = yield* packageService.isMaintainer(name, username);
+  // admin can delete the module
+  if (!isMaintainer && !this.user.isAdmin) {
    this.status = 403;
    this.body = {
-      error: 'no_perms',
-      reason: 'Current user can not delete this tarball'
+      error: 'forbidden user',
+      reason: username + ' not authorized to modify ' + name
    };
    return;
  }
@@ -864,16 +840,24 @@ exports.removeAll = function *(next) {
  yield [Module.removeByName(name), Module.removeTags(name)];
  var keys = [];
  for (var i = 0; i < mods.length; i++) {
-    var key = urlparse(mods[i].dist_tarball).path;
+    var row = mods[i];
+    var dist = row.package.dist;
+    var key = dist.key;
+    if (!key) {
+      key = urlparse(dist.tarball).pathname;
+    }
    key && keys.push(key);
  }
-  try {
-    yield keys.map(function (key) {
-      return nfs.remove(key);
-    });
-  } catch (err) {
-    // ignore error here
+  if (keys.length > 0) {
+    try {
+      yield keys.map(function (key) {
+        return nfs.remove(key);
+      });
+    } catch (err) {
+      // ignore error here
+    }
  }
+
  this.body = { ok: true };
 };

@@ -938,3 +922,60 @@ exports.listAllModuleNames = function *() {
    return m.name;
  });
 };
+
+// PUT /:name/:tag
+exports.updateTag = function* () {
+  var version = this.request.body;
+  var name = this.params.name || this.params[0];
+  var tag = this.params.tag || this.params[1];
+  debug('updateTag: %s %s to %s', name, version, tag);
+
+  if (!version) {
+    this.status = 400;
+    this.body = {
+      error: 'version_missed',
+      reason: 'version not found'
+    };
+    return;
+  }
+
+  if (!semver.valid(version)) {
+    this.status = 403;
+    var reason = util.format('setting tag %s to invalid version: %s: %s/%s',
+      tag, version, name, tag);
+    this.body = {
+      error: 'forbidden',
+      reason: reason
+    };
+    return;
+  }
+
+  var mod = yield Module.get(name, version);
+  if (!mod) {
+    this.status = 403;
+    var reason = util.format('setting tag %s to unknown version: %s: %s/%s',
+      tag, version, name, tag);
+    this.body = {
+      error: 'forbidden',
+      reason: reason
+    };
+    return;
+  }
+
+  // check permission
+  var isMaintainer = yield* packageService.isMaintainer(name, this.user.name);
+  if (!isMaintainer && !this.user.isAdmin) {
+    this.status = 403;
+    this.body = {
+      error: 'forbidden user',
+      reason: this.user.name + ' not authorized to modify ' + name
+    };
+    return;
+  }
+
+  yield Module.addTag(name, tag, version);
+  this.status = 201;
+  this.body = {
+    ok: true
+  };
+};
--- a/controllers/registry/user.js
+++ b/controllers/registry/user.js
@@ -18,14 +18,31 @@
 var debug = require('debug')('cnpmjs.org:controllers:registry:user');
 var utility = require('utility');
 var crypto = require('crypto');
+var UserService = require('../../services/user');
 var User = require('../../proxy/user');
 var config = require('../../config');
+var common = require('../../lib/common');

-exports.show = function *(next) {
+exports.show = function* (next) {
  var name = this.params.name;
-  var user = yield User.get(name);
+  var isAdmin = common.isAdmin(name);
+  var scopes = config.scopes || [];
+  if (config.customUserService) {
+    var customUser = yield* UserService.get(name);
+    if (customUser) {
+      isAdmin = !!customUser.site_admin;
+      scopes = customUser.scopes;
+
+      var data = {
+        user: customUser
+      };
+      yield* User.saveCustomUser(data);
+    }
+  }
+
+  var user = yield* User.get(name);
  if (!user) {
-    return yield *next;
+    return yield* next;
  }

  var data = user.json;
@@ -40,12 +57,32 @@ exports.show = function *(next) {
      date: user.gmt_modified,
    };
  }
+
+  if (data.login) {
+    // custom user format
+    // convert to npm user format
+    data = {
+      _id: 'org.couchdb.user:' + user.name,
+      _rev: user.rev,
+      name: user.name,
+      email: user.email,
+      type: 'user',
+      roles: [],
+      date: user.gmt_modified,
+      avatar: data.avatar_url,
+      fullname: data.name || data.login,
+      homepage: data.html_url,
+    };
+  }
+
  data._cnpm_meta = {
    id: user.id,
-    npm_user: user.npm_user,
+    npm_user: user.npm_user === 1,
+    custom_user: user.npm_user === 2,
    gmt_create: user.gmt_create,
    gmt_modified: user.gmt_modified,
-    admin: !!config.admins[user.name],
+    admin: isAdmin,
+    scopes: scopes,
  };

  this.body = data;
@@ -85,20 +122,20 @@ function ensurePasswordSalt(user, body) {
 //   'content-length': '258',
 //   connection: 'keep-alive' }
 // { name: 'mk2',
-//   salt: '18d8d51936478446a5466d4fb1633b80f3838b4caaa03649a885ac722cd6',
-//   password_sha: '8f4408912a6db1d96b132a90856d99db029cef3d',
+//   salt: '12351936478446a5466d4fb1633b80f3838b4caaa03649a885ac722cd6',
+//   password_sha: '123408912a6db1d96b132a90856d99db029cef3d',
 //   email: 'fengmk2@gmail.com',
 //   _id: 'org.couchdb.user:mk2',
 //   type: 'user',
 //   roles: [],
 //   date: '2014-03-15T02:39:25.696Z' }
-exports.add = function *() {
+exports.add = function* () {
  var name = this.params.name;
  var body = this.request.body || {};
  var user = {
    name: body.name,
-    salt: body.salt,
-    password_sha: body.password_sha,
+    // salt: body.salt,
+    // password_sha: body.password_sha,
    email: body.email,
    ip: this.ip || '0.0.0.0',
    // roles: body.roles || [],
@@ -106,7 +143,7 @@ exports.add = function *() {

  ensurePasswordSalt(user, body);

-  if (!user.name || !user.salt || !user.password_sha || !user.email) {
+  if (!body.password || !user.name || !user.salt || !user.password_sha || !user.email) {
    this.status = 422;
    this.body = {
      error: 'paramError',
@@ -114,7 +151,47 @@ exports.add = function *() {
    };
    return;
  }
-  debug('add user: %j', user);
+
+  debug('add user: %j', body);
+
+  var loginedUser;
+  try {
+    loginedUser = yield UserService.auth(body.name, body.password);
+  } catch (err) {
+    this.status = err.status || 500;
+    this.body = {
+      error: err.name,
+      reason: err.message
+    };
+    return;
+  }
+  if (loginedUser) {
+    var rev = Date.now() + '-' + loginedUser.login;
+    if (config.customUserService) {
+      // make sure sync user meta to cnpm database
+      var data = user;
+      data.rev = rev;
+      data.user = loginedUser;
+      yield* User.saveCustomUser(data);
+    }
+    this.status = 201;
+    this.body = {
+      ok: true,
+      id: 'org.couchdb.user:' + loginedUser.login,
+      rev: rev,
+    };
+    return;
+  }
+
+  if (config.customUserService) {
+    // user login fail, not allow to add new user
+    this.status = 401;
+    this.body = {
+      error: 'unauthorized',
+      reason: 'Login fail, please check your login name and password'
+    };
+    return;
+  }

  var existUser = yield User.get(name);
  if (existUser) {
@@ -136,24 +213,7 @@ exports.add = function *() {
  };
 };

-exports.authSession = function *() {
-  // body: {"name":"foo","password":"****"}
-  var body = this.request.body || {};
-  var name = body.name;
-  var password = body.password;
-  var user = yield User.auth(name, password);
-  debug('authSession %s: %j', name, user);
-
-  if (!user) {
-    this.status = 401;
-    this.body = {ok: false, name: null, roles: []};
-    return;
-  }
-  var session = yield *this.session;
-  session.name = user.name;
-  this.body = {ok: true, name: user.name, roles: []};
-};
-
+// logined before update, no need to auth user again
 exports.update = function *(next) {
  var name = this.params.name;
  var rev = this.params.rev;
@@ -175,17 +235,19 @@ exports.update = function *(next) {
  var body = this.request.body || {};
  var user = {
    name: body.name,
-    salt: body.salt,
-    password_sha: body.password_sha,
+    // salt: body.salt,
+    // password_sha: body.password_sha,
    email: body.email,
    ip: this.ip || '0.0.0.0',
    rev: body.rev || body._rev,
    // roles: body.roles || [],
  };

+  debug('update user %j', body);
+
  ensurePasswordSalt(user, body);

-  if (!user.name || !user.salt || !user.password_sha || !user.email) {
+  if (!body.password || !user.name || !user.salt || !user.password_sha || !user.email) {
    this.status = 422;
    this.body = {
      error: 'paramError',
--- a/controllers/sync.js
+++ b/controllers/sync.js
@@ -1,5 +1,5 @@
 /**!
- * cnpmjs.org - controllers/download.js
+ * cnpmjs.org - controllers/sync.js
 *
 * Copyright(c) cnpmjs.org and other contributors.
 * MIT Licensed
@@ -14,14 +14,16 @@
 * Module dependencies.
 */

+var debug = require('debug')('cnpmjs.org:controllers:sync');
 var Log = require('../proxy/module_log');
 var SyncModuleWorker = require('../proxy/sync_module_worker');

-exports.sync = function *() {
+exports.sync = function* () {
  var username = this.user.name || 'anonymous';
-  var name = this.params.name;
+  var name = this.params.name || this.params[0];
  var publish = this.query.publish === 'true';
  var noDep = this.query.nodeps === 'true';
+  debug('sync %s with query: %j', name, this.query);
  if (publish && !this.user.isAdmin) {
    this.status = 403;
    this.body = {
@@ -37,6 +39,7 @@ exports.sync = function *() {
  };

  var result = yield SyncModuleWorker.sync(name, username, options);
+  debug('sync %s got %j', name, result);

  // friendly 404 reason info
  if (result.statusCode === 404) {
@@ -59,8 +62,9 @@ exports.sync = function *() {
  };
 };

-exports.getSyncLog = function *(next) {
-  var logId = this.params.id;
+exports.getSyncLog = function* (next) {
+  // params: [$name, $id] on scope package
+  var logId = this.params.id || this.params[1];
  var offset = Number(this.query.offset) || 0;
  var row = yield Log.get(logId);
  if (!row) {
--- a/controllers/total.js
+++ b/controllers/total.js
@@ -15,13 +15,12 @@
 * Module dependencies.
 */

-var microtime = require('microtime');
 var Total = require('../proxy/total');
 var Download = require('./download');
 var version = require('../package.json').version;
 var config = require('../config');

-var startTime = '' + microtime.now();
+var startTime = '' + Date.now();

 exports.show = function *() {
  var r = yield [Total.get(), Download.total()];
--- a/controllers/utils.js
+++ b/controllers/utils.js
@@ -0,0 +1,46 @@
+/**!
+ * cnpmjs.org - controllers/utils.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var debug = require('debug')('cnpmjs.org:controllers:utils');
+var path = require('path');
+var fs = require('fs');
+var utility = require('utility');
+var ms = require('ms');
+var nfs = require('../common/nfs');
+var config = require('../config');
+
+var DOWNLOAD_TIMEOUT = ms('10m');
+
+exports.downloadAsReadStream = function* (key) {
+  var tmpPath = path.join(config.uploadDir,
+    utility.randomString() + key.replace(/\//g, '-'));
+  function cleanup() {
+    debug('cleanup %s', tmpPath);
+    fs.unlink(tmpPath, utility.noop);
+  }
+  debug('downloadAsReadStream() %s to %s', key, tmpPath);
+  try {
+    yield nfs.download(key, tmpPath, {timeout: DOWNLOAD_TIMEOUT});
+  } catch (err) {
+    debug('downloadAsReadStream() %s to %s error: %s', key, tmpPath, err.stack);
+    cleanup();
+    throw err;
+  }
+  var tarball = fs.createReadStream(tmpPath);
+  tarball.once('error', cleanup);
+  tarball.once('end', cleanup);
+  return tarball;
+};
--- a/controllers/web/dist.js
+++ b/controllers/web/dist.js
@@ -14,10 +14,72 @@
 * Module dependencies.
 */

+var debug = require('debug')('cnpmjs.org:controllers:web:dist');
+var mime = require('mime');
+var Dist = require('../../proxy/dist');
 var config = require('../../config');
+var downloadAsReadStream = require('../utils').downloadAsReadStream;

-exports.redirect = function *(next) {
+function padding(max, current, pad) {
+  pad = pad || ' ';
+  var left = max - current;
+  var str = '';
+  for (var i = 0; i < left; i++) {
+    str += pad;
+  }
+  return str;
+}
+
+exports.list = function* (next) {
  var params = this.params;
-  var url = config.disturl + (params[0] || '/');
-  this.redirect(url);
+  var url = params[0];
+  if (!url) {
+    // GET /dist => /dist/
+    return this.redirect('/dist/');
+  }
+
+  var isDir = url[url.length - 1] === '/';
+  if (!isDir) {
+    return yield* download.call(this, next);
+  }
+
+  var items = yield* Dist.listdir(url);
+  if (url === '/') {
+    // phantomjs/
+    items.push({
+      name: 'phantomjs/',
+      date: '',
+    });
+  }
+
+  yield this.render('dist', {
+    title: 'Mirror index of ' + config.disturl + url,
+    disturl: config.disturl,
+    dirname: url,
+    items: items,
+    padding: padding
+  });
 };
+
+ function* download(next) {
+  var fullname = this.params[0];
+  var info = yield* Dist.getfile(fullname);
+  debug('download %s got %j', fullname, info);
+  if (!info || !info.url) {
+    return yield* next;
+  }
+
+  if (info.url.indexOf('http') === 0) {
+    return this.redirect(info.url);
+  }
+
+  // download it from nfs
+  if (typeof info.size === 'number') {
+    this.length = info.size;
+  }
+  this.type = mime.lookup(info.url);
+  this.attachment = info.name;
+  this.etag = info.sha1;
+
+  this.body = yield* downloadAsReadStream(info.url);
+}
--- a/controllers/web/package.js
+++ b/controllers/web/package.js
@@ -14,6 +14,8 @@
 * Module dependencies.
 */

+var debug = require('debug')('cnpmjs.org:controllers:web:package');
+var bytes = require('bytes');
 var giturl = require('giturl');
 var moment = require('moment');
 var eventproxy = require('eventproxy');
@@ -29,11 +31,17 @@ var Log = require('../../proxy/module_log');
 var ModuleDeps = require('../../proxy/module_deps');
 var setDownloadURL = require('../../lib/common').setDownloadURL;
 var ModuleStar = require('../../proxy/module_star');
+var packageService = require('../../services/package');
+var ModuleUnpublished = require('../../proxy/module_unpublished');

-exports.display = function *(next) {
+exports.display = function* (next) {
  var params = this.params;
-  var name = params.name;
-  var tag = params.version;
+  // normal: {name: $name, version: $version}
+  // scope: [$name, $version]
+  var orginalName = params.name || params[0];
+  var name = orginalName;
+  var tag = params.version || params[1];
+  debug('display %s with %j', name, params);

  var getPackageMethod;
  var getPackageArgs;
@@ -45,22 +53,55 @@ exports.display = function *(next) {
    getPackageMethod = 'getByTag';
    getPackageArgs = [name, tag || 'latest'];
  }
+
+  var pkg = yield Module[getPackageMethod].apply(Module, getPackageArgs);
+  if (!pkg) {
+    var adaptName = yield* Module.getAdaptName(name);
+    if (adaptName) {
+      name = adaptName;
+      pkg = yield Module[getPackageMethod].apply(Module, [name, getPackageArgs[1]]);
+    }
+  }
+
+  if (!pkg || !pkg.package) {
+    // check if unpublished
+    var unpublishedInfo = yield* ModuleUnpublished.get(name);
+    debug('show unpublished %j', unpublishedInfo);
+    if (unpublishedInfo) {
+      var data = {
+        name: name,
+        unpublished: unpublishedInfo.package
+      };
+      data.unpublished.time = new Date(data.unpublished.time);
+      if (data.unpublished.maintainers) {
+        for (var i = 0; i < data.unpublished.maintainers.length; i++) {
+          var maintainer = data.unpublished.maintainers[i];
+          if (maintainer.email) {
+            maintainer.gravatar = gravatar.url(maintainer.email, {s: '50', d: 'retro'}, true);
+          }
+        }
+      }
+      yield this.render('package_unpublished', {
+        package: data
+      });
+      return;
+    }
+
+    return yield* next;
+  }
+
  var r = yield [
-    Module[getPackageMethod].apply(Module, getPackageArgs),
    down.total(name),
    ModuleDeps.list(name),
    ModuleStar.listUsers(name),
+    packageService.listMaintainers(name)
  ];
-  var pkg = r[0];
-  var download = r[1];
-  var dependents = (r[2] || []).map(function (item) {
+  var download = r[0];
+  var dependents = (r[1] || []).map(function (item) {
    return item.deps;
  });
-  var users = r[3];
-
-  if (!pkg || !pkg.package) {
-    return yield* next;
-  }
+  var users = r[2];
+  var maintainers = r[3];

  pkg.package.fromNow = moment(pkg.publish_time).fromNow();
  pkg = pkg.package;
@@ -70,11 +111,15 @@ exports.display = function *(next) {
    pkg.readme = pkg.description || '';
  }

+  if (maintainers.length > 0) {
+    pkg.maintainers = maintainers;
+  }
+
  if (pkg.maintainers) {
    for (var i = 0; i < pkg.maintainers.length; i++) {
      var maintainer = pkg.maintainers[i];
      if (maintainer.email) {
-        maintainer.gravatar = gravatar.url(maintainer.email, {s: '50', d: 'retro'}, false);
+        maintainer.gravatar = gravatar.url(maintainer.email, {s: '50', d: 'retro'}, true);
      }
    }
  }
@@ -87,7 +132,7 @@ exports.display = function *(next) {
    for (var i = 0; i < pkg.contributors.length; i++) {
      var contributor = pkg.contributors[i];
      if (contributor.email) {
-        contributor.gravatar = gravatar.url(contributor.email, {s: '50', d: 'retro'}, false);
+        contributor.gravatar = gravatar.url(contributor.email, {s: '50', d: 'retro'}, true);
      }
      if (config.packagePageContributorSearch || !contributor.url) {
        contributor.url = '/~' + encodeURIComponent(contributor.name);
@@ -108,6 +153,14 @@ exports.display = function *(next) {

  pkg.dependents = dependents;

+  if (pkg.dist) {
+    pkg.dist.size = bytes(pkg.dist.size || 0);
+  }
+
+  if (pkg.name !== orginalName) {
+    pkg.name = orginalName;
+  }
+
  yield this.render('package', {
    title: 'Package - ' + pkg.name,
    package: pkg,
@@ -117,7 +170,8 @@ exports.display = function *(next) {

 exports.search = function *(next) {
  var params = this.params;
-  var word = params.word;
+  var word = params.word || params[0];
+  debug('search %j', word);
  var result = yield Module.search(word);

  var match = null;
@@ -180,14 +234,22 @@ exports.rangeSearch = function *(next) {
  };
 };

-exports.displaySync = function *(next) {
-  var name = this.params.name || this.query.name;
+exports.displaySync = function* (next) {
+  var name = this.params.name || this.params[0] || this.query.name;
  yield this.render('sync', {
    name: name,
    title: 'Sync - ' + name
  });
 };

+exports.listPrivates = function* () {
+  var packages = yield Module.listPrivates();
+  yield this.render('private', {
+      title: 'private packages',
+      packages: packages
+    });
+};
+
 function setLicense(pkg) {
  var license;
  license = pkg.license || pkg.licenses || pkg.licence || pkg.licences;
--- a/controllers/web/user.js
+++ b/controllers/web/user.js
@@ -1,4 +1,4 @@
-/*!
+/**!
 * cnpmjs.org - controllers/web/package.js
 *
 * Copyright(c) cnpmjs.org and other contributors.
@@ -6,6 +6,7 @@
 *
 * Authors:
 *  dead_horse <dead_horse@qq.com> (http://deadhorse.me)
+ *  fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
 */

 'use strict';
@@ -13,26 +14,66 @@
 /**
 * Module dependencies.
 */
+
+var config = require('../../config');
 var Module = require('../../proxy/module');
 var User = require('../../proxy/user');
+var UserService = require('../../services/user');
+var common = require('../../lib/common');

-exports.display = function *(next) {
+exports.display = function* (next) {
  var name = this.params.name;
+  var isAdmin = common.isAdmin(name);
+  var scopes = config.scopes || [];
+  if (config.customUserService) {
+    var customUser = yield* UserService.get(name);
+    if (customUser) {
+      isAdmin = !!customUser.site_admin;
+      scopes = customUser.scopes;
+      var data = {
+        user: customUser
+      };
+      yield* User.saveCustomUser(data);
+    }
+  }

  var r = yield [Module.listByAuthor(name), User.get(name)];
-  var packages = r[0];
+  var packages = r[0] || [];
  var user = r[1];
  if (!user && !packages.length) {
    return yield* next;
  }
-  user = {
+
+  var data = {
    name: name,
-    email: user && user.email
+    email: user && user.email,
+    json: user && user.json || {}
  };

+  if (data.json.login) {
+    // custom user format
+    // convert to npm user format
+    var json = data.json;
+    data.json = {
+      _id: 'org.couchdb.user:' + user.name,
+      _rev: user.rev,
+      name: user.name,
+      email: user.email,
+      type: 'user',
+      roles: [],
+      date: user.gmt_modified,
+      avatar: json.avatar_url,
+      fullname: json.name || json.login,
+      homepage: json.html_url,
+    };
+  }
+
  yield this.render('profile', {
    title: 'User - ' + name,
-    packages: packages || [],
-    user: user
+    packages: packages,
+    user: data,
+    lastModified: user.gmt_modified,
+    isAdmin: isAdmin,
+    scopes: scopes
  });
 };
--- a/dispatch.js
+++ b/dispatch.js
@@ -24,6 +24,18 @@ var childProcess = require('child_process');
 var syncPath = path.join(__dirname, 'sync');

 if (config.enableCluster) {
+  forkWorker();
+  if (config.syncModel !== 'none') {
+    forkSyncer();
+  }
+} else {
+  require(workerPath);
+  if (config.syncModel !== 'none') {
+    require(syncPath);
+  }
+}
+
+function forkWorker() {
  cluster.setupMaster({
    exec: workerPath
  });
@@ -50,9 +62,16 @@ if (config.enableCluster) {
  for (var i = 0; i < config.numCPUs; i++) {
    cluster.fork();
  }
-
-  childProcess.fork(syncPath);
-} else {
-  require(workerPath);
-  require(syncPath);
+}
+
+function forkSyncer() {
+  var syncer = childProcess.fork(syncPath);
+  syncer.on('exit', function (code, signal) {
+    var err = new Error(util.format('syncer %s died (code: %s, signal: %s, stdout: %s, stderr: %s)',
+      syncer.pid, code, signal, syncer.stdout, syncer.stderr));
+    err.name = 'SyncerWorkerDiedError';
+    console.error('[%s] [master:%s] syncer exit: %s: %s',
+      Date(), process.pid, err.name, err.message);
+    setTimeout(forkSyncer, 1000);
+  });
 }
--- a/docs/db.sql
+++ b/docs/db.sql
@@ -40,6 +40,16 @@ CREATE TABLE `module_star` (
 KEY `name` (`name`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='module star';

+CREATE TABLE `module_maintainer` (
+ `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
+ `gmt_create` datetime NOT NULL COMMENT 'create time',
+ `user` varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT 'user name',
+ `name` varchar(100) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'module name',
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `user_module_name` (`user`,`name`),
+ KEY `name` (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='module maintainers';
+
 CREATE TABLE `module` (
 `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
 `gmt_create` datetime NOT NULL COMMENT 'create time',
@@ -87,10 +97,23 @@ CREATE TABLE `tag` (
 `version` varchar(30) NOT NULL COMMENT 'module version',
 `module_id` bigint(20) unsigned NOT NULL COMMENT 'module id',
 PRIMARY KEY (`id`),
- UNIQUE KEY `name` (`name`, `tag`)
+ UNIQUE KEY `name` (`name`, `tag`),
+ KEY `gmt_modified` (`gmt_modified`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='module tag';
 -- ALTER TABLE  `tag` ADD  `module_id` BIGINT( 20 ) UNSIGNED NOT NULL;
 -- ALTER TABLE  `tag` CHANGE  `name`  `name` VARCHAR( 100 ) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT  'module name';
+-- ALTER TABLE `tag` ADD KEY `gmt_modified` (`gmt_modified`);
+
+CREATE TABLE `module_unpublished` (
+ `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
+ `gmt_create` datetime NOT NULL COMMENT 'create time',
+ `gmt_modified` datetime NOT NULL COMMENT 'modified time',
+ `name` varchar(100) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'module name',
+ `package` longtext CHARACTER SET utf8 COLLATE utf8_general_ci COMMENT 'base info: tags, time, maintainers, description, versions',
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `name` (`name`),
+ KEY `gmt_modified` (`gmt_modified`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='module unpublished info';

 CREATE TABLE `total` (
 `name` varchar(100) NOT NULL COMMENT 'total name',
@@ -137,3 +160,30 @@ CREATE TABLE `module_deps` (
 UNIQUE KEY `name_deps` (`name`,`deps`),
 KEY `name` (`name`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='module deps';
+
+CREATE TABLE `dist_dir` (
+ `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
+ `gmt_create` datetime NOT NULL COMMENT 'create time',
+ `gmt_modified` datetime NOT NULL COMMENT 'modified time',
+ `name` varchar(200) NOT NULL COMMENT 'user name',
+ `parent` varchar(200) NOT NULL COMMENT 'parent dir' DEFAULT '/',
+ `date` varchar(20) COMMENT '02-May-2014 01:06',
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `name` (`parent`, `name`),
+ KEY `gmt_modified` (`gmt_modified`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='dist dir info';
+
+CREATE TABLE `dist_file` (
+ `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
+ `gmt_create` datetime NOT NULL COMMENT 'create time',
+ `gmt_modified` datetime NOT NULL COMMENT 'modified time',
+ `name` varchar(100) NOT NULL COMMENT 'user name',
+ `parent` varchar(200) NOT NULL COMMENT 'parent dir' DEFAULT '/',
+ `date` varchar(20) COMMENT '02-May-2014 01:06',
+ `size` int(10) unsigned NOT NULL COMMENT 'file size' DEFAULT '0',
+ `sha1` varchar(40) COMMENT 'sha1 hex value',
+ `url` varchar(2048),
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `fullname` (`parent`, `name`),
+ KEY `gmt_modified` (`gmt_modified`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='dist file info';
--- a/docs/new.sql
+++ b/docs/new.sql
@@ -0,0 +1,9 @@
+CREATE TABLE `module_maintainer` (
+ `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
+ `gmt_create` datetime NOT NULL COMMENT 'create time',
+ `user` varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT 'user name',
+ `name` varchar(100) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'module name',
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `user_module_name` (`user`,`name`),
+ KEY `name` (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='module maintainers';
--- a/docs/web/readme.md
+++ b/docs/web/readme.md
@@ -1,9 +1,13 @@
-# cnpmjs.org: Private npm registry and web for Enterprise
+# cnpmjs.org: Private npm registry and web for Company
+
+So `cnpm` is meaning: **Company npm**.

 ## Registry

 * Our public registry: [r.cnpmjs.org](http://r.cnpmjs.org), syncing from [registry.npmjs.org](http://registry.npmjs.org)
 * Current [cnpmjs.org](/) version: <span id="app-version"></span>
+* Mirror of [nodejs.org/dist](http://nodejs.org/dist): [/dist mirror](/dist)
+* Mirror of [phantomjs downloads](https://bitbucket.org/ariya/phantomjs/downloads): [phantomjs mirror](/dist/phantomjs/)

 <table class="downloads">
  <tbody>
@@ -166,34 +170,10 @@ $ cnpm info cnpm

@see Github [Issues](https://github.com/cnpm/cnpmjs.org/issues)

-## Authors
+## Histories

 Release [History](/history).

-```bash
-$ git summary
-
- project  : cnpmjs.org
- repo age : 4 months ago
- commits  : 472
- active   : 167 days
- files    : 104
- authors  :
-   272  fengmk2                 57.6%
-   195  dead_horse              41.3%
-     2  4simple                 0.4%
-     2  Stanley Zheng           0.4%
-     1  Alsotang                0.2%
-```
-
 ## npm and cnpm relation

 ![npm&cnpm](https://docs.google.com/drawings/d/12QeQfGalqjsB77mRnf5Iq5oSXHCIUTvZTwECMonqCmw/pub?w=383&h=284)
-
-## 捐赠 Donate
-如果您觉得 [cnpmjs.org] 对您有帮助，欢迎请作者一杯咖啡.
-
-[![Donate](https://img.alipay.com/sys/personalprod/style/mc/btn-index.png)](https://me.alipay.com/imk2)
-
- [cnpmjs.org]: http://cnpmjs.org/
- [registry.cnpmjs.org]: http://registry.cnpmjs.org/
--- a/lib/common.js
+++ b/lib/common.js
@@ -21,6 +21,7 @@ var util = require('util');

 exports.getTarballFilepath = function (filename) {
  // ensure download file path unique
+  // TODO: not only .tgz, and also other extname
  var name = filename.replace(/\.tgz$/, '.' + crypto.randomBytes(16).toString('hex') + '.tgz');
  return path.join(config.uploadDir, name);
 };
--- a/middleware/auth.js
+++ b/middleware/auth.js
@@ -15,46 +15,50 @@
 */

 var debug = require('debug')('cnpmjs.org:middleware:auth');
-var User = require('../proxy/user');
-var config = require('../config');
-var common = require('../lib/common');
+var UserService = require('../services/user');
+
+/**
+ * Parse the request authorization
+ * get the real user
+ */

 module.exports = function (options) {
-  return function *auth(next) {
-    var session = yield *this.session;
-    debug('%s, %s, %j', this.url, this.sessionId, session);
+  return function* auth(next) {
    this.user = {};

-    if (session.name) {
-      this.user.name = session.name;
-      this.user.isAdmin = common.isAdmin(session.name);
-      debug('auth exists user: %j, headers: %j', this.user, this.header);
-      return yield *next;
-    }
-
    var authorization = (this.get('authorization') || '').split(' ')[1] || '';
    authorization = authorization.trim();
+    debug('%s %s with %j', this.method, this.url, authorization);
    if (!authorization) {
-      return yield *next;
+      return yield* next;
    }

    authorization = new Buffer(authorization, 'base64').toString().split(':');
    if (authorization.length !== 2) {
-      return yield *next;
+      return yield* next;
    }

    var username = authorization[0];
    var password = authorization[1];

-    var row = yield User.auth(username, password);
-    if (!row) {
-      debug('auth fail user: %j, headers: %j', row, this.header);
-      return yield *next;
+    var row;
+    try {
+      row = yield* UserService.auth(username, password);
+    } catch (err) {
+      // do not response error here
+      // many request do not need login
+      this.user.error = err;
    }

-    this.user.name = row.name;
-    this.user.isAdmin = common.isAdmin(row.name);
+    if (!row) {
+      debug('auth fail user: %j, headers: %j', row, this.header);
+      return yield* next;
+    }
+
+    this.user.name = row.login;
+    this.user.isAdmin = row.site_admin;
+    this.user.scopes = row.scopes;
    debug('auth pass user: %j, headers: %j', this.user, this.header);
-    yield *next;
+    yield* next;
  };
 };
--- a/middleware/login.js
+++ b/middleware/login.js
@@ -15,7 +15,16 @@
 */

 module.exports = function *login(next) {
+  if (this.user.error) {
+    this.status = this.user.error.status || 500;
+    this.body = {
+      error: this.user.error.name,
+      reason: this.user.error.message
+    };
+  }
+
  if (!this.user.name) {
+
    this.status = 401;
    this.body = {
      error: 'unauthorized',
--- a/middleware/publishable.js
+++ b/middleware/publishable.js
@@ -14,11 +14,14 @@
 * Module dependencies.
 */

+var util = require('util');
 var config = require('../config');
+var debug = require('debug')('cnpmjs.org:middlewares/publishable');

 module.exports = function *publishable(next) {
+  // private mode, only admin user can publish
  if (config.enablePrivate && !this.user.isAdmin) {
-    // private mode, only admin user can publish
+
    this.status = 403;
    this.body = {
      error: 'no_perms',
@@ -26,5 +29,75 @@ module.exports = function *publishable(next) {
    };
    return;
  }
-  yield *next;
+
+  // public mode, all user have permission to publish
+  // but if `config.scopes` exist, only can publish with scopes in `config.scope`
+  // if `config.forcePublishWithScope` set to true, only admins can publish without scope
+
+  var name = this.params.name || this.params[0];
+
+  // check if is private package list in config
+  if (config.privatePackages && config.privatePackages.indexOf(name) !== -1) {
+    return yield* next;
+  }
+
+  // scope
+  if (name[0] === '@') {
+    if (checkScope(name, this)) {
+      return yield* next;
+    }
+    return;
+  }
+
+  // none-scope
+  if (checkNoneScope(this)) {
+    return yield* next;
+  }
 };
+
+/**
+ * check module's scope legal
+ */
+
+function checkScope(name, ctx) {
+  if (!ctx.user.scopes || !ctx.user.scopes.length) {
+    ctx.status = 404;
+    return false;
+  }
+
+  var scope = name.split('/')[0];
+  if (ctx.user.scopes.indexOf(scope) === -1) {
+    debug('assert scope  %s error', name);
+    ctx.status = 400;
+    ctx.body = {
+      error: 'invalid scope',
+      reason: util.format('scope %s not match legal scopes %j', scope, ctx.user.scopes)
+    };
+    return false;
+  }
+
+  return true;
+}
+
+/**
+ * check if user have permission to publish without scope
+ */
+
+function checkNoneScope(ctx) {
+  if (!config.scopes
+    || !config.scopes.length
+    || !config.forcePublishWithScope) {
+    return true;
+  }
+
+  // only admins can publish or unpublish non-scope modules
+  if (ctx.user.isAdmin) {
+    return true;
+  }
+
+  ctx.status = 403;
+  ctx.body = {
+    error: 'no_perms',
+    reason: 'only allow publish with ' + ctx.user.scopes.join(',') + ' scope(s)'
+  };
+}
--- a/middleware/registry_not_found.js
+++ b/middleware/registry_not_found.js
@@ -17,9 +17,13 @@
 module.exports = function *notFound(next) {
  yield *next;

-  if (this.status) {
+  if (this.status && this.status !== 404) {
    return;
  }
+  if (this.body && this.body.name) {
+    return;
+  }
+
  this.status = 404;
  this.body = {
    error: 'not_found',
--- a/middleware/static.js
+++ b/middleware/static.js
@@ -0,0 +1,29 @@
+/**!
+ * cnpmjs.org - middleware/static.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var path = require('path');
+var middlewares = require('koa-middlewares');
+var config = require('../config');
+
+var staticDir = path.join(path.dirname(__dirname), 'public');
+
+module.exports = middlewares.staticCache(staticDir, {
+  buffer: config.debug ? false : true,
+  maxAge: config.debug ? 0 : 60 * 60 * 24 * 7,
+  alas: {
+    '/favicon.ico': '/favicon.png'
+  }
+});
--- a/middleware/sync_by_install.js
+++ b/middleware/sync_by_install.js
@@ -20,21 +20,22 @@ var config = require('../config');
 * this.allowSync  -  allow sync triggle by cnpm install
 */

-module.exports = function *syncByInstall(next) {
+module.exports = function* syncByInstall(next) {
  if (!config.syncByInstall || !config.enablePrivate) {
    // only config.enablePrivate should enable sync on install
-    return yield *next;
+    return yield* next;
  }
  // request not by node, consider it request from web
  var ua = this.get('user-agent');
  if (!ua || ua.indexOf('node') < 0) {
-    return yield *next;
+    return yield* next;
  }

+  // if request with `/xxx?write=true`, meaning the read request using for write
  if (this.query.write) {
-    return yield *next;
+    return yield* next;
  }

  this.allowSync = true;
-  yield *next;
+  yield* next;
 };
--- a/middleware/web_not_found.js
+++ b/middleware/web_not_found.js
@@ -14,20 +14,40 @@
 * Module dependencies.
 */

+var debug = require('debug')('cnpmjs.org:middleware:web_not_found');
+
 module.exports = function *notFound(next) {
  yield *next;

-  if (this.status) {
+  if (this.status && this.status !== 404) {
+    return;
+  }
+  if (this.body) {
    return;
  }

-  var m = /^\/([\w\-\_\.]+)\/?$/.exec(this.url);
+  var m = /^\/([\w\-\.]+)\/?$/.exec(this.path);
+  if (!m) {
+    // scoped packages
+    m = /^\/(@[\w\-\.]+\/[\w\-\.]+)$/.exec(this.path);
+  }
+  debug('%s match %j', this.url, m);
  if (m) {
    return this.redirect('/package/' + m[1]);
  }

+  // package not found
+  m = /\/package\/([\w\-\_\.]+)\/?$/.exec(this.url);
+  if (m) {
+    var name = m[1];
+    this.status = 404;
+    yield* this.render('404', {
+      title: 'Package - ' + name,
+      name: name
+    });
+    return;
+  }
+
  this.status = 404;
-  this.type = 'text/html';
-  this.charset = 'utf-8';
  this.body = 'Cannot GET ' + this.path;
 };
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "cnpmjs.org",
-  "version": "0.4.1",
+  "version": "1.0.1",
  "description": "Private npm registry and web for Enterprise, base on MySQL and Simple Store Service",
  "main": "index.js",
  "scripts": {
@@ -10,42 +10,45 @@
    "stop": "./bin/nodejsctl stop"
  },
  "dependencies": {
-    "co": "3.0.5",
+    "bytes": "1.0.0",
+    "cheerio": "0.17.0",
+    "co": "3.0.6",
+    "co-defer": "0.1.0",
    "co-gather": "0.0.1",
-    "co-read": "0.0.2",
+    "co-read": "0.1.0",
    "co-redis": "1.1.0",
-    "co-urllib": "0.2.0",
+    "co-urllib": "0.2.3",
    "co-write": "0.3.0",
-    "copy-to": "0.0.3",
-    "debug": "0.8.0",
+    "copy-to": "1.0.1",
+    "debug": "1.0.4",
+    "error-formater": "1.0.3",
    "eventproxy": "0.3.1",
-    "giturl": "0.0.2",
-    "graceful": "0.0.6",
+    "giturl": "0.0.3",
+    "graceful": "0.1.0",
    "gravatar": "1.0.6",
    "humanize-number": "0.0.2",
-    "koa": "0.5.2",
-    "koa-limit": "1.0.0",
+    "koa": "0.8.1",
+    "koa-limit": "1.0.2",
    "koa-markdown": "0.0.3",
-    "koa-middlewares": "0.1.3",
-    "logfilestream": "0.1.0",
+    "koa-middlewares": "1.2.0",
    "marked": "0.3.2",
-    "microtime": "0.5.1",
    "mime": "1.2.11",
-    "mkdirp": "0.3.5",
-    "moment": "2.5.1",
+    "mini-logger": "0.3.0",
+    "mkdirp": "0.5.0",
+    "moment": "2.7.0",
    "ms": "0.6.2",
-    "multiline": "0.3.2",
-    "mysql": "2.1.1",
-    "nodemailer": "0.6.1",
-    "qn": "0.2.1",
+    "multiline": "0.3.4",
+    "mysql": "2.4.1",
+    "nodemailer": "0.7.1",
+    "qn": "0.2.2",
    "ready": "0.1.1",
-    "redis": "0.10.1",
-    "semver": "2.2.1",
-    "thunkify-wrap": "0.1.1",
-    "utility": "0.1.12"
+    "redis": "0.11.0",
+    "semver": "3.0.1",
+    "thunkify-wrap": "1.0.1",
+    "utility": "0.1.16"
  },
  "devDependencies": {
-    "autod": ">=0.0.13",
+    "autod": "~0.2.0",
    "chunkstream": "0.0.1",
    "co-mocha": "0.0.2",
    "contributors": "*",
@@ -54,9 +57,10 @@
    "jshint": "*",
    "mm": "0.2.1",
    "mocha": "*",
-    "pedding": "0.0.3",
-    "should": "3.3.0",
-    "supertest": "0.10.0"
+    "pedding": "1.0.0",
+    "should": "4.0.4",
+    "should-http": "0.0.1",
+    "supertest": "0.13.0"
  },
  "homepage": "https://github.com/cnpm/cnpmjs.org",
  "repository": {
--- a/proxy/dist.js
+++ b/proxy/dist.js
@@ -0,0 +1,86 @@
+/**!
+ * cnpmjs.org - proxy/dist.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+/* jshint -W032 */
+
+/**
+ * Module dependencies.
+ */
+
+var path = require('path');
+var multiline = require('multiline');
+var mysql = require('../common/mysql');
+
+var SAVE_FILE_SQL = multiline(function () {;/*
+  INSERT INTO
+    dist_file(gmt_create, gmt_modified, name, parent, date, size, url, sha1)
+  VALUES
+    (now(), now(), ?, ?, ?, ?, ?, ?)
+  ON DUPLICATE KEY UPDATE
+    name=VALUES(name),
+    parent=VALUES(parent),
+    date=VALUES(date),
+    size=VALUES(size),
+    url=VALUES(url),
+    sha1=VALUES(sha1);
+*/});
+
+exports.savefile = function* (info) {
+  return yield mysql.query(SAVE_FILE_SQL, [
+    info.name, info.parent, info.date, info.size, info.url, info.sha1
+  ]);
+};
+
+var SAVE_DIR_SQL = multiline(function () {;/*
+  INSERT INTO
+    dist_dir(gmt_create, gmt_modified, name, parent, date)
+  VALUES
+    (now(), now(), ?, ?, ?)
+  ON DUPLICATE KEY UPDATE
+    name=VALUES(name),
+    parent=VALUES(parent),
+    date=VALUES(date);
+*/});
+
+exports.savedir = function* (info) {
+  return yield mysql.query(SAVE_DIR_SQL, [
+    info.name, info.parent, info.date
+  ]);
+};
+
+var LIST_DIRS_SQL = multiline(function () {;/*
+  SELECT name, parent, date FROM dist_dir WHERE parent = ?;
+*/});
+var LIST_FILES_SQL = multiline(function () {;/*
+  SELECT name, parent, date, size, url, sha1
+  FROM dist_file WHERE parent = ?;
+*/});
+
+exports.listdir = function* (name) {
+  var rs = yield [
+    mysql.query(LIST_DIRS_SQL, [name]),
+    mysql.query(LIST_FILES_SQL, [name]),
+  ];
+  return rs[0].concat(rs[1]);
+};
+
+var GET_FILE_SQL = multiline(function () {;/*
+  SELECT name, parent, date, url, size, sha1 FROM dist_file WHERE parent = ? AND name = ?;
+*/});
+
+exports.getfile = function* (fullname) {
+  var name = path.basename(fullname);
+  var parent = path.dirname(fullname);
+  if (parent !== '/') {
+    parent += '/';
+  }
+  return yield mysql.queryOne(GET_FILE_SQL, [parent, name]);
+};
--- a/proxy/download.js
+++ b/proxy/download.js
@@ -9,6 +9,8 @@
 */

 'use strict';
+/* jshint -W032 */
+

 /**
 * Module dependencies.
--- a/proxy/module.js
+++ b/proxy/module.js
@@ -9,6 +9,7 @@
 */

 'use strict';
+/* jshint -W032 */

 /**
 * Module dependencies.
@@ -21,9 +22,6 @@ var config = require('../config');
 var mysql = require('../common/mysql');
 var multiline = require('multiline');

-var MODULE_COLUMNS = 'id, publish_time, gmt_create, gmt_modified, author, name, \
-  version, description, package, dist_tarball, dist_shasum, dist_size';
-
 var INSERT_MODULE_SQL = multiline(function () {;/*
  INSERT INTO
    module(gmt_create, gmt_modified, publish_time, author, name, version,
@@ -184,19 +182,7 @@ exports.updateReadme = function (id, readme, callback) {
  });
 };

-var UPDATE_DIST_SQL = multiline(function () {;/*
-  UPDATE
-    module
-  SET
-    publish_time=?,
-    version=?,
-    package=?,
-    dist_tarball=?,
-    dist_shasum=?,
-    dist_size=?
-  WHERE
-    id=?;
-*/});
+var UPDATE_DIST_SQL = 'UPDATE module SET ? WHERE id=?';
 exports.update = function (mod, callback) {
  var pkg;
  try {
@@ -205,8 +191,18 @@ exports.update = function (mod, callback) {
    return callback(e);
  }
  var dist = mod.package.dist;
+
+  var arg = {
+    publish_time: mod.publish_time,
+    version: mod.version,
+    package: pkg,
+    dist_tarball: dist.tarball,
+    dist_shasum: dist.shasum,
+    dist_size: dist.size
+  };
+
  mysql.query(UPDATE_DIST_SQL,
-    [mod.publish_time, mod.version, pkg, dist.tarball, dist.shasum, dist.size, mod.id],
+    [arg, mod.id],
  function (err, result) {
    if (err) {
      return callback(err);
@@ -350,7 +346,7 @@ var DELETE_TAGS_BY_IDS_SQL = multiline(function () {;/*
  DELETE FROM
    tag
  WHERE
-    id in (?);
+    id IN (?);
 */});
 exports.removeTagsByIds = function (ids, callback) {
  mysql.query(DELETE_TAGS_BY_IDS_SQL, [ids], callback);
@@ -433,38 +429,16 @@ exports.listByName = function (name, callback) {
  });
 };

-var LIST_SINCE_SQLS = [];
-LIST_SINCE_SQLS.push(multiline(function () {;/*
-  SELECT
-    module_id
-  FROM
-    tag
-  WHERE
-    tag="latest" AND gmt_modified>?;
-*/}));
-LIST_SINCE_SQLS.push(multiline(function () {;/*
+var LIST_SINCE_SQL = multiline(function () {;/*
  SELECT
    distinct(name)
  FROM
-    module
+    tag
  WHERE
-    id IN (?);
-*/}));
+    gmt_modified > ?;
+*/});
 exports.listSince = function (start, callback) {
-  var ep = eventproxy.create();
-  ep.fail(callback);
-  mysql.query(LIST_SINCE_SQLS[0], [new Date(start)], ep.done(function (rows) {
-    if (!rows || rows.length === 0) {
-      return callback(null, []);
-    }
-    ep.emit('ids', rows.map(function (r) {
-      return r.module_id;
-    }));
-  }));
-
-  ep.once('ids', function (ids) {
-    mysql.query(LIST_SINCE_SQLS[1], [ids], callback);
-  });
+  mysql.query(LIST_SINCE_SQL, [new Date(start)], callback);
 };

 var LIST_ALL_NAME_SQL = multiline(function () {;/*
@@ -675,13 +649,6 @@ exports.search = function (word, options, callback) {

 thunkify(exports);

-exports.updateMaintainers = function *(id, maintainers) {
-  var mod = yield exports.getById(id);
-  mod.package.maintainers = maintainers;
-  var pkg = stringifyPackage(mod.package);
-  return yield mysql.query(UPDATE_PACKAGE_SQL, [pkg, id]);
-};
-
 var GET_LAST_MODIFIED_MODULE_SQL = multiline(function () {;/*
  SELECT
    id, gmt_modified
@@ -690,9 +657,85 @@ var GET_LAST_MODIFIED_MODULE_SQL = multiline(function () {;/*
  WHERE
    name=?
  ORDER BY
-    gmt_modified DESC;
+    gmt_modified DESC
+  LIMIT 1;
 */});
-exports.getLastModified = function *(name) {
+exports.getLastModified = function* (name) {
  var row = yield mysql.queryOne(GET_LAST_MODIFIED_MODULE_SQL, [name]);
  return row && row.gmt_modified;
 };
+
+var UPDATE_LAST_MODIFIED_SQL = 'UPDATE module SET gmt_modified=now() WHERE id=?;';
+exports.updateLastModified = function* (name) {
+  var row = yield mysql.queryOne(GET_LAST_MODIFIED_MODULE_SQL, [name]);
+  if (row) {
+    yield mysql.query(UPDATE_LAST_MODIFIED_SQL, [row.id]);
+  }
+};
+
+var DELETE_TAGS_BY_NAMES_SQL = 'DELETE FROM tag WHERE name=? AND tag IN (?);';
+exports.removeTagsByNames = function* (moduleName, tagNames) {
+  return yield mysql.query(DELETE_TAGS_BY_NAMES_SQL, [moduleName, tagNames]);
+};
+
+/**
+ * forward compatbility for update from lower version cnpmjs.org
+ * redirect @scope/name => name
+ */
+exports.getAdaptName = function* (name) {
+  if (!config.scopes
+    || !config.scopes.length
+    || !config.adaptScope) {
+    return;
+  }
+
+  var tmp = name.split('/');
+  var scope = tmp[0];
+  name = tmp[1];
+
+  if (config.scopes.indexOf(scope) === -1) {
+    return;
+  }
+
+  var pkg = yield exports.getByTag(name, 'latest');
+  // only private module can adapt
+  if (pkg && pkg.package._publish_on_cnpm) {
+    return name;
+  }
+  return;
+};
+
+exports.listPrivates = function* () {
+  var scopes = config.scopes;
+  if (!scopes || !scopes.length) {
+    return [];
+  }
+  var privatePackages = config.privatePackages || [];
+
+  var args = [];
+  var sql = 'SELECT module_id AS id FROM tag WHERE tag="latest" AND (';
+  var wheres = [];
+
+  scopes.forEach(function (scope) {
+    wheres.push('name LIKE ?');
+    args.push(scope + '%');
+  });
+
+  if (privatePackages.length) {
+    wheres.push('name in (?)');
+    args.push(privatePackages);
+  }
+
+  sql = sql + wheres.join(' OR ') + ')';
+
+  var ids = yield mysql.query(sql, args);
+  ids = ids.map(function (row) {
+    return row.id;
+  });
+
+  if (!ids.length) {
+    return [];
+  }
+
+  return yield mysql.query(QUERY_MODULES_BY_ID_SQL, [ids]);
+};
--- a/proxy/module_deps.js
+++ b/proxy/module_deps.js
@@ -9,6 +9,7 @@
 */

 "use strict";
+/* jshint -W032 */

 /**
 * Module dependencies.
--- a/proxy/module_log.js
+++ b/proxy/module_log.js
@@ -9,6 +9,7 @@
 */

 'use strict';
+/* jshint -W032 */

 /**
 * Module dependencies.
@@ -16,16 +17,18 @@

 var thunkify = require('thunkify-wrap');
 var mysql = require('../common/mysql');
-var multiline = require('multiline');

-var INSERT_LOG_SQL = multiline(function () {;/*
-  INSERT INTO
-    module_log(gmt_create, gmt_modified, name, username, log)
-  VALUES
-    (now(), now(), ?, ?, "");
-*/});
+var INSERT_LOG_SQL = 'INSERT INTO module_log SET ?';
 exports.create = function (data, callback) {
-  mysql.query(INSERT_LOG_SQL, [data.name, data.username], function (err, result) {
+  var now = new Date();
+  var args = {
+    gmt_create: now,
+    gmt_modified: now,
+    name: data.name,
+    username: data.username,
+    log: ''
+  };
+  mysql.query(INSERT_LOG_SQL, [args], function (err, result) {
    if (err) {
      return callback(err);
    }
@@ -33,15 +36,7 @@ exports.create = function (data, callback) {
  });
 };

-var APPEND_SQL = multiline(function () {;/*
-  UPDATE
-    module_log
-  SET
-    log=CONCAT(log, ?),
-    gmt_modified=now()
-  WHERE
-    id=?;
-*/});
+var APPEND_SQL = 'UPDATE module_log SET log=CONCAT(log, ?), gmt_modified=now() WHERE id=?';
 exports.append = function (id, log, callback) {
  log = '\n' + log;
  mysql.query(APPEND_SQL, [log, id], function (err) {
@@ -49,14 +44,7 @@ exports.append = function (id, log, callback) {
  });
 };

-var SELECT_SQL = multiline(function () {;/*
-  SELECT
-    *
-  FROM
-    module_log
-  WHERE
-    id=?;
-*/});
+var SELECT_SQL = 'SELECT * FROM module_log WHERE id=?';
 exports.get = function (id, callback) {
  mysql.queryOne(SELECT_SQL, [id], callback);
 };
--- a/proxy/module_maintainer.js
+++ b/proxy/module_maintainer.js
@@ -0,0 +1,81 @@
+/**!
+ * cnpmjs.org - proxy/module_maintainer.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var debug = require('debug')('cnpmjs.org:proxy:module_maintainer');
+var mysql = require('../common/mysql');
+var Module = require('./module');
+
+var GET_MAINTANINERS_SQL = 'SELECT user FROM module_maintainer WHERE name = ?;';
+
+exports.get = function* (name) {
+  var users = yield mysql.query(GET_MAINTANINERS_SQL, [name]);
+  return users.map(function (row) {
+    return row.user;
+  });
+};
+
+var ADD_SQL = 'INSERT INTO module_maintainer(name, user, gmt_create) \
+  VALUES (?, ?, now());';
+function* add(name, username) {
+  try {
+    yield mysql.query(ADD_SQL, [name, username]);
+  } catch (err) {
+    if (err.code !== 'ER_DUP_ENTRY') {
+      throw err;
+    }
+  }
+}
+
+var REMOVE_SQL = 'DELETE FROM module_maintainer WHERE name = ? AND user IN (?);';
+function* remove(name, usernames) {
+  return yield mysql.query(REMOVE_SQL, [name, usernames]);
+}
+
+exports.update = function* (name, maintainers) {
+  // maintainers should be [name1, name2, ...] format
+  // find out the exists maintainers then remove the deletes and add the left
+  if (maintainers.length === 0) {
+    return {
+      add: [],
+      remove: []
+    };
+  }
+  var exists = yield* exports.get(name);
+  var addUsers = maintainers;
+  var removeUsers = [];
+  if (exists.length > 0) {
+    for (var i = 0; i < exists.length; i++) {
+      var username = exists[i];
+      if (addUsers.indexOf(username) === -1) {
+        removeUsers.push(username);
+      }
+    }
+  }
+  var tasks = [];
+  for (var i = 0; i < addUsers.length; i++) {
+    tasks.push(add(name, addUsers[i]));
+  }
+  yield tasks;
+  // make sure all add users success then remove users
+  if (removeUsers.length > 0) {
+    yield* remove(name, removeUsers);
+  }
+  debug('add %d users, remove %d users', addUsers.length, removeUsers.length);
+  return {
+    add: addUsers,
+    remove: removeUsers
+  };
+};
--- a/proxy/module_star.js
+++ b/proxy/module_star.js
@@ -9,6 +9,7 @@
 */

 'use strict';
+/* jshint -W032 */

 /**
 * Module dependencies.
@@ -18,10 +19,10 @@ var mysql = require('../common/mysql');
 var multiline = require('multiline');

 var ADD_SQL = multiline(function () {;/*
-  INSERT iNTO
-    module_star(name, user)
+  INSERT INTO
+    module_star(name, user, gmt_create)
  VALUES
-    (?, ?);
+    (?, ?, now());
 */});
 exports.add = function *add(name, user) {
  try {
--- a/proxy/module_unpublished.js
+++ b/proxy/module_unpublished.js
@@ -0,0 +1,44 @@
+/**!
+ * cnpmjs.org - proxy/module_unpublished.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+/* jshint -W032 */
+
+/**
+ * Module dependencies.
+ */
+
+var multiline = require('multiline');
+var mysql = require('../common/mysql');
+
+var SAVE_SQL = multiline(function () {;/*
+  INSERT INTO
+    module_unpublished(gmt_create, gmt_modified, name, package)
+  VALUES
+    (now(), now(), ?, ?)
+  ON DUPLICATE KEY UPDATE
+    gmt_modified=now(),
+    name=VALUES(name),
+    package=VALUES(package);
+*/});
+
+exports.add = function* (name, pkg) {
+  return yield mysql.query(SAVE_SQL, [name, JSON.stringify(pkg)]);
+};
+
+var GET_SQL = 'SELECT gmt_modified, name, package FROM module_unpublished WHERE name=?;';
+
+exports.get = function* (name) {
+  var row = yield mysql.queryOne(GET_SQL, [name]);
+  if (row) {
+    row.package = JSON.parse(row.package);
+  }
+  return row;
+};
--- a/proxy/npm.js
+++ b/proxy/npm.js
@@ -19,17 +19,18 @@ var config = require('../config');

 var USER_AGENT = 'cnpmjs.org/' + config.version + ' ' + urllib.USER_AGENT;

-function *request(url, options) {
+function* request(url, options) {
  options = options || {};
  options.dataType = options.dataType || 'json';
  options.timeout = options.timeout || 120000;
  options.headers = {
    'user-agent': USER_AGENT
  };
-  url = config.sourceNpmRegistry + url;
+  var registry = options.registry || config.sourceNpmRegistry;
+  url = registry + url;
  var r;
  try {
-    r = yield *urllib.request(url, options);
+    r = yield* urllib.request(url, options);
  } catch (err) {
    var statusCode = err.status || -1;
    var data = err.data || '[empty]';
@@ -42,6 +43,8 @@ function *request(url, options) {
  return r;
 }

+exports.request = request;
+
 exports.getUser = function *(name) {
  var url = '/-/user/org.couchdb.user:' + name;
  var r = yield *request(url);
@@ -70,7 +73,8 @@ exports.getAllSince = function *(startkey) {

 exports.getShort = function *() {
  var r = yield *request('/-/short', {
-    timeout: 300000
+    timeout: 300000,
+    registry: 'http://r.cnpmjs.org', // registry.npmjs.org/-/short is 404 now.
  });
  return r.data;
 };
--- a/proxy/sync_module_worker.js
+++ b/proxy/sync_module_worker.js
@@ -17,6 +17,7 @@

 var co = require('co');
 var gather = require('co-gather');
+var defer = require('co-defer');
 var thunkify = require('thunkify-wrap');
 var debug = require('debug')('cnpmjs.org:proxy:sync_module_worker');
 var EventEmitter = require('events').EventEmitter;
@@ -27,6 +28,7 @@ var crypto = require('crypto');
 var urllib = require('co-urllib');
 var utility = require('utility');
 var ms = require('ms');
+var urlparse = require('url').parse;
 var nfs = require('../common/nfs');
 var npm = require('./npm');
 var common = require('../lib/common');
@@ -36,22 +38,19 @@ var Log = require('./module_log');
 var config = require('../config');
 var ModuleStar = require('./module_star');
 var User = require('./user');
+var ModuleUnpublished = require('./module_unpublished');

 var USER_AGENT = 'sync.cnpmjs.org/' + config.version + ' ' + urllib.USER_AGENT;

 function SyncModuleWorker(options) {
  EventEmitter.call(this);
  this._logId = options.logId;
-  this.startName = options.name;
  if (!Array.isArray(options.name)) {
    options.name = [options.name];
  }

-  this.names = options.name;
-  // for (var i = 0; i < this.names.length; i++) {
-  //   // ensure package name is lower case
-  //   this.names[i] = this.names[i].toLowerCase();
-  // }
+  this.names = options.name || [];
+  this.startName = this.names[0];

  this.username = options.username;
  this.concurrency = options.concurrency || 1;
@@ -124,53 +123,89 @@ SyncModuleWorker.prototype.add = function (name) {
  this.log('    add dependencies: %s', name);
 };

+SyncModuleWorker.prototype._doneOne = function* (concurrencyId, name, success) {
+  if (success) {
+    this.pushSuccess(name);
+  } else {
+    this.pushFail(name);
+  }
+  delete this.syncingNames[name];
+  var that = this;
+  // relase the stack: https://github.com/cnpm/cnpmjs.org/issues/328
+  defer.setImmediate(function *() {
+    that.log('[c#%s] setImmediate after, %s done, start next...', concurrencyId, name);
+    yield *that.next(concurrencyId);
+  });
+};
+
 SyncModuleWorker.prototype.next = function *(concurrencyId) {
  var name = this.names.shift();
  if (!name) {
-    return process.nextTick(this.finish.bind(this));
+    return setImmediate(this.finish.bind(this));
  }

  var that = this;
  that.syncingNames[name] = true;
-  var pkg;
+  var pkg = null;
+  var status = 0;
  // get from npm
  try {
-    pkg = yield npm.get(name);
+    var result = yield npm.request('/' + name);
+    pkg = result.data;
+    status = result.status;
  } catch (err) {
    // if 404
-    if (err.res && err.res.statusCode === 404) {
-      that.pushSuccess(name);
-    } else {
-      that.pushFail(name);
+    if (!err.res || err.res.statusCode !== 404) {
+      var errMessage = err.name + ': ' + err.message;
+      that.log('[c#%s] [error] [%s] get package error: %s, status: %s',
+        concurrencyId, name, errMessage, status);
+      yield *that._doneOne(concurrencyId, name, false);
+      return;
    }
-    that.log('[error] [%s] get package error: %s', name, err.stack);
-    delete that.syncingNames[name];
-    yield *that.next(concurrencyId);
-    return;
  }
+
+  var unpublishedInfo = null;
+  if (status === 404) {
+    // check if it's unpublished
+    if (pkg.time && pkg.time.unpublished && pkg.time.unpublished.time) {
+      unpublishedInfo = pkg.time.unpublished;
+    } else {
+      pkg = null;
+    }
+  }
+
  if (!pkg) {
-    that.log('[error] [%s] get package error: package not exist', name);
-    delete that.syncingNames[name];
-    yield that.next(concurrencyId);
+    that.log('[c#%s] [error] [%s] get package error: package not exists, status: %s',
+      concurrencyId, name, status);
+    yield* that._doneOne(concurrencyId, name, true);
    return;
  }

-  that.log('[c#%d] [%s] start...', concurrencyId, name);
+  that.log('[c#%d] [%s] pkg status: %d, start...', concurrencyId, name, status);
+
+  if (unpublishedInfo) {
+    try {
+      yield* that._unpublished(name, unpublishedInfo);
+    } catch (err) {
+      that.log('[c#%s] [error] [%s] sync error: %s', concurrencyId, name, err.stack);
+      yield* that._doneOne(concurrencyId, name, false);
+      return;
+    }
+    return yield* that._doneOne(concurrencyId, name, true);
+  }
+
  var versions;
  try {
-    versions = yield that._sync(name, pkg);
+    versions = yield* that._sync(name, pkg);
  } catch (err) {
-    that.pushFail(name);
-    that.log('[error] [%s] sync error: %s', name, err.stack);
-    delete that.syncingNames[name];
-    yield *that.next(concurrencyId);
+    that.log('[c#%s] [error] [%s] sync error: %s', concurrencyId, name, err.stack);
+    yield* that._doneOne(concurrencyId, name, false);
    return;
  }
-  that.log('[%s] synced success, %d versions: %s',
-    name, versions.length, versions.join(', '));
-  that.pushSuccess(name);
-  delete that.syncingNames[name];
-  yield that.next(concurrencyId);
+
+  that.log('[c#%d] [%s] synced success, %d versions: %s',
+    concurrencyId, name, versions.length, versions.join(', '));
+  yield* that._doneOne(concurrencyId, name, true);
 };

 function *_listStarUsers(modName) {
@@ -194,7 +229,61 @@ function *_saveNpmUser(username) {
  yield User.saveNpmUser(user);
 }

-SyncModuleWorker.prototype._sync = function *(name, pkg) {
+SyncModuleWorker.prototype._unpublished = function* (name, unpublishedInfo) {
+  var mods = yield Module.listByName(name);
+  this.log('  [%s] start unpublished %d versions from local cnpm registry',
+    name, mods.length);
+  if (this._isLocalModule(mods)) {
+    // publish on cnpm, dont sync this version package
+    this.log('  [%s] publish on local cnpm registry, don\'t sync', name);
+    return [];
+  }
+
+  var r = yield* ModuleUnpublished.add(name, unpublishedInfo);
+  this.log('    [%s] save unpublished info: %j to row#%s',
+    name, unpublishedInfo, r.insertId);
+  if (mods.length === 0) {
+    return;
+  }
+  yield [Module.removeByName(name), Module.removeTags(name)];
+  var keys = [];
+  for (var i = 0; i < mods.length; i++) {
+    var row = mods[i];
+    var dist = row.package.dist;
+    var key = dist.key;
+    if (!key) {
+      key = urlparse(dist.tarball).pathname;
+    }
+    key && keys.push(key);
+  }
+
+  if (keys.length === 0) {
+    return;
+  }
+
+  try {
+    yield keys.map(function (key) {
+      return nfs.remove(key);
+    });
+  } catch (err) {
+    // ignore error here
+    this.log('    [%s] delete nfs files: %j error: %s: %s',
+      name, keys, err.name, err.message);
+  }
+  this.log('    [%s] delete nfs files: %j success', name, keys);
+};
+
+SyncModuleWorker.prototype._isLocalModule = function (mods) {
+  for (var i = 0; i < mods.length; i++) {
+    var r = mods[i];
+    if (r.package && r.package._publish_on_cnpm) {
+      return true;
+    }
+  }
+  return false;
+};
+
+SyncModuleWorker.prototype._sync = function* (name, pkg) {
  var username = this.username;
  var that = this;

@@ -208,8 +297,15 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
  var tagRows = result[1];
  var existsStarUsers = result[2];

+  if (that._isLocalModule(moduleRows)) {
+    // publish on cnpm, dont sync this version package
+    that.log('  [%s] publish on local cnpm registry, don\'t sync', name);
+    return [];
+  }
+
  hasModules = moduleRows.length > 0;
  var map = {};
+  var localVersionNames = [];
  for (var i = 0; i < moduleRows.length; i++) {
    var r = moduleRows[i];
    if (!r.package || !r.package.dist) {
@@ -217,12 +313,6 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
      continue;
    }

-    if (r.package && r.package._publish_on_cnpm) {
-      // publish on cnpm, dont sync this version package
-      that.log('  [%s] publish on local cnpm, don\'t sync', name);
-      return [];
-    }
-
    if (r.version === 'next') {
      continue;
    }
@@ -230,6 +320,7 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
      map.latest = r;
    }
    map[r.version] = r;
+    localVersionNames.push(r.version);
  }

  var tags = {};
@@ -256,17 +347,17 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
    var maintainers = p.maintainers || [];
    if (maintainers && !Array.isArray(maintainers)) {
      // http://r.cnpmjs.org/jasmine-node
-      // TODO: "maintainers": "Martin HĂ¤ger <martin.haeger@gmail.com>",
+      // TODO: "maintainers": "Martin H膫陇ger <martin.haeger@gmail.com>",
      maintainers = [maintainers];
    }

-    maintainers.forEach(function (m) {
-      if (m.name) {
-        npmUsernames[m.name.toLowerCase()] = 1;
-      }
-    });
+    maintainers.forEach(pushName);
+  }
+  function pushName(m) {
+    if (m.name) {
+      npmUsernames[m.name.toLowerCase()] = 1;
+    }
  }
-
  // get the missing star users
  var starUsers = pkg.users || {};
  for (var k in starUsers) {
@@ -279,11 +370,8 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {

  var times = pkg.time || {};
  pkg.versions = pkg.versions || {};
-  var versionNames = Object.keys(times);
-  if (versionNames.length === 0) {
-    versionNames = Object.keys(pkg.versions);
-  }
-  if (versionNames.length === 0) {
+  var remoteVersionNames = Object.keys(pkg.versions);
+  if (remoteVersionNames.length === 0) {
    that.log('  [%s] no times and no versions, hasModules: %s', name, hasModules);
    if (!hasModules) {
      // save a next module
@@ -317,9 +405,12 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
    }
  }

-  var versions = [];
-  for (var i = 0; i < versionNames.length; i++) {
-    var v = versionNames[i];
+  var remoteVersionNameMap = {};
+
+  // find out missing versions
+  for (var i = 0; i < remoteVersionNames.length; i++) {
+    var v = remoteVersionNames[i];
+    remoteVersionNameMap[v] = v;
    var exists = map[v] || {};
    var version = pkg.versions[v];
    if (!version || !version.dist || !version.dist.tarball) {
@@ -364,9 +455,19 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
        continue;
      }
    }
-    versions.push(version);
+    missingVersions.push(version);
  }

+  // find out deleted versions
+  var deletedVersionNames = [];
+  for (var i = 0; i < localVersionNames.length; i++) {
+    var v = localVersionNames[i];
+    if (!remoteVersionNameMap[v]) {
+      deletedVersionNames.push(v);
+    }
+  }
+
+  // find out missing tags
  var sourceTags = pkg['dist-tags'] || {};
  for (var t in sourceTags) {
    var sourceTagVersion = sourceTags[t];
@@ -374,18 +475,25 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
      missingTags.push([t, sourceTagVersion]);
    }
  }
-
-  if (versions.length === 0) {
-    that.log('  [%s] all versions are exists', name);
-  } else {
-    versions.sort(function (a, b) {
-      return a.publish_time - b.publish_time;
-    });
-    that.log('  [%s] %d versions need to sync', name, versions.length);
+  // find out deleted tags
+  var deletedTags = [];
+  for (var t in tags) {
+    if (!sourceTags[t]) {
+      // not in remote tags, delete it from local registry
+      deletedTags.push(t);
+    }
  }

-  missingVersions = versions;
-  var versionNames = [];
+  if (missingVersions.length === 0) {
+    that.log('  [%s] all versions are exists', name);
+  } else {
+    missingVersions.sort(function (a, b) {
+      return a.publish_time - b.publish_time;
+    });
+    that.log('  [%s] %d versions need to sync', name, missingVersions.length);
+  }
+
+  var syncedVersionNames = [];
  var syncIndex = 0;

  // sync missing versions
@@ -397,13 +505,27 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
    }
    try {
      var result = yield that._syncOneVersion(index, syncModule);
-      versionNames.push(syncModule.version);
+      syncedVersionNames.push(syncModule.version);
    } catch (err) {
-      that.log('    [%s:%d] error, version: %s, %s: %s',
+      that.log('    [%s:%d] sync error, version: %s, %s: %s',
        syncModule.name, index, syncModule.version, err.name, err.message);
    }
  }

+
+  if (deletedVersionNames.length === 0) {
+    that.log('  [%s] no versions need to deleted', name);
+  } else {
+    that.log('  [%s] %d versions: %j need to deleted',
+      name, deletedVersionNames.length, deletedVersionNames);
+
+    try {
+      yield Module.removeByNameAndVersions(name, deletedVersionNames);
+    } catch (err) {
+      that.log('    [%s] delete error, %s: %s', name, err.name, err.message);
+    }
+  }
+
  // sync missing descriptions
  function *syncDes() {
    if (missingDescriptions.length === 0) {
@@ -428,7 +550,13 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
  }

  // sync missing tags
-  function *syncTag() {
+  function* syncTag() {
+    if (deletedTags.length > 0) {
+      yield* Module.removeTagsByNames(name, deletedTags);
+      that.log('  [%s] deleted %d tags: %j',
+        name, deletedTags.length, deletedTags);
+    }
+
    if (missingTags.length === 0) {
      return;
    }
@@ -531,7 +659,7 @@ SyncModuleWorker.prototype._sync = function *(name, pkg) {
  }

  yield [syncDes(), syncTag(), syncReadme(), syncMissingStarUsers(), syncMissingUsers()];
-  return versionNames;
+  return syncedVersionNames;
 };

 SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePackage) {
@@ -594,12 +722,14 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
    // get tarball
    var r = yield *urllib.request(downurl, options);
    var statusCode = r.status || -1;
-    if (statusCode === 404) {
-      shasum = sourcePackage.dist.shasum;
-      return yield afterUpload({
-        url: downurl
-      });
-    }
+    // https://github.com/cnpm/cnpmjs.org/issues/325
+    // if (statusCode === 404) {
+    //   shasum = sourcePackage.dist.shasum;
+    //   return yield *afterUpload({
+    //     url: downurl
+    //   });
+    // }
+
    if (statusCode !== 200) {
      var err = new Error('Download ' + downurl + ' fail, status: ' + statusCode);
      err.name = 'DownloadTarballError';
@@ -616,6 +746,13 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
    var end = thunkify.event(rs);
    yield end(); // after end event emit

+    if (dataSize === 0) {
+      var err = new Error('Download ' + downurl + ' file size is zero');
+      err.name = 'DownloadTarballSizeZeroError';
+      err.data = sourcePackage;
+      throw err;
+    }
+
    // check shasum
    shasum = shasum.digest('hex');
    if (shasum !== sourcePackage.dist.shasum) {
@@ -633,7 +770,7 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
    };
    // upload to NFS
    var result = yield nfs.upload(filepath, options);
-    return yield afterUpload(result);
+    return yield *afterUpload(result);
  } finally {
    // remove tmp file whatever
    fs.unlink(filepath, utility.noop);
@@ -678,27 +815,35 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
    mod.package.dist = dist;
    var r = yield Module.add(mod);

-    that.log('    [%s:%s] done, insertId: %s, author: %s, version: %s, ' +
-    'size: %d, publish_time: %j, publish on cnpm: %s',
-    sourcePackage.name, versionIndex,
-    r.id,
-    author, mod.version, dataSize,
-    new Date(mod.publish_time),
-    that._publish);
+    that.log('    [%s:%s] done, insertId: %s, author: %s, version: %s, '
+      + 'size: %d, publish_time: %j, publish on cnpm: %s',
+      sourcePackage.name, versionIndex,
+      r.id,
+      author, mod.version, dataSize,
+      new Date(mod.publish_time),
+      that._publish);

    return r;
  }
 };

-SyncModuleWorker.sync = function *(name, username, options) {
+SyncModuleWorker.sync = function* (name, username, options) {
  options = options || {};
-  var pkg = yield npm.get(name);
-  if (!pkg || !pkg._rev) {
+  var result = yield npm.request('/' + name);
+  var pkg = result.data;
+  if (result.status === 404 &&
+      (!pkg.time || !pkg.time.unpublished || !pkg.time.unpublished.time)) {
+    pkg = null;
+  }
+
+  if (!pkg || !pkg._id) {
    return {
      ok: false,
-      pkg: pkg
+      pkg: pkg,
+      statusCode: 404
    };
  }
+
  var result = yield Log.create({name: name, username: username});
  var worker = new SyncModuleWorker({
    logId: result.id,
--- a/proxy/total.js
+++ b/proxy/total.js
@@ -9,6 +9,7 @@
 */

 'use strict';
+/* jshint -W032 */

 /**
 * Module dependencies.
@@ -149,22 +150,21 @@ var UPDATE_SYNC_NUM_SQL = multiline(function () {;/*
  UPDATE
    total
  SET
-    sync_status = ?,
-    need_sync_num = ?,
-    success_sync_num = ?,
-    fail_sync_num = ?,
-    left_sync_num = ?,
-    last_sync_module = ?
+    ?
  WHERE
    name="total";
 */});
 exports.updateSyncNum = function (params, callback) {
-  var query = [
-    params.syncStatus, params.need || 0,
-    params.success || 0, params.fail || 0, params.left || 0,
-    params.lastSyncModule,
-  ];
-  mysql.query(UPDATE_SYNC_NUM_SQL, query, callback);
+  var arg = {
+    sync_status: params.syncStatus,
+    need_sync_num: params.need || 0,
+    success_sync_num: params.success || 0,
+    fail_sync_num: params.fail || 0,
+    left_sync_num: params.left || 0,
+    last_sync_module: params.lastSyncModule
+  };
+
+  mysql.query(UPDATE_SYNC_NUM_SQL, [arg], callback);
 };

 thunkify(exports);
--- a/proxy/user.js
+++ b/proxy/user.js
@@ -9,6 +9,7 @@
 */

 'use strict';
+/* jshint -W032 */

 /**
 * Module dependencies.
@@ -20,59 +21,11 @@ var config = require('../config');
 var mysql = require('../common/mysql');
 var multiline = require('multiline');

-var SELECT_USER_SQL = multiline(function () {;/*
-  SELECT
-    id, rev, name, email, salt, password_sha, ip,
-    roles, json, npm_user, gmt_create, gmt_modified
-  FROM
-    user
-  WHERE
-    name=?;
-*/});
-exports.get = function (name, callback) {
-  mysql.queryOne(SELECT_USER_SQL, [name], function (err, row) {
-    if (row) {
-      try {
-        row.roles = row.roles ? JSON.parse(row.roles) : [];
-      } catch (e) {
-        row.roles = [];
-      }
-      try {
-        row.json = row.json ? JSON.parse(row.json) : null;
-      } catch (e) {
-        row.json = null;
-      }
-    }
-    callback(err, row);
-  });
-};
-
 function passwordSha(password, salt) {
  return utility.sha1(password + salt);
 }

-exports.auth = function (name, password, callback) {
-  exports.get(name, function (err, row) {
-    if (err || !row) {
-      return callback(err, row);
-    }
-
-    var sha = passwordSha(password, row.salt);
-    if (row.password_sha !== sha) {
-      row = null;
-    }
-    callback(null, row);
-  });
-};
-
-
-var INSERT_USER_SQL = multiline(function () {;/*
-  INSERT INTO
-    user(rev, name, email, salt, password_sha,
-    ip, roles, gmt_create, gmt_modified)
-  VALUES
-    (?, ?, ?, ?, ?, ?, ?, now(), now());
-*/});
+var INSERT_USER_SQL = 'INSERT INTO user SET ?';
 exports.add = function (user, callback) {
  var roles = user.roles || [];
  try {
@@ -81,8 +34,22 @@ exports.add = function (user, callback) {
    roles = '[]';
  }
  var rev = '1-' + utility.md5(JSON.stringify(user));
-  var values = [rev, user.name, user.email, user.salt, user.password_sha, user.ip, roles];
-  mysql.query(INSERT_USER_SQL, values, function (err) {
+
+  var now = new Date();
+
+  var arg = {
+    rev: rev,
+    name: user.name,
+    email: user.email,
+    salt: user.salt,
+    password_sha: user.password_sha,
+    ip: user.ip,
+    roles: roles,
+    gmt_create: now,
+    gmt_modified: now
+  };
+
+  mysql.query(INSERT_USER_SQL, [arg], function (err) {
    callback(err, {rev: rev});
  });
 };
@@ -91,13 +58,7 @@ var UPDATE_USER_SQL = multiline(function () {;/*
  UPDATE
    user
  SET
-    rev=?,
-    email=?,
-    salt=?,
-    password_sha=?,
-    ip=?,
-    roles=?,
-    gmt_modified=now()
+    ?
  WHERE
    name=? AND rev=?;
 */});
@@ -119,8 +80,17 @@ exports.update = function (user, callback) {
    roles = '[]';
  }

-  var values = [newRev, user.email, user.salt, user.password_sha, user.ip, roles, user.name, rev];
-  mysql.query(UPDATE_USER_SQL, values, function (err, data) {
+  var arg = {
+    rev: newRev,
+    email: user.email,
+    salt: user.salt,
+    password_sha: user.password_sha,
+    ip: user.ip,
+    roles: roles,
+    gmt_modified: new Date()
+  };
+
+  mysql.query(UPDATE_USER_SQL, [arg, user.name, rev], function (err, data) {
    if (err) {
      return callback(err);
    }
@@ -132,7 +102,42 @@ thunkify(exports);

 exports.passwordSha = passwordSha;

-exports.saveNpmUser = function *(user) {
+var SELECT_USER_SQL = 'SELECT \
+    id, rev, name, email, salt, password_sha, ip, \
+    roles, json, npm_user, gmt_create, gmt_modified \
+  FROM \
+    user \
+  WHERE \
+    name=?;';
+exports.get = function* (name) {
+  var row = yield mysql.queryOne(SELECT_USER_SQL, [name]);
+  if (row) {
+    try {
+      row.roles = row.roles ? JSON.parse(row.roles) : [];
+    } catch (e) {
+      row.roles = [];
+    }
+    try {
+      row.json = row.json ? JSON.parse(row.json) : null;
+    } catch (e) {
+      row.json = null;
+    }
+  }
+  return row;
+};
+
+exports.auth = function* (name, password) {
+  var row = yield* exports.get(name);
+  if (row) {
+    var sha = passwordSha(password, row.salt);
+    if (row.password_sha !== sha) {
+      row = null;
+    }
+  }
+  return row;
+};
+
+exports.saveNpmUser = function* (user) {
  var sql = 'SELECT id, json FROM user WHERE name=?;';
  var row = yield mysql.queryOne(sql, [user.name]);
  if (!row) {
@@ -145,17 +150,47 @@ exports.saveNpmUser = function *(user) {
  }
 };

-var LIST_BY_NAMES_SQL = multiline(function () {;/*
-  SELECT
-    id, name, email, json
-  FROM
-    user
-  WHERE
-    name in (?);
-*/});
-exports.listByNames = function *(names) {
+exports.saveCustomUser = function* (data) {
+  var sql = 'SELECT id, json FROM user WHERE name=?;';
+  var row = yield mysql.queryOne(sql, [data.user.login]);
+  var salt = data.salt || '0';
+  var password_sha = data.password_sha || '0';
+  var ip = data.ip || '0';
+  var rev = rev || '1-' + data.user.login;
+  var json = JSON.stringify(data.user);
+  if (!row) {
+    sql = 'INSERT INTO user(npm_user, json, rev, name, email, salt, password_sha, ip, gmt_create, gmt_modified) \
+      VALUES(2, ?, ?, ?, ?, ?, ?, ?, now(), now());';
+    yield mysql.query(sql, [
+      json, rev, data.user.login, data.user.email,
+      salt, password_sha, ip
+    ]);
+  } else {
+    sql = 'UPDATE user SET json=?, rev=?, salt=?, password_sha=?, ip=? WHERE id=?;';
+    yield mysql.query(sql, [
+      json, rev,
+      salt, password_sha, ip,
+      row.id
+    ]);
+  }
+};
+
+var LIST_BY_NAMES_SQL = 'SELECT \
+    id, name, email, json \
+  FROM \
+    user \
+  WHERE \
+    name in (?);';
+exports.listByNames = function* (names) {
  if (names.length === 0) {
    return [];
  }
  return yield mysql.query(LIST_BY_NAMES_SQL, [names]);
 };
+
+var SEARCH_SQL = 'SELECT id, name, email, json FROM user WHERE name LIKE ? LIMIT ?;';
+exports.search = function* (query, options) {
+  var limit = options.limit;
+  query = query + '%';
+  return yield mysql.query(SEARCH_SQL, [query, limit]);
+};
--- a/routes/registry.js
+++ b/routes/registry.js
@@ -15,7 +15,6 @@
 * Module dependencies.
 */

-var middlewares = require('koa-middlewares');
 var limit = require('../middleware/limit');
 var login = require('../middleware/login');
 var publishable = require('../middleware/publishable');
@@ -26,7 +25,15 @@ var user = require('../controllers/registry/user');
 var sync = require('../controllers/sync');

 function routes(app) {
-  app.get('/', middlewares.jsonp(), total.show);
+
+  function* jsonp(next) {
+    yield* next;
+    if (this.body) {
+      this.jsonp = this.body;
+    }
+  }
+
+  app.get('/', jsonp, total.show);

  //before /:name/:version
  //get all modules, for npm search
@@ -36,28 +43,36 @@ function routes(app) {
  app.get('/-/short', mod.listAllModuleNames);

  // module
+  // scope package: params: [$name]
+  app.get(/^\/(@[\w\-\.]+\/[\w\-\.]+)$/, syncByInstall, mod.show);
+  // scope package: params: [$name, $version]
+  app.get(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/([\w\.\-]+)$/, syncByInstall, mod.get);
+
  app.get('/:name', syncByInstall, mod.show);
  app.get('/:name/:version', syncByInstall, mod.get);
  // try to add module
-  app.put('/:name', login, publishable, mod.add);
+  app.put(/^\/(@[\w\-\.]+\/[\w\-\.]+)$/, login, publishable, mod.addPackageAndDist);
+  app.put('/:name', login, publishable, mod.addPackageAndDist);

  // sync from source npm
  app.put('/:name/sync', sync.sync);
  app.get('/:name/sync/log/:id', sync.getSyncLog);

+  app.put(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/([\w\-\.]+)$/, login, mod.updateTag);
+  app.put('/:name/:tag', login, mod.updateTag);
+
  // need limit by ip
+  app.get(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/download\/(@[\w\-\.]+\/[\w\-\.]+)$/, limit, mod.download);
  app.get('/:name/download/:filename', limit, mod.download);

-  // put tarball
-  // https://registry.npmjs.org/cnpmjs.org/-/cnpmjs.org-0.0.0.tgz/-rev/1-c85bc65e8d2470cc4d82b8f40da65b8e
-  app.put('/:name/-/:filename/-rev/:rev', login, publishable, mod.upload);
  // delete tarball
+  app.delete(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/download\/(@[\w\-\.]+\/[\w\-\.]+)\/\-rev\/([\w\-\.]+)$/,
+    login, publishable, mod.removeTar);
  app.delete('/:name/download/:filename/-rev/:rev', login, publishable, mod.removeTar);

-  // put package.json to module
-  app.put('/:name/:version/-tag/latest', login, publishable, mod.updateLatest);
-
  // update module, unpublish will PUT this
+  app.put(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/\-rev\/([\w\-\.]+)$/, login, publishable, mod.updateOrRemove);
+  app.delete(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/\-rev\/([\w\-\.]+)$/, login, publishable, mod.removeAll);
  app.put('/:name/-rev/:rev', login, publishable, mod.updateOrRemove);
  app.delete('/:name/-rev/:rev', login, publishable, mod.removeAll);

@@ -66,8 +81,6 @@ function routes(app) {
  app.put('/-/user/org.couchdb.user::name', user.add);
  app.get('/-/user/org.couchdb.user::name', user.show);
  app.put('/-/user/org.couchdb.user::name/-rev/:rev', login, user.update);
-  // _session
-  app.post('/_session', user.authSession);
 }

 module.exports = routes;
--- a/routes/web.js
+++ b/routes/web.js
@@ -23,20 +23,34 @@ var dist = require('../controllers/web/dist');

 function routes(app) {
  app.get('/total', total.show);
+
+  // scope package without version
+  app.get(/\/package\/(@[\w\-\.]+\/[\w\-\.]+)$/, pkg.display);
+  // scope package with version
+  app.get(/\/package\/(@[\w\-\.]+\/[\w\-\.]+)\/([\w\d\.]+)$/, pkg.display);
  app.get('/package/:name', pkg.display);
  app.get('/package/:name/:version', pkg.display);
+
+  app.get('/privates', pkg.listPrivates);
+
+  app.get(/\/browse\/keyword\/(@[\w\-\.]+\/[\w\-\.]+)$/, pkg.search);
  app.get('/browse/keyword/:word', pkg.search);

  app.get('/~:name', user.display);

  app.get('/sync/:name', pkg.displaySync);
+
  app.put('/sync/:name', sync.sync);
+
+  // params: [$name, $id]
+  app.get(/\/sync\/(@[\w\-\.]+\/[\w\-\.]+)\/log\/(\d+)$/, sync.getSyncLog);
  app.get('/sync/:name/log/:id', sync.getSyncLog);
+
  app.get('/sync', pkg.displaySync);

  app.get('/_list/search/search', pkg.rangeSearch);

-  app.get(/^\/dist(\/.+)?/, dist.redirect);
+  app.get(/^\/dist(\/.*)?/, dist.list);
 }

 module.exports = routes;
--- a/servers/registry.js
+++ b/servers/registry.js
@@ -18,28 +18,28 @@
 var koa = require('koa');
 var app = module.exports = koa();
 var http = require('http');
-var microtime = require('microtime');
 var middlewares = require('koa-middlewares');
 var routes = require('../routes/registry');
 var logger = require('../common/logger');
 var config = require('../config');
-var session = require('../common/session');
 var auth = require('../middleware/auth');
+var staticCache = require('../middleware/static');
 var notFound = require('../middleware/registry_not_found');

-app.use(middlewares.rt({headerName: 'X-ReadTime', timer: microtime}));
-
-app.use(middlewares.rewrite('/favicon.ico', '/public/favicon.ico'));
+middlewares.jsonp(app);
+app.use(middlewares.rt({headerName: 'X-ReadTime'}));
+app.use(middlewares.rewrite('/favicon.ico', '/favicon.png'));
+app.use(staticCache);

 app.keys = ['todokey', config.sessionSecret];
-app.outputErrors = true;
 app.proxy = true;
-app.use(session);
 app.use(middlewares.bodyParser({jsonLimit: config.jsonLimit}));
 app.use(auth());
 app.use(notFound);

-app.use(middlewares.compress({threshold: 150}));
+if (config.enableCompress) {
+  app.use(middlewares.compress({threshold: 150}));
+}
 app.use(middlewares.conditional());
 app.use(middlewares.etag());

@@ -55,6 +55,7 @@ routes(app);
 */

 app.on('error', function (err, ctx) {
+  // console.log(err.stack)
  err.url = err.url || ctx.request.url;
  logger.error(err);
 });
--- a/servers/web.js
+++ b/servers/web.js
@@ -1,4 +1,4 @@
-/*!
+/**!
 * cnpmjs.org - servers/web.js
 *
 * Copyright(c) cnpmjs.org and other contributors.
@@ -18,13 +18,12 @@
 var path = require('path');
 var http = require('http');
 var fs = require('fs');
-var microtime = require('microtime');
 var koa = require('koa');
 var middlewares = require('koa-middlewares');
 var markdown = require('koa-markdown');
-var session = require('../common/session');
 var opensearch = require('../middleware/opensearch');
 var notFound = require('../middleware/web_not_found');
+var staticCache = require('../middleware/static');
 var auth = require('../middleware/auth');
 var routes = require('../routes/web');
 var logger = require('../common/logger');
@@ -34,22 +33,21 @@ var app = koa();

 var rootdir = path.dirname(__dirname);

-app.use(middlewares.rt({headerName: 'X-ReadTime', timer: microtime}));
-app.use(middlewares.staticCache(path.join(__dirname, '..', 'public'), {
-  buffer: !config.debug,
-  maxAge: config.debug ? 0 : 60 * 60 * 24 * 7,
-  dir: path.join(rootdir, 'public')
-}));
+app.use(middlewares.rt({headerName: 'X-ReadTime'}));
+app.use(middlewares.rewrite('/favicon.ico', '/favicon.png'));
+app.use(staticCache);
+
 app.use(opensearch);
 app.keys = ['todokey', config.sessionSecret];
-app.outputErrors = true;
 app.proxy = true;
-app.use(session);
 app.use(middlewares.bodyParser());
 app.use(auth());
 app.use(notFound);

-app.use(middlewares.compress({threshold: 150}));
+if (config.enableCompress) {
+  app.use(middlewares.compress({threshold: 150}));
+}
+
 app.use(middlewares.conditional());
 app.use(middlewares.etag());

@@ -63,20 +61,30 @@ var layout = fs.readFileSync(path.join(viewDir, 'layout.html'), 'utf8')
  .replace('{{logoURL}}', config.logoURL);
 fs.writeFileSync(layoutFile, layout);

+// custom web readme home page support
+var readmeFile = path.join(docDir, '_readme.md');
+var readmeContent;
+if (config.customReadmeFile) {
+  readmeContent = fs.readFileSync(config.customReadmeFile, 'utf8');
+} else {
+  readmeContent = fs.readFileSync(path.join(docDir, 'readme.md'), 'utf8');
+}
+fs.writeFileSync(readmeFile, readmeContent);
+
 app.use(markdown({
  baseUrl: '/',
  root: docDir,
  layout: layoutFile,
  titleHolder: '<%- locals.title %>',
  bodyHolder: '<%- locals.body %>',
-  indexName: 'readme'
+  indexName: '_readme'
 }));

 var locals = {
  config: config
 };

-middlewares.render(app, {
+middlewares.ejs(app, {
  root: viewDir,
  viewExt: 'html',
  layout: '_layout',
--- a/services/default_user_service.js
+++ b/services/default_user_service.js
@@ -0,0 +1,139 @@
+/**!
+ * cnpmjs.org - services/default_user_service.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var gravatar = require('gravatar');
+var User = require('../proxy/user');
+var isAdmin = require('../lib/common').isAdmin;
+var config = require('../config');
+
+// User: https://github.com/cnpm/cnpmjs.org/wiki/Use-Your-Own-User-Authorization#user-data-structure
+// {
+//   "login": "fengmk2",
+//   "email": "fengmk2@gmail.com",
+//   "name": "Yuan Feng",
+//   "html_url": "http://fengmk2.github.com",
+//   "avatar_url": "https://avatars3.githubusercontent.com/u/156269?s=460",
+//   "im_url": "",
+//   "site_admin": false,
+//   "scopes": ["@org1", "@org2"]
+// }
+
+module.exports = DefaultUserService;
+
+function convertToUser(row) {
+  var user = {
+    login: row.name,
+    email: row.email,
+    name: row.name,
+    html_url: 'http://cnpmjs.org/~' + row.name,
+    avatar_url: '',
+    im_url: '',
+    site_admin: isAdmin(row.name),
+    scopes: config.scopes
+  };
+  if (row.json) {
+    var data = row.json;
+    if (data.login) {
+      // custom user
+      user = data;
+    } else {
+      // npm user
+      if (data.avatar) {
+        user.avatar_url = data.avatar;
+      }
+      if (data.fullname) {
+        user.name = data.fullname;
+      }
+      if (data.homepage) {
+        user.html_url = data.homepage;
+      }
+      if (data.twitter) {
+        user.im_url = 'https://twitter.com/' + data.twitter;
+      }
+    }
+  }
+  if (!user.avatar_url) {
+    user.avatar_url = gravatar.url(user.email, {s: '50', d: 'retro'}, true);
+  }
+  return user;
+}
+
+function DefaultUserService() {}
+
+var proto = DefaultUserService.prototype;
+
+/**
+ * Auth user with login name and password
+ * @param  {String} login    login name
+ * @param  {String} password login password
+ * @return {User}
+ */
+proto.auth = function* (login, password) {
+  var row = yield* User.auth(login, password);
+  if (!row) {
+    return null;
+  }
+  return convertToUser(row);
+};
+
+/**
+ * Get user by login name
+ * @param  {String} login  login name
+ * @return {User}
+ */
+proto.get = function* (login) {
+  var row = yield* User.get(login);
+  if (!row) {
+    return null;
+  }
+  return convertToUser(row);
+};
+
+/**
+ * List users
+ * @param  {Array<String>} logins  login names
+ * @return {Array<User>}
+ */
+proto.list = function* (logins) {
+  var rows = yield* User.listByNames(logins);
+  var users = [];
+  rows.forEach(function (row) {
+    users.push(convertToUser(row));
+  });
+  return users;
+};
+
+/**
+ * Search users
+ * @param  {String} query  query keyword
+ * @param  {Object} [options] optional query params
+ *  - {Number} limit match users count, default is `20`
+ * @return {Array<User>}
+ */
+proto.search = function* (query, options) {
+  options = options || {};
+  options.limit = parseInt(options.limit);
+  if (!options.limit || options.limit < 0) {
+    options.limit = 20;
+  }
+
+  var rows = yield* User.search(query, options);
+  var users = [];
+  rows.forEach(function (row) {
+    users.push(convertToUser(row));
+  });
+  return users;
+};
--- a/services/package.js
+++ b/services/package.js
@@ -0,0 +1,75 @@
+/**!
+ * cnpmjs.org - services/package.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var Module = require('../proxy/module');
+var ModuleMaintainer = require('../proxy/module_maintainer');
+var User = require('../proxy/user');
+
+exports.listMaintainers = function* (name) {
+  var names = yield* ModuleMaintainer.get(name);
+  if (names.length === 0) {
+    return names;
+  }
+  var users = yield* User.listByNames(names);
+  return users.map(function (user) {
+    return {
+      name: user.name,
+      email: user.email
+    };
+  });
+};
+
+exports.listMaintainerNamesOnly = function* (name) {
+  return yield* ModuleMaintainer.get(name);
+};
+
+exports.updateMaintainers = function* (name, usernames) {
+  var rs = yield [
+    ModuleMaintainer.update(name, usernames),
+    Module.updateLastModified(name),
+  ];
+  return rs[0];
+};
+
+exports.isMaintainer = function* (name, username) {
+  var rs = yield [
+    ModuleMaintainer.get(name),
+    Module.getLatest(name)
+  ];
+  var maintainers = rs[0];
+  var latestMod = rs[1];
+
+  if (latestMod && !latestMod.package._publish_on_cnpm) {
+    // no one can update public package maintainers
+    // public package only sync from source npm registry
+    return false;
+  }
+
+  if (maintainers.length === 0) {
+    // if not found maintainers, try to get from latest module package info
+    var ms = latestMod && latestMod.package && latestMod.package.maintainers;
+    if (ms && ms.length > 0) {
+      maintainers = ms.map(function (user) {
+        return user.name;
+      });
+    }
+  }
+  if (maintainers.length === 0) {
+    // no maintainers, meaning this module is free for everyone
+    return true;
+  }
+  return maintainers.indexOf(username) >= 0;
+};
--- a/services/user.js
+++ b/services/user.js
@@ -0,0 +1,56 @@
+/**!
+ * cnpmjs.org - services/user.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var config = require('../config');
+if (!config.userService) {
+  var DefaultUserService = require('./default_user_service');
+  config.userService = new DefaultUserService();
+  config.customUserService = false;
+} else {
+  config.customUserService = true;
+}
+config.scopes = config.scopes || [];
+
+function convertUser(user) {
+  if (!user) {
+    return null;
+  }
+  user.scopes = user.scopes || [];
+  if (user.scopes.length === 0 && config.scopes.length > 0) {
+    user.scopes = config.scopes.slice();
+  }
+  return user;
+}
+
+exports.auth = function* (login, password) {
+  var user = yield* config.userService.auth(login, password);
+  return convertUser(user);
+};
+
+exports.get = function* (login) {
+  var user = yield* config.userService.get(login);
+  return convertUser(user);
+};
+
+exports.list = function* (logins) {
+  var users = yield* config.userService.list(logins);
+  return users.map(convertUser);
+};
+
+exports.search = function* (query, options) {
+  var users = yield* config.userService.search(query, options);
+  return users.map(convertUser);
+};
--- a/sync/index.js
+++ b/sync/index.js
@@ -14,15 +14,16 @@
 * Module dependencies.
 */

-var config = require('../config');
+var debug = require('debug')('cnpmjs.org:sync:index');
+var co = require('co');
 var ms = require('ms');
-var mail = require('../common/mail');
 var util = require('util');
 var utility = require('utility');
-var debug = require('debug')('cnpmjs.org:sync:index');
+var config = require('../config');
+var mail = require('../common/mail');
 var Total = require('../proxy/total');
 var logger = require('../common/logger');
-var co = require('co');
+var syncDistWorker = require('./sync_dist');

 var sync = null;

@@ -60,11 +61,11 @@ var handleSync = co(function *() {
      var data = yield *sync();
    } catch (err) {
      error = err;
+      error.message += ' (sync package error)';
+      logger.syncError(error);
    }
-    if (config.debug) {
-      error && console.error(error.stack);
-      data && console.log(data);
-    } else {
+    data && logger.syncInfo(data);
+    if (!config.debug) {
      sendMailToAdmin(error, data, new Date());
    }
    syncing = false;
@@ -73,7 +74,34 @@ var handleSync = co(function *() {

 if (sync) {
  handleSync();
-  setInterval(handleSync, ms('30m'));
+  setInterval(handleSync, ms(config.syncInterval));
+}
+
+var syncingDist = false;
+var syncDist = co(function* syncDist() {
+  if (syncingDist) {
+    return;
+  }
+  syncingDist = true;
+  logger.syncInfo('Start syncing dist...');
+  try {
+    yield* syncDistWorker();
+    yield* syncDistWorker.syncPhantomjsDir();
+  } catch (err) {
+    err.message += ' (sync dist error)';
+    logger.syncError(err);
+    if (config.noticeSyncDistError) {
+      sendMailToAdmin(err, null, new Date());
+    }
+  }
+  syncingDist = false;
+});
+
+if (config.syncDist) {
+  syncDist();
+  setInterval(syncDist, ms(config.syncInterval));
+} else {
+  logger.syncInfo('sync dist disable');
 }

 function sendMailToAdmin(err, result, syncTime) {
@@ -91,7 +119,7 @@ function sendMailToAdmin(err, result, syncTime) {
    subject = 'Sync Error';
    type = 'error';
    html = util.format('Sync packages from official registry failed.\n' +
-      'Start sync time is %s.\nError message is %s.', syncTime, err.stack);
+      'Start sync time is %s.\nError message is %s: %s\n%s.', syncTime, err.name, err.message, err.stack);
  } else if (result.fails && result.fails.length) {
    subject = 'Sync Finished But Some Packages Failed';
    type = 'warn';
@@ -107,10 +135,10 @@ function sendMailToAdmin(err, result, syncTime) {
      syncTime, result.successes.length, result.successes.slice(0, 10));
  }
  debug('send email with type: %s, subject: %s, html: %s', type, subject, html);
+  logger.syncInfo('send email with type: %s, subject: %s, html: %s', type, subject, html);
  if (type && type !== 'log') {
    mail[type](to, subject, html, function (err) {
      if (err) {
-        logger.info('send email with type: %s, subject: %s, html: %s', type, subject, html);
        logger.error(err);
      }
    });
--- a/sync/status.js
+++ b/sync/status.js
@@ -47,6 +47,13 @@ Status.prototype.start = function () {
  this.timer = setInterval(this.log.bind(this), 30000);
 };

+Status.prototype.stop = function () {
+  this.log(true);
+  clearInterval(this.timer);
+  this.timer = null;
+  this.started = false;
+};
+
 Status.init = function (options, worker) {
  var status = new Status(options);
  status.start();
@@ -65,9 +72,7 @@ Status.init = function (options, worker) {
  });

  worker.on('end', function () {
-    status.started = false;
-    status.log(true);
-    clearInterval(status.timer);
+    status.stop();
  });
 };

--- a/sync/sync_all.js
+++ b/sync/sync_all.js
@@ -24,7 +24,6 @@ var Npm = require('../proxy/npm');
 var Total = require('../proxy/total');
 var SyncModuleWorker = require('../proxy/sync_module_worker');
 var Module = require('../proxy/module');
-var co = require('co');
 var thunkify = require('thunkify-wrap');

 function subtract(subtracter, minuend) {
--- a/sync/sync_dist.js
+++ b/sync/sync_dist.js
@@ -0,0 +1,340 @@
+/**!
+ * cnpmjs.org - sync/sync_dist.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var debug = require('debug')('cnpmjs.org:sync:sync_dist');
+var fs = require('fs');
+var urllib = require('co-urllib');
+var co = require('co');
+var bytes = require('bytes');
+var crypto = require('crypto');
+var utility = require('utility');
+var thunkify = require('thunkify-wrap');
+var cheerio = require('cheerio');
+var urlResolve = require('url').resolve;
+var common = require('../lib/common');
+var Dist = require('../proxy/dist');
+var config = require('../config');
+var nfs = require('../common/nfs');
+var logger = require('../common/logger');
+
+var disturl = config.disturl;
+var USER_AGENT = 'distsync.cnpmjs.org/' + config.version + ' ' + urllib.USER_AGENT;
+
+module.exports = sync;
+
+function* sync(name) {
+  name = name || '/';
+  yield* syncDir(name);
+}
+
+function* syncDir(fullname, info) {
+  var news = yield* sync.listdiff(fullname);
+  var files = [];
+  var dirs = [];
+
+  for (var i = 0; i < news.length; i++) {
+    var item = news[i];
+    if (item.type === 'dir') {
+      dirs.push(item);
+    } else {
+      files.push(item);
+    }
+  }
+
+  logger.syncInfo('sync remote:%s got %d new items, %d dirs, %d files to sync',
+    fullname, news.length, dirs.length, files.length);
+
+  for (var i = 0; i < files.length; i++) {
+    yield* syncFile(files[i]);
+  }
+
+  for (var i = 0; i < dirs.length; i++) {
+    var dir = dirs[i];
+    yield* syncDir(dir.parent + dir.name, dir);
+  }
+
+  if (info) {
+    logger.syncInfo('Save dir:%s %j to database', fullname, info);
+    yield* Dist.savedir(info);
+  }
+
+  logger.syncInfo('Sync %s finished, %d dirs, %d files',
+    fullname, dirs.length, files.length);
+}
+
+function* syncFile(info) {
+  var name = info.parent + info.name;
+  name = process.pid + name.replace(/\//g, '_'); // make sure no parent dir
+  var isPhantomjsURL = false;
+  var downurl = disturl + info.parent + info.name;
+  if (info.downloadURL) {
+    downurl = info.downloadURL;
+    isPhantomjsURL = true;
+  }
+  var filepath = common.getTarballFilepath(name);
+  var ws = fs.createWriteStream(filepath);
+
+  var options = {
+    writeStream: ws,
+    followRedirect: true,
+    timeout: 6000000, // 100 minutes download
+    headers: {
+      'user-agent': USER_AGENT
+    }
+  };
+
+  try {
+    logger.syncInfo('downloading %s %s to %s, isPhantomjsURL: %s',
+      bytes(info.size), downurl, filepath, isPhantomjsURL);
+    // get tarball
+    var r = yield *urllib.request(downurl, options);
+    var statusCode = r.status || -1;
+    logger.syncInfo('download %s got status %s, headers: %j',
+      downurl, statusCode, r.headers);
+    if (statusCode !== 200) {
+      var err = new Error('Download ' + downurl + ' fail, status: ' + statusCode);
+      err.name = 'DownloadDistFileError';
+      throw err;
+    }
+
+    var shasum = crypto.createHash('sha1');
+    var dataSize = 0;
+    var rs = fs.createReadStream(filepath);
+    rs.on('data', function (data) {
+      shasum.update(data);
+      dataSize += data.length;
+    });
+    var end = thunkify.event(rs);
+    yield end(); // after end event emit
+
+    if (dataSize === 0) {
+      var err = new Error('Download ' + downurl + ' file size is zero');
+      err.name = 'DownloadDistFileZeroSizeError';
+      throw err;
+    }
+
+    if (isPhantomjsURL) {
+      debug('real size: %s, expect size: %s', dataSize, info.size);
+      if (dataSize < info.size) {
+        // phantomjs download page only show `6.7 MB`
+        var err = new Error('Download ' + downurl + ' file size is '
+          + dataSize + ' not match ' + info.size);
+        err.name = 'DownloadDistFileSizeError';
+        throw err;
+      }
+      info.size = dataSize;
+    } else if (dataSize !== info.size) {
+      var err = new Error('Download ' + downurl + ' file size is '
+        + dataSize + ' not match ' + info.size);
+      err.name = 'DownloadDistFileSizeError';
+      throw err;
+    }
+
+    shasum = shasum.digest('hex');
+    var args = {
+      key: '/dist' + info.parent + info.name,
+      size: info.size,
+      shasum: shasum,
+    };
+
+    // upload to NFS
+    logger.syncInfo('uploading %s to nfs:%s', filepath, args.key);
+    var result = yield nfs.upload(filepath, args);
+    info.url = result.url || result.key;
+    info.sha1 = shasum;
+
+    logger.syncInfo('upload %s to nfs:%s with size:%d, sha1:%s',
+      args.key, info.url, info.size, info.sha1);
+  } finally {
+    // remove tmp file whatever
+    fs.unlink(filepath, utility.noop);
+  }
+
+  logger.syncInfo('Sync dist file: %j done', info);
+  yield* Dist.savefile(info);
+}
+
+// <a href="latest/">latest/</a>                                            02-May-2014 14:45                   -
+// <a href="node-v0.4.10.tar.gz">node-v0.4.10.tar.gz</a>                                26-Aug-2011 16:22            12410018
+var FILE_RE = /^<a[^>]+>([^<]+)<\/a>\s+(\d+\-\w+\-\d+ \d+\:\d+)\s+([\-\d]+)/;
+
+function* listdir(fullname) {
+  var url = disturl + fullname;
+  var result = yield* urllib.request(url, {
+    timeout: 60000,
+  });
+  debug('listdir %s got %s, %j', url, result.status, result.headers);
+  var html = result.data && result.data.toString() || '';
+  var lines = html.split('\n');
+  var items = [];
+  for (var i = 0; i < lines.length; i++) {
+    var m = FILE_RE.exec(lines[i].trim());
+    if (!m) {
+      continue;
+    }
+    var itemName = m[1].replace(/^\/+/, '');
+    if (!itemName) {
+      continue;
+    }
+
+    // filter /nightlies/*
+    if (itemName.indexOf('nightlies/') === 0) {
+      continue;
+    }
+
+    items.push({
+      name: itemName, // 'SHASUMS.txt', 'x64/'
+      date: m[2],
+      size: m[3] === '-' ? '-' : parseInt(m[3]),
+      type: m[3] === '-' ? 'dir' : 'file',
+      parent: fullname, // '/', '/v0.10.28/'
+    });
+  }
+  return items;
+}
+
+sync.listdiff = function* (fullname) {
+  var items = yield* listdir(fullname);
+  if (items.length === 0) {
+    return items;
+  }
+  var exists = yield* Dist.listdir(fullname);
+  debug('listdiff %s got %s exists items', fullname, exists.length);
+  var map = {};
+  for (var i = 0; i < exists.length; i++) {
+    var item = exists[i];
+    map[item.name] = item;
+  }
+  var news = [];
+  for (var i = 0; i < items.length; i++) {
+    var item = items[i];
+    var exist = map[item.name];
+    if (!exist || exist.date !== item.date) {
+      news.push(item);
+      continue;
+    }
+
+    if (item.size !== '-' && item.size !== exist.size) {
+      news.push(item);
+      continue;
+    }
+
+    debug('skip %s', item.name);
+  }
+  return news;
+};
+
+function* syncPhantomjsDir() {
+  var fullname = '/phantomjs/';
+  var files = yield* sync.listPhantomjsDiff(fullname);
+
+  logger.syncInfo('sync remote:%s got %d files to sync',
+    fullname, files.length);
+
+  for (var i = 0; i < files.length; i++) {
+    yield* syncFile(files[i]);
+  }
+
+  logger.syncInfo('SyncPhantomjsDir %s finished, %d files',
+    fullname, files.length);
+}
+sync.syncPhantomjsDir = syncPhantomjsDir;
+
+// <tr class="iterable-item" id="download-301626">
+//   <td class="name"><a class="execute" href="/ariya/phantomjs/downloads/phantomjs-1.9.7-windows.zip">phantomjs-1.9.7-windows.zip</a></td>
+//   <td class="size">6.7 MB</td>
+//   <td class="uploaded-by"><a href="/Vitallium">Vitallium</a></td>
+//   <td class="count">122956</td>
+//   <td class="date">
+//     <div>
+//       <time datetime="2014-01-27T18:29:53.706942" data-title="true">2014-01-27</time>
+//     </div>
+//   </td>
+//   <td class="delete">
+//
+//   </td>
+// </tr>
+
+function* listPhantomjsDir(fullname) {
+  var url = 'https://bitbucket.org/ariya/phantomjs/downloads';
+  var result = yield* urllib.request(url, {
+    timeout: 60000,
+  });
+  debug('listPhantomjsDir %s got %s, %j', url, result.status, result.headers);
+  var html = result.data && result.data.toString() || '';
+  var $ = cheerio.load(html);
+  var items = [];
+  $('tr.iterable-item').each(function (i, el) {
+    var $el = $(this);
+    var $link = $el.find('.name a');
+    var name = $link.text();
+    var downloadURL = $link.attr('href');
+    if (!name || !downloadURL || !/\.(zip|bz2|gz)$/.test(downloadURL)) {
+      return;
+    }
+    downloadURL = urlResolve(url, downloadURL);
+    var size = parseInt(bytes($el.find('.size').text().toLowerCase().replace(/\s/g, '')));
+    if (size > 1024 * 1024) {
+      size -= 1024 * 1024;
+    } else if (size > 1024) {
+      size -= 1024;
+    } else {
+      size -= 10;
+    }
+    var date = $el.find('.date time').text();
+    items.push({
+      name: name, // 'SHASUMS.txt', 'x64/'
+      date: date,
+      size: size,
+      type: 'file',
+      parent: fullname,
+      downloadURL: downloadURL,
+    });
+  });
+  return items;
+}
+sync.listPhantomjsDir = listPhantomjsDir;
+
+sync.listPhantomjsDiff = function* (fullname) {
+  var items = yield* listPhantomjsDir(fullname);
+  if (items.length === 0) {
+    return items;
+  }
+  var exists = yield* Dist.listdir(fullname);
+  debug('listdiff %s got %s exists items', fullname, exists.length);
+  var map = {};
+  for (var i = 0; i < exists.length; i++) {
+    var item = exists[i];
+    map[item.name] = item;
+  }
+  var news = [];
+  for (var i = 0; i < items.length; i++) {
+    var item = items[i];
+    var exist = map[item.name];
+    if (!exist || exist.date !== item.date) {
+      news.push(item);
+      continue;
+    }
+
+    // if (item.size !== exist.size) {
+    //   news.push(item);
+    //   continue;
+    // }
+
+    debug('skip %s', item.name);
+  }
+  return news;
+};
--- a/test/controllers/registry/module.test.js
+++ b/test/controllers/registry/module.test.js
@@ -21,25 +21,46 @@ var thunkify = require('thunkify-wrap');
 var should = require('should');
 var request = require('supertest');
 var mm = require('mm');
+var pedding = require('pedding');
 var config = require('../../../config');
 var app = require('../../../servers/registry');
 var Module = require('../../../proxy/module');
 var Npm = require('../../../proxy/npm');
 var controller = require('../../../controllers/registry/module');
 var ModuleDeps = require('../../../proxy/module_deps');
+var SyncModuleWorker = require('../../../proxy/sync_module_worker');
+var utils = require('../../utils');

 var fixtures = path.join(path.dirname(path.dirname(__dirname)), 'fixtures');

 describe('controllers/registry/module.test.js', function () {
-  var baseauth = 'Basic ' + new Buffer('cnpmjstest10:cnpmjstest10').toString('base64');
-  var baseauthOther = 'Basic ' + new Buffer('cnpmjstest101:cnpmjstest101').toString('base64');
-
  before(function (done) {
-    app.listen(0, function () {
-      var pkg = require(path.join(fixtures, 'package_and_tgz.json'));
+    app = app.listen(0, function () {
+      done = pedding(2, done);
+      // name: mk2testmodule
+      var pkg = utils.getPackage('mk2testmodule', '0.0.1', utils.admin);
+
      request(app)
      .put('/' + pkg.name)
-      .set('authorization', baseauth)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, function (err) {
+        should.not.exist(err);
+        pkg = utils.getPackage('mk2testmodule', '0.0.2', utils.admin);
+        // publish 0.0.2
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.adminAuth)
+        .send(pkg)
+        .expect(201, done);
+      });
+
+      // testputmodule@0.1.9
+      var testpkg = utils.getPackage('testputmodule', '0.1.9', utils.admin);
+
+      request(app)
+      .put('/' + testpkg.name)
+      .set('authorization', utils.adminAuth)
      .send(pkg)
      .expect(201, done);
    });
@@ -53,7 +74,7 @@ describe('controllers/registry/module.test.js', function () {
      mm.data(Npm, 'get', require(path.join(fixtures, 'utility.json')));
      request(app)
      .put('/utility/sync')
-      .set('authorization', baseauth)
+      .set('authorization', utils.adminAuth)
      .end(function (err, res) {
        should.not.exist(err);
        res.body.should.have.keys('ok', 'logId');
@@ -73,13 +94,84 @@ describe('controllers/registry/module.test.js', function () {
    });
  });

+  describe('GET /:name unpublished', function () {
+    before(function (done) {
+      var worker = new SyncModuleWorker({
+        name: ['tnpm'],
+        username: 'fengmk2'
+      });
+
+      worker.start();
+      worker.on('end', function () {
+        var names = worker.successes.concat(worker.fails);
+        names.sort();
+        names.should.eql(['tnpm']);
+        done();
+      });
+    });
+
+    it('should show unpublished info', function (done) {
+      request(app)
+      .get('/tnpm')
+      .expect('content-type', 'application/json; charset=utf-8')
+      .expect(404, function (err, res) {
+        should.not.exist(err);
+        res.body.should.eql({
+          _id: 'tnpm',
+         name: 'tnpm',
+         time: {
+           modified: '2014-06-05T01:33:59.668Z',
+           unpublished:
+          { name: 'fengmk2',
+           time: '2014-06-05T01:33:59.668Z',
+           tags: { latest: '0.3.10' },
+           maintainers:
+           [ { name: 'fengmk2', email: 'fengmk2@gmail.com' },
+            { name: 'dead_horse', email: 'dead_horse@qq.com' } ],
+           description: 'npm client for alibaba private npm registry',
+           versions:
+           [ '0.0.1',
+            '0.0.2',
+            '0.0.3',
+            '0.0.4',
+            '0.1.0',
+            '0.1.1',
+            '0.1.2',
+            '0.1.3',
+            '0.1.4',
+            '0.1.5',
+            '0.1.8',
+            '0.1.9',
+            '0.2.0',
+            '0.2.1',
+            '0.2.2',
+            '0.2.3',
+            '0.2.4',
+            '0.3.0',
+            '0.3.1',
+            '0.3.2',
+            '0.3.3',
+            '0.3.4',
+            '0.3.5',
+            '0.3.6',
+            '0.3.7',
+            '0.3.8',
+            '0.3.9',
+            '0.3.10' ] } },
+          _attachments: {}
+        });
+        done();
+      });
+    });
+  });
+
  describe('GET /:name get module package info', function () {
    var etag;

    it('should return module info and etag', function (done) {
      request(app)
      .get('/mk2testmodule')
-      .expect('content-type', 'application/json')
+      .expect('content-type', 'application/json; charset=utf-8')
      .expect(200, function (err, res) {
        should.not.exist(err);
        // should have etag
@@ -98,7 +190,7 @@ describe('controllers/registry/module.test.js', function () {
          'license');
        res.body.name.should.equal('mk2testmodule');
        res.body.versions[Object.keys(res.body.versions)[0]]
-          .dist.tarball.should.include('/mk2testmodule/download');
+          .dist.tarball.should.containEql('/mk2testmodule/download');
        res.body.time.should.have.property('modified');
        res.body.time.modified.should.be.a.String;
        res.body.time.should.have.property('created');
@@ -113,7 +205,7 @@ describe('controllers/registry/module.test.js', function () {
      request(app)
      .get('/mk2testmodule')
      .set('accept-encoding', 'gzip')
-      .expect('content-encoding', 'gzip')
+      // .expect('content-encoding', 'gzip')
      .expect(200, function (err, res) {
        // console.log(res.headers)
        should.not.exist(err);
@@ -131,7 +223,7 @@ describe('controllers/registry/module.test.js', function () {
          'license');
        res.body.name.should.equal('mk2testmodule');
        res.body.versions[Object.keys(res.body.versions)[0]]
-          .dist.tarball.should.include('/mk2testmodule/download');
+          .dist.tarball.should.containEql('/mk2testmodule/download');
        should.not.exist(res.headers['set-cookie']);
        done();
      });
@@ -170,15 +262,15 @@ describe('controllers/registry/module.test.js', function () {
        should.not.exist(err);
        var body = res.body;
        body.name.should.equal('mk2testmodule');
-        body.version.should.equal('0.0.1');
-        body._id.should.equal('mk2testmodule@0.0.1');
-        body.dist.tarball.should.include('/mk2testmodule/download/mk2testmodule-0.0.1.tgz');
+        body.version.should.equal('0.0.2');
+        body._id.should.equal('mk2testmodule@0.0.2');
+        body.dist.tarball.should.containEql('/mk2testmodule/download/mk2testmodule-0.0.2.tgz');
        done();
      });
    });
  });

-  describe('PUT /:name/-rev/id update maintainers', function () {
+  describe('PUT /:name/-rev/id updateMaintainers()', function () {
    before(function (done) {
      request(app)
      .put('/mk2testmodule/-rev/1')
@@ -188,8 +280,8 @@ describe('controllers/registry/module.test.js', function () {
          email: 'cnpmjstest10@cnpmjs.org'
        }]
      })
-      .set('authorization', baseauth)
-      .expect('content-type', 'application/json', done);
+      .set('authorization', utils.adminAuth)
+      .expect({"ok":true,"id":"mk2testmodule","rev":"1"}, done);
    });

    it('should add new maintainers', function (done) {
@@ -200,13 +292,52 @@ describe('controllers/registry/module.test.js', function () {
          name: 'cnpmjstest10',
          email: 'cnpmjstest10@cnpmjs.org'
        }, {
-          name: 'fengmk2',
+          name: 'cnpmjstest101',
          email: 'fengmk2@cnpmjs.org'
        }]
      })
-      .set('authorization', baseauth)
+      .set('authorization', utils.adminAuth)
      .expect(201)
-      .expect('content-type', 'application/json', done);
+      .expect({
+        ok: true, id: 'mk2testmodule', rev: '1'
+      }, function (err) {
+        should.not.exist(err);
+        done = pedding(2, done);
+        // check maintainers update
+        request(app)
+        .get('/mk2testmodule')
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          var pkg = res.body;
+          pkg.maintainers.should.length(2);
+          pkg.maintainers.should.eql(pkg.versions['0.0.1'].maintainers);
+          pkg.maintainers.sort(function (a, b) {
+            return a.name > b.name ? 1 : -1;
+          });
+          pkg.maintainers.should.eql([
+            { name: 'cnpmjstest10', email: 'fengmk2@gmail.com' },
+            { name: 'cnpmjstest101', email: 'fengmk2@gmail.com' },
+          ]);
+          done();
+        });
+
+        // /pkg/0.0.1
+        request(app)
+        .get('/mk2testmodule/0.0.1')
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          var pkg = res.body;
+          pkg.maintainers.should.length(2);
+          pkg.maintainers.sort(function (a, b) {
+            return a.name > b.name ? 1 : -1;
+          });
+          pkg.maintainers.should.eql([
+            { name: 'cnpmjstest10', email: 'fengmk2@gmail.com' },
+            { name: 'cnpmjstest101', email: 'fengmk2@gmail.com' },
+          ]);
+          done();
+        });
+      });
    });

    it('should add again new maintainers', function (done) {
@@ -221,9 +352,9 @@ describe('controllers/registry/module.test.js', function () {
          email: 'fengmk2@cnpmjs.org'
        }]
      })
-      .set('authorization', baseauth)
+      .set('authorization', utils.adminAuth)
      .expect(201)
-      .expect('content-type', 'application/json', done);
+      .expect('content-type', 'application/json; charset=utf-8', done);
    });

    it('should rm maintainers', function (done) {
@@ -235,9 +366,9 @@ describe('controllers/registry/module.test.js', function () {
          email: 'cnpmjstest10@cnpmjs.org'
        }]
      })
-      .set('authorization', baseauth)
+      .set('authorization', utils.adminAuth)
      .expect(201)
-      .expect('content-type', 'application/json', done);
+      .expect('content-type', 'application/json; charset=utf-8', done);
    });

    it('should rm again maintainers', function (done) {
@@ -249,13 +380,65 @@ describe('controllers/registry/module.test.js', function () {
          email: 'cnpmjstest10@cnpmjs.org'
        }]
      })
-      .set('authorization', baseauth)
+      .set('authorization', utils.adminAuth)
      .expect(201)
-      .expect('content-type', 'application/json', done);
+      .expect({
+        id: 'mk2testmodule',
+        rev: '1',
+        ok: true
+      }, done);
+    });
+
+    it('should rm all maintainers forbidden 403', function (done) {
+      request(app)
+      .put('/mk2testmodule/-rev/1')
+      .send({
+        maintainers: []
+      })
+      .set('authorization', utils.adminAuth)
+      .expect(403)
+      .expect({error: 'invalid operation', reason: 'Can not remove all maintainers'})
+      .expect('content-type', 'application/json; charset=utf-8', done);
+    });
+
+    it('should 403 when not maintainer update in private mode', function (done) {
+      request(app)
+      .put('/mk2testmodule/-rev/1')
+      .send({
+        maintainers: [{
+          name: 'cnpmjstest10',
+          email: 'cnpmjstest10@cnpmjs.org'
+        }]
+      })
+      .set('authorization', utils.otherUserAuth)
+      .expect(403)
+      .expect({
+        error: 'no_perms',
+        reason: 'Private mode enable, only admin can publish this module'
+      }, done);
+    });
+
+    it('should 403 when not maintainer update in public mode', function (done) {
+      mm(config, 'enablePrivate', false);
+      mm(config, 'forcePublishWithScope', false);
+      request(app)
+      .put('/mk2testmodule/-rev/1')
+      .send({
+        maintainers: [{
+          name: 'cnpmjstest10',
+          email: 'cnpmjstest10@cnpmjs.org'
+        }]
+      })
+      .set('authorization', utils.otherUserAuth)
+      .expect(403)
+      .expect({
+        error: 'forbidden user',
+        reason: 'cnpmjstest101 not authorized to modify mk2testmodule'
+      }, done);
    });
  });

-  describe('PUT /:name', function () {
+  describe('PUT /:name old publish flow (stop support)', function () {
    var pkg = {
      name: 'testputmodule',
      description: 'test put module',
@@ -286,63 +469,45 @@ describe('controllers/registry/module.test.js', function () {
      });
    });

-    it('should try to add not exists module return 201', function (done) {
+    it('should publish return 400', function (done) {
      request(app)
      .put('/' + pkg.name)
      .set('authorization', baseauth)
      .send(pkg)
-      .expect(201, function (err, res) {
+      .expect(400, function (err, res) {
        should.not.exist(err);
-        res.body.should.have.keys('ok', 'id', 'rev');
-        res.body.ok.should.equal(true);
-        res.body.id.should.equal(pkg.name);
-        res.body.rev.should.be.a.String;
+        res.body.reason.should.containEql('filename or version not found');
        done();
      });
    });

-    it('should try to add return 409 when only next module exists', function (done) {
+    it('should publish exists return 400', function (done) {
      request(app)
      .put('/' + pkg.name)
      .set('authorization', baseauth)
      .send(pkg)
-      .expect(201, done);
+      .expect(400, done);
    });

-    it.skip('should try to add return 403 when not module user and only next module exists',
+    it('should try to add return 400 when not module user and only next module exists',
    function (done) {
      mm(config, 'enablePrivate', false);
+      mm(config, 'forcePublishWithScope', false);
      request(app)
      .put('/' + pkg.name)
      .set('authorization', baseauthOther)
      .send(pkg)
-      .expect(403, function (err, res) {
+      .expect(400, function (err, res) {
        should.not.exist(err);
        res.body.should.eql({
-          error: 'no_perms',
-          reason: 'Current user can not publish this module'
+          error: 'version_error',
+          reason: 'filename or version not found, filename: undefined, version: undefined'
        });
        done();
      });
    });

-    it('should get versions empty when only next module exists', function (done) {
-      request(app)
-      .get('/' + pkg.name)
-      .expect(200, function (err, res) {
-        should.not.exist(err);
-        res.body.should.have.keys('_id', '_rev', 'name', 'description', 'versions', 'dist-tags',
-          'readme', 'maintainers', 'time', '_attachments', 'users');
-        res.body.versions.should.eql({});
-        res.body.time.should.eql({});
-        res.body['dist-tags'].should.eql({});
-        lastRev = res.body._rev;
-        // console.log('lastRev: %s', lastRev);
-        done();
-      });
-    });
-
-    it('should upload tarball success: /:name/-/:filename/-rev/:rev', function (done) {
+    it('should upload 404', function (done) {
      var body = fs.readFileSync(path.join(fixtures, 'testputmodule-0.1.9.tgz'));
      request(app)
      .put('/' + pkg.name + '/-/' + pkg.name + '-0.1.9.tgz/-rev/' + lastRev)
@@ -350,96 +515,10 @@ describe('controllers/registry/module.test.js', function () {
      .set('content-type', 'application/octet-stream')
      .set('content-length', '' + body.length)
      .send(body)
-      .expect(201, function (err, res) {
-        should.not.exist(err);
-        res.body.should.eql({
-          ok: true,
-          rev: lastRev,
-        });
-        done();
-      });
+      .expect(404, done);
    });

-    it('should upload tarball success again: /:name/-/:filename/-rev/:rev', function (done) {
-      var body = fs.readFileSync(path.join(fixtures, 'testputmodule-0.1.9.tgz'));
-      request(app)
-      .put('/' + pkg.name + '/-/' + pkg.name + '-0.1.9.tgz/-rev/' + lastRev)
-      .set('authorization', baseauth)
-      .set('content-type', 'application/octet-stream')
-      .set('content-length', '' + body.length)
-      .send(body)
-      .expect(201, function (err, res) {
-        should.not.exist(err);
-        res.body.should.eql({
-          ok: true,
-          rev: lastRev,
-        });
-        done();
-      });
-    });
-
-    it('should upload tarball fail 403 when user not admin', function (done) {
-      var body = fs.readFileSync(path.join(fixtures, 'testputmodule-0.1.9.tgz'));
-      request(app)
-      .put('/' + pkg.name + '/-/' + pkg.name + '-0.1.9.tgz/-rev/25')
-      .set('authorization', baseauthOther)
-      .set('content-type', 'application/octet-stream')
-      .set('content-length', '' + body.length)
-      .send(body)
-      .expect(403, function (err, res) {
-        should.not.exist(err);
-        res.body.should.eql({
-          error: 'no_perms',
-          reason: 'Private mode enable, only admin can publish this module'
-        });
-        done();
-      });
-    });
-
-    it('should upload tarball fail 404 when rev wrong', function (done) {
-      var body = fs.readFileSync(path.join(fixtures, 'testputmodule-0.1.9.tgz'));
-      request(app)
-      .put('/' + pkg.name + '/-/' + pkg.name + '-0.1.9.tgz/-rev/' + lastRev + '1')
-      .set('authorization', baseauth)
-      .set('content-type', 'application/octet-stream')
-      .set('content-length', '' + body.length)
-      .send(body)
-      .expect(404, function (err, res) {
-        should.not.exist(err);
-        res.body.should.eql({
-          error: 'not_found',
-          reason: 'document not found'
-        });
-        done();
-      });
-    });
-
-    it('should update package.json info success: /:name/:version/-tag/latest', function (done) {
-      var pkg = require(path.join(fixtures, 'testputmodule.json')).versions['0.1.8'];
-      pkg.name = 'testputmodule';
-      pkg.version = '0.1.9';
-      pkg.dependencies['foo-testputmodule'] = '*';
-      request(app)
-      .put('/' + pkg.name + '/' + pkg.version + '/-tag/latest')
-      .set('authorization', baseauth)
-      .send(pkg)
-      .expect(201, function (err, res) {
-        should.not.exist(err);
-        res.body.should.have.keys('ok', 'rev');
-        // should get deps foo-testputmodule contains 'testputmodule'
-        ModuleDeps.list('foo-testputmodule', function (err, rows) {
-          should.not.exist(err);
-          var exists = rows.filter(function (r) {
-            return r.deps === 'testputmodule';
-          });
-          exists.should.length(1);
-          exists[0].deps.should.equal('testputmodule');
-          done();
-        });
-      });
-    });
-
-    it('should update package.json info version invalid: /:name/:version/-tag/latest', function (done) {
+    it('should update 404 package.json info version invalid: /:name/:version/-tag/latest', function (done) {
      var pkg = require(path.join(fixtures, 'testputmodule.json')).versions['0.1.8'];
      pkg.name = 'testputmodule';
      pkg.version = '0.1.9.alpha';
@@ -447,86 +526,44 @@ describe('controllers/registry/module.test.js', function () {
      .put('/' + pkg.name + '/' + pkg.version + '/-tag/latest')
      .set('authorization', baseauth)
      .send(pkg)
-      .expect(400)
-      .expect({
-        error: 'Params Invalid',
-        reason: 'Invalid version: ' + pkg.version
-      }, done);
-    });
-
-    it('should update package.json info again fail 403: /:name/:version/-tag/latest', function (done) {
-      var pkg = require(path.join(fixtures, 'testputmodule.json')).versions['0.1.8'];
-      pkg.name = 'testputmodule';
-      pkg.version = '0.1.10';
-      request(app)
-      .put('/' + pkg.name + '/' + pkg.version + '/-tag/latest')
-      .set('authorization', baseauth)
-      .send(pkg)
-      .expect(403, function (err, res) {
-        should.not.exist(err);
-        res.body.should.eql({
-          error: 'version_wrong',
-          reason: 'version not match'
-        });
-        done();
-      });
-    });
-
-    it('should get new package info', function (done) {
-      request(app)
-      .get('/testputmodule/0.1.9')
-      .expect(200, function (err, res) {
-        should.not.exist(err);
-        res.body.name.should.equal('testputmodule');
-        res.body.version.should.equal('0.1.9');
-        res.body.dist.tarball.should.include('/testputmodule/download/testputmodule-0.1.9.tgz');
-        done();
-      });
+      .expect(404, done);
    });
+  });

+  describe('PUT /:name publish new flow addPackageAndDist()', function () {
    it('should publish with tgz base64, addPackageAndDist()', function (done) {
-      var pkg = require(path.join(fixtures, 'package_and_tgz.json'));
-      // delete first
+      var pkg = utils.getPackage('testpublishmodule', '0.0.2');
      request(app)
-      .del('/' + pkg.name + '/-rev/1')
-      .set('authorization', baseauth)
-      .expect({ok: true})
-      .expect(200, function (err, res) {
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, function (err, res) {
        should.not.exist(err);
+        res.body.should.have.keys('ok', 'rev');
+        res.body.ok.should.equal(true);

+        // upload again should 403
        request(app)
        .put('/' + pkg.name)
-        .set('authorization', baseauth)
+        .set('authorization', utils.adminAuth)
        .send(pkg)
-        .expect(201, function (err, res) {
+        .expect(403, function (err, res) {
          should.not.exist(err);
-          res.body.should.have.keys('ok', 'rev');
-          res.body.ok.should.equal(true);
-
-          // upload again should 409
-          request(app)
-          .put('/' + pkg.name)
-          .set('authorization', baseauth)
-          .send(pkg)
-          .expect(409, function (err, res) {
-            should.not.exist(err);
-            res.body.should.eql({
-              error: 'conflict',
-              reason: 'Document update conflict.'
-            });
-            done();
+          res.body.should.eql({
+            error: 'forbidden',
+            reason: 'cannot modify pre-existing version: 0.0.2'
          });
-
+          done();
        });
      });
    });

    it('should version_error when versions missing', function (done) {
-      var pkg = require(path.join(fixtures, 'package_and_tgz.json'));
+      var pkg = utils.getPackage('version_missing_module');
      delete pkg.versions;
      request(app)
      .put('/' + pkg.name)
-      .set('authorization', baseauth)
+      .set('authorization', utils.adminAuth)
      .send(pkg)
      .expect(400, function (err, res) {
        should.not.exist(err);
@@ -537,6 +574,86 @@ describe('controllers/registry/module.test.js', function () {
        done();
      });
    });
+
+    it('should 400 when dist-tags empty', function (done) {
+      var pkg = utils.getPackage('dist-tags-empty');
+      pkg['dist-tags'] = {};
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(400, function (err, res) {
+        should.not.exist(err);
+        res.body.should.eql({
+          error: 'invalid',
+          reason: 'dist-tags should not be empty'
+        });
+        done();
+      });
+    });
+
+    it('should publish with beta tag addPackageAndDist()', function (done) {
+      var version = '0.1.1';
+      var pkg = utils.getPackage('publish-with-beta-tag', version);
+      pkg['dist-tags'] = {
+        beta: version
+      };
+      request(app)
+      .del('/' + pkg.name + '/-rev/1')
+      .set('authorization', utils.adminAuth)
+      .end(function (err, res) {
+        should.not.exist(err);
+
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.adminAuth)
+        .send(pkg)
+        .expect(201, function (err, res) {
+          should.not.exist(err);
+          res.body.should.have.keys('ok', 'rev');
+          res.body.ok.should.equal(true);
+          // should auto set latest
+          request(app)
+          .get('/' + pkg.name)
+          .expect(200, function (err, res) {
+            should.not.exist(err);
+            res.body['dist-tags'].should.eql({
+              beta: version,
+              latest: version
+            });
+
+            // update new beta
+            pkg['dist-tags'] = {
+              beta: '10.10.1'
+            };
+            pkg.versions = {
+              '10.10.1': pkg.versions[version]
+            };
+            request(app)
+            .put('/' + pkg.name)
+            .set('authorization', utils.adminAuth)
+            .send(pkg)
+            .expect(201, function (err, res) {
+              should.not.exist(err);
+              res.body.should.have.keys('ok', 'rev');
+              res.body.ok.should.equal(true);
+              // should auto set latest
+              request(app)
+              .get('/' + pkg.name)
+              .expect(200, function (err, res) {
+                should.not.exist(err);
+                res.body['dist-tags'].should.eql({
+                  beta: '10.10.1',
+                  latest: version
+                });
+                done();
+              });
+            });
+
+          });
+        });
+      });
+    });
  });

  describe('GET /-/all', function () {
@@ -557,6 +674,8 @@ describe('controllers/registry/module.test.js', function () {
      request(app)
      .get('/-/all/since?stale=update_after&startkey=0')
      .expect(200, function (err, res) {
+        should.not.exist(err);
+        should.exist(res.body);
        res.body.should.be.an.Object;
        res.body._updated.should.be.a.Number;
        var keys = Object.keys(res.body);
@@ -569,6 +688,8 @@ describe('controllers/registry/module.test.js', function () {
      request(app)
      .get('/-/all/since?stale=update_after&startkey=' + (Date.now() * 2))
      .expect(200, function (err, res) {
+        should.not.exist(err);
+        should.exist(res.body);
        res.body.should.be.an.Object;
        res.body._updated.should.be.a.Number;
        res.body.should.eql({
@@ -591,13 +712,15 @@ describe('controllers/registry/module.test.js', function () {
    });
  });

-  describe('PUT /:name/-rev/:rev', function () {
+  describe('PUT /:name/-rev/:rev removeWithVersions', function () {
+    var pkg = require(path.join(fixtures, 'package_and_tgz.json'));
+    var pkgname = pkg.name;
    var baseauth = 'Basic ' + new Buffer('cnpmjstest10:cnpmjstest10').toString('base64');
    var baseauthOther = 'Basic ' + new Buffer('cnpmjstest101:cnpmjstest101').toString('base64');
    var lastRev;
    before(function (done) {
      request(app)
-      .get('/testputmodule')
+      .get('/' + pkgname)
      .end(function (err, res) {
        lastRev = res.body._rev;
        done(err);
@@ -606,39 +729,39 @@ describe('controllers/registry/module.test.js', function () {

    it('should update 401 when no auth', function (done) {
      request(app)
-      .put('/testputmodule/-rev/123')
+      .put('/' + pkgname + '/-rev/123')
      .expect(401, done);
    });

    it('should update 403 when auth error', function (done) {
      request(app)
-      .put('/testputmodule/-rev/123')
+      .put('/' + pkgname + '/-rev/123')
      .set('authorization', baseauthOther)
      .expect(403, done);
    });

    it('should remove nothing removed ok', function (done) {
      request(app)
-      .put('/testputmodule/-rev/' + lastRev)
+      .put('/' + pkgname + '/-rev/' + lastRev)
      .set('authorization', baseauth)
      .send({
        versions: {
-          '0.1.9': {}
+          '0.0.1': {},
+          '0.0.2': {}
        }
      })
      .expect(201, done);
    });

-    it('should remove version ok', function (done) {
+    it('should remove all version ok', function (done) {
      //do not really remove it here
      mm.empty(Module, 'removeByNameAndVersions');
      mm.empty(Module, 'removeTagsByIds');
      request(app)
-      .put('/testputmodule/-rev/' + lastRev)
+      .put('/' + pkgname + '/-rev/' + lastRev)
      .set('authorization', baseauth)
      .send({
-        versions: {
-        }
+        versions: {}
      })
      .expect(201, done);
    });
@@ -648,7 +771,7 @@ describe('controllers/registry/module.test.js', function () {
    it('should download a file with 302 redirect', function (done) {
      request(app)
      .get('/cutter/download/cutter-0.0.2.tgz')
-      .expect('Location', 'http://qtestbucket.qiniudn.com/cutter/-/cutter-0.0.2.tgz')
+      .expect('Location', config.qn.domain + '/cutter/-/cutter-0.0.2.tgz')
      .expect(302, done);
    });
  });
@@ -656,36 +779,113 @@ describe('controllers/registry/module.test.js', function () {
  describe('DELETE /:name/download/:filename/-rev/:rev', function () {
    var lastRev;
    before(function (done) {
+      var pkg = utils.getPackage('test-delete-download-module', '0.1.9');
      request(app)
-      .get('/testputmodule')
-      .end(function (err, res) {
-        lastRev = res.body._rev;
-        done(err);
+      .put('/' + pkg.name)
+      .set('content-type', 'application/json')
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, function (err, res) {
+        should.not.exist(err);
+        lastRev = res.body.rev;
+        done();
      });
    });

    it('should delete 401 when no auth', function (done) {
      request(app)
-      .del('/testputmodule/download/testputmodule-0.1.9.tgz/-rev/' + lastRev)
+      .del('/test-delete-download-module/download/test-delete-download-module-0.1.9.tgz/-rev/' + lastRev)
      .expect(401, done);
    });

    it('should delete 403 when auth error', function (done) {
      request(app)
-      .del('/testputmodule/download/testputmodule-0.1.9.tgz/-rev/' + lastRev)
-      .set('authorization', baseauthOther)
+      .del('/test-delete-download-module/download/test-delete-download-module-0.1.9.tgz/-rev/' + lastRev)
+      .set('authorization', utils.otherUserAuth)
      .expect(403, done);
    });

    it('should delete file ok', function (done) {
      request(app)
-      .del('/testputmodule/download/testputmodule-0.1.9.tgz/-rev/' + lastRev)
-      .set('authorization', baseauth)
+      .del('/test-delete-download-module/download/test-delete-download-module-0.1.9.tgz/-rev/' + lastRev)
+      .set('authorization', utils.adminAuth)
      .expect(200, done);
    });
  });

-  describe('DELETE /:name/-rev/:rev', function (done) {
+  describe('PUT /:name/:tag updateTag()', function () {
+    it('should create new tag ok', function (done) {
+      request(app)
+      .put('/mk2testmodule/newtag')
+      .set('content-type', 'application/json')
+      .set('authorization', utils.adminAuth)
+      .send('"0.0.1"')
+      .expect(201)
+      .expect({"ok":true}, done);
+    });
+
+    it('should override exist tag ok', function (done) {
+      request(app)
+      .put('/mk2testmodule/newtag')
+      .set('content-type', 'application/json')
+      .set('authorization', utils.adminAuth)
+      .send('"0.0.1"')
+      .expect(201, done);
+    });
+
+    it('should tag invalid version 403', function (done) {
+      request(app)
+      .put('/mk2testmodule/newtag')
+      .set('content-type', 'application/json')
+      .set('authorization', utils.adminAuth)
+      .send('"hello"')
+      .expect(403)
+      .expect({
+        error: 'forbidden',
+        reason: 'setting tag newtag to invalid version: hello: mk2testmodule/newtag'
+      }, done);
+    });
+
+    it('should tag not eixst version 403', function (done) {
+      request(app)
+      .put('/mk2testmodule/newtag')
+      .set('content-type', 'application/json')
+      .set('authorization', utils.adminAuth)
+      .send('"5.0.0"')
+      .expect(403)
+      .expect({
+        error: 'forbidden',
+        reason: 'setting tag newtag to unknown version: 5.0.0: mk2testmodule/newtag'
+      }, done);
+    });
+
+    describe('update tag not maintainer', function () {
+      before(function (done) {
+        var pkg = utils.getPackage('update-tag-not-maintainer', '1.0.0');
+        request(app)
+        .put('/' + pkg.name)
+        .set('content-type', 'application/json')
+        .set('authorization', utils.adminAuth)
+        .send(pkg)
+        .expect(201, done);
+      });
+
+      it('should not maintainer update tag return no permission 403', function (done) {
+        request(app)
+        .put('/update-tag-not-maintainer/newtag')
+        .set('content-type', 'application/json')
+        .set('authorization', utils.otherUserAuth)
+        .send('"1.0.0"')
+        .expect(403)
+        .expect({
+          error: 'forbidden user',
+          reason: 'cnpmjstest101 not authorized to modify update-tag-not-maintainer'
+        }, done);
+      });
+    });
+  });
+
+  describe('DELETE /:name/-rev/:rev', function () {
    var baseauth = 'Basic ' + new Buffer('cnpmjstest10:cnpmjstest10').toString('base64');
    var baseauthOther = 'Basic ' + new Buffer('cnpmjstest101:cnpmjstest101').toString('base64');
    var lastRev;
@@ -707,20 +907,44 @@ describe('controllers/registry/module.test.js', function () {
    it('should delete 403 when auth error', function (done) {
      request(app)
      .del('/testputmodule/-rev/' + lastRev)
-      .set('authorization', baseauthOther)
+      .set('authorization', utils.otherUserAuth)
      .expect(403, done);
    });

-    it('shold remove all the module ok', function (done) {
-      //do not really remove
-      mm.empty(Module, 'removeByName');
-      request(app)
-      .del('/testputmodule/-rev/' + lastRev)
-      .set('authorization', baseauth)
-      .expect(200, function (err, res) {
-        should.not.exist(err);
-        should.not.exist(res.headers['set-cookie']);
-        done();
+    describe('remove all modules by name', function () {
+      before(function (done) {
+        var pkg = utils.getPackage('remove-all-module');
+        request(app)
+        .put('/remove-all-module')
+        .set('content-type', 'application/json')
+        .set('authorization', utils.adminAuth)
+        .send(pkg)
+        .expect(201, done);
+      });
+
+      it('shold fail when user not maintainer', function (done) {
+        request(app)
+        .del('/remove-all-module/-rev/1')
+        .set('authorization', utils.otherUserAuth)
+        .expect(403, function (err, res) {
+          should.not.exist(err);
+          res.body.should.eql({
+            error: 'no_perms',
+            reason: 'Private mode enable, only admin can publish this module'
+          });
+          done();
+        });
+      });
+
+      it('shold ok', function (done) {
+        request(app)
+        .del('/remove-all-module/-rev/1')
+        .set('authorization', utils.adminAuth)
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          should.not.exist(res.headers['set-cookie']);
+          done();
+        });
      });
    });
  });
--- a/test/controllers/registry/module/config_private_packages.test.js
+++ b/test/controllers/registry/module/config_private_packages.test.js
@@ -0,0 +1,105 @@
+/*!
+ * cnpmjs.org - test/controllers/registry/module/public_mode.test.js
+ * Copyright(c) 2014 dead_horse <dead_horse@qq.com>
+ * MIT Licensed
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var request = require('supertest');
+var mm = require('mm');
+var config = require('../../../../config');
+var app = require('../../../../servers/registry');
+var utils = require('../../../utils');
+
+describe('controllers/registry/module/config_private_packages.test.js', function () {
+  beforeEach(function () {
+    mm(config, 'enablePrivate', false);
+    mm(config, 'forcePublishWithScope', true);
+    mm(config, 'privatePackages', ['private-package']);
+  });
+
+  after(mm.restore);
+  it('should publish with tgz base64, addPackageAndDist()', function (done) {
+    var pkg = utils.getPackage('private-package', '0.0.1', utils.otherUser);
+    request(app)
+    .put('/' + pkg.name)
+    .set('authorization', utils.otherUserAuth)
+    .send(pkg)
+    .expect(201, function (err, res) {
+      should.not.exist(err);
+      res.body.should.have.keys('ok', 'rev');
+      res.body.ok.should.equal(true);
+      pkg = utils.getPackage('private-package', '0.0.1', utils.otherUser);
+      // upload again should 403
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.otherUserAuth)
+      .send(pkg)
+      .expect(403, function (err, res) {
+        should.not.exist(err);
+        res.body.should.eql({
+          error: 'forbidden',
+          reason: 'cannot modify pre-existing version: 0.0.1'
+        });
+        done();
+      });
+    });
+  });
+
+  it('should other user publish 403', function (done) {
+    var pkg = utils.getPackage('private-package', '0.0.2', utils.secondUser);
+    request(app)
+    .put('/' + pkg.name)
+    .set('authorization', utils.secondUserAuth)
+    .send(pkg)
+    .expect(/forbidden user/)
+    .expect(403, done);
+  });
+
+  it('should admin publish 403', function (done) {
+    var pkg = utils.getPackage('private-package', '0.0.2', utils.admin);
+    request(app)
+    .put('/' + pkg.name)
+    .set('authorization', utils.adminAuth)
+    .send(pkg)
+    .expect(/forbidden user/)
+    .expect(403, done);
+  });
+
+  it('should add again new maintainers', function (done) {
+    request(app)
+    .put('/private-package/-rev/1')
+    .send({
+      maintainers: [{
+        name: 'cnpmjstest101',
+        email: 'cnpmjstest101@cnpmjs.org'
+      }, {
+        name: 'fengmk2',
+        email: 'fengmk2@cnpmjs.org'
+      }]
+    })
+    .set('authorization', utils.otherUserAuth)
+    .expect(201)
+    .expect('content-type', 'application/json; charset=utf-8', done);
+  });
+
+  it('should remove maintainers', function (done) {
+    request(app)
+    .put('/private-package/-rev/1')
+    .send({
+      maintainers: [{
+        name: 'cnpmjstest101',
+        email: 'cnpmjstest101@cnpmjs.org'
+      }]
+    })
+    .set('authorization', utils.otherUserAuth)
+    .expect(201)
+    .expect('content-type', 'application/json; charset=utf-8', done);
+  });
+});
--- a/test/controllers/registry/module/maintainer.test.js
+++ b/test/controllers/registry/module/maintainer.test.js
@@ -0,0 +1,100 @@
+/**!
+ * cnpmjs.org - test/controllers/registry/module/maintainer.test.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var request = require('supertest');
+var mm = require('mm');
+var config = require('../../../../config');
+var app = require('../../../../servers/registry');
+var utils = require('../../../utils');
+
+describe('controllers/registry/module/maintainer.test.js', function () {
+  var pkgname = '@cnpm/test-package-maintainer';
+  var pkgURL = '/@' + encodeURIComponent(pkgname.substring(1));
+  before(function (done) {
+    app = app.listen(0, function () {
+      // add scope package
+      var pkg = utils.getPackage(pkgname, '0.0.1', utils.admin);
+
+      request(app)
+      .put(pkgURL)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, done);
+    });
+  });
+
+  beforeEach(function () {
+    mm(config, 'scopes', ['@cnpm', '@cnpmtest']);
+  });
+
+  afterEach(mm.restore);
+
+  it('should add new maintainer without custom user service', function (done) {
+    mm(config, 'customUserService', false);
+    request(app)
+    .put('/@cnpm/test-package-maintainer/-rev/1')
+    .set('authorization', utils.adminAuth)
+    .send({
+      maintainers: [
+        { name: 'new-maintainer', email: 'new-maintainer@cnpmjs.org' },
+        { name: utils.admin, email: utils.admin + '@cnpmjs.org' },
+      ]
+    })
+    .expect(201, done);
+  });
+
+  describe('config.customUserService = true', function () {
+    it('should add new maintainer fail when user not exists', function (done) {
+      mm(config, 'customUserService', true);
+      request(app)
+      .put('/@cnpm/test-package-maintainer/-rev/1')
+      .set('authorization', utils.adminAuth)
+      .send({
+        maintainers: [
+          { name: 'new-maintainer-not-exists', email: 'new-maintainer@cnpmjs.org' },
+          { name: 'new-maintainer-not-exists2', email: 'new-maintainer@cnpmjs.org' },
+          { name: utils.admin, email: utils.admin + '@cnpmjs.org' },
+        ]
+      })
+      .expect({
+        error: 'invalid user name',
+        reason: 'User: new-maintainer-not-exists, new-maintainer-not-exists2 not exists'
+      })
+      .expect(403, done);
+    });
+
+    it('should add new maintainer success when user all exists', function (done) {
+      mm(config, 'customUserService', true);
+      request(app)
+      .put('/@cnpm/test-package-maintainer/-rev/1')
+      .set('authorization', utils.adminAuth)
+      .send({
+        maintainers: [
+          { name: 'cnpmjstest101', email: 'cnpmjstest101@cnpmjs.org' },
+          { name: 'cnpmjstest102', email: 'cnpmjstest102@cnpmjs.org' },
+          { name: utils.admin, email: utils.admin + '@cnpmjs.org' },
+        ]
+      })
+      .expect({
+        ok: true,
+        id: '@cnpm/test-package-maintainer',
+        rev: '1'
+      })
+      .expect(201, done);
+    });
+  });
+});
--- a/test/controllers/registry/module/public_mode.test.js
+++ b/test/controllers/registry/module/public_mode.test.js
@@ -0,0 +1,800 @@
+/*!
+ * cnpmjs.org - test/controllers/registry/module/public_mode.test.js
+ * Copyright(c) 2014 dead_horse <dead_horse@qq.com>
+ * MIT Licensed
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var request = require('supertest');
+var path = require('path');
+var mm = require('mm');
+var pedding = require('pedding');
+var config = require('../../../../config');
+var app = require('../../../../servers/registry');
+var utils = require('../../../utils');
+var Module = require('../../../../proxy/module');
+
+var fixtures = path.join(__dirname, '..', '..', '..', 'fixtures');
+
+describe('controllers/registry/module/public_module.test.js', function () {
+  beforeEach(function () {
+    mm(config, 'enablePrivate', false);
+  });
+  before(function (done) {
+    mm(config, 'enablePrivate', false);
+    mm(config, 'forcePublishWithScope', false);
+    app = app.listen(0, function () {
+      done = pedding(2, done);
+      // name: publictestmodule
+      var pkg = utils.getPackage('publictestmodule', '0.0.1', utils.otherUser);
+
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.otherUserAuth)
+      .send(pkg)
+      .expect(201, function (err) {
+        should.not.exist(err);
+        pkg = utils.getPackage('publictestmodule', '0.0.2', utils.otherUser);
+        // publish 0.0.2
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201, done);
+      });
+
+      // publicputmodule@0.1.9
+      var testpkg = utils.getPackage('publicputmodule', '0.1.9', utils.otherUser);
+
+      request(app)
+      .put('/' + testpkg.name)
+      .set('authorization', utils.otherUserAuth)
+      .send(pkg)
+      .expect(201, done);
+    });
+  });
+  afterEach(mm.restore);
+
+  describe('PUT /:name/-rev/id updateMaintainers() in public mode', function () {
+    beforeEach(function () {
+      mm(config, 'forcePublishWithScope', false);
+    });
+
+    before(function (done) {
+      mm(config, 'enablePrivate', false);
+      mm(config, 'forcePublishWithScope', false);
+      request(app)
+      .put('/publictestmodule/-rev/1')
+      .send({
+        maintainers: [{
+          name: 'cnpmjstest101',
+          email: 'fengmk2@cnpmjs.org'
+        }]
+      })
+      .set('authorization', utils.otherUserAuth)
+      .expect({"ok":true,"id":"publictestmodule","rev":"1"}, done);
+    });
+
+    it('should add new maintainers', function (done) {
+      request(app)
+      .put('/publictestmodule/-rev/1')
+      .send({
+        maintainers: [{
+          name: 'cnpmjstest10',
+          email: 'fengmk2@cnpmjs.org'
+        }, {
+          name: 'cnpmjstest101',
+          email: 'fengmk2@cnpmjs.org'
+        }]
+      })
+      .set('authorization', utils.otherUserAuth)
+      .expect(201)
+      .expect({
+        ok: true, id: 'publictestmodule', rev: '1'
+      }, function (err) {
+        should.not.exist(err);
+        done = pedding(2, done);
+        // check maintainers update
+        request(app)
+        .get('/publictestmodule')
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          var pkg = res.body;
+          pkg.maintainers.should.length(2);
+          pkg.maintainers.should.eql(pkg.versions['0.0.1'].maintainers);
+          pkg.maintainers.sort(function (a, b) {
+            return a.name > b.name ? 1 : -1;
+          });
+          pkg.maintainers.should.eql([
+            { name: 'cnpmjstest10', email: 'fengmk2@gmail.com' },
+            { name: 'cnpmjstest101', email: 'fengmk2@gmail.com' },
+          ]);
+          done();
+        });
+
+        // /pkg/0.0.1
+        request(app)
+        .get('/publictestmodule/0.0.1')
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          var pkg = res.body;
+          pkg.maintainers.should.length(2);
+          pkg.maintainers.sort(function (a, b) {
+            return a.name > b.name ? 1 : -1;
+          });
+          pkg.maintainers.should.eql([
+            { name: 'cnpmjstest10', email: 'fengmk2@gmail.com' },
+            { name: 'cnpmjstest101', email: 'fengmk2@gmail.com' },
+          ]);
+          done();
+        });
+      });
+    });
+
+    it('should add again new maintainers', function (done) {
+      request(app)
+      .put('/publictestmodule/-rev/1')
+      .send({
+        maintainers: [{
+          name: 'cnpmjstest101',
+          email: 'cnpmjstest101@cnpmjs.org'
+        }, {
+          name: 'fengmk2',
+          email: 'fengmk2@cnpmjs.org'
+        }]
+      })
+      .set('authorization', utils.otherUserAuth)
+      .expect(201)
+      .expect('content-type', 'application/json; charset=utf-8', done);
+    });
+
+    it('should add new maintainers by admin', function (done) {
+      request(app)
+      .put('/publictestmodule/-rev/1')
+      .send({
+        maintainers: [{
+          name: 'cnpmjstest101',
+          email: 'cnpmjstest101@cnpmjs.org'
+        }, {
+          name: 'fengmk2',
+          email: 'fengmk2@cnpmjs.org'
+        }]
+      })
+      .set('authorization', utils.adminAuth)
+      .expect(201)
+      .expect('content-type', 'application/json; charset=utf-8', done);
+    });
+
+    it('should rm maintainers', function (done) {
+      request(app)
+      .put('/publictestmodule/-rev/1')
+      .send({
+        maintainers: [{
+          name: 'cnpmjstest101',
+          email: 'cnpmjstest101@cnpmjs.org'
+        }]
+      })
+      .set('authorization', utils.otherUserAuth)
+      .expect(201)
+      .expect('content-type', 'application/json; charset=utf-8', done);
+    });
+
+    it('should rm again maintainers', function (done) {
+      request(app)
+      .put('/publictestmodule/-rev/1')
+      .send({
+        maintainers: [{
+          name: 'cnpmjstest101',
+          email: 'cnpmjstest101@cnpmjs.org'
+        }]
+      })
+      .set('authorization', utils.otherUserAuth)
+      .expect(201)
+      .expect({
+        id: 'publictestmodule',
+        rev: '1',
+        ok: true
+      }, done);
+    });
+
+    it('should rm all maintainers forbidden 403', function (done) {
+      request(app)
+      .put('/publictestmodule/-rev/1')
+      .send({
+        maintainers: []
+      })
+      .set('authorization', utils.otherUserAuth)
+      .expect(403)
+      .expect({error: 'invalid operation', reason: 'Can not remove all maintainers'})
+      .expect('content-type', 'application/json; charset=utf-8', done);
+    });
+
+    it('should 403 when not maintainer update', function (done) {
+      request(app)
+      .put('/publictestmodule/-rev/1')
+      .send({
+        maintainers: [{
+          name: 'cnpmjstest10',
+          email: 'cnpmjstest10@cnpmjs.org'
+        }]
+      })
+      .set('authorization', utils.secondUserAuth)
+      .expect(403)
+      .expect({
+        error: 'forbidden user',
+        reason: 'cnpmjstest102 not authorized to modify publictestmodule'
+      }, done);
+    });
+
+    describe('forcePublishWithScope = true', function () {
+      beforeEach(function () {
+        mm(config, 'forcePublishWithScope', true);
+      });
+
+      before(function (done) {
+        mm(config, 'forcePublishWithScope', true);
+        mm(config, 'enablePrivate', false);
+        var pkg = utils.getPackage('@cnpm/publictestmodule', '0.0.1', utils.otherUser);
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201, function (err, res) {
+          should.not.exist(err);
+          pkg = utils.getPackage(pkg.name, '0.0.2', utils.otherUser);
+          // publish 0.0.2
+          request(app)
+          .put('/' + pkg.name)
+          .set('authorization', utils.otherUserAuth)
+          .send(pkg)
+          .expect(201, done);
+        });
+      });
+
+      it('should 403 add maintainers without scope', function (done) {
+        request(app)
+        .put('/publictestmodule/-rev/1')
+        .send({
+          maintainers: [{
+            name: 'cnpmjstest101',
+            email: 'cnpmjstest101@cnpmjs.org'
+          }, {
+            name: 'fengmk2',
+            email: 'fengmk2@cnpmjs.org'
+          }]
+        })
+        .set('authorization', utils.otherUserAuth)
+        .expect(403, done);
+      });
+
+      it('should add maintainers ok with scope', function (done) {
+        request(app)
+        .put('/@cnpm/publictestmodule/-rev/1')
+        .send({
+          maintainers: [{
+            name: 'cnpmjstest101',
+            email: 'cnpmjstest101@cnpmjs.org'
+          }, {
+            name: 'fengmk2',
+            email: 'fengmk2@cnpmjs.org'
+          }]
+        })
+        .set('authorization', utils.otherUserAuth)
+        .expect( { ok: true, id: '@cnpm/publictestmodule', rev: '1' })
+        .expect(201, done);
+      });
+    });
+  });
+
+  describe('PUT /:name publish new flow addPackageAndDist()', function () {
+    beforeEach(function () {
+      mm(config, 'enablePrivate', false);
+      mm(config, 'forcePublishWithScope', false);
+    });
+
+    it('should publish with tgz base64, addPackageAndDist()', function (done) {
+      var pkg = utils.getPackage('publicpublishmodule', '0.0.2', utils.otherUser);
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.otherUserAuth)
+      .send(pkg)
+      .expect(201, function (err, res) {
+        should.not.exist(err);
+        res.body.should.have.keys('ok', 'rev');
+        res.body.ok.should.equal(true);
+        pkg = utils.getPackage('publicpublishmodule', '0.0.2', utils.otherUser);
+        // upload again should 403
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(403, function (err, res) {
+          should.not.exist(err);
+          res.body.should.eql({
+            error: 'forbidden',
+            reason: 'cannot modify pre-existing version: 0.0.2'
+          });
+          done();
+        });
+      });
+    });
+
+    it('should other user pulbish 403', function (done) {
+      var pkg = utils.getPackage('publicpublishmodule', '0.0.3', utils.secondUser);
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.secondUserAuth)
+      .send(pkg)
+      .expect(403, done);
+    });
+
+    it('should admin pulbish 403', function (done) {
+      var pkg = utils.getPackage('publicpublishmodule', '0.0.3', utils.admin);
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(403, done);
+    });
+
+    it('should publish with scope, addPackageAndDist()', function (done) {
+      mm(config, 'forcePublishWithScope', false);
+      var pkg = utils.getPackage('@cnpm/publicpublishmodule', '0.0.2', utils.otherUser);
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.otherUserAuth)
+      .send(pkg)
+      .expect(201, function (err, res) {
+        should.not.exist(err);
+        res.body.should.have.keys('ok', 'rev');
+        res.body.ok.should.equal(true);
+
+        // upload again should 403
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(403, function (err, res) {
+          should.not.exist(err);
+          res.body.should.eql({
+            error: 'forbidden',
+            reason: 'cannot modify pre-existing version: 0.0.2'
+          });
+          done();
+        });
+      });
+    });
+
+    describe('forcePublishWithScope = true', function () {
+      it('should publish without scope 403, addPackageAndDist()', function (done) {
+        mm(config, 'forcePublishWithScope', false);
+        var pkg = utils.getPackage('publicpublishmodule', '0.0.2');
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(403, done);
+      });
+
+      it('should admin publish without scope ok, addPackageAndDist()', function (done) {
+        mm(config, 'forcePublishWithScope', false);
+        var pkg = utils.getPackage('publicpublishmodule1', '0.0.4', utils.admin);
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.adminAuth)
+        .send(pkg)
+        .expect(201, done);
+      });
+    });
+  });
+
+  describe('PUT /:name/-rev/:rev removeWithVersions', function () {
+    var withoutScopeRev;
+    before(function (done) {
+      mm(config, 'enablePrivate', false);
+      mm(config, 'forcePublishWithScope', false);
+      var pkg = utils.getPackage('publicremovemodule', '0.0.1', utils.otherUser);
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.otherUserAuth)
+      .send(pkg)
+      .expect(201, function (err, res) {
+        should.not.exist(err);
+        res.body.should.have.keys('ok', 'rev');
+        res.body.ok.should.equal(true);
+
+        pkg = utils.getPackage('publicremovemodule', '0.0.2', utils.otherUser);
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201, function (err, res) {
+          should.not.exist(err);
+          withoutScopeRev = res.body.rev;
+          done();
+        });
+      });
+    });
+
+    it('should remove with version ok', function (done) {
+      mm.empty(Module, 'removeByNameAndVersions');
+      mm.empty(Module, 'removeTagsByIds');
+      request(app)
+      .put('/publicremovemodule/-rev/' + withoutScopeRev)
+      .set('authorization', utils.otherUserAuth)
+      .send({
+        versions: {
+          '0.0.1': {}
+        }
+      })
+      .expect(201, done);
+    });
+
+    it('should no auth user remove 403', function (done) {
+      mm.empty(Module, 'removeByNameAndVersions');
+      mm.empty(Module, 'removeTagsByIds');
+      request(app)
+      .put('/publicremovemodule/-rev/' + withoutScopeRev)
+      .set('authorization', utils.secondUserAuth)
+      .send({
+        versions: {
+          '0.0.1': {}
+        }
+      })
+      .expect(403, done);
+    });
+
+    it('should admin remove ok', function (done) {
+      mm.empty(Module, 'removeByNameAndVersions');
+      mm.empty(Module, 'removeTagsByIds');
+      request(app)
+      .put('/publicremovemodule/-rev/' + withoutScopeRev)
+      .set('authorization', utils.adminAuth)
+      .send({
+        versions: {
+          '0.0.1': {}
+        }
+      })
+      .expect(201, done);
+    });
+
+    describe('forcePublishWithScope = true', function () {
+      var withScopeRev;
+      before(function (done) {
+        mm(config, 'enablePrivate', false);
+        mm(config, 'forcePublishWithScope', true);
+        var pkg = utils.getPackage('@cnpm/publicremovemodule', '0.0.1', utils.otherUser);
+        request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201, function (err, res) {
+          should.not.exist(err);
+          res.body.should.have.keys('ok', 'rev');
+          res.body.ok.should.equal(true);
+
+          pkg = utils.getPackage('@cnpm/publicremovemodule', '0.0.2', utils.otherUser);
+          request(app)
+          .put('/' + pkg.name)
+          .set('authorization', utils.otherUserAuth)
+          .send(pkg)
+          .expect(201, function (err, res) {
+            should.not.exist(err);
+            withScopeRev = res.body.rev;
+            done();
+          });
+        });
+      });
+
+      it('should remove without scope 403', function (done) {
+        mm(config, 'forcePublishWithScope', true);
+        mm.empty(Module, 'removeByNameAndVersions');
+        mm.empty(Module, 'removeTagsByIds');
+        request(app)
+        .put('/publicremovemodule/-rev/' + withoutScopeRev)
+        .set('authorization', utils.otherUserAuth)
+        .send({
+          versions: {
+            '0.0.1': {}
+          }
+        })
+        .expect(403, done);
+      });
+
+      it('should admin remove without scope ok', function (done) {
+        mm(config, 'forcePublishWithScope', true);
+        mm.empty(Module, 'removeByNameAndVersions');
+        mm.empty(Module, 'removeTagsByIds');
+        request(app)
+        .put('/publicremovemodule/-rev/' + withoutScopeRev)
+        .set('authorization', utils.adminAuth)
+        .send({
+          versions: {
+            '0.0.1': {}
+          }
+        })
+        .expect(201, done);
+      });
+
+      it('should remove with scope ok', function (done) {
+        mm(config, 'forcePublishWithScope', true);
+        mm.empty(Module, 'removeByNameAndVersions');
+        mm.empty(Module, 'removeTagsByIds');
+        request(app)
+        .put('/@cnpm/publicremovemodule/-rev/' + withScopeRev)
+        .set('authorization', utils.otherUserAuth)
+        .send({
+          versions: {
+            '0.0.1': {}
+          }
+        })
+        .expect(201, done);
+      });
+
+      it('should admin remove with scope ok', function (done) {
+        mm(config, 'forcePublishWithScope', true);
+        mm.empty(Module, 'removeByNameAndVersions');
+        mm.empty(Module, 'removeTagsByIds');
+        request(app)
+        .put('/@cnpm/publicremovemodule/-rev/' + withScopeRev)
+        .set('authorization', utils.adminAuth)
+        .send({
+          versions: {
+            '0.0.1': {}
+          }
+        })
+        .expect(201, done);
+      });
+    });
+  });
+
+  describe('DELETE /:name/download/:filename/-rev/:rev', function () {
+    var withoutScopeRev;
+    beforeEach(function () {
+      mm(config, 'enablePrivate', false);
+      mm(config, 'forcePublishWithScope', false);
+    });
+    before(function (done) {
+      mm(config, 'enablePrivate', false);
+      mm(config, 'forcePublishWithScope', false);
+      var pkg = utils.getPackage('public-test-delete-download-module', '0.1.9', utils.otherUser);
+      request(app)
+      .put('/' + pkg.name)
+      .set('content-type', 'application/json')
+      .set('authorization', utils.otherUserAuth)
+      .send(pkg)
+      .expect(201, function (err, res) {
+        should.not.exist(err);
+        withoutScopeRev = res.body.rev;
+        done();
+      });
+    });
+
+    it('should delete 403 when auth error', function (done) {
+      request(app)
+      .del('/public-test-delete-download-module/download/public-test-delete-download-module-0.1.9.tgz/-rev/' + withoutScopeRev)
+      .set('authorization', utils.secondUserAuth)
+      .expect(403, done);
+    });
+
+    it('should delete file ok', function (done) {
+      request(app)
+      .del('/public-test-delete-download-module/download/public-test-delete-download-module-0.1.9.tgz/-rev/' + withoutScopeRev)
+      .set('authorization', utils.otherUserAuth)
+      .expect(200, done);
+    });
+
+    it('should admin delete file ok', function (done) {
+      request(app)
+      .del('/public-test-delete-download-module/download/public-test-delete-download-module-0.1.9.tgz/-rev/' + withoutScopeRev)
+      .set('authorization', utils.adminAuth)
+      .expect(200, done);
+    });
+
+    describe('forcePublishWithScope = true', function () {
+      var withScopeRev;
+      beforeEach(function () {
+        mm(config, 'enablePrivate', false);
+        mm(config, 'forcePublishWithScope', true);
+      });
+      before(function (done) {
+        mm(config, 'enablePrivate', false);
+        mm(config, 'forcePublishWithScope', true);
+        var pkg = utils.getPackage('@cnpm/public-test-delete-download-module', '0.1.9', utils.otherUser);
+        request(app)
+        .put('/' + pkg.name)
+        .set('content-type', 'application/json')
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201, function (err, res) {
+          should.not.exist(err);
+          withScopeRev = res.body.rev;
+          done();
+        });
+      });
+
+      it('should delete file without scope 403', function (done) {
+        request(app)
+        .del('/public-test-delete-download-module/download/public-test-delete-download-module-0.1.9.tgz/-rev/' + withoutScopeRev)
+        .set('authorization', utils.otherUserAuth)
+        .expect(403, done);
+      });
+
+      it('should admin delete file without scope ok', function (done) {
+        request(app)
+        .del('/public-test-delete-download-module/download/public-test-delete-download-module-0.1.9.tgz/-rev/' + withoutScopeRev)
+        .set('authorization', utils.adminAuth)
+        .expect(200, done);
+      });
+      it('should delete file with scope ok', function (done) {
+        request(app)
+        .del('/@cnpm/public-test-delete-download-module/download/@cnpm/public-test-delete-download-module-0.1.9.tgz/-rev/' + withScopeRev)
+        .set('authorization', utils.otherUserAuth)
+        .expect(200, done);
+      });
+
+      it('should admin delete file with scope ok', function (done) {
+        request(app)
+        .del('/@cnpm/public-test-delete-download-module/download/@cnpm/public-test-delete-download-module-0.1.9.tgz/-rev/' + withScopeRev)
+        .set('authorization', utils.adminAuth)
+        .expect(200, done);
+      });
+    });
+  });
+
+  describe('PUT /:name/:tag updateTag()', function () {
+    it('should create new tag ok', function (done) {
+      request(app)
+      .put('/publictestmodule/newtag')
+      .set('content-type', 'application/json')
+      .set('authorization', utils.otherUserAuth)
+      .send('"0.0.1"')
+      .expect(201)
+      .expect({"ok":true}, done);
+    });
+
+    it('shold update tag not maintainer 403', function (done) {
+      request(app)
+      .put('/publictestmodule/newtag')
+      .set('content-type', 'application/json')
+      .set('authorization', utils.secondUserAuth)
+      .send('"0.0.1"')
+      .expect(403, done);
+    });
+
+    it('should admin update tag ok', function (done) {
+      request(app)
+      .put('/publictestmodule/newtag')
+      .set('content-type', 'application/json')
+      .set('authorization', utils.adminAuth)
+      .send('"0.0.1"')
+      .expect(201, done);
+    });
+  });
+
+  describe('DELETE /:name/-rev/:rev', function () {
+    describe('remove all modules by name', function () {
+      beforeEach(function () {
+        mm(config, 'enablePrivate', false);
+        mm(config, 'forcePublishWithScope', false);
+      });
+      before(function (done) {
+        mm(config, 'enablePrivate', false);
+        mm(config, 'forcePublishWithScope', false);
+        var pkg = utils.getPackage('public-remove-all-module', '0.0.1', utils.otherUser);
+        request(app)
+        .put('/public-remove-all-module')
+        .set('content-type', 'application/json')
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201, done);
+      });
+
+      it('shold fail when user not maintainer', function (done) {
+        request(app)
+        .del('/public-remove-all-module/-rev/1')
+        .set('authorization', utils.secondUserAuth)
+        .expect(403, function (err, res) {
+          should.not.exist(err);
+          res.body.should.eql({
+            error: 'forbidden user',
+            reason: 'cnpmjstest102 not authorized to modify public-remove-all-module'
+          });
+          done();
+        });
+      });
+
+      it('shold maintainer remove ok', function (done) {
+        mm.empty(Module, 'removeByName');
+        mm.empty(Module, 'removeTags');
+        request(app)
+        .del('/public-remove-all-module/-rev/1')
+        .set('authorization', utils.otherUserAuth)
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          should.not.exist(res.headers['set-cookie']);
+          done();
+        });
+      });
+
+      it('shold admin remove ok', function (done) {
+        mm.empty(Module, 'removeByName');
+        mm.empty(Module, 'removeTags');
+        request(app)
+        .del('/public-remove-all-module/-rev/1')
+        .set('authorization', utils.adminAuth)
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          should.not.exist(res.headers['set-cookie']);
+          done();
+        });
+      });
+
+      describe('forcePublishWithScope = true', function () {
+        before(function (done) {
+          mm(config, 'enablePrivate', false);
+          mm(config, 'forcePublishWithScope', true);
+          var pkg = utils.getPackage('@cnpm/public-remove-all-module', '0.0.1', utils.otherUser);
+          request(app)
+          .put('/@cnpm/public-remove-all-module')
+          .set('content-type', 'application/json')
+          .set('authorization', utils.otherUserAuth)
+          .send(pkg)
+          .expect(201, done);
+        });
+
+        it('should fail when user remove module without scope', function (done) {
+          mm(config, 'forcePublishWithScope', true);
+          request(app)
+          .del('/public-remove-all-module/-rev/1')
+          .set('authorization', utils.otherUserAuth)
+          .expect(403, done);
+        });
+
+        it('shold admin remove module without scope ok', function (done) {
+          mm(config, 'forcePublishWithScope', true);
+          mm.empty(Module, 'removeByName');
+          mm.empty(Module, 'removeTags');
+          request(app)
+          .del('/public-remove-all-module/-rev/1')
+          .set('authorization', utils.adminAuth)
+          .expect(200, done);
+        });
+
+        it('shold maintainer remove ok', function (done) {
+          mm(config, 'forcePublishWithScope', true);
+          mm.empty(Module, 'removeByName');
+          mm.empty(Module, 'removeTags');
+          request(app)
+          .del('/@cnpm/public-remove-all-module/-rev/1')
+          .set('authorization', utils.otherUserAuth)
+          .expect(200, function (err, res) {
+            should.not.exist(err);
+            should.not.exist(res.headers['set-cookie']);
+            done();
+          });
+        });
+
+        it('shold admin remove ok', function (done) {
+          mm(config, 'forcePublishWithScope', true);
+          mm.empty(Module, 'removeByName');
+          mm.empty(Module, 'removeTags');
+          request(app)
+          .del('/@cnpm/public-remove-all-module/-rev/1')
+          .set('authorization', utils.adminAuth)
+          .expect(200, function (err, res) {
+            should.not.exist(err);
+            should.not.exist(res.headers['set-cookie']);
+            done();
+          });
+        });
+      });
+    });
+  });
+});
--- a/test/controllers/registry/module/scope_package.test.js
+++ b/test/controllers/registry/module/scope_package.test.js
@@ -0,0 +1,279 @@
+/**!
+ * cnpmjs.org - test/controllers/registry/module/scope_package.test.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var request = require('supertest');
+var mm = require('mm');
+var config = require('../../../../config');
+var app = require('../../../../servers/registry');
+var utils = require('../../../utils');
+var Module = require('../../../../proxy/module');
+
+describe('controllers/registry/module/scope_package.test.js', function () {
+  var pkgname = '@cnpm/test-scope-package';
+  var pkgURL = '/@' + encodeURIComponent(pkgname.substring(1));
+  before(function (done) {
+    app = app.listen(0, function () {
+      // add scope package
+      var pkg = utils.getPackage(pkgname, '0.0.1', utils.admin);
+
+      request(app)
+      .put(pkgURL)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, function (err) {
+        should.not.exist(err);
+        pkg = utils.getPackage(pkgname, '0.0.2', utils.admin);
+        // publish 0.0.2
+        request(app.listen())
+        .put(pkgURL)
+        .set('authorization', utils.adminAuth)
+        .send(pkg)
+        .expect(201, done);
+      });
+    });
+  });
+
+  beforeEach(function () {
+    mm(config, 'scopes', ['@cnpm', '@cnpmtest']);
+  });
+
+  afterEach(mm.restore);
+
+  it('should get 404 when do not support scope', function (done) {
+    mm(config, 'scopes', []);
+    request(app)
+    .get('/@invalid/test')
+    .expect(404, done);
+  });
+
+  it('should get 400 when scope not match', function (done) {
+    request(app)
+    .get('/@invalid/test')
+    .expect(404, done);
+  });
+
+  it('should get scope package info: /@scope%2Fname', function (done) {
+    request(app)
+    .get(pkgURL)
+    .expect(200, function (err, res) {
+      should.not.exist(err);
+      var pkg = res.body;
+      pkg.name.should.equal(pkgname);
+      pkg.versions.should.have.keys('0.0.1', '0.0.2');
+      pkg['dist-tags'].latest.should.equal('0.0.2');
+      pkg.versions['0.0.1'].name.should.equal(pkgname);
+      pkg.versions['0.0.1'].dist.tarball
+        .should.containEql('/@cnpm/test-scope-package/download/@cnpm/test-scope-package-0.0.1.tgz');
+      done();
+    });
+  });
+
+  it('should get scope package info: /@scope/name', function (done) {
+    request(app.listen())
+    .get('/' + pkgname)
+    .expect(200, function (err, res) {
+      should.not.exist(err);
+      var pkg = res.body;
+      pkg.name.should.equal(pkgname);
+      pkg.versions.should.have.keys('0.0.1', '0.0.2');
+      pkg['dist-tags'].latest.should.equal('0.0.2');
+      pkg.versions['0.0.1'].name.should.equal(pkgname);
+      pkg.versions['0.0.1'].dist.tarball
+        .should.containEql('/@cnpm/test-scope-package/download/@cnpm/test-scope-package-0.0.1.tgz');
+      done();
+    });
+  });
+
+  it('should get scope package info: /%40scope%2Fname', function (done) {
+    request(app)
+    .get('/' + encodeURIComponent(pkgname))
+    .expect(200, function (err, res) {
+      should.not.exist(err);
+      var pkg = res.body;
+      pkg.name.should.equal(pkgname);
+      pkg.versions.should.have.keys('0.0.1', '0.0.2');
+      pkg['dist-tags'].latest.should.equal('0.0.2');
+      pkg.versions['0.0.1'].name.should.equal(pkgname);
+      pkg.versions['0.0.1'].dist.tarball
+        .should.containEql('/@cnpm/test-scope-package/download/@cnpm/test-scope-package-0.0.1.tgz');
+      done();
+    });
+  });
+
+  it('should get scope package with version', function (done) {
+    request(app)
+    .get('/' + pkgname + '/0.0.1')
+    .expect(200, function (err, res) {
+      should.not.exist(err);
+      var pkg = res.body;
+      pkg.name.should.equal(pkgname);
+      pkg.version.should.equal('0.0.1');
+      pkg.dist.tarball
+        .should.containEql('/@cnpm/test-scope-package/download/@cnpm/test-scope-package-0.0.1.tgz');
+      done();
+    });
+  });
+
+  it('should get scope package with tag', function (done) {
+    request(app)
+    .get('/' + pkgname + '/latest')
+    .expect(200, function (err, res) {
+      should.not.exist(err);
+      var pkg = res.body;
+      pkg.name.should.equal(pkgname);
+      pkg.version.should.equal('0.0.2');
+      pkg.dist.tarball
+        .should.containEql('/@cnpm/test-scope-package/download/@cnpm/test-scope-package-0.0.2.tgz');
+      done();
+    });
+  });
+
+  it('should download work', function (done) {
+    request(app)
+    .get('/@cnpm/test-scope-package/download/@cnpm/test-scope-package-0.0.2.tgz')
+    .expect('Location', /\.tgz$/)
+    .expect(302, done);
+  });
+
+  describe('support adaptScope', function () {
+    before(function (done) {
+      var pkg = utils.getPackage('test-default-scope-package', '0.0.1', utils.admin);
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, done);
+    });
+    describe('/@:scope/:name', function () {
+      it('should adapt /@cnpm/test-default-scope-package => /test-default-scope-package', function (done) {
+        mm(config, 'adaptScope', true);
+        request(app)
+        .get('/@cnpm/test-default-scope-package')
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          var pkg = res.body;
+          pkg._id.should.equal('@cnpm/test-default-scope-package');
+          pkg.name.should.equal('@cnpm/test-default-scope-package');
+          pkg.versions.should.have.keys('0.0.1');
+          pkg['dist-tags'].latest.should.equal('0.0.1');
+          pkg.versions['0.0.1'].name.should.equal('@cnpm/test-default-scope-package');
+          pkg.versions['0.0.1']._id.should.equal('@cnpm/test-default-scope-package@0.0.1');
+          pkg.versions['0.0.1'].dist.tarball
+            .should.containEql('/test-default-scope-package/download/test-default-scope-package-0.0.1.tgz');
+          done();
+        });
+      });
+
+      it('should adapt /@cnpmtest/test-default-scope-package => /test-default-scope-package', function (done) {
+        mm(config, 'adaptScope', true);
+        request(app)
+        .get('/@cnpmtest/test-default-scope-package')
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          var pkg = res.body;
+          pkg._id.should.equal('@cnpmtest/test-default-scope-package');
+          pkg.name.should.equal('@cnpmtest/test-default-scope-package');
+          pkg.versions.should.have.keys('0.0.1');
+          pkg['dist-tags'].latest.should.equal('0.0.1');
+          pkg.versions['0.0.1'].name.should.equal('@cnpmtest/test-default-scope-package');
+          pkg.versions['0.0.1']._id.should.equal('@cnpmtest/test-default-scope-package@0.0.1');
+          pkg.versions['0.0.1'].dist.tarball
+            .should.containEql('/test-default-scope-package/download/test-default-scope-package-0.0.1.tgz');
+          done();
+        });
+      });
+
+      it('should not adapt when adaptScope is false', function (done) {
+        mm(config, 'adaptScope', false);
+        request(app)
+        .get('/@cnpm/test-default-scope-package')
+        .expect(404, done);
+      });
+
+      it('should 404 when pkg not exists', function (done) {
+        mm(config, 'adaptScope', true);
+        request(app)
+        .get('/@cnpm/test-default-scope-package-not-exists')
+        .expect(404, done);
+      });
+
+      it('should show() 404 when adapt package is not private package', function (done) {
+        var getByTag = Module.getByTag;
+        mm(Module, 'getByTag', function* (name, tag) {
+          var pkg = yield getByTag.call(Module, name, tag);
+          pkg && delete pkg.package._publish_on_cnpm;
+          return pkg;
+        });
+        mm(config, 'adaptScope', true);
+        request(app)
+        .get('/@cnpm/test-default-scope-package')
+        .expect(404, done);
+      });
+    });
+
+    describe('/@:scope/:name/:tag', function () {
+      it('should adapt /@cnpm/test-default-scope-package/latest => /test-default-scope-package/latest', function (done) {
+        mm(config, 'adaptScope', true);
+        request(app)
+        .get('/@cnpm/test-default-scope-package/latest')
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          var pkg = res.body;
+          pkg.version.should.have.equal('0.0.1');
+          pkg.name.should.equal('@cnpm/test-default-scope-package');
+          pkg._id.should.equal('@cnpm/test-default-scope-package@0.0.1');
+          pkg.dist.tarball.should.containEql('/test-default-scope-package/download/test-default-scope-package-0.0.1.tgz');
+          done();
+        });
+      });
+
+      it('should not adapt when adaptScope is false', function (done) {
+        mm(config, 'adaptScope', false);
+        request(app)
+        .get('/@cnpm/test-default-scope-package/latest')
+        .expect(404, done);
+      });
+
+      it('should 404 when pkg not exists', function (done) {
+        mm(config, 'adaptScope', true);
+        request(app)
+        .get('/@cnpm/test-default-scope-package-not-exists/latest')
+        .expect(404, done);
+      });
+
+      it('should 404 when pkg version not exists', function (done) {
+        mm(config, 'adaptScope', true);
+        request(app)
+        .get('/@cnpm/test-default-scope-package-not-exists/1.0.0')
+        .expect(404, done);
+      });
+
+      it('should get() 404 when adapt package is not private package', function (done) {
+        var getByTag = Module.getByTag;
+        mm(Module, 'getByTag', function* (name, tag) {
+          var pkg = yield getByTag.call(Module, name, tag);
+          pkg && delete pkg.package._publish_on_cnpm;
+          return pkg;
+        });
+        mm(config, 'adaptScope', true);
+        request(app)
+        .get('/@cnpm/test-default-scope-package/latest')
+        .expect(404, done);
+      });
+    });
+  });
+});
--- a/test/controllers/registry/user.test.js
+++ b/test/controllers/registry/user.test.js
@@ -20,14 +20,12 @@ var mm = require('mm');
 var app = require('../../../servers/registry');
 var user = require('../../../proxy/user');
 var mysql = require('../../../common/mysql');
+var config = require('../../../config');
+var UserService = require('../../../services/user');

 describe('controllers/registry/user.test.js', function () {
  before(function (done) {
-    app.listen(0, done);
-  });
-
-  after(function (done) {
-    app.close(done);
+    app = app.listen(0, done);
  });

  afterEach(mm.restore);
@@ -88,91 +86,51 @@ describe('controllers/registry/user.test.js', function () {
    });

    it('should 409 when already exist', function (done) {
-      mm.data(user, 'get', {name: 'name'});
+      mm(user, 'get', function* () {
+        return {name: 'name'};
+      });
      request(app)
      .put('/-/user/org.couchdb.user:name')
      .send({
        name: 'name',
-        salt: 'salt',
-        password_sha: 'password_sha',
+        password: 'password',
        email: 'email'
      })
      .expect(409, done);
    });

    it('should 500 when user.get error', function (done) {
-      mm.error(user, 'get', 'mock error');
+      mm(user, 'get', function* () {
+        throw new Error('mock User.get error');
+      });
      request(app)
      .put('/-/user/org.couchdb.user:name')
      .send({
        name: 'name',
-        salt: 'salt',
-        password_sha: 'password_sha',
+        password: 'password',
        email: 'email'
      })
      .expect(500, done);
    });

    it('should 201 when user.add ok', function (done) {
-      mm.empty(user, 'get');
-      mm.data(user, 'add', {rev: '1-123'});
+      mm(user, 'get', function* () {
+        return null;
+      });
+      mm(user, 'add', function* () {
+        return {rev: '1-123'};
+      });
      request(app)
      .put('/-/user/org.couchdb.user:name')
      .send({
        name: 'name',
-        salt: 'salt',
-        password_sha: 'password_sha',
+        password: 'password',
        email: 'email'
      })
      .expect(201, done);
    });
  });

-  describe('POST /_session', function () {
-    it('should 500 auth error by user.auth', function (done) {
-      mm.error(user, 'auth', 'mock error');
-      request(app)
-      .post('/_session')
-      .send({
-        name: 'name',
-        password: '123'
-      })
-      .expect(500, done);
-    });
-
-    it('should 401 auth fail by user.auth', function (done) {
-      mm.empty(user, 'auth');
-      request(app)
-      .post('/_session')
-      .send({
-        name: 'name',
-        password: '123'
-      })
-      .expect(401, done);
-    });
-
-    it('should 200 auth pass by user.auth', function (done) {
-      mm.data(user, 'auth', {name: 'name'});
-      request(app)
-      .post('/_session')
-      .send({
-        name: 'name',
-        password: '123'
-      })
-      .expect(200)
-      .expect({
-        ok: true,
-        name: 'name',
-        roles: []
-      }, function (err, res) {
-        should.not.exist(err);
-        should.exist(res.headers['set-cookie']);
-        res.headers['set-cookie'].join(';').should.include('AuthSession=');
-        done();
-      });
-    });
-  });
-
  describe('PUT /-/user/:name/-rev/:rev', function () {
    it('should 404 when without a name', function (done) {
      request(app)
@@ -227,4 +185,184 @@ describe('controllers/registry/user.test.js', function () {
      .expect(201, done);
    });
  });
+
+  describe('config.customUserSerivce = true', function () {
+    beforeEach(function () {
+      mm(config, 'customUserService', true);
+    });
+
+    it('should 422 when password missing', function (done) {
+      request(app)
+      .put('/-/user/org.couchdb.user:cnpmjstest10-not-exists')
+      .send({
+        name: 'cnpmjstest10-not-exists',
+        password: '',
+        email: 'cnpmjstest10@cnpmjs.org'
+      })
+      .expect({
+        error: 'paramError',
+        reason: 'params missing, name, email or password missing.'
+      })
+      .expect(422, done);
+    });
+
+    it('should 201 login success', function (done) {
+      request(app)
+      .put('/-/user/org.couchdb.user:cnpmjstest10')
+      .send({
+        name: 'cnpmjstest10',
+        password: 'cnpmjstest10',
+        email: 'cnpmjstest10@cnpmjs.org'
+      })
+      .expect(201, function (err, res) {
+        should.not.exist(err);
+        res.body.should.have.keys('ok', 'id', 'rev');
+        res.body.id.should.equal('org.couchdb.user:cnpmjstest10');
+        res.body.rev.should.match(/\d+\-cnpmjstest10/);
+        res.body.ok.should.equal(true);
+        done();
+      });
+    });
+
+    it('should 401 login fail', function (done) {
+      request(app)
+      .put('/-/user/org.couchdb.user:cnpmjstest10-not-exists')
+      .send({
+        name: 'cnpmjstest10-not-exists',
+        password: 'cnpmjstest10',
+        email: 'cnpmjstest10@cnpmjs.org'
+      })
+      .expect({
+        error: 'unauthorized',
+        reason: 'Login fail, please check your login name and password'
+      })
+      .expect(401, done);
+    });
+  });
+
+  describe('config.customUserService = true', function () {
+    beforeEach(function () {
+      mm(config, 'customUserService', true);
+    });
+
+    afterEach(mm.restore);
+
+    it('should show custom user info: admin', function (done) {
+      mm(UserService, 'get', function* () {
+        return {
+          login: 'mock_custom_user',
+          email: 'mock_custom_user@cnpmjs.org',
+          name: 'mock_custom_user fullname',
+          avatar_url: 'avatar_url',
+          html_url: 'html_url',
+          im_url: '',
+          site_admin: true,
+          scopes: ['@test-user-scope']
+        };
+      });
+      request(app)
+      .get('/-/user/org.couchdb.user:mock_custom_user')
+      .expect(200, function (err, res) {
+        should.not.exist(err);
+        var user = res.body;
+        delete user._cnpm_meta.gmt_create;
+        delete user._cnpm_meta.gmt_modified;
+        delete user._cnpm_meta.id;
+        delete user.date;
+
+        user.should.eql({
+          _id: 'org.couchdb.user:mock_custom_user',
+          _rev: '1-mock_custom_user',
+          name: 'mock_custom_user',
+          email: 'mock_custom_user@cnpmjs.org',
+          type: 'user',
+          roles: [],
+          // date: '2014-07-28T16:46:36.000Z',
+          avatar: 'avatar_url',
+          fullname: 'mock_custom_user fullname',
+          homepage: 'html_url',
+          _cnpm_meta:
+           {
+            //  id: 4,
+             npm_user: false,
+             custom_user: true,
+            //  gmt_create: '2014-07-28T16:46:36.000Z',
+            //  gmt_modified: '2014-07-28T16:46:36.000Z',
+             admin: true,
+             scopes: [ '@test-user-scope' ] }
+        });
+        done();
+      });
+    });
+
+    it('should show custom user info: not admin', function (done) {
+      mm(UserService, 'get', function* () {
+        return {
+          login: 'mock_custom_not_admin_user',
+          email: 'mock_custom_not_admin_user@cnpmjs.org',
+          name: 'mock_custom_not_admin_user fullname',
+          avatar_url: 'avatar_url',
+          html_url: 'html_url',
+          im_url: '',
+          site_admin: false,
+          scopes: ['@test-user-scope']
+        };
+      });
+      request(app)
+      .get('/-/user/org.couchdb.user:mock_custom_not_admin_user')
+      .expect(200, function (err, res) {
+        should.not.exist(err);
+        var user = res.body;
+        delete user._cnpm_meta.gmt_create;
+        delete user._cnpm_meta.gmt_modified;
+        delete user._cnpm_meta.id;
+        delete user.date;
+
+        user.should.eql({
+          _id: 'org.couchdb.user:mock_custom_not_admin_user',
+          _rev: '1-mock_custom_not_admin_user',
+          name: 'mock_custom_not_admin_user',
+          email: 'mock_custom_not_admin_user@cnpmjs.org',
+          type: 'user',
+          roles: [],
+          // date: '2014-07-28T16:46:36.000Z',
+          avatar: 'avatar_url',
+          fullname: 'mock_custom_not_admin_user fullname',
+          homepage: 'html_url',
+          _cnpm_meta:
+           {
+            //  id: 5,
+             npm_user: false,
+             custom_user: true,
+            //  gmt_create: '2014-07-28T16:46:36.000Z',
+            //  gmt_modified: '2014-07-28T16:46:36.000Z',
+             admin: false,
+             scopes: [ '@test-user-scope' ] }
+        });
+        done();
+      });
+    });
+
+    it('should show error json when userSerive.auth throw error', function (done) {
+      mm(UserService, 'auth', function* () {
+        var err = new Error('mock user service auth error, please visit http://ooxx.net/user to sigup first');
+        err.name = 'UserSeriveAuthError';
+        err.status = 401;
+        throw err;
+      });
+
+      request(app)
+      .put('/-/user/org.couchdb.user:cnpmjstest10')
+      .send({
+        name: 'cnpmjstest10',
+        password: 'cnpmjstest10',
+        email: 'cnpmjstest10@cnpmjs.org'
+      })
+      .expect({
+        error: 'UserSeriveAuthError',
+        reason: 'mock user service auth error, please visit http://ooxx.net/user to sigup first'
+      })
+      .expect(401, done);
+    });
+  });
 });
--- a/test/controllers/sync.test.js
+++ b/test/controllers/sync.test.js
@@ -27,8 +27,8 @@ var webApp = require('../../servers/web');
 describe('controllers/sync.test.js', function () {
  before(function (done) {
    done = pedding(2, done);
-    registryApp.listen(0, done);
-    webApp.listen(0, done);
+    registryApp = registryApp.listen(0, done);
+    webApp = webApp.listen(0, done);
  });

  afterEach(mm.restore);
@@ -116,4 +116,12 @@ describe('controllers/sync.test.js', function () {
      });
    });
  });
+
+  describe('scope package', function () {
+    it('should sync scope package not found', function (done) {
+      request(webApp)
+      .put('/sync/@cnpm/not-exists-package')
+      .expect(404, done);
+    });
+  });
 });
--- a/test/controllers/total.test.js
+++ b/test/controllers/total.test.js
@@ -27,11 +27,6 @@ describe('controllers/total.test.js', function () {
    registryApp.listen(0, done);
    webApp.listen(0, done);
  });
-  after(function (done) {
-    done = pedding(2, done);
-    registryApp.close(done);
-    webApp.close(done);
-  });

  describe('GET / in registry', function () {
    it('should return total info', function (done) {
--- a/test/controllers/web/dist.test.js
+++ b/test/controllers/web/dist.test.js
@@ -16,22 +16,122 @@

 var should = require('should');
 var request = require('supertest');
+var pedding = require('pedding');
+var mm = require('mm');
 var app = require('../../../servers/web');
+var Dist = require('../../../proxy/dist');

 describe('controllers/web/dist.test.js', function () {
  before(function (done) {
-    app.listen(0, done);
-  });
-  after(function (done) {
-    app.close(done);
+    app = app.listen(0, done);
  });

-  describe('GET /dist', function (done) {
-    it('should 302 to config.disturl', function (done) {
+  afterEach(mm.restore);
+
+  describe('GET /dist/*', function (done) {
+    it('should GET /dist redirect to /dist/', function (done) {
      request(app)
      .get('/dist')
-      .expect('Location', 'http://dist.u.qiniudn.com/')
-      .expect(302, done);
+      .expect(302)
+      .expect('Location', '/dist/', done);
+    });
+
+    it('should GET /dist/ show file list', function (done) {
+      request(app)
+      .get('/dist/')
+      .expect('Content-Type', 'text/html; charset=utf-8')
+      .expect(200, function (err, res) {
+        should.not.exist(err);
+        res.text.should.containEql('<title>Mirror index of http://nodejs.org/dist/</title>');
+        done();
+      });
+    });
+
+    it('should mock return files and dirs', function (done) {
+      mm(Dist, 'listdir', function* () {
+        return [
+          {name: 'ooxx/', date: '02-May-2014 00:54'},
+          {name: 'foo.txt', size: 1024, date: '02-May-2014 00:54'},
+        ];
+      });
+      request(app)
+      .get('/dist/v1.0.0/')
+      .expect('Content-Type', 'text/html; charset=utf-8')
+      .expect(200, function (err, res) {
+        should.not.exist(err);
+        res.text.should.containEql('<title>Mirror index of http://nodejs.org/dist/v1.0.0/</title>');
+        res.text.should.containEql('<h1>Mirror index of <a target="_blank" href="http://nodejs.org/dist/v1.0.0/">http://nodejs.org/dist/v1.0.0/</a></h1>');
+        res.text.should.containEql('<a href="ooxx/">ooxx/</a>                                             02-May-2014 00:54                   -\n');
+        res.text.should.containEql('<a href="foo.txt">foo.txt</a>                                           02-May-2014 00:54                1024\n');
+        done();
+      });
+    });
+
+    it('should list files and dirs', function (done) {
+      mm(Dist, 'listdir', function* () {
+        return [
+          {name: 'npm/', date: '02-May-2014 00:54'},
+          {name: 'npm-versions.txt', size: 1676, date: '02-May-2014 00:54'},
+        ];
+      });
+      request(app)
+      .get('/dist/')
+      .expect('Content-Type', 'text/html; charset=utf-8')
+      .expect(200, function (err, res) {
+        should.not.exist(err);
+        res.text.should.containEql('<title>Mirror index of http://nodejs.org/dist/</title>');
+        res.text.should.containEql('<h1>Mirror index of <a target="_blank" href="http://nodejs.org/dist/">http://nodejs.org/dist/</a></h1>');
+        res.text.should.containEql('<a href="npm/">npm/</a>                                              02-May-2014 00:54                   -\n');
+        res.text.should.containEql('<a href="npm-versions.txt">npm-versions.txt</a>                                  02-May-2014 00:54                1676\n');
+        done();
+      });
+    });
+  });
+
+  describe('GET /dist/ files', function () {
+    it('should redirect to nfs url', function (done) {
+      mm(Dist, 'getfile', function* () {
+        return {
+          name: 'foo.txt', size: 1024, date: '02-May-2014 00:54',
+          url: 'http://mock.com/dist/v0.10.28/SHASUMS.txt'
+        };
+      });
+
+      request(app)
+      .get('/dist/v0.10.28/SHASUMS.txt')
+      .expect(302)
+      .expect('Location', 'http://mock.com/dist/v0.10.28/SHASUMS.txt', done);
+    });
+
+    it('should GET /dist/npm-versions.txt redirect to nfs url', function (done) {
+      mm(Dist, 'getfile', function* (fullname) {
+        fullname.should.equal('/npm-versions.txt');
+        return {
+          name: 'npm-versions.txt', size: 1024, date: '02-May-2014 00:54',
+          url: 'http://mock.com/dist/npm-versions.txt'
+        };
+      });
+
+      request(app)
+      .get('/dist/npm-versions.txt')
+      .expect(302)
+      .expect('Location', 'http://mock.com/dist/npm-versions.txt', done);
+    });
+
+    it('should download nfs file and send it', function (done) {
+      mm(Dist, 'getfile', function* () {
+        return {
+          name: 'foo.txt',
+          size: 1264,
+          date: '02-May-2014 00:54',
+          url: '/dist/v0.10.28/SHASUMS.txt'
+        };
+      });
+
+      request(app)
+      .get('/dist/v0.10.28/SHASUMS.txt')
+      .expect(200)
+      .expect(/6eff580cc8460741155d42ef1ef537961194443f/, done);
    });
  });
 });
--- a/test/controllers/web/package.test.js
+++ b/test/controllers/web/package.test.js
@@ -18,31 +18,31 @@ var should = require('should');
 var request = require('supertest');
 var mm = require('mm');
 var path = require('path');
+var pedding = require('pedding');
 var mysql = require('../../../common/mysql');
 var app = require('../../../servers/web');
 var registry = require('../../../servers/registry');
 var pkg = require('../../../controllers/web/package');
+var SyncModuleWorker = require('../../../proxy/sync_module_worker');
+var utils = require('../../utils');
+var config = require('../../../config');

 var fixtures = path.join(path.dirname(path.dirname(__dirname)), 'fixtures');

 describe('controllers/web/package.test.js', function () {
-  var baseauth = 'Basic ' + new Buffer('cnpmjstest10:cnpmjstest10').toString('base64');
-
  before(function (done) {
-    registry.listen(0, function () {
-      var pkg = require(path.join(fixtures, 'package_and_tgz.json'));
+    done = pedding(2, done);
+    registry = registry.listen(0, function () {
+      // name: mk2testmodule
+      var pkg = utils.getPackage('mk2testmodule', '0.0.1', utils.admin);
      request(registry)
      .put('/' + pkg.name)
-      .set('authorization', baseauth)
+      .set('authorization', utils.adminAuth)
      .send(pkg)
-      .expect(201, function () {
-        app.listen(0, done);
-      });
+      .end(done);
    });
-  });

-  after(function (done) {
-    app.close(done);
+    app = app.listen(0, done);
  });

  afterEach(mm.restore);
@@ -51,7 +51,7 @@ describe('controllers/web/package.test.js', function () {
    it('should search with "m"', function (done) {
      request(app)
      .get('/_list/search/search?startkey="m"&limit=2')
-      .expect('content-type', 'application/json')
+      .expect('content-type', 'application/json; charset=utf-8')
      .expect(200, function (err, res) {
        should.not.exist(err);
        res.body.should.have.keys('rows');
@@ -95,14 +95,14 @@ describe('controllers/web/package.test.js', function () {
      request(app)
      .get('/package/mk2testmodule')
      .expect(200)
-      .expect('content-encoding', 'gzip')
+      // .expect('content-encoding', 'gzip')
      .expect('content-type', 'text/html; charset=utf-8')
      .expect(/<div id="package">/)
      .expect(/<th>Maintainers<\/th>/)
      .expect(/<th>Version<\/th>/, function (err, res) {
        should.not.exist(err);
        res.should.have.header('etag');
-        res.text.should.include('<meta charset="utf-8">');
+        res.text.should.containEql('<meta charset="utf-8">');
        done();
      });
    });
@@ -214,4 +214,45 @@ describe('controllers/web/package.test.js', function () {
      .expect(/Log/, done);
    });
  });
+
+  describe('unpublished package', function () {
+    before(function (done) {
+      var worker = new SyncModuleWorker({
+        name: ['browserjs'],
+        username: 'fengmk2'
+      });
+
+      worker.start();
+      worker.on('end', function () {
+        var names = worker.successes.concat(worker.fails);
+        names.sort();
+        names.should.eql(['browserjs']);
+        done();
+      });
+    });
+
+    it('should display unpublished info', function (done) {
+      request(app)
+      .get('/package/browserjs')
+      .expect(200)
+      .expect(/This package has been unpublished\./, done);
+    });
+  });
+
+  describe('GET /privates', function () {
+    it('should response no private packages', function (done) {
+      mm(config, 'scopes', []);
+      request(app)
+      .get('/privates')
+      .expect(/Can not found private package/)
+      .expect(200, done);
+    });
+
+    it('should response no private packages', function (done) {
+      request(app)
+      .get('/privates')
+      .expect(/Private packages in this registry/)
+      .expect(200, done);
+    });
+  });
 });
--- a/test/controllers/web/package/scope_package.test.js
+++ b/test/controllers/web/package/scope_package.test.js
@@ -0,0 +1,177 @@
+/**!
+ * cnpmjs.org - test/controllers/web/package/scope_package.test.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var request = require('supertest');
+var pedding = require('pedding');
+var mm = require('mm');
+var config = require('../../../../config');
+var registry = require('../../../../servers/registry');
+var web = require('../../../../servers/web');
+var utils = require('../../../utils');
+var Module = require('../../../../proxy/module');
+
+describe('controllers/web/package/scope_package.test.js', function () {
+  var pkgname = '@cnpm/test-web-scope-package';
+  var pkgURL = '/@' + encodeURIComponent(pkgname.substring(1));
+  before(function (done) {
+    done = pedding(2, done);
+    registry = registry.listen(0, function () {
+      // add scope package
+      var pkg = utils.getPackage(pkgname, '0.0.1', utils.admin);
+      request(registry)
+      .put(pkgURL)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, function (err) {
+        should.not.exist(err);
+        pkg = utils.getPackage(pkgname, '0.0.2', utils.admin);
+        // publish 0.0.2
+        request(registry)
+        .put(pkgURL)
+        .set('authorization', utils.adminAuth)
+        .send(pkg)
+        .expect(201, done);
+      });
+    });
+    web = web.listen(0, done);
+  });
+
+  beforeEach(function () {
+    mm(config, 'scopes', ['@cnpm', '@cnpmtest']);
+  });
+
+  afterEach(mm.restore);
+
+  it('should show scope package info page: /@scope%2Fname', function (done) {
+    request(web)
+    .get('/package' + pkgURL)
+    .expect(200, function (err, res) {
+      should.not.exist(err);
+      var body = res.text;
+      body.should.containEql('$ cnpm install @cnpm/test-web-scope-package');
+      body.should.containEql('/@cnpm/test-web-scope-package/download/@cnpm/test-web-scope-package-0.0.2.tgz');
+      done();
+    });
+  });
+
+  it('should show scope package info page: encodeURIComponent("/@scope/name")', function (done) {
+    request(web)
+    .get('/package/' + encodeURIComponent(pkgname))
+    .expect(200, function (err, res) {
+      should.not.exist(err);
+      var body = res.text;
+      body.should.containEql('$ cnpm install @cnpm/test-web-scope-package');
+      body.should.containEql('/@cnpm/test-web-scope-package/download/@cnpm/test-web-scope-package-0.0.2.tgz');
+      done();
+    });
+  });
+
+  it('should show scope package info page: /@scope/name', function (done) {
+    request(web)
+    .get('/package/' + pkgname)
+    .expect(200, function (err, res) {
+      should.not.exist(err);
+      var body = res.text;
+      body.should.containEql('$ cnpm install @cnpm/test-web-scope-package');
+      body.should.containEql('/@cnpm/test-web-scope-package/download/@cnpm/test-web-scope-package-0.0.2.tgz');
+      done();
+    });
+  });
+
+  it('should /package/@scope/name/ 404', function (done) {
+    request(web)
+    .get('/package/' + pkgname + '/')
+    .expect(404, done);
+  });
+
+  it('should show scope package with version: /@scope/name/0.0.2', function (done) {
+    request(web)
+    .get('/package/' + pkgname + '/0.0.2')
+    .expect(200, function (err, res) {
+      should.not.exist(err);
+      var body = res.text;
+      body.should.containEql('$ cnpm install @cnpm/test-web-scope-package');
+      body.should.containEql('/@cnpm/test-web-scope-package/download/@cnpm/test-web-scope-package-0.0.2.tgz');
+      done();
+    });
+  });
+
+  it('should /@scope/name redirect to /package/@scope/name', function (done) {
+    request(web)
+    .get('/' + pkgname)
+    .expect('Location', '/package/' + pkgname)
+    .expect(302, done);
+  });
+
+  describe('support adapt scope', function () {
+    before(function (done) {
+      var pkg = utils.getPackage('test-default-web-scope-package', '0.0.1', utils.admin);
+      request(registry)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, done);
+    });
+
+    it('should adapt /@cnpm/test-default-web-scope-package => /test-default-web-scope-package', function (done) {
+      mm(config, 'adaptScope', true);
+      request(web)
+      .get('/package/@cnpm/test-default-web-scope-package')
+      .expect(200, function (err, res) {
+        should.not.exist(err);
+        var body = res.text;
+        body.should.containEql('@cnpm/test-default-web-scope-package');
+        body.should.containEql('/test-default-web-scope-package/download/test-default-web-scope-package-0.0.1.tgz');
+        done();
+      });
+    });
+
+    it('should not adapt /@cnpm123/test-default-web-scope-package', function (done) {
+      mm(config, 'adaptScope', true);
+      request(web)
+      .get('/package/@cnpm123/test-default-web-scope-package')
+      .expect(404, done);
+    });
+
+    it('should not adapt', function (done) {
+      mm(config, 'adaptScope', false);
+      request(web)
+      .get('/package/@cnpm/test-default-web-scope-package')
+      .expect(404, done);
+    });
+
+    it('should 404 when pkg not exists', function (done) {
+      mm(config, 'adaptScope', true);
+      request(web)
+      .get('/package/@cnpm/test-default-web-scope-package-not-exists')
+      .expect(404, done);
+    });
+
+    it('should 404 when pkg is not private package', function (done) {
+      var getByTag = Module.getByTag;
+      mm(Module, 'getByTag', function* (name, tag) {
+        var pkg = yield getByTag.call(Module, name, tag);
+        pkg && delete pkg.package._publish_on_cnpm;
+        return pkg;
+      });
+      mm(config, 'adaptScope', true);
+      request(web)
+      .get('/package/@cnpm/test-default-web-scope-package')
+      .expect(404, done);
+    });
+  });
+});
--- a/test/controllers/web/user.test.js
+++ b/test/controllers/web/user.test.js
@@ -20,10 +20,7 @@ var app = require('../../../servers/web');

 describe('controllers/web/user.test.js', function () {
  before(function (done) {
-    app.listen(0, done);
-  });
-  after(function (done) {
-    app.close(done);
+    app = app.listen(0, done);
  });

  describe('GET /~:name', function (done) {
@@ -33,7 +30,7 @@ describe('controllers/web/user.test.js', function () {
      .expect(200)
      .expect('content-type', 'text/html; charset=utf-8')
      .expect(/<div id="profile">/)
-      .expect(/Packages by /, done);
+      .expect(/Packages by/, done);
    });

    it('should get 404', function (done) {
--- a/test/fixtures/scope-package/.gitignore
+++ b/test/fixtures/scope-package/.gitignore
@@ -0,0 +1,16 @@
+coverage.html
+*.seed
+*.log
+*.csv
+*.dat
+*.out
+*.pid
+*.gz
+
+pids
+logs
+results
+
+node_modules
+npm-debug.log
+coverage/
--- a/test/fixtures/scope-package/.jshintignore
+++ b/test/fixtures/scope-package/.jshintignore
@@ -0,0 +1,4 @@
+node_modules/
+coverage/
+.tmp/
+.git/
--- a/test/fixtures/scope-package/.jshintrc
+++ b/test/fixtures/scope-package/.jshintrc
@@ -0,0 +1,95 @@
+{
+    // JSHint Default Configuration File (as on JSHint website)
+    // See http://jshint.com/docs/ for more details
+
+    "maxerr"        : 50,       // {int} Maximum error before stopping
+
+    // Enforcing
+    "bitwise"       : true,     // true: Prohibit bitwise operators (&, |, ^, etc.)
+    "camelcase"     : false,    // true: Identifiers must be in camelCase
+    "curly"         : true,     // true: Require {} for every new block or scope
+    "eqeqeq"        : true,     // true: Require triple equals (===) for comparison
+    "forin"         : false,    // true: Require filtering for..in loops with obj.hasOwnProperty()
+    "immed"         : false,    // true: Require immediate invocations to be wrapped in parens e.g. `(function () { } ());`
+    "indent"        : false,    // {int} Number of spaces to use for indentation
+    "latedef"       : false,    // true: Require variables/functions to be defined before being used
+    "newcap"        : false,    // true: Require capitalization of all constructor functions e.g. `new F()`
+    "noarg"         : true,     // true: Prohibit use of `arguments.caller` and `arguments.callee`
+    "noempty"       : true,     // true: Prohibit use of empty blocks
+    "nonew"         : false,    // true: Prohibit use of constructors for side-effects (without assignment)
+    "plusplus"      : false,    // true: Prohibit use of `++` & `--`
+    "quotmark"      : false,    // Quotation mark consistency:
+                                //   false    : do nothing (default)
+                                //   true     : ensure whatever is used is consistent
+                                //   "single" : require single quotes
+                                //   "double" : require double quotes
+    "undef"         : true,     // true: Require all non-global variables to be declared (prevents global leaks)
+    "unused"        : false,    // true: Require all defined variables be used
+    "strict"        : true,     // true: Requires all functions run in ES5 Strict Mode
+    "trailing"      : false,    // true: Prohibit trailing whitespaces
+    "maxparams"     : false,    // {int} Max number of formal params allowed per function
+    "maxdepth"      : false,    // {int} Max depth of nested blocks (within functions)
+    "maxstatements" : false,    // {int} Max number statements per function
+    "maxcomplexity" : false,    // {int} Max cyclomatic complexity per function
+    "maxlen"        : false,    // {int} Max number of characters per line
+
+    // Relaxing
+    "asi"           : false,     // true: Tolerate Automatic Semicolon Insertion (no semicolons)
+    "boss"          : true,      // true: Tolerate assignments where comparisons would be expected
+    "debug"         : false,     // true: Allow debugger statements e.g. browser breakpoints.
+    "eqnull"        : false,     // true: Tolerate use of `== null`
+    "es5"           : false,     // true: Allow ES5 syntax (ex: getters and setters)
+    "esnext"        : true,      // true: Allow ES.next (ES6) syntax (ex: `const`)
+    "moz"           : false,     // true: Allow Mozilla specific syntax (extends and overrides esnext features)
+                                 // (ex: `for each`, multiple try/catch, function expression…)
+    "evil"          : false,     // true: Tolerate use of `eval` and `new Function()`
+    "expr"          : true,      // true: Tolerate `ExpressionStatement` as Programs
+    "funcscope"     : false,     // true: Tolerate defining variables inside control statements"
+    "globalstrict"  : false,     // true: Allow global "use strict" (also enables 'strict')
+    "iterator"      : false,     // true: Tolerate using the `__iterator__` property
+    "lastsemic"     : false,     // true: Tolerate omitting a semicolon for the last statement of a 1-line block
+    "laxbreak"      : true,      // true: Tolerate possibly unsafe line breakings
+    "laxcomma"      : false,     // true: Tolerate comma-first style coding
+    "loopfunc"      : false,     // true: Tolerate functions being defined in loops
+    "multistr"      : true,      // true: Tolerate multi-line strings
+    "proto"         : false,     // true: Tolerate using the `__proto__` property
+    "scripturl"     : false,     // true: Tolerate script-targeted URLs
+    "smarttabs"     : false,     // true: Tolerate mixed tabs/spaces when used for alignment
+    "shadow"        : true,      // true: Allows re-define variables later in code e.g. `var x=1; x=2;`
+    "sub"           : false,     // true: Tolerate using `[]` notation when it can still be expressed in dot notation
+    "supernew"      : false,     // true: Tolerate `new function () { ... };` and `new Object;`
+    "validthis"     : false,     // true: Tolerate using this in a non-constructor function
+
+    // Environments
+    "browser"       : true,     // Web Browser (window, document, etc)
+    "couch"         : false,    // CouchDB
+    "devel"         : true,     // Development/debugging (alert, confirm, etc)
+    "dojo"          : false,    // Dojo Toolkit
+    "jquery"        : false,    // jQuery
+    "mootools"      : false,    // MooTools
+    "node"          : true,     // Node.js
+    "nonstandard"   : false,    // Widely adopted globals (escape, unescape, etc)
+    "prototypejs"   : false,    // Prototype and Scriptaculous
+    "rhino"         : false,    // Rhino
+    "worker"        : false,    // Web Workers
+    "wsh"           : false,    // Windows Scripting Host
+    "yui"           : false,    // Yahoo User Interface
+    "noyield"       : true,     // allow generators without a yield
+
+    // Legacy
+    "nomen"         : false,    // true: Prohibit dangling `_` in variables
+    "onevar"        : false,    // true: Allow only one `var` statement per function
+    "passfail"      : false,    // true: Stop on first error
+    "white"         : false,    // true: Check against strict whitespace and indentation rules
+
+    // Custom Globals
+    "globals"       : {         // additional predefined global variables
+      // mocha
+      "describe": true,
+      "it": true,
+      "before": true,
+      "afterEach": true,
+      "beforeEach": true,
+      "after": true
+    }
+}
--- a/test/fixtures/scope-package/.npmignore
+++ b/test/fixtures/scope-package/.npmignore
@@ -0,0 +1,8 @@
+test/
+Makefile
+.travis.yml
+logo.png
+.jshintignore
+.jshintrc
+.gitingore
+coverage/
--- a/test/fixtures/scope-package/.travis.yml
+++ b/test/fixtures/scope-package/.travis.yml
@@ -0,0 +1,6 @@
+language: node_js
+node_js:
+  - '0.11'
+  - '0.10'
+script: "make test-travis"
+after_script: "npm install coveralls@2 && cat ./coverage/lcov.info | coveralls"
--- a/test/fixtures/scope-package/AUTHORS
+++ b/test/fixtures/scope-package/AUTHORS
--- a/test/fixtures/scope-package/LICENSE.txt
+++ b/test/fixtures/scope-package/LICENSE.txt
@@ -0,0 +1,21 @@
+This software is licensed under the MIT License.
+
+Copyright (c) 2014 fengmk2 <fengmk2@gmail.com> and other contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
--- a/test/fixtures/scope-package/Makefile
+++ b/test/fixtures/scope-package/Makefile
@@ -0,0 +1,51 @@
+TESTS = test/*.test.js
+REPORTER = spec
+TIMEOUT = 1000
+MOCHA_OPTS =
+
+install:
+	@npm install --registry=https://registry.npm.taobao.org --disturl=https://npm.taobao.org/dist
+
+jshint: install
+	@./node_modules/.bin/jshint .
+
+test: install
+	@NODE_ENV=test ./node_modules/.bin/mocha \
+		--harmony \
+		--reporter $(REPORTER) \
+		--timeout $(TIMEOUT) \
+		$(MOCHA_OPTS) \
+		$(TESTS)
+
+test-cov cov: install
+	@NODE_ENV=test node --harmony \
+		node_modules/.bin/istanbul cover --preserve-comments \
+		./node_modules/.bin/_mocha \
+		-- \
+		--reporter $(REPORTER) \
+		--timeout $(TIMEOUT) \
+		$(MOCHA_OPTS) \
+		$(TESTS)
+	@./node_modules/.bin/cov coverage
+
+test-travis: install
+	@NODE_ENV=test node --harmony \
+		node_modules/.bin/istanbul cover --preserve-comments \
+		./node_modules/.bin/_mocha \
+		--report lcovonly \
+		-- \
+		--reporter dot \
+		--timeout $(TIMEOUT) \
+		$(MOCHA_OPTS) \
+		$(TESTS)
+
+test-all: install jshint test cov
+
+autod: install
+	@./node_modules/.bin/autod -w --prefix "~"
+	@$(MAKE) install
+
+contributors: install
+	@./node_modules/.bin/contributors -f plain -o AUTHORS
+
+.PHONY: test
--- a/test/fixtures/scope-package/README.md
+++ b/test/fixtures/scope-package/README.md
@@ -0,0 +1,64 @@
+scope-package
+=======
+
+[![NPM version][npm-image]][npm-url]
+[![build status][travis-image]][travis-url]
+[![Test coverage][coveralls-image]][coveralls-url]
+[![Gittip][gittip-image]][gittip-url]
+[![David deps][david-image]][david-url]
+
+[npm-image]: https://img.shields.io/npm/v/scope-package.svg?style=flat
+[npm-url]: https://npmjs.org/package/scope-package
+[travis-image]: https://img.shields.io/travis/node-modules/scope-package.svg?style=flat
+[travis-url]: https://travis-ci.org/node-modules/scope-package
+[coveralls-image]: https://img.shields.io/coveralls/node-modules/scope-package.svg?style=flat
+[coveralls-url]: https://coveralls.io/r/node-modules/scope-package?branch=master
+[gittip-image]: https://img.shields.io/gittip/fengmk2.svg?style=flat
+[gittip-url]: https://www.gittip.com/fengmk2/
+[david-image]: https://img.shields.io/david/node-modules/scope-package.svg?style=flat
+[david-url]: https://david-dm.org/node-modules/scope-package
+
+![logo](https://raw.github.com/node-modules/scope-package/master/logo.png)
+
+scope-package desc
+
+## Install
+
+```bash
+$ npm install scope-package
+```
+
+## Usage
+
+```js
+var scope-package = require('scope-package');
+
+scope-package.foo(function (err) {
+
+});
+```
+
+## License
+
+(The MIT License)
+
+Copyright (c) 2014 fengmk2 &lt;fengmk2@gmail.com&gt; and other contributors
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/test/fixtures/scope-package/index.js
+++ b/test/fixtures/scope-package/index.js
@@ -0,0 +1 @@
+module.exports = require('./lib/scope-package');
--- a/test/fixtures/scope-package/lib/scope-package.js
+++ b/test/fixtures/scope-package/lib/scope-package.js
@@ -0,0 +1,17 @@
+/**!
+ * scope-package - lib/scope-package.js
+ *
+ * Copyright(c) 2014 fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+"use strict";
+
+/**
+ * Module dependencies.
+ */
+
+var varname = require('modulename');
--- a/test/fixtures/scope-package/package.json
+++ b/test/fixtures/scope-package/package.json
@@ -0,0 +1,44 @@
+{
+  "name": "@cnpm/scope-package",
+  "version": "0.0.1",
+  "description": "scope-package",
+  "main": "index.js",
+  "scripts": {
+    "test": "make test-all"
+  },
+  "config": {
+    "cov": {
+      "threshold": 100
+    }
+  },
+  "dependencies": {
+
+  },
+  "devDependencies": {
+    "autod": "*",
+    "contributors": "*",
+    "should": "*",
+    "jshint": "*",
+    "cov": "*",
+    "istanbul-harmony": "*",
+    "mocha": "*"
+  },
+  "homepage": "https://github.com/node-modules/scope-package",
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/node-modules/scope-package.git",
+    "web": "https://github.com/node-modules/scope-package"
+  },
+  "bugs": {
+    "url": "https://github.com/node-modules/scope-package/issues",
+    "email": "fengmk2@gmail.com"
+  },
+  "keywords": [
+    "scope-package"
+  ],
+  "engines": {
+    "node": ">= 0.10.0"
+  },
+  "author": "fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)",
+  "license": "MIT"
+}
--- a/test/init.js
+++ b/test/init.js
@@ -20,6 +20,7 @@ var User = require('../proxy/user');

 var usernames = [
  'cnpmjstest101',
+  'cnpmjstest102',
  'cnpmjstest10'
 ];

--- a/test/middleware/auth.test.js
+++ b/test/middleware/auth.test.js
@@ -20,6 +20,8 @@ var request = require('supertest');
 var app = require('../../servers/registry');
 var mm = require('mm');
 var mysql = require('../../common/mysql');
+var config = require('../../config');
+var UserService = require('../../services/user');

 describe('middleware/auth.test.js', function () {
  before(function (done) {
@@ -60,5 +62,29 @@ describe('middleware/auth.test.js', function () {
      .set('authorization', 'basic ' + new Buffer('cnpmjstest10:cnpmjstest10').toString('base64'))
      .expect(500, done);
    });
+
+    describe('config.customUserService = true', function () {
+      beforeEach(function () {
+        mm(config, 'customUserService', true);
+      });
+
+      it('should 401 when user service auth throw error', function (done) {
+        mm(UserService, 'auth', function* () {
+          var err = new Error('mock user service auth error, please visit http://ooxx.net/user to sigup first');
+          err.name = 'UserSeriveAuthError';
+          err.status = 401;
+          throw err;
+        });
+
+        request(app)
+        .put('/-/user/org.couchdb.user:cnpmjstest10')
+        .set('authorization', 'basic ' + new Buffer('cnpmjstest10:cnpmjstest10').toString('base64'))
+        .expect({
+          error: 'UserSeriveAuthError',
+          reason: 'mock user service auth error, please visit http://ooxx.net/user to sigup first'
+        })
+        .expect(401, done);
+      });
+    });
  });
 });
--- a/test/middleware/static.test.js
+++ b/test/middleware/static.test.js
@@ -0,0 +1,60 @@
+/**!
+ * cnpmjs.org - test/middleware/static.test.js
+ *
+ * Copyright(c) cnpmjs.org and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *  fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var request = require('supertest');
+var registry = require('../../servers/registry');
+var web = require('../../servers/registry');
+
+describe('middleware/static.test.js', function () {
+  before(function (done) {
+    registry = registry.listen(0, function () {
+      web = web.listen(0, done);
+    });
+  });
+
+  describe('registry', function () {
+    it('should /favicon.ico rewrite to /favicon.png', function (done) {
+      request(registry)
+      .get('/favicon.ico')
+      // .expect('content-type', 'image/png')
+      .expect(200, done);
+    });
+
+    it('should 200 /favicon.png', function (done) {
+      request(registry)
+      .get('/favicon.png')
+      .expect('content-type', 'image/png')
+      .expect(200, done);
+    });
+  });
+
+  describe('web', function () {
+    it('should /favicon.ico rewrite to /favicon.png', function (done) {
+      request(registry)
+      .get('/favicon.ico')
+      // .expect('content-type', 'image/png')
+      .expect(200, done);
+    });
+
+    it('should 200 /favicon.png', function (done) {
+      request(registry)
+      .get('/favicon.png')
+      .expect('content-type', 'image/png')
+      .expect(200, done);
+    });
+  });
+});
--- a/test/middleware/web_not_found.test.js
+++ b/test/middleware/web_not_found.test.js
@@ -16,15 +16,22 @@

 var should = require('should');
 var request = require('supertest');
+var utils = require('../utils');
 var app = require('../../servers/web');
+var registry = require('../../servers/registry');

 describe('middleware/web_not_found.test.js', function () {
  before(function (done) {
-    app.listen(0, done);
-  });
+    // make sure mk2testmodule exists
+    var baseauth = 'Basic ' + new Buffer('cnpmjstest10:cnpmjstest10').toString('base64');
+    // name: mk2testmodule
+    var pkg = utils.getPackage('mk2testmodule');

-  after(function (done) {
-    app.close(done);
+    request(registry)
+    .put('/' + pkg.name)
+    .set('authorization', utils.adminAuth)
+    .send(pkg)
+    .end(done);
  });

  describe('web_not_found()', function () {
--- a/test/proxy/dist.test.js
+++ b/test/proxy/dist.test.js
@@ -0,0 +1,52 @@
+/**!
+ * cnpmjs.org - test/proxy/dist.test.js
+ *
+ * Copyright(c) cnpmjs.org and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *  fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var Dist = require('../../proxy/dist');
+
+describe('proxy/dist.test.js', function () {
+  describe('savefile() and getfile', function () {
+    it('should save and get /npm-versions.txt', function* () {
+      var info = {
+        name: 'npm-versions.txt',
+        parent: '/',
+        date: '15-Sep-2011 23:48',
+        size: 1676,
+        url: 'http://cnpmjs.org/dist/npm-versions.txt',
+        sha1: '104731881047318810473188'
+      };
+      yield* Dist.savefile(info);
+      var got = yield* Dist.getfile('/npm-versions.txt');
+      should.exist(got);
+      got.should.eql(info);
+    });
+
+    it('should save and get /v1.0.0/npm-versions.txt', function* () {
+      var info = {
+        name: 'npm-versions.txt',
+        parent: '/v1.0.0/',
+        date: '15-Sep-2011 23:48',
+        size: 1676,
+        url: 'http://cnpmjs.org/dist/v1.0.0/npm-versions.txt',
+        sha1: '104731881047318810473188'
+      };
+      yield* Dist.savefile(info);
+      var got = yield* Dist.getfile('/v1.0.0/npm-versions.txt');
+      should.exist(got);
+      got.should.eql(info);
+    });
+  });
+});
--- a/test/proxy/module.test.js
+++ b/test/proxy/module.test.js
@@ -20,6 +20,7 @@ var fs = require('fs');
 var path = require('path');
 var mysql = require('../../common/mysql');
 var Module = require('../../proxy/module');
+var config = require('../../config');

 var fixtures = path.join(path.dirname(__dirname), 'fixtures');

@@ -167,4 +168,32 @@ describe('proxy/module.test.js', function () {
      });
    });
  });
+
+  describe('removeTagsByNames()', function () {
+    it('should work', function* () {
+      yield* Module.removeTagsByNames('foo', ['latest', '1.0']);
+    });
+  });
+
+  describe('listPrivates()', function () {
+    it('should response [] if scopes not present', function* () {
+      mm(config, 'scopes', []);
+      var modules = yield Module.listPrivates();
+      modules.should.eql([]);
+    });
+
+    it('should response [] if private modules not present', function* () {
+      mm(config, 'privatePackages', []);
+      mm(config, 'scopes', ['@not-exist']);
+      var modules = yield Module.listPrivates();
+      modules.should.eql([]);
+    });
+
+    it('should work', function* () {
+      var modules = yield Module.listPrivates();
+      modules.forEach(function (m) {
+        m.should.have.keys(['name', 'description']);
+      })
+    });
+  });
 });
--- a/test/proxy/module_maintainer.test.js
+++ b/test/proxy/module_maintainer.test.js
@@ -0,0 +1,69 @@
+/**!
+ * cnpmjs.org - test/proxy/module_maintainer.test.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var ModuleMaintainer = require('../../proxy/module_maintainer');
+
+describe('proxy/module_maintainer.test.js', function () {
+  describe('update()', function () {
+    it('should update one maintainer', function* () {
+      var rs = yield* ModuleMaintainer.update('testfoo', ['fengmk2']);
+      rs.should.eql({
+        add: ['fengmk2'],
+        remove: []
+      });
+      // again should be fine
+      var rs = yield* ModuleMaintainer.update('testfoo', ['fengmk2']);
+      rs.should.eql({
+        add: ['fengmk2'],
+        remove: []
+      });
+      // remove the exists
+      var rs = yield* ModuleMaintainer.update('testfoo', ['fengmk2-1', 'foobar']);
+      rs.should.eql({
+        add: ['fengmk2-1', 'foobar'],
+        remove: ['fengmk2']
+      });
+    });
+
+    it('should update multi maintainers', function* () {
+      var rs = yield* ModuleMaintainer.update('testfoo2', ['fengmk2', 'ok', 'foobar']);
+      rs.should.eql({
+        add: ['fengmk2', 'ok', 'foobar'],
+        remove: []
+      });
+      // remove exists
+      var rs = yield* ModuleMaintainer.update('testfoo2', ['fengmk2']);
+      rs.should.eql({
+        add: ['fengmk2'],
+        remove: ['ok', 'foobar']
+      });
+      var rs = yield* ModuleMaintainer.update('testfoo3', ['fengmk2', 'ok', 'foobar']);
+      rs.should.eql({
+        add: ['fengmk2', 'ok', 'foobar'],
+        remove: []
+      });
+    });
+
+    it('should add empty maintainers do nothing', function* () {
+      var rs = yield* ModuleMaintainer.update('tesfoobar', []);
+      rs.should.eql({
+        add: [],
+        remove: []
+      });
+    });
+  });
+});
--- a/test/proxy/sync_module_worker.test.js
+++ b/test/proxy/sync_module_worker.test.js
@@ -63,4 +63,31 @@ describe('proxy/sync_module_worker.test.js', function () {
    worker.start();
    worker.on('end', done);
  });
+
+  it('should sync unpublished module by name', function* () {
+    var result = yield* SyncModuleWorker.sync('tnpm', 'fengmk2');
+    result.ok.should.equal(true);
+    result.should.have.property('logId');
+  });
+
+  it('should not sync not exists module', function* () {
+    var result = yield* SyncModuleWorker.sync('tnpm-not-exists', 'fengmk2');
+    result.ok.should.equal(false);
+    result.should.not.have.property('logId');
+  });
+
+  it('should sync unpublished info', function (done) {
+    var worker = new SyncModuleWorker({
+      name: ['tnpm'],
+      username: 'fengmk2'
+    });
+
+    worker.start();
+    worker.on('end', function () {
+      var names = worker.successes.concat(worker.fails);
+      names.sort();
+      names.should.eql(['tnpm']);
+      done();
+    });
+  });
 });
--- a/test/proxy/user.test.js
+++ b/test/proxy/user.test.js
@@ -51,59 +51,51 @@ describe('proxy/user.test.js', function () {

  describe('get()', function () {
    before(initUser);
-    it('should get user ok', function (done) {
-      user.get('mockuser', function (err, data) {
-        should.not.exist(err);
-        data.should.have.keys('id', 'rev', 'name', 'email', 'salt',
-          'json', 'npm_user',
-          'password_sha', 'ip', 'roles', 'gmt_create', 'gmt_modified');
-        done();
-      });
+    it('should get user ok', function* () {
+      var data = yield* user.get('mockuser');
+      data.should.have.keys('id', 'rev', 'name', 'email', 'salt',
+        'json', 'npm_user',
+        'password_sha', 'ip', 'roles', 'gmt_create', 'gmt_modified');
    });

-    it('should get error when mysql error', function (done) {
+    it('should get error when mysql error', function* () {
      mm.error(mysql, 'query', 'mock error');
-      user.get('mockuser', function (err) {
+      try {
+        yield* user.get('mockuser');
+        new Error('should not run this');
+      } catch (err) {
        err.message.should.equal('mock error');
-        done();
-      });
+      }
    });
  });

  describe('auth()', function () {
    before(initUser);
-    it('should auth user ok', function (done) {
-      user.auth(mockUser.name, mockUser.password, function (err, data) {
-        should.not.exist(err);
-        data.should.have.keys('id', 'rev', 'name', 'email', 'salt',
-          'json', 'npm_user',
-          'password_sha', 'ip', 'roles', 'gmt_create', 'gmt_modified');
-        done();
-      });
+    it('should auth user ok', function* () {
+      var data = yield* user.auth(mockUser.name, mockUser.password);
+      data.should.have.keys('id', 'rev', 'name', 'email', 'salt',
+        'json', 'npm_user',
+        'password_sha', 'ip', 'roles', 'gmt_create', 'gmt_modified');
    });

-    it('should auth user fail when user not exist', function (done) {
-      user.auth('notexistmockuser', '123', function (err, data) {
-        should.not.exist(err);
-        should.not.exist(data);
-        done();
-      });
+    it('should auth user fail when user not exist', function* () {
+      var data = yield* user.auth('notexistmockuser', '123');
+      should.not.exist(data);
    });

-    it('should auth fail when password error', function (done) {
-      user.auth(mockUser.name, '123', function (err, data) {
-        should.not.exist(err);
-        should.not.exist(data);
-        done();
-      });
+    it('should auth fail when password error', function* () {
+      var data = yield* user.auth(mockUser.name, '123');
+      should.not.exist(data);
    });

-    it('should auth error when mysql error', function (done) {
+    it('should auth error when mysql error', function* () {
      mm.error(mysql, 'query', 'mock error');
-      user.auth(mockUser.name, '123', function (err, data) {
+      try {
+        yield* user.auth(mockUser.name, '123');
+        new Error('should not run this');
+      } catch (err) {
        err.message.should.equal('mock error');
-        done();
-      });
+      }
    });
  });

--- a/test/services/default_user_service.test.js
+++ b/test/services/default_user_service.test.js
@@ -0,0 +1,151 @@
+/**!
+ * cnpmjs.org - test/services/default_user_service.test.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var mm = require('mm');
+var npm = require('../../proxy/npm');
+var User = require('../../proxy/user');
+var DefaultUserService = require('../../services/default_user_service');
+var config = require('../../config');
+
+describe('services/default_user_service.test.js', function () {
+  var userService = new DefaultUserService();
+
+  before(function* () {
+    var user = yield* npm.getUser('fengmk2');
+    if (!user) {
+      return;
+    }
+    user.fullname = 'Yuan Feng';
+    yield* User.saveNpmUser(user);
+  });
+
+  beforeEach(function () {
+    mm(config, 'scopes', ['@cnpm', '@cnpmtest']);
+  });
+  afterEach(mm.restore);
+
+  describe('auth()', function () {
+    it('should return user when auth success', function* () {
+      var user = yield* userService.auth('cnpmjstest10', 'cnpmjstest10');
+      should.exist(user);
+      user.should.eql({
+        login: 'cnpmjstest10',
+        email: 'fengmk2@gmail.com',
+        name: 'cnpmjstest10',
+        html_url: 'http://cnpmjs.org/~cnpmjstest10',
+        avatar_url: 'https://secure.gravatar.com/avatar/95b9d41231617a05ced5604d242c9670?s=50&d=retro',
+        im_url: '',
+        site_admin: true,
+        scopes: ['@cnpm', '@cnpmtest'],
+      });
+    });
+
+    it('should return null when auth fail', function* () {
+      var user = yield* userService.auth('cnpmjstest10', 'wrong');
+      should.not.exist(user);
+    });
+  });
+
+  describe('get()', function () {
+    it('should get a cnpm admin user by login name', function* () {
+      var user = yield* userService.get('cnpmjstest10');
+      should.exist(user);
+      user.should.eql({
+        login: 'cnpmjstest10',
+        email: 'fengmk2@gmail.com',
+        name: 'cnpmjstest10',
+        html_url: 'http://cnpmjs.org/~cnpmjstest10',
+        avatar_url: 'https://secure.gravatar.com/avatar/95b9d41231617a05ced5604d242c9670?s=50&d=retro',
+        im_url: '',
+        site_admin: true,
+        scopes: ['@cnpm', '@cnpmtest'],
+      });
+    });
+
+    it('should get a cnpm normal user by login name', function* () {
+      var user = yield* userService.get('cnpmjstest101');
+      should.exist(user);
+      user.should.eql({
+        login: 'cnpmjstest101',
+        email: 'fengmk2@gmail.com',
+        name: 'cnpmjstest101',
+        html_url: 'http://cnpmjs.org/~cnpmjstest101',
+        avatar_url: 'https://secure.gravatar.com/avatar/95b9d41231617a05ced5604d242c9670?s=50&d=retro',
+        im_url: '',
+        site_admin: false,
+        scopes: ['@cnpm', '@cnpmtest'],
+      });
+    });
+
+    it('should get a npm sync user by login name', function* () {
+      var user = yield* userService.get('fengmk2');
+      should.exist(user);
+      user.should.eql({
+        login: 'fengmk2',
+        email: 'fengmk2@gmail.com',
+        name: 'Yuan Feng',
+        html_url: 'http://fengmk2.github.com',
+        avatar_url: 'https://secure.gravatar.com/avatar/95b9d41231617a05ced5604d242c9670?s=50&d=retro',
+        im_url: 'https://twitter.com/fengmk2',
+        site_admin: true,
+        scopes: ['@cnpm', '@cnpmtest'],
+      });
+    });
+
+    it('should get null when user not exists', function* () {
+      var user = yield* userService.get('not-exists');
+      should.not.exist(user);
+    });
+  });
+
+  describe('list()', function () {
+    it('should return all exists users', function* () {
+      var users = yield* userService.list(['cnpmjstest10', 'fengmk2', 'cnpmjstest101']);
+      users.should.length(3);
+    });
+
+    it('should return some exists users', function* () {
+      var users = yield* userService.list(['cnpmjstest10', 'fengmk2123', 'cnpmjstest101']);
+      users.should.length(2);
+    });
+
+    it('should return []', function* () {
+      var users = yield* userService.list([]);
+      users.should.length(0);
+
+      var users = yield* userService.list(['not1', 'not2']);
+      users.should.length(0);
+    });
+  });
+
+  describe('search()', function () {
+    it('should return login name matched users', function* () {
+      var users = yield* userService.search('cnpm');
+      users.length.should.above(2);
+    });
+
+    it('should return limit 1 user', function* () {
+      var users = yield* userService.search('cnpm', {limit: 1});
+      users.should.length(1);
+    });
+
+    it('should return []', function* () {
+      var users = yield* userService.search('not-cnpm');
+      users.should.length(0);
+    });
+  });
+});
--- a/test/sync.js
+++ b/test/sync.js
@@ -14,12 +14,14 @@
 * Module dependencies.
 */

+var debug = require('debug');
+debug.enable('cnpmjs.org*');
 var SyncModuleWorker = require('../proxy/sync_module_worker');
 var mysql = require('../common/mysql');
 var Log = require('../proxy/module_log');
 var config = require('../config');

-config.sourceNpmRegistry = 'http://r.cnpmjs.org';
+config.sourceNpmRegistry = 'http://registry.npmjs.org';

 var names = process.argv[2] || 'byte';
 names = names.split(',');
--- a/test/sync/sync_all.test.js
+++ b/test/sync/sync_all.test.js
@@ -25,13 +25,14 @@ describe('sync/sync_all.test.js', function () {
    afterEach(mm.restore);

    it('should sync first time ok', function *() {
-      mm.data(Npm, 'getShort', ['mk2testmodule']);
+      mm.data(Npm, 'getShort', ['mk2testmodule', 'mk2testmodule-not-exists']);
      mm.data(Total, 'getTotalInfo', {last_sync_time: 0});
      var data = yield sync;
-      data.successes.should.eql(['mk2testmodule']);
+      data.successes.should.eql(['mk2testmodule', 'mk2testmodule-not-exists']);
      mm.restore();
      var result = yield Total.getTotalInfo();
-      result.last_sync_module.should.equal('mk2testmodule');
+      should.exist(result);
+      result.last_sync_module.should.equal('mk2testmodule-not-exists');
    });

    it('should sync common ok', function *() {
--- a/test/sync/sync_dist.test.js
+++ b/test/sync/sync_dist.test.js
@@ -0,0 +1,129 @@
+/**!
+ * cnpmjs.org - test/sync/sync_dist.test.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var should = require('should');
+var mm = require('mm');
+var urllib = require('co-urllib');
+var Dist = require('../../proxy/dist');
+var distsync = require('../../sync/sync_dist');
+
+describe('sync/sync_dist.test.js', function () {
+  afterEach(mm.restore);
+
+  describe('listPhantomjsDir()', function () {
+    it('should list all phantomjs download infos', function* () {
+      var items = yield* distsync.listPhantomjsDir('/phantomjs');
+      items.length.should.above(1);
+      items.forEach(function (item) {
+        item.should.have.keys('name', 'date', 'size', 'type', 'parent', 'downloadURL');
+      });
+    });
+  });
+
+  describe('listdiff()', function () {
+    it('should got all news', function* () {
+      mm(urllib, 'request', function* () {
+        return {
+          status: 200,
+          data: '<a href="npm/">npm/</a>   06-May-2014 01:18     -\n<a href="npm-versions.txt">npm-versions.txt</a>  27-Feb-2014 00:01         1676',
+          headers: {},
+        };
+      });
+
+      mm(Dist, 'listdir', function* () {
+        return [];
+      });
+
+      var items = yield* distsync.listdiff('/');
+      items.should.eql([
+        { name: 'npm/',
+          date: '06-May-2014 01:18',
+          size: '-',
+          type: 'dir',
+          parent: '/' },
+        { name: 'npm-versions.txt',
+          date: '27-Feb-2014 00:01',
+          size: 1676,
+          type: 'file',
+          parent: '/' }
+      ]);
+    });
+
+    it('should got empty when all exists', function* () {
+      mm(urllib, 'request', function* () {
+        return {
+          status: 200,
+          data: '<a href="npm/">npm/</a>   06-May-2014 01:18     -\n<a href="npm-versions.txt">npm-versions.txt</a>  27-Feb-2014 00:01         1676',
+          headers: {},
+        };
+      });
+
+      mm(Dist, 'listdir', function* () {
+        return [
+          {
+            name: 'npm/',
+            date: '06-May-2014 01:18',
+            parent: '/'
+          },
+          {
+            name: 'npm-versions.txt',
+            date: '27-Feb-2014 00:01',
+            size: 1676,
+            parent: '/'
+          },
+        ];
+      });
+
+      var items = yield* distsync.listdiff('/');
+      items.should.length(0);
+    });
+
+    it('should got date change dir', function* () {
+      mm(urllib, 'request', function* () {
+        return {
+          status: 200,
+          data: '<a href="npm/">npm/</a>   06-May-2014 01:18     -\n<a href="npm-versions.txt">npm-versions.txt</a>  27-Feb-2014 00:01         1676',
+          headers: {},
+        };
+      });
+
+      mm(Dist, 'listdir', function* () {
+        return [
+          {
+            name: 'npm/',
+            date: '06-May-2014 01:17',
+            parent: '/'
+          },
+          {
+            name: 'npm-versions.txt',
+            date: '27-Feb-2014 00:01',
+            size: 1676,
+            parent: '/'
+          },
+        ];
+      });
+
+      var items = yield* distsync.listdiff('/');
+      items.should.eql([
+        { name: 'npm/',
+          date: '06-May-2014 01:18',
+          size: '-',
+          type: 'dir',
+          parent: '/' }
+      ]);
+    });
+  });
+});
--- a/test/sync_dist.js
+++ b/test/sync_dist.js
@@ -0,0 +1,25 @@
+/**!
+ * cnpmjs.org - test/sync_dist.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var debug = require('debug');
+debug.enable('cnpmjs.org*');
+var co = require('co');
+var syncdist = require('../sync/sync_dist');
+
+co(function* () {
+  // yield* syncdist('/v0.10.28/');
+  yield* syncdist.syncPhantomjsDir();
+})();
--- a/test/utils.js
+++ b/test/utils.js
@@ -0,0 +1,51 @@
+/**!
+ * cnpmjs.org - test/utils.js
+ *
+ * Copyright(c) fengmk2 and other contributors.
+ * MIT Licensed
+ *
+ * Authors:
+ *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var path = require('path');
+var fs = require('fs');
+
+var fixtures = path.join(__dirname, 'fixtures');
+
+var admin = exports.admin = 'cnpmjstest10';
+exports.adminAuth = 'Basic ' + new Buffer(admin + ':' + admin).toString('base64');
+
+var otherUser = exports.otherUser = 'cnpmjstest101';
+exports.otherUserAuth = 'Basic ' + new Buffer(otherUser + ':' + otherUser).toString('base64');
+
+var secondUser = exports.secondUser = 'cnpmjstest102';
+exports.secondUserAuth = 'Basic ' + new Buffer(secondUser + ':' + secondUser).toString('base64');
+
+var _pkg = fs.readFileSync(path.join(fixtures, 'package_and_tgz.json'));
+
+exports.getPackage = function (name, version, user) {
+  // name: mk2testmodule
+  name = name || 'mk2testmodule';
+  version = version || '0.0.1';
+  user = user || admin;
+
+  var pkg = JSON.parse(_pkg);
+  var versions = pkg.versions;
+  pkg.versions = {};
+  pkg.versions[version] = versions[Object.keys(versions)[0]];
+  pkg.maintainers[0].name = user;
+  pkg.versions[version].maintainers[0].name = user;
+  pkg.versions[version].name = name;
+  pkg.versions[version].version = version;
+  pkg.versions[version]._id = name + '@' + version;
+  pkg.name = name;
+  pkg['dist-tags'] = {latest: version};
+  return pkg;
+};
--- a/test/zlib_write_after_close.js
+++ b/test/zlib_write_after_close.js
@@ -0,0 +1,9 @@
+var zlib = require('zlib');
+
+var stream = zlib.createGzip();
+
+stream.write('foo');
+stream.close();
+
+// Assertion failed: (!ctx->pending_close_ && "close is pending"), function Write, file ../src/node_zlib.cc, line 150.
+stream.write('again');
--- a/view/web/404.html
+++ b/view/web/404.html
@@ -0,0 +1,5 @@
+<div class="alert alert-warning">
+  Can not found package match <%= name %>. You can
+  <a href="/sync/<%= name %>" target="_blank">SYNC</a> from official npm registry or
+  <a href="https://npmjs.org/search?q=<%= name %>" target="_blank">SEARCH</a> in official npm website.
+</div>
--- a/view/web/dist.html
+++ b/view/web/dist.html
@@ -0,0 +1,9 @@
+<h1>Mirror index of <a target="_blank" href="<%= disturl %><%= dirname %>"><%= disturl %><%= dirname %></a></h1>
+<hr>
+<pre><a href="../">../</a><% for (var i = 0; i < items.length; i++) {
+  var item = items[i];
+  var sizestr = '' + (item.size || '-');
+%>
+<a href="<%= item.name %>"><%= item.name %></a><%- padding(50, item.name.length, " ") %><%= item.date %><%- padding(20, sizestr.length, " ") %><%= sizestr %><% } %>
+</pre>
+<hr>
--- a/view/web/layout.html
+++ b/view/web/layout.html
@@ -4,12 +4,12 @@
    <meta charset="utf-8">
    <title><%- locals.title %></title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="shortcut icon" href="/public/favicon.png">
+    <link rel="shortcut icon" href="/favicon.png">
    <!-- Bootstrap -->
-    <link href="http://cdn.staticfile.org/twitter-bootstrap/3.0.0-rc2/css/bootstrap.min.css" rel="stylesheet" media="screen">
-    <link href="http://cdn.staticfile.org/prettify/r298/prettify.min.css" rel="stylesheet" media="screen">
+    <link href="//dn-staticfile.qbox.me/twitter-bootstrap/3.0.0-rc2/css/bootstrap.min.css" rel="stylesheet" media="screen">
+    <link href="//dn-staticfile.qbox.me/prettify/r298/prettify.min.css" rel="stylesheet" media="screen">
    <!-- JavaScript plugins (requires jQuery) -->
-    <script src="http://cdn.staticfile.org/jquery/2.0.3/jquery.min.js"></script>
+    <script src="//dn-staticfile.qbox.me/jquery/2.0.3/jquery.min.js"></script>
    <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="CNPM" />
    <style>
      a{color:#09f;}
@@ -72,17 +72,17 @@
        {{footer}}
      </p>
      <a href="https://github.com/cnpm/cnpmjs.org" id="fork" target="_blank">
-        <img alt="Fork me on GitHub" src="http://s3.amazonaws.com/github/ribbons/forkme_right_darkblue_121621.png">
+        <img alt="Fork me on GitHub" src="//s3.amazonaws.com/github/ribbons/forkme_right_darkblue_121621.png">
    </a>
    </div>
    </div>
    <!-- Include all compiled plugins (below), or include individual files as needed -->
-    <script src="http://cdn.staticfile.org/twitter-bootstrap/3.0.0-rc2/js/bootstrap.min.js"></script>
+    <script src="//dn-staticfile.qbox.me/twitter-bootstrap/3.0.0-rc2/js/bootstrap.min.js"></script>

    <!-- Enable responsive features in IE8 with Respond.js (https://github.com/scottjehl/Respond) -->
-    <script src="http://cdn.staticfile.org/respond.js/1.2.0/respond.min.js"></script>
+    <script src="//dn-staticfile.qbox.me/respond.js/1.2.0/respond.min.js"></script>

-    <script src="http://cdn.staticfile.org/prettify/r298/prettify.min.js"></script>
+    <script src="//dn-staticfile.qbox.me/prettify/r298/prettify.min.js"></script>

    <!-- Specific to this page -->
    <script>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
dead_horse	4dd59cb300	Release 1.0.1	2014-08-01 12:00:33 +08:00
dead_horse	5ff25474c0	Merge pull request #398 from cnpm/fix-auth hot fix auth error	2014-08-01 11:58:54 +08:00
dead_horse	6d49a859c6	hot fix auth error	2014-08-01 11:58:23 +08:00
fengmk2	63a57b906e	Release 1.0.0	2014-08-01 09:26:04 +08:00
fengmk2	a09e6b142d	Merge pull request #394 from cnpm/list-pravites add private package list	2014-08-01 08:55:11 +08:00
dead_horse	bca9341e5d	add private package list	2014-08-01 01:43:13 +08:00
fengmk2	71b0662d49	Release 0.9.2	2014-07-30 23:15:11 +08:00
fengmk2	b894c0fa2b	hotfix save custom user bug	2014-07-30 23:14:53 +08:00
fengmk2	4127fa1f07	Release 0.9.1	2014-07-30 17:20:17 +08:00
dead_horse	5ee2a6e8fd	Merge pull request #390 from cnpm/handle-user-service-auth-throw-error Handle user service auth throw custom error message	2014-07-30 10:16:24 +08:00
fengmk2	8baa34145b	Handle user service auth throw custom error message	2014-07-30 10:05:55 +08:00
fengmk2	4acb819356	Merge pull request #389 from cnpm/private-white-list Private white list	2014-07-30 08:21:43 +08:00
dead_horse	2a84e39aee	add test for config private packages	2014-07-30 00:52:44 +08:00
dead_horse	2019d72e36	add config.privatePackages	2014-07-29 23:55:42 +08:00
dead_horse	b9fa7e7f98	add more comments in config/index.js	2014-07-29 23:31:22 +08:00
fengmk2	694795e451	Release 0.9.0	2014-07-29 10:24:56 +08:00
dead_horse	fae67880a5	Merge pull request #388 from cnpm/user-service Custom user service. fixed #385	2014-07-29 10:17:08 +08:00
fengmk2	0929748cbd	listMaintainers only return name and email	2014-07-29 10:06:28 +08:00
fengmk2	a87945c6a0	remove sessions	2014-07-29 01:55:18 +08:00
fengmk2	d7345dcc76	scopes init mv to services/user.js	2014-07-29 01:51:32 +08:00
fengmk2	1a9ea8c6cf	show user more profile	2014-07-29 01:42:02 +08:00
fengmk2	8f0ada7bf8	registry show user support custom user service	2014-07-29 00:54:18 +08:00
fengmk2	ddd9c9557d	support custom user service for user auth	2014-07-29 00:11:34 +08:00
fengmk2	9b2a846865	remove session middleware	2014-07-28 09:17:42 +08:00
fengmk2	b1b238e20c	add DefaultUserService	2014-07-28 09:17:42 +08:00
fengmk2	26031a49d2	Merge pull request #383 from cnpm/issue382-limit-scope Issue382 limit scope	2014-07-28 09:15:39 +08:00
dead_horse	8bfc8ce71d	check scopes in module.getAdapt	2014-07-27 23:32:58 +08:00
dead_horse	dffae785ca	test public mode, fix some logic, close #382	2014-07-27 23:28:38 +08:00
dead_horse	078d7ddf3d	fix sync scope test	2014-07-27 23:28:38 +08:00
dead_horse	8ec082db89	move scope.js into publishable.js, add forcePublishWithScope	2014-07-27 23:28:38 +08:00
dead_horse	040b727878	config.scopes not exist, means do not support scope	2014-07-27 23:28:38 +08:00
dead_horse	02e1ba63d6	fix scope test cases	2014-07-25 09:39:33 +08:00
dead_horse	a16883618e	add test, fix middleware	2014-07-25 00:23:26 +08:00
dead_horse	7bd1c85d4e	fix adapt scope	2014-07-25 00:12:01 +08:00
dead_horse	336e6f0da8	fix debug info	2014-07-24 23:55:07 +08:00
dead_horse	d43266670e	add assert scope middleware	2014-07-24 23:54:53 +08:00
fengmk2	8fdbbf0b04	Release 0.8.7	2014-07-24 00:05:47 +08:00
fengmk2	b62a3b78fb	fix unpublished info missing maintainers cause TypeError	2014-07-24 00:05:28 +08:00
fengmk2	d6cf093844	Release 0.8.6	2014-07-23 13:07:33 +08:00
fengmk2	081f0cb4f8	show unpublished info on web package page. fixes #381	2014-07-23 13:06:20 +08:00
fengmk2	0bf18639b6	Release 0.8.5	2014-07-22 23:38:58 +08:00
dead_horse	cbe7a165b0	Merge pull request #380 from cnpm/private-package-default-scoped Only private package support default scoped. fixed #378	2014-07-22 23:14:31 +08:00
fengmk2	7cadfb4007	Only private package support default scoped. fixed #378	2014-07-22 21:55:45 +08:00
fengmk2	ec51fcf70c	Release 0.8.4	2014-07-22 13:32:47 +08:00
fengmk2	565a7d3cfe	Merge pull request #379 from cnpm/get-adapt adapt default scpoe in /@:scope/:name/:version	2014-07-22 12:51:53 +08:00
dead_horse	4ac857fba2	adapt default scpoe in /@:scope/:name/:version	2014-07-22 11:42:18 +08:00
fengmk2	af7c952d2f	Release 0.8.3	2014-07-22 10:14:12 +08:00
fengmk2	6705172d4b	hot fix download	2014-07-22 10:13:55 +08:00
fengmk2	c0295ecc77	Release 0.8.2	2014-07-22 01:00:38 +08:00
fengmk2	aaf7f04d08	fix default scope detect	2014-07-22 01:00:22 +08:00
fengmk2	beceac10dc	Release 0.8.1	2014-07-21 23:54:45 +08:00
dead_horse	fad58273b6	Merge pull request #377 from cnpm/default-scope support default @org. close #376	2014-07-21 17:16:21 +08:00
fengmk2	e0361dc1f2	add more test cases	2014-07-21 16:18:28 +08:00
fengmk2	d8c337acc5	support default @org. close #376	2014-07-21 16:13:43 +08:00
dead_horse	9d7683bd61	hotfix redis init error	2014-07-21 14:14:52 +08:00
fengmk2	994b2e47aa	Release 0.8.0	2014-07-21 13:58:24 +08:00
dead_horse	b14faad3fb	Merge pull request #375 from cnpm/scope-package support scoped package	2014-07-21 13:56:13 +08:00
fengmk2	9163f793a3	update readme show scoped packages	2014-07-21 13:53:33 +08:00
fengmk2	1c0d4fdcdc	support "scoped" packages. close #352	2014-07-21 13:51:43 +08:00
dead_horse	20fce9f55f	Merge pull request #373 from cnpm/stop-old-publish-flow Stop old publish flow	2014-07-19 01:21:22 +08:00
fengmk2	6b73a7762f	use safe jsonp	2014-07-19 01:16:30 +08:00
fengmk2	fd34e0512c	Stop support old publish flow. fix #368	2014-07-19 01:11:33 +08:00
fengmk2	a84715167e	Merge pull request #372 from cnpm/sql update SQLs	2014-07-13 07:07:59 +08:00
dead_horse	db1cb0d0f8	update SQLs	2014-07-12 23:20:55 +08:00
dead_horse	dc137f0821	bump redis	2014-07-12 14:57:23 +08:00
fengmk2	76d270fc77	Merge pull request #371 from cnpm/update-logger use sync_info and sync_error categories	2014-07-11 12:06:28 +08:00
dead_horse	b5190b56e8	use sync_info and sync_error categories	2014-07-11 10:03:41 +08:00
fengmk2	d2d238db59	add categories to loggers. fix #370	2014-07-11 09:07:48 +08:00
fengmk2	4c02d84fec	fix get latest tag always not exists bug	2014-07-11 01:04:52 +08:00
dead_horse	74585f0b8a	Merge pull request #369 from cnpm/publish-with-tag support `npm publish --tag beta`. fix #366	2014-07-10 23:47:48 +08:00
fengmk2	a6ac632e73	support `npm publish --tag beta`. fix #366	2014-07-10 23:34:25 +08:00
fengmk2	0b59547ac1	Merge pull request #365 from cnpm/logger use mini-logger and error-formater	2014-07-09 11:30:48 +08:00
dead_horse	b5929c94e0	use mini-logger and error-formater	2014-07-09 11:23:20 +08:00
fengmk2	4c96682603	Release 0.7.0	2014-07-07 12:11:12 +08:00
dead_horse	78af0fc15b	Merge pull request #364 from cnpm/maintainer Maintainer logic improve	2014-07-07 11:42:53 +08:00
fengmk2	ce381618a0	use module_maintainers on GET /pakcage/:name page	2014-07-07 10:25:06 +08:00
fengmk2	87486c484f	use new module_maintainers on GET /:name	2014-07-07 10:23:53 +08:00
fengmk2	4608712e05	admin user should never publish to other user's packages. fix #363 but admin user need have the permission to delete other's packages.	2014-07-07 01:41:03 +08:00
fengmk2	3c6576bcab	Add a new table for module-maintainers. * fix #362 update maintianers change the lastmodified. remove version and change last modified. * #363 change isMaintainer detect logic.	2014-07-07 00:56:44 +08:00
fengmk2	ba1986b931	gravatar use https	2014-07-02 00:09:56 +08:00
fengmk2	5efa508376	support https	2014-07-01 23:26:48 +08:00
dead_horse	38617d4572	bump dependencies	2014-06-30 17:31:04 +08:00
fengmk2	a9a04b370d	Release 0.6.1	2014-06-18 12:27:47 +08:00
fengmk2	ec1d924dc1	hot fix removeTagsByNames()	2014-06-17 10:41:41 +08:00
fengmk2	234d1ec4d6	fix _rev not exists	2014-06-16 15:52:56 +08:00
dead_horse	b8f4958d8f	Merge pull request #357 from cnpm/fix-sync-request sync unpublished on GET /sync/:name	2014-06-16 15:23:22 +08:00
fengmk2	e56a21e890	sync unpublished on GET /sync/:name	2014-06-16 15:21:53 +08:00
fengmk2	e3434a58c5	Release 0.6.0	2014-06-16 15:06:17 +08:00
dead_horse	cd9d38aadb	Merge pull request #356 from cnpm/unpublished sync unpublished info. close #353	2014-06-16 13:50:05 +08:00
fengmk2	0ff22ccc60	sync unpublished info. close #353	2014-06-16 10:54:02 +08:00
dead_horse	e4cfb13383	Merge pull request #354 from cnpm/delete-not-exists-versions Delete not exists versions on sync worker. #353	2014-06-16 09:39:58 +08:00
fengmk2	23ad3a29b4	Delete not exists versions on sync worker. #353	2014-06-15 00:57:18 +08:00
dead_horse	f11b4e9954	Release 0.5.3	2014-06-13 18:08:12 +08:00
dead_horse	6e775eed47	fix sync response 204	2014-06-13 18:05:09 +08:00
dead_horse	ca6841c042	add links in History.md	2014-06-08 00:59:54 +08:00
dead_horse	652b900fc4	bump koa	2014-06-08 00:59:22 +08:00
dead_horse	43379cc66d	fix test-cov	2014-06-04 17:37:19 +08:00
dead_horse	8f9b3db029	bump koa and should	2014-06-04 17:29:52 +08:00
fengmk2	884b75f6a3	Release 0.5.2	2014-06-04 15:41:01 +08:00
dead_horse	a958ee40c4	Merge pull request #350 from cnpm/hotfix sync hotfix	2014-06-04 15:39:05 +08:00
fengmk2	1a01909750	sync hotfix	2014-06-04 15:35:50 +08:00
dead_horse	6901a5c994	Merge pull request #349 from cnpm/dist-sync-phantomjs sync phantomjs downloads pkg. close #348	2014-06-04 15:12:31 +08:00
fengmk2	33b13dc30e	sync phantomjs downloads pkg. close #348	2014-06-04 14:35:20 +08:00
fengmk2	73d9d2c3d0	Merge pull request #347 from cnpm/issue346-restart-syncer add restart, fixed #346	2014-06-04 12:39:34 +08:00
dead_horse	8b955adb42	add restart, fixed #346	2014-06-04 10:57:50 +08:00
fengmk2	1f219cbd1b	Release 0.5.1	2014-05-28 09:18:15 +08:00
dead_horse	17025d42b4	Merge pull request #344 from cnpm/list-since-from-tag fix attack on /-/all/since?stale=update_after&startkey=2 close #336	2014-05-28 09:09:43 +08:00
fengmk2	922f26b052	fix attack on /-/all/since?stale=update_after&startkey=2 close #336 Also add modified_time key to tag	2014-05-28 00:19:26 +08:00
dead_horse	9371685188	bump thunkify-wrap	2014-05-26 21:44:51 +08:00
dead_horse	ad0b66c7e5	bump koa-middlewares	2014-05-25 01:03:19 +08:00
dead_horse	5588880ec0	remove outputError	2014-05-25 00:44:26 +08:00
dead_horse	9ad72cbdcb	bump dependencies	2014-05-25 00:43:16 +08:00
dead_horse	4d033471fc	use svg badge	2014-05-25 00:36:58 +08:00
fengmk2	590b7f7eee	Merge pull request #340 from cnpm/404-page add package/notfound page	2014-05-19 19:26:34 +08:00
dead_horse	0ce817f9f3	add package/notfound page	2014-05-19 19:16:15 +08:00
fengmk2	59af2bfd56	add dist mirror link to home page	2014-05-13 09:37:46 +08:00
fengmk2	a83f6bb183	fix sync listdiff and add more test cases	2014-05-13 09:28:54 +08:00
fengmk2	b6f1531743	Release 0.5.0	2014-05-13 08:32:51 +08:00
dead_horse	42d0b538ca	Merge pull request #337 from cnpm/dist-sync Dist sync	2014-05-12 23:48:52 +08:00
fengmk2	a240eb9922	filter /nightlies/*	2014-05-12 17:32:06 +08:00
fengmk2	6853b73fb2	use koa setter instead of set()	2014-05-12 17:09:51 +08:00
fengmk2	a887acec05	update co-urllib	2014-05-12 10:19:19 +08:00
fengmk2	1d3f0f0ad3	add more info on error email	2014-05-12 10:03:01 +08:00
fengmk2	20e04065df	add sync dist to sync/index.js	2014-05-12 07:38:48 +08:00
fengmk2	1cee298bc3	show dist page	2014-05-11 20:56:40 +08:00
fengmk2	854bc6c9d8	sync dist file and save it to database	2014-05-10 18:59:13 +08:00
fengmk2	b70c1c421a	disable gzip before #335 has fix	2014-05-04 20:05:55 +08:00
dead_horse	b1b6172892	Release 0.4.3	2014-04-18 16:15:50 +08:00
fengmk2	e5a77a4368	Merge pull request #334 from cnpm/fix-permission add permission check to /:name/:tag	2014-04-18 14:34:27 +08:00
dead_horse	b74cccd342	add permission check to /:name/:tag	2014-04-18 14:29:42 +08:00
fengmk2	6aae538f49	Merge pull request #333 from cnpm/issue332-tag add put /:name/:tag, close #332	2014-04-18 14:12:56 +08:00
dead_horse	74c8b25374	fix space	2014-04-18 14:07:49 +08:00
dead_horse	0cec2edea6	add put /:name/:tag, close #332	2014-04-18 12:18:07 +08:00
fengmk2	b59a0a99cf	Release 0.4.2	2014-04-17 17:33:17 +08:00
dead_horse	c7e82809e3	Merge pull request #330 from cnpm/package-size-show fix fav ico and show pkg size on pkg info page. fix #318	2014-04-17 17:31:06 +08:00
fengmk2	206ee505a8	sync interval config	2014-04-17 17:28:27 +08:00
fengmk2	d39838f930	fix fav ico and show pkg size on pkg info page. fix #318	2014-04-17 14:59:38 +08:00
dead_horse	512e21aaf5	Merge pull request #329 from cnpm/fix-stack-over sync work sync one done must wait for a defer.setImmediate. fix #328	2014-04-17 14:12:22 +08:00
fengmk2	f7904ee699	sync work sync one done must wait for a defer.setImmediate. fix #328	2014-04-17 09:11:46 +08:00
dead_horse	7007be6ef4	bump dep versions	2014-04-16 15:17:14 +08:00
dead_horse	70aa3299e5	Merge pull request #326 from cnpm/noattachment if download tarball 404, throw err better than ignore it. fixed #325	2014-04-16 12:00:29 +08:00
fengmk2	a04f5d68eb	if download tarball 404, throw err better than ignore it. fixed #325	2014-04-16 11:44:28 +08:00
fengmk2	7cfe3b58ce	refator sync	2014-04-16 11:19:32 +08:00
fengmk2	afdf0bc653	Merge pull request #323 from cnpm/hot-fix-status hotfix, close #319	2014-04-16 09:39:15 +08:00
fengmk2	42055ac91e	Merge pull request #324 from cnpm/hotfix-dist hotfix, close #321	2014-04-16 09:31:48 +08:00
dead_horse	b93e0dab41	hotfix, close #321	2014-04-16 09:28:22 +08:00
dead_horse	01f2187830	hotfix, close #319	2014-04-16 09:23:59 +08:00
fengmk2	c2f49fcdd9	support custom web home page	2014-04-14 15:14:28 +08:00
dead_horse	3925ef6044	Merge pull request #316 from cnpm/first-full-sync npm get short only can read from cnpm now	2014-04-14 14:04:59 +08:00
fengmk2	85494d2ba0	npm get short only can read from cnpm now	2014-04-14 13:57:04 +08:00
dead_horse	660ca394d6	Merge pull request #315 from cnpm/local-bindding Local bindding and redis fix	2014-04-14 10:47:39 +08:00
fengmk2	ad7eeac00c	if using reverted proxy like nginx, only binding on local host	2014-04-14 10:43:49 +08:00
fengmk2	f63b72891b	fix redis detect logic	2014-04-14 10:27:46 +08:00
				`@@ -0,0 +1 @@`
				`module.exports = require('./lib/scope-package');`