
[BUG] npm 7.x does not send Authorization header to download package tarball from private registry #1960

Closed
zenwarr opened this issue Oct 14, 2020 · 5 comments

zenwarr commented Oct 14, 2020

Current Behavior:

npm 7 does not send Authorization header when downloading package tarball from private registry even if it DOES send it to get package packument from the same registry.
As a result, it fails to install private packages (at least for Verdaccio-based registries).

Expected Behavior:

Authorization header should be sent to download package tarball from private registry (as in npm 6).

Steps To Reproduce:

  1. Set custom registry and access token for some scope in .npmrc:

     @example:registry=http://npmjs.example.com/
     //npmjs.example.com/:_authToken=ACCESS_TOKEN

  2. Try to run npm i in a package that depends on a package from the private scope

Example

I've inspected the requests that npm6 and npm7 make to install my package.
Here is the request dump from Wireshark (I replaced my private scope name with the word PRIVATESCOPE, my access token with ACCESSTOKEN and my private registry domain with PRIVATEDOMAIN):

npm 6 requests package packument (with token):

Hypertext Transfer Protocol
    GET /@PRIVATESCOPE%2flint HTTP/1.1\r\n
    connection: keep-alive\r\n
    user-agent: npm/6.14.8 node/v14.13.0 linux x64\r\n
    npm-in-ci: false\r\n
    npm-scope: @PRIVATESCOPE\r\n
    npm-session: 279c12c706bf8c6b\r\n
    referer: install\r\n
    pacote-req-type: packument\r\n
    pacote-pkg-id: registry:@PRIVATESCOPE/lint\r\n
    accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*\r\n
    authorization: Bearer ACCESS_TOKEN\r\n
    accept-encoding: gzip,deflate\r\n
    Host: PRIVATEDOMAIN\r\n
    \r\n

npm 6 downloads package tarball (with token):

Hypertext Transfer Protocol
    GET /@PRIVATESCOPE%2flint/-/lint-3.0.2.tgz HTTP/1.1\r\n
    connection: keep-alive\r\n
    user-agent: npm/6.14.8 node/v14.13.0 linux x64\r\n
    npm-in-ci: false\r\n
    npm-scope: @PRIVATESCOPE\r\n
    npm-session: 279c12c706bf8c6b\r\n
    referer: install\r\n
    pacote-req-type: tarball\r\n
    pacote-pkg-id: registry:@PRIVATESCOPE/lint@http://PRIVATEDOMAIN/@PRIVATESCOPE%2flint/-/lint-3.0.2.tgz\r\n
    authorization: Bearer ACCESSTOKEN\r\n
    accept: */*\r\n
    Host: PRIVATEDOMAIN\r\n
    \r\n

npm 7 requests package information (with token):

Hypertext Transfer Protocol
    GET /@PRIVATESCOPE%2flint HTTP/1.1\r\n
    npm-in-ci: false\r\n
    user-agent: npm/7.0.0 node/v14.13.0 linux x64\r\n
    pacote-version: 11.1.11\r\n
    pacote-req-type: packument\r\n
    pacote-pkg-id: registry:@PRIVATESCOPE/lint\r\n
    accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*\r\n
    npm-scope: @PRIVATESCOPE\r\n
    npm-session: 6d40b36609415ea8\r\n
    npm-command: install\r\n
    authorization: Bearer ACCESSTOKEN\r\n
    connection: keep-alive\r\n
    Accept-Encoding: gzip,deflate\r\n
    Host: PRIVATEDOMAIN\r\n
    \r\n

npm 7 downloads package tarball (without token):

Hypertext Transfer Protocol
    GET /@PRIVATESCOPE%2flint/-/lint-3.0.2.tgz HTTP/1.1\r\n
    npm-in-ci: false\r\n
    user-agent: npm/7.0.0 node/v14.13.0 linux x64\r\n
    pacote-version: 11.1.11\r\n
    pacote-req-type: tarball\r\n
    pacote-pkg-id: remote:http://PRIVATEDOMAIN/@PRIVATESCOPE%2flint/-/lint-3.0.2.tgz\r\n
    pacote-integrity: sha512-xEfDmvo6XfniCpw7Eoiz+Nf3qJrqcYbeAVvZWHMoPgZXWDLk164p99rGiAC9vc7Gi+OH4fk0reLsbP+U5/RZ0A==\r\n
    npm-scope: @PRIVATESCOPE\r\n
    npm-session: 6d40b36609415ea8\r\n
    npm-command: install\r\n
    connection: keep-alive\r\n
    Accept: */*\r\n
    Host: PRIVATEDOMAIN\r\n
    \r\n

Response to the latest request:

HTTP/1.1 401 Unauthorized
Date: Wed, 14 Oct 2020 07:02:01 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 69
Connection: keep-alive
X-Powered-By: verdaccio/4.0.1
Access-Control-Allow-Origin: *
WWW-Authenticate: Basic, Bearer
Vary: Accept-Encoding

{
  "error": "authorization required to access package @PRIVATESCOPE/lint"
}

Environment:

  • OS: Ubuntu 20.04
  • Node: 14.13.0
  • npm: 7.0.0

nlf commented Oct 16, 2020

thank you for the detailed bug report!

we released 7.0.1 of npm last night that includes a patch that i believe should resolve this for you. when you get a chance can you try updating with npm i -g npm@next-7 and let me know how it goes?


zenwarr commented Oct 17, 2020

Everything works great now, thank you for the quick fix!


aligon commented Jan 15, 2021

@nlf I believe I'm running into this issue still.

npm i is erroring trying to download the tarball from a private registry.
In the debug log I see:

861 http fetch GET 200 my_registry/@nti%2fweb-service 488ms
862 http fetch GET 403 my_registry/@nti%2fweb-service/-/web-service-1.42.0.tgz 89ms

The logs on my_registry indicate that it got the auth header for my_registry/@nti%2fweb-service, but not for my_registry/@nti%2fweb-service/-/web-service-1.42.0.tgz:

Jan 15 18:25:48 npm.nti verdaccio[188473]:  http <-- 200, user: aligon(174.x.x.x via 10.x.x.x), req: 'GET /@nti%2fweb-service', bytes: 0/11395
Jan 15 18:25:48 npm.nti verdaccio[188473]:  http <-- 403, user: undefined(174.x.x.x via 10.x.x.x), req: 'GET /@nti%2fweb-service/-/web-service-1.42.0.tgz', error: unregistered users are not allowed to access package @nti/web-service

Environment:

OS: macOS 11.1
Node: 14.15.3
npm: 7.4.1

.npmrc:

@nti:registry=my_registry/
//my_registry/:_authToken="token"


juanpicado commented Jan 15, 2021 via email


aligon commented Jan 15, 2021

GET /@nti%2fweb-service HTTP/1.1
npm-in-ci: false
user-agent: npm/7.4.1 node/v14.15.3 darwin x64
pacote-version: 11.2.1
pacote-req-type: packument
pacote-pkg-id: registry:@nti/web-service
accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*
npm-scope: @nti
npm-session: f63225c4b54dc0b1
npm-command: install
authorization: Bearer {token}
if-none-match: "1cc3a6d0aa908d9899dab4cff580e813"
Accept-Encoding: gzip,deflate
Host: {my_registry}
X-FORWARDED-PROTOCOL: ssl
X-FORWARDED-PROTO: https
X-FORWARDED-SCHEME: https
X-Forwarded-For: x.x.x.x
Connection: close

GET /@nti%2fweb-service/-/web-service-1.42.0.tgz HTTP/1.1
npm-in-ci: false
user-agent: npm/7.4.1 node/v14.15.3 darwin x64
pacote-version: 11.2.1
pacote-req-type: tarball
pacote-pkg-id: registry:@nti/web-service@{my_registry}/@nti%2fweb-service/-/web-service-1.42.0.tgz
pacote-integrity: sha512-BPwrI7TUKZ+g+gxC12z0okX0VDprCPlWKv0sAeErz0AxEkeM8zsWp3W72Atsc7+2aaTkUB4JjNhPJi0xAKJgJw==
npm-scope: @nti
npm-session: f63225c4b54dc0b1
npm-command: install
Accept: */*
Host: {my_registry}
X-FORWARDED-PROTOCOL: ssl
X-FORWARDED-PROTO: https
X-FORWARDED-SCHEME: https
X-Forwarded-For: x.x.x.x
Connection: close
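
The comparison both reporters made by hand (packument request carries the token, tarball request in the same session does not) can be scripted over a capture. This is an added example, not part of the thread and not npm or Verdaccio code; the sample capture and its names (`registry.example`, `PLACEHOLDER`, session `aaaa1111`) are constructed.

```javascript
// Audit captured npm requests for tarball fetches that lost their credentials.

// Parse one request (request line + headers). Also accepts Wireshark-style
// lines that end in a literal "\r\n", as in the dumps in this issue.
function parseRequest(raw) {
  const lines = raw.split(/\r?\n/)
    .map((l) => l.trim().replace(/\\r\\n$/, ''))
    .filter(Boolean);
  const [method, path] = lines[0].split(/\s+/);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers };
}

// Split a capture at each request line, so requests pasted back to back
// without a blank line between them are still separated.
function splitCapture(text) {
  return text.split(/(?=^[ \t]*(?:GET|HEAD|PUT|POST|DELETE) \S+ HTTP\/1\.[01])/m)
    .filter((chunk) => chunk.trim())
    .map(parseRequest);
}

// Tarball requests with no Authorization header, although a packument request
// in the same npm-session to the same Host carried one.
function findDroppedAuth(requests) {
  const key = (r) => `${r.headers['npm-session']}|${r.headers.host}`;
  const authed = new Set(requests
    .filter((r) => r.headers['pacote-req-type'] === 'packument' && r.headers.authorization)
    .map(key));
  return requests
    .filter((r) => r.headers['pacote-req-type'] === 'tarball'
      && !r.headers.authorization && authed.has(key(r)))
    .map((r) => ({ path: r.path, pkgId: r.headers['pacote-pkg-id'] }));
}

// Constructed sample with placeholder names, modelled on the captures above.
const SAMPLE = `GET /@scope%2fpkg HTTP/1.1
pacote-req-type: packument
npm-session: aaaa1111
authorization: Bearer PLACEHOLDER
Host: registry.example
GET /@scope%2fpkg/-/pkg-1.0.0.tgz HTTP/1.1
pacote-req-type: tarball
pacote-pkg-id: remote:http://registry.example/@scope%2fpkg/-/pkg-1.0.0.tgz
npm-session: aaaa1111
Host: registry.example`;
console.log(findDroppedAuth(splitCapture(SAMPLE)));
```

Each reported entry includes the `pacote-pkg-id` value, which in the captures above is `remote:…` for the npm 7.0.0 tarball request and `registry:…` for the npm 6 and npm 7.4.1 ones.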
