Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] npm config removes _auth from .npmrc #2300

Closed
bradbeck opened this issue Dec 8, 2020 · 13 comments
Closed

[BUG] npm config removes _auth from .npmrc #2300

bradbeck opened this issue Dec 8, 2020 · 13 comments
Assignees
Labels
Bug thing that needs fixing release: next These items should be addressed in the next release Release 7.x work is associated with a specific npm 7 release

Comments

@bradbeck
Copy link

bradbeck commented Dec 8, 2020

Current Behavior:

npm config set <anykey> <anyvalue> will result in _auth=... being removed from .npmrc

Expected Behavior:

npm config set foo bar should not result in _auth=... being removed from .npmrc

Steps To Reproduce:

  1. echo '_auth="xxx"' >> ~/.npmrc
  2. cat ~/.npmrc to see _auth="xxx" is there
  3. npm config set foo bar
  4. cat ~/.npmrc to see _auth="xxx" is gone

Environment:

Docker image node:15.3.0
Node: 15.3.0
npm: 7.0.14

@bradbeck bradbeck added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Dec 8, 2020
@ljharb
Copy link
Contributor

ljharb commented Dec 8, 2020

Does it still happen with v7.0.15?

@bradbeck
Copy link
Author

bradbeck commented Dec 8, 2020

Not sure, I haven't found a way to update npm in the node docker image.

@ljharb
Copy link
Contributor

ljharb commented Dec 8, 2020

npm install -g npm@7?

@bradbeck
Copy link
Author

bradbeck commented Dec 8, 2020

The node docker image fails to update npm that way. Some permissions issue.

I have confirmed that it still happens for [email protected] on MacOS.

@isaacs
Copy link
Contributor

isaacs commented Dec 10, 2020

This is happening because xxx is not a valid _auth field.

In order for credentials to be saved, a username, email address, and password must all be set, and it is re-saved to the config file scoped only to the proper registry.

This works as expected, for example:

$ echo $'_auth=dXNlcjpwYXNz\[email protected]' > foo.npmrc; node . config set foo=bar --userconfig=foo.npmrc ; cat foo.npmrc
foo=bar
//registry.npmjs.org/:username=user
//registry.npmjs.org/:_password="cGFzcw=="
//registry.npmjs.org/:[email protected]
//registry.npmjs.org/:always-auth=false

@isaacs
Copy link
Contributor

isaacs commented Dec 11, 2020

Note that _auth must be a base64-encoded username:password pair. It's then saved with the username and password as shown.

@bradbeck
Copy link
Author

@isaacs This appears to be a change in behavior relative to versions prior to npm v7. Is the methodology you describe backward compatible? If so, how far back?

@bradbeck
Copy link
Author

bradbeck commented Dec 11, 2020

@isaacs The methodology you describe does not seem to work for ~/.npmrc and npm config set foo=bar. _auth still gets removed but it not replaced with username and password as you describe.

@bradbeck
Copy link
Author

bradbeck commented Dec 11, 2020

In versions prior to npm v7 we used to be able to use the following to configure authentication:

$ npm config set registry http://npm.example.com/
$ npm config set always-auth true
$ npm config set email [email protected]
$ npm config set _auth YWRtaW46YWRtaW4=

With npm v7+ it does not appear to be possible to use npm config set ... to set email or _auth. A sequence like the following is required to get authentication working:

$ npm config set registry http://npm.example.com/
$ echo '[email protected]\n_auth="YWRtaW46YWRtaW4="' >> ~/.npmrc
$ npm config set always-auth true

or

$ npm config set registry http://npm.example.com/
$ npm config set //npm.example.com/:always-auth true
$ npm config set //npm.example.com/:email [email protected]
$ npm config set //npm.example.com/:username admin
$ npm config set //npm.example.com/:_password YWRtaW4=

@isaacs
Copy link
Contributor

isaacs commented Dec 15, 2020

Aha, seems like the issue here is that npm config set email [email protected] is failing, that's the bug here. Email should be able to be set separate from credentials. This works in the meantime:

npm config set registry http://npm.example.com/
npm config set always-auth true
echo "[email protected]" >> ~/.npmrc
npm config set _auth YWRtaW46YWRtaW4=

@isaacs
Copy link
Contributor

isaacs commented Dec 15, 2020

Will be fixed on next npm release, with @npmcli/[email protected]

@isaacs isaacs self-assigned this Dec 15, 2020
@isaacs isaacs added release: next These items should be addressed in the next release and removed Needs Triage needs review for next steps labels Dec 15, 2020
isaacs added a commit that referenced this issue Dec 16, 2020
While digging into #2300, I realized it would be a lot easier if we
could do this:

    npm config set [email protected] _auth=xxxx

and avoid the whole issue of what gets set first.

Also, why not let `npm config get foo bar baz` return just the keys
specified?

Also updates the docs, including the statement that `npm config set foo`
with no value sets it to `true`, when as far as I can tell, that has
never been the case.
isaacs added a commit that referenced this issue Dec 16, 2020
While digging into #2300, I realized it would be a lot easier if we
could do this:

    npm config set [email protected] _auth=xxxx

and avoid the whole issue of what gets set first.

Also, why not let `npm config get foo bar baz` return just the keys
specified?

Also updates the docs, including the statement that `npm config set foo`
with no value sets it to `true`, when as far as I can tell, that has
never been the case.
isaacs added a commit that referenced this issue Dec 16, 2020
While digging into #2300, I realized it would be a lot easier if we
could do this:

    npm config set [email protected] _auth=xxxx

and avoid the whole issue of what gets set first.

Also, why not let `npm config get foo bar baz` return just the keys
specified?

Also updates the docs, including the statement that `npm config set foo`
with no value sets it to `true`, when as far as I can tell, that has
never been the case.
@isaacs
Copy link
Contributor

isaacs commented Dec 16, 2020

So, just to clarify:

  • npm config set _auth=xxx will fail if email is not set.
  • npm config set [email protected] will work, even if _auth is not set.
  • npm config set [email protected] _auth=xxx will always work (ie, adding two configs in one command).
  • in all cases, the authentication settings will still be scoped to a given registry, so it's important to either set that registry config first, or include it in the command cli config, like npm config --registry=https://npm.internal/ set [email protected] _auth=xxx

isaacs added a commit that referenced this issue Dec 18, 2020
While digging into #2300, I realized it would be a lot easier if we
could do this:

    npm config set [email protected] _auth=xxxx

and avoid the whole issue of what gets set first.

Also, why not let `npm config get foo bar baz` return just the keys
specified?

Also updates the docs, including the statement that `npm config set foo`
with no value sets it to `true`, when as far as I can tell, that has
never been the case.

PR-URL: #2362
Credit: @isaacs
Close: #2362
Reviewed-by: @nlf
isaacs added a commit that referenced this issue Dec 18, 2020
* Support setting email without username/password

Fixes: #2300
@isaacs isaacs closed this as completed Dec 18, 2020
@belun
Copy link

belun commented Oct 18, 2022

still happening in npm8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug thing that needs fixing release: next These items should be addressed in the next release Release 7.x work is associated with a specific npm 7 release
Projects
None yet
Development

No branches or pull requests

4 participants