Fixes npm auth #3774
Fixes npm auth #3774
Conversation
|
We definitely should extract the npmrc/yarnrc config parsing from npm-registry and yarn-registry. |
src/registries/npm-registry.js
Outdated
| const authToken = this.getRegistryOrGlobalOption(registry, '_authToken'); | ||
| if (authToken) { | ||
| return `Bearer ${String(authToken)}`; | ||
| if (baseRegistry === `https://registry.yarnpkg.com/`) { |
There was a problem hiding this comment.
we have constants for these values
There was a problem hiding this comment.
So if package comes from registry.yarnpkg.com then you want to add registry.npmjs.org to the list of registries in the attempt of getting username and password.
That looks like a lazy patch, it would be better to set up getRegistryOrGlobalOption to return same data for yarnpkg and npmjs rather than patch every callsite
src/registries/npm-registry.js
Outdated
|
|
||
| const headers = Object.assign( | ||
| { | ||
| Accept: 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*', | ||
| }, | ||
| opts.headers, | ||
| ); | ||
| if (this.token || (alwaysAuth && isRequestToRegistry(requestUrl, registry, customHostSuffix))) { | ||
|
|
||
| if (alwaysAuth || (packageName || pathname)[0] === `@`) { |
There was a problem hiding this comment.
I don't understand the reason for this change
There was a problem hiding this comment.
From @arcanis:
this.token is undefined
So the codepath is not executed if alwaysAuth is not set
The condition I put tries to set an auth token if alwaysAuth is enabled, or if the package is scoped
There was a problem hiding this comment.
This should go into the code as a comment. Also a helper function named isScoped or needsAuth (or both?) would make the code more readable.
There was a problem hiding this comment.
Also I think the this.token check here was to memoize the token. We may wanna keep that behavior.
There was a problem hiding this comment.
I am not super excited about the fix getting into master this way, let's fix the leaky abstraction that requires us to hardcode domains here and add an automated test.
However I'd like to stabilize 0.27 so I'll cherry-pick this commit there and release a patch today.
src/registries/npm-registry.js
Outdated
|
|
||
| const headers = Object.assign( | ||
| { | ||
| Accept: 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*', | ||
| }, | ||
| opts.headers, | ||
| ); | ||
| if (this.token || (alwaysAuth && isRequestToRegistry(requestUrl, registry, customHostSuffix))) { | ||
|
|
||
| if (alwaysAuth || (packageName || pathname)[0] === `@`) { |
There was a problem hiding this comment.
This should go into the code as a comment. Also a helper function named isScoped or needsAuth (or both?) would make the code more readable.
src/registries/npm-registry.js
Outdated
|
|
||
| const headers = Object.assign( | ||
| { | ||
| Accept: 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*', | ||
| }, | ||
| opts.headers, | ||
| ); | ||
| if (this.token || (alwaysAuth && isRequestToRegistry(requestUrl, registry, customHostSuffix))) { | ||
|
|
||
| if (alwaysAuth || (packageName || pathname)[0] === `@`) { |
There was a problem hiding this comment.
Also I think the this.token check here was to memoize the token. We may wanna keep that behavior.
| if (auth) { | ||
| return `Basic ${String(auth)}`; | ||
| } | ||
| for (const registry of registries) { |
There was a problem hiding this comment.
Is this trying to get an auth token for the first matching registry? If so, I find that a bit dangerous. Should we keep a mapping of registry: token pairs and use the appropriate one when communicating. This would also leak tokens to other registries which may be an important security threat.
There was a problem hiding this comment.
Hence the check to make sure that the npm fallback is only added when the registry is the Yarn registry. The token won't be sent for any other hostname (wich is another issue).
That being said, the whole "multi-registry" logic is flawed, since we only support a single registry implementation (and adding more of them wouldn't make much sense, since it would complexify the codebase for little gain). I'd like to rework it so that we only support a single registry implementation, the npm one, and then make possible to configure what needs to be generic (mostly the hostname). But that's a second step.
There was a problem hiding this comment.
I'm +1 to this until we do the refactor. The code can use a short comment explaining this safe-guard.
|
Sup @arcanis? :) |
| if (this.token || (alwaysAuth && isRequestToRegistry(requestUrl, registry, customHostSuffix))) { | ||
|
|
||
| const packageIdent = packageName || pathname; | ||
| const isScoppedPackage = packageIdent.match(/^@|\/@/); |
There was a problem hiding this comment.
What does the second part cover? (sorry, not very familiar with scoped packages except for the @user/package pattern.
There was a problem hiding this comment.
In some cases packageIdent will be @user/package, and in other cases it will be https://example.org/@user/package.tgz
| const password = this.getRegistryOrGlobalOption(registry, '_password'); | ||
| if (username && password) { | ||
| const pw = new Buffer(String(password), 'base64').toString(); | ||
| return 'Basic ' + new Buffer(String(username) + ':' + pw).toString('base64'); |
There was a problem hiding this comment.
Wow, no idea we did double base64 for the password part.
|
The main issue with e2e test is that it would require a private package somewhere. I have my own test package on my account, but I obviously cannot use it in the Yarn testsuite 😄 Ideally, we should create a new private package on the That, or we build a stub registry server. |
This. Or even better: we just do integration tests via mocks. |
|
I think we should have an end to end installation without stubs at least for one package. |
|
@bestander I'll merge this then since we have filed #3842 |
|
This has broken installing private modules from our company's Bitbucket server. "private-module": "git+ssh://git@git:7999/project/private-module.git"I rolled back to version |
|
@daniel-nagy please raise a new issue. |
This commit should fix #3765. I'm not completely satisfied with hardcoding our registry, maybe that could extended at a later point with an option to "inherit" the auth token from npm. Not sure it would be useful, tho.