Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing support for npm bearer auth and OTP #6206

Closed
bodograumann opened this issue Jan 12, 2021 · 1 comment
Closed

Missing support for npm bearer auth and OTP #6206

bodograumann opened this issue Jan 12, 2021 · 1 comment
Labels
bug priority: next

Comments

@bodograumann
Copy link
Contributor

bodograumann commented Jan 12, 2021
edited
Loading

Version

4.5.10

Environment info

Environment Info:

  System:
    OS: Linux 5.10 Arch Linux
    CPU: (4) x64 Intel(R) Core(TM) i5-7300HQ CPU @ 2.50GHz
  Binaries:
    Node: 15.5.1 - /usr/bin/node
    Yarn: 1.22.10 - ~/.local/bin/yarn
    npm: 6.14.11 - /usr/bin/npm
  Browsers:
    Chrome: Not Found
    Firefox: 84.0.2
  npmGlobalPackages:
    @vue/cli: 4.5.10

Steps to reproduce

I am using the npm registry on an Azure DevOps server (formerly known as Microsoft TeamFoundation Server; TFS). To authenticate, it is neccesary to use basic authentication, which is not possible with vue-cli.

This becomes apparent when running vue ui, vue create or vue upgrade in such an environment.

What is expected?

vue-cli should be able to access package information on the azure package feed

What is actually happening?

ERROR Failed to get response from https://myserver/tfs/mycollection/_packaging/packages/npm/registry/vue-cli-version-marker

As described in the npm registry docs, authentication with an npm registry is possible via basic auth, bearer auth and in both cases an optional OTP.
vue-cli only supports bearer auth without otp:

vue-cli/packages/@vue/cli/lib/util/ProjectPackageManager.js

Lines 279 to 312 in 027386e

async getMetadata (packageName, { full = false } = {}) {
const scope = extractPackageScope(packageName)
const registry = await this.getRegistry(scope)
const metadataKey = `${this.bin}-${registry}-${packageName}`
let metadata = metadataCache.get(metadataKey)
if (metadata) {
return metadata
}
const headers = {}
if (!full) {
headers.Accept = 'application/vnd.npm.install-v1+json;q=1.0, application/json;q=0.9, */*;q=0.8'
}
const authToken = await this.getAuthToken(scope)
if (authToken) {
headers.Authorization = `Bearer ${authToken}`
}
const url = `${registry.replace(/\/$/g, '')}/${packageName}`
try {
metadata = (await request.get(url, { headers })).body
if (metadata.error) {
throw new Error(metadata.error)
}
metadataCache.set(metadataKey, metadata)
return metadata
} catch (e) {
error(`Failed to get response from ${url}`)
throw e
}
}

In contrast npm info vue-cli-version-marker --json and yarn info vue-cli-version-marker --json work fine, because they implement basic auth.

I wonder why we have to reimplement an npm registry client anyway.

Note: For basic auth the credentials are stored in .npmrc as//registry-url:username=myusername and //registry-url:_password=base64-encoded password. So when sending the password with basic auth, we need to be careful not to double-encode.
@haoqunjiang
Copy link
Member

😂 Well, I reimplemented the registry client because of the poor performance of Windows subprocesses: #4895 (comment)
Didn't expect so many edge cases here…

@bodograumann bodograumann mentioned this issue Jan 12, 2021
Merged
9 tasks
haoqunjiang pushed a commit that referenced this issue Jan 22, 2021
@bodograumann @haoqunjiang
fix: support basic auth for npm registry access (#6207)
cfb3828 
When username and password are configured in the .npmrc for the
respective scope, use basic auth when getting package metadata from the
npm registry.

Closes #6206
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug priority: next
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bodograumann @haoqunjiang