Set of fixes for better npmrc parameters support #12284
Conversation
| // attempt to parse username and password from base64 token | ||
| // to enable Artifactory / Nexus-like repositories support | ||
| const parsedToken = Buffer.from(token, 'base64').toString('ascii'); | ||
| const [extractedUsername, extractedPassword] = parsedToken.split(':'); |
There was a problem hiding this comment.
Looks like it cannot have : in the password. Is this expected? You might want to use this instead:
const delimiter = ':';
const [extractedUsername, ...passwordArr] = parsedToken.split(delimiter);
const extractedPassword = passwordArr.join(delimiter);Just slightly more ugly, but there's no native function that does it.
There was a problem hiding this comment.
true, good point. Thanks for reviewing! I will apply the changes soon
…ter support for private repositories
|
@hansl updated the PR according to your comments and going to sleep :) If you have more comments / there is something more to fix, I'm glad to help |
|
FYI tested with Artifactory, did not work, see: #10624 (comment) |
|
@smnbbrv I found the issue, nothing to do with Artifactory. Your code to parse the username:password from the base64 For example, it works when .npmrc looks like: But not when: |
|
@hansl I added another fix that adds support of whitespaces around '='. Could you, please, revalidate? @mrmaxsteel it's not really my code, I'm just a random stranger who wants the issue to be fixed :D Added fix to your findings. That's really cool that Artifactory works as well 👍 |
|
Validated latest change, all works 👍 |
|
@hansl I can't really understand the ci failures... Does not seem to me like it is the issue connected to the changes I made |
| } | ||
|
|
||
| if (fs.existsSync(perProjectNpmrc)) { | ||
| npmrc = fs.readFileSync(perProjectNpmrc).toString('utf-8'); | ||
| } else { |
There was a problem hiding this comment.
You should parse both .npmrc files because the repository url can be in the per project file and credentials in the user file
There was a problem hiding this comment.
True.
However if we are too picky here we enter the pain zone. First, then we need to support the global npmrc + userconfig flag / env variable as well. Second, we need to properly resolve the collisions between _authToken and _auth (because both could be present and we need to pick). Finally, the current approach is reading npmrc every time the package info is getting resolved which is not a standard npm behavior. Etc.
I'm not yet talking about having two different ways of getting NPM parameters.
The whole approach is not perfect and this PR does not pretend to be a fully working solution; at least it would be way more helpful than the current approach. Probably one needs to deeply rethink the concept.
There was a problem hiding this comment.
I agree. However, IMHO, user file should be read first then because people having open source projects will propably share the project .npmrc without credentials
There was a problem hiding this comment.
The private repos are nearly never used in the open source, hence no auth is required. Also if you change the order of resolving those files then you go in clear conflict with Npm itself
There was a problem hiding this comment.
#10624 is regarding an issue with fontawesome pro, so I guess it's used in open source. and npm don't need authentication nor .npmrc.
There was a problem hiding this comment.
https://fontawesome.com/pro - 60$ per license for 5 seats. What open source projects are you talking about?
There was a problem hiding this comment.
angular-fontawesome for sample
Open source does not means free, anybody can share code on github but use a private repo with tokens they obvioulsly don't want to share.
There was a problem hiding this comment.
OK, I have more arguments, but the discussion went away from the issue. What we discuss is only the cases when there is a project-specific .npmrc which is not containing _auth or _authToken, but there is one in some of the .npmrc above right?
There was a problem hiding this comment.
Exactly, in that case, your PR doesn't fix the issue I guess
|
I'm going to let this in, but we should fix the local/global issue in RC. |
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Heavily related to a hot topic #10624. This issue is really annoying for lots of people.
Targets two points:
.npmrcfile. This is done for the projects that include bundled.npmrcwith readonly permissions, see https://docs.npmjs.com/files/npmrcChanges type:
alwaysAuthis changed toalways-auth, which is a proper name, see https://docs.npmjs.com/misc/config#always-auth_authis normally a base64 encodedtoken:passwordstring => added extracting those credentials from the token and left a fallback token assignment in case something else is stored in_authThank you in advance.