Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(docs): add npmrc docs about scoping auth related config #5378

Merged
merged 2 commits into from
Aug 25, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions docs/content/configuring-npm/npmrc.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,34 @@ consistent across updates. Set fields in here using the `./configure`
script that comes with npm. This is primarily for distribution maintainers
to override default configs in a standard and consistent manner.

### Auth related configuration

The settings `_auth`, `_authToken`, `username` and `_password` must all be
scoped to a specific registry. This ensures that `npm` will never send
credentials to the wrong host.

In order to scope these values, they must be prefixed by a URI fragment.
If the credential is meant for any request to a registry on a single host,
the scope may look like `//registry.npmjs.org/:`. If it must be scoped to a
specific path on the host that path may also be provided, such as
`//my-custom-registry.org/unique/path:`.

```
; bad config
_authToken=MYTOKEN

; good config
@myorg:registry=https://somewhere-else.com/myorg
@another:registry=https://somewhere-else.com/another
//registry.npmjs.org/:_authToken=MYTOKEN
; would apply to both @myorg and @another
; //somewhere-else.com/:_authToken=MYTOKEN
; would apply only to @myorg
//somewhere-else.com/myorg/:_authToken=MYTOKEN1
; would apply only to @another
//somewhere-else.com/another/:_authToken=MYTOKEN2
```

### See also

* [npm folders](/configuring-npm/folders)
Expand Down
14 changes: 12 additions & 2 deletions node_modules/@npmcli/config/lib/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -767,6 +767,11 @@ class Config {
const nerfed = nerfDart(uri)
const creds = {}

const deprecatedAuthWarning = [
'`_auth`, `_authToken`, `username` and `_password` must be scoped to a registry.',
'see `npm help npmrc` for more information.',
].join(' ')

const email = this.get(`${nerfed}:email`) || this.get('email')
if (email) {
creds.email = email
Expand All @@ -780,10 +785,13 @@ class Config {
// cert/key may be used in conjunction with other credentials, thus no `return`
}

const tokenReg = this.get(`${nerfed}:_authToken`) ||
nerfed === nerfDart(this.get('registry')) && this.get('_authToken')
const defaultToken = nerfDart(this.get('registry')) && this.get('_authToken')
const tokenReg = this.get(`${nerfed}:_authToken`) || defaultToken

if (tokenReg) {
if (tokenReg === defaultToken) {
log.warn('config', deprecatedAuthWarning)
}
creds.token = tokenReg
return creds
}
Expand Down Expand Up @@ -818,6 +826,7 @@ class Config {
const userDef = this.get('username')
const passDef = this.get('_password')
if (userDef && passDef) {
log.warn('config', deprecatedAuthWarning)
creds.username = userDef
creds.password = Buffer.from(passDef, 'base64').toString('utf8')
const auth = `${creds.username}:${creds.password}`
Expand All @@ -832,6 +841,7 @@ class Config {
return creds
}

log.warn('config', deprecatedAuthWarning)
const authDecode = Buffer.from(auth, 'base64').toString('utf8')
const authSplit = authDecode.split(':')
creds.username = authSplit.shift()
Expand Down
6 changes: 3 additions & 3 deletions node_modules/@npmcli/config/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@npmcli/config",
"version": "4.2.1",
"version": "4.2.2",
"files": [
"bin/",
"lib/"
Expand Down Expand Up @@ -31,7 +31,7 @@
},
"devDependencies": {
"@npmcli/eslint-config": "^3.0.1",
"@npmcli/template-oss": "3.5.0",
"@npmcli/template-oss": "3.6.0",
"tap": "^16.0.1"
},
"dependencies": {
Expand All @@ -49,6 +49,6 @@
},
"templateOSS": {
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
"version": "3.5.0"
"version": "3.6.0"
}
}
6 changes: 3 additions & 3 deletions package-lock.json
Original file line number Diff line number Diff line change
Expand Up @@ -878,9 +878,9 @@
}
},
"node_modules/@npmcli/config": {
"version": "4.2.1",
"resolved": "https://registry.npmjs.org/@npmcli/config/-/config-4.2.1.tgz",
"integrity": "sha512-iJEnXNAGGr7sGUcoKmeJNrc943vFiWrDWq6DNK/t+SuqoObmozMb3tN3G5T9yo3uBf5Cw4h+SWgoqSaiwczl0Q==",
"version": "4.2.2",
"resolved": "https://registry.npmjs.org/@npmcli/config/-/config-4.2.2.tgz",
"integrity": "sha512-5GNcLd+0c4bYBnFop53+26CO5GQP0R9YcxlernohpHDWdIgzUg9I0+GEMk3sNHnLntATVU39d283A4OO+W402w==",
"inBundle": true,
"dependencies": {
"@npmcli/map-workspaces": "^2.0.2",
Expand Down