Typesync fails with 401 using 0.8.0 when using a private registry but 0.7.0 succeeds

[pjroth]

> typesync

»  TypeSync v0.8.0
✖  Request failed with status code 401
Stack:
Error: Request failed with status code 401

I have a private registry with auth configured via ~/.npmrc.

Forcing the version to 0.7.0 and running typesync I'm able to successfully run.

[jeffijoe]

0.8 reads the registry URL using npm config get registry. Are you using a non-default one?

[pjroth]

@jeffijoe Thanks for the quick response!

I am using a custom registry. Is there other setup I could/should be doing in order to get my configuration to work with 0.8.0?

[jeffijoe]

Currently, a public registry is expected. Would either need to add a way to authenticate a private one or a config option to use the official npm registry.

I never used a private registry before so I don't know how they work.

[pjroth]

I have auth setup to use my private repository already and that works for normal installing of npm packages. The only setup is I have a ~/.npmrc file that has my private registry URL and my credentials (private repo setup).

[pjroth]

If I take the _auth value from my ~/.npmrc file and then use that to make a GET request with a Authorization: Basic _auth_value_here header against my private repository I am properly authenticated and my repository responds with a 200.

[pjroth]

I also looked briefly for a npm package registry SDK/API but I couldn't find one. It's really hard to search for npm and registry. I was assuming that if this SDK exists it will know how to use npm configuration. I'm guessing the way I've configured my auth is not the only way supported by npm is my concern. I would expect this npm registry SDK package must exist but I wasn't able to find it. :(

[jeffijoe]

Would using the public registry not work? Or do you require using the private one?

[pjroth]

@jeffijoe no I can't use the public registry directly. I'm using a private registry for our company. This is because of at least two reasons I know of. First our private code is in the private registry. Second, it ensures that we proxy all calls from developers/CI at the company against our own registry to cut down on traffic to the public registry.

I think a reasonable thing that would be nice is to use the auth in ~/.npmrc (if it exists) when making calls against the registry adding the auth header. Especially since the configured registry is currently being used from that file but not the other config potentially specified there. Using the _auth property in ~/.npmrc seems to be (from what I can tell, I'm not really an npm expert) the standard way to use a registry that requires auth in npm. If there is some other solution using standard npm config I could do that as well I'm just not aware.

Another solution could be to not use the configured custom registry at all (use the public one only) but I'm guessing that change in 0.8.0 was made for a good reason so this might not be an option.

Thanks for all the help! Much appreciate this really nice tool!

[jeffijoe]

I would prefer not to have to read the user's .npmrc for the token as that might end up being a security nightmare. I think the play here is to support passing in the registry URL as config, with "auto" being the default that reads from whatever is configured.

[KagamiChan]

I also encountered this issue, I think it would be better if we support a registry parameter, assuming that private registries usually pull existing packages from public upstreams

[deongroenewald]

The npm cli uses the npm-registry-fetch package which looks like it abstracts the details of fetching from the registry, including authentication. It also uses @npmcli/config for reading configuration which may be useful.

[jeffijoe]

Oh that's neat @deongroenewald !

I've been really swamped at work, but I would be open to a PR that uses that package!

[jeffijoe]

npm-registry-fetch has been incorporated in v0.11, @deongroenewald thanks for the tip!