fix: correctly handle nerf-darted env vars

fixes npm#64 Don't normalize the registry prefix, don't dasherize the leading underscore of the nerfed key (e.g. `_password`) and don't downcase `_authToken`. This will allow you to successfully use env vars to control registry auth, e.g. `npm_config_//reg.example/UP_CASE/:_authToken=secret`
jenseng · Jul 25, 2022 · 30c28cd · 30c28cd
1 parent d825726
commit 30c28cd
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 10 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -366,14 +366,24 @@ class Config {
       if (!/^npm_config_/i.test(envKey) || envVal === '') {
         continue
       }
-      const key = envKey.slice('npm_config_'.length)
-        .replace(/(?!^)_/g, '-') // don't replace _ at the start of the key
-        .toLowerCase()
+      const key = this.normalizeKeyFromEnv(envKey.slice('npm_config_'.length))
       conf[key] = envVal
     }
     this[_loadObject](conf, 'env', 'environment')
   }
 
+  normalizeKeyFromEnv (key) {
+    // nerf-darted keys need slightly more nuanced handling
+    if (/^\/\/.*?:./.test(key)) {
+      // preserve case and dashes within URIs
+      let [uri, k] = key.split(':', 2)
+      k = this.normalizeKeyFromEnv(k)
+      return `${uri}:${k === '_authtoken' ? '_authToken' : k}`
+    }
+    return key.replace(/(?!^)_/g, '-') // don't replace _ at the start of the key
+      .toLowerCase()
+  }
+
   loadCLI () {
     nopt.invalidHandler = (k, val, type) =>
       this.invalidHandler(k, val, type, 'command line options', 'cli')
@@ -691,8 +701,6 @@ class Config {
       this.delete(`_password`, 'user')
       this.delete(`username`, 'user')
     }
-    this.delete(`${nerfed}:-authtoken`, 'user')
-    this.delete(`${nerfed}:_authtoken`, 'user')
     this.delete(`${nerfed}:_authToken`, 'user')
     this.delete(`${nerfed}:_auth`, 'user')
     this.delete(`${nerfed}:_password`, 'user')
@@ -732,8 +740,6 @@ class Config {
     // send auth if we have it, only to the URIs under the nerf dart.
     this.delete(`${nerfed}:always-auth`, 'user')
 
-    this.delete(`${nerfed}:-authtoken`, 'user')
-    this.delete(`${nerfed}:_authtoken`, 'user')
     this.delete(`${nerfed}:email`, 'user')
     if (certfile && keyfile) {
       this.set(`${nerfed}:certfile`, certfile, 'user')
@@ -781,8 +787,6 @@ class Config {
     }
 
     const tokenReg = this.get(`${nerfed}:_authToken`) ||
-      this.get(`${nerfed}:_authtoken`) ||
-      this.get(`${nerfed}:-authtoken`) ||
       nerfed === nerfDart(this.get('registry')) && this.get('_authToken')
 
     if (tokenReg) {

diff --git a/test/index.js b/test/index.js
@@ -394,6 +394,41 @@ loglevel = yolo
       'should return true once again now that values is retrieved from defaults')
   })
 
+  t.test('normalize config env keys', async t => {
+    const env = {
+      npm_config_bAr: 'bAr env',
+      NPM_CONFIG_FOO: 'FOO env',
+      'npm_config_//reg.example/UP_CASE/:username': 'ME',
+      'npm_config_//reg.example/UP_CASE/:_password': 'Shhhh!',
+      'NPM_CONFIG_//reg.example/UP_CASE/:_AUTHTOKEN': 'sEcReT',
+    }
+    const config = new Config({
+      npmPath: `${path}/npm`,
+      env,
+      argv,
+      cwd: `${path}/project`,
+
+      shorthands,
+      definitions,
+    })
+
+    await config.load()
+
+    t.strictSame({
+      bar: config.get('bar'),
+      foo: config.get('foo'),
+      '//reg.example/UP_CASE/:username': config.get('//reg.example/UP_CASE/:username'),
+      '//reg.example/UP_CASE/:_password': config.get('//reg.example/UP_CASE/:_password'),
+      '//reg.example/UP_CASE/:_authToken': config.get('//reg.example/UP_CASE/:_authToken'),
+    }, {
+      bar: 'bAr env',
+      foo: 'FOO env',
+      '//reg.example/UP_CASE/:username': 'ME',
+      '//reg.example/UP_CASE/:_password': 'Shhhh!',
+      '//reg.example/UP_CASE/:_authToken': 'sEcReT',
+    })
+  })
+
   t.test('do not double-load project/user config', async t => {
     const env = {
       npm_config_foo: 'from-env',
@@ -615,7 +650,6 @@ t.test('raise error if reading ca file error other than ENOENT', async t => {
 t.test('credentials management', async t => {
   const fixtures = {
     nerfed_authToken: { '.npmrc': '//registry.example/:_authToken = 0bad1de4' },
-    nerfed_lcAuthToken: { '.npmrc': '//registry.example/:_authtoken = 0bad1de4' },
     nerfed_userpass: {
       '.npmrc': `//registry.example/:username = hello
 //registry.example/:_password = ${Buffer.from('world').toString('base64')}