Skip to content

Authorization bearer token not included in tarball request #5082

New issue
New issue
Closed
Closed
Authorization bearer token not included in tarball request#5082
Labels
Bugthing that needs fixingNeeds Triageneeds review for next stepsRelease 8.xwork is associated with a specific npm 8 release
@johann1301s

Description

@johann1301s
johann1301s
opened on Jun 25, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When running npm install there is a request for the json packument. In this request there is a Authorization header present with the token-value defined in ~/.npmrc:

//my.registry/:_authToken=<token>

But when requesting the tarball, using the tarball-url found in the packument, the Authorization header is missing.

It should be possible to authenticate that the request comes from a source that has rights to the tarball. Otherwise the tarball is essentially public, only hidden by obscurity.

Are there any settings i can change to make sure the Authorization header is present in the tarball request?

Expected Behavior

Authorization header should be present in the tarball request.

Steps To Reproduce

No response

Environment

  • npm: 8.13.1
  • Node.js: v16.13.1
  • OS Name: macOS Monterey 12.3.1

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingNeeds Triageneeds review for next stepsRelease 8.xwork is associated with a specific npm 8 release

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions