How to configure npm token via npm_config_* env var?

[mk-pmb]

I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's going wrong?

npm seems to ignore my npm_config_//registry.npmjs.org/:_authToken environment variable.

I'm trying to restrict the environments where my npm login token is stored. I tried using an environment variable in my .npmrc as described in #8356 but adding that config line makes npm (e.g. npm --help) crash with Error: Failed to replace env in config: ${NPM_TOKEN} in all shells where the var isn't set.
Luckily, "npm is extremely configurable", so I tried the "environment variables" approach. Using the export command as suggested in the docs didn't work because:

bash: export: `npm_config_//registry.npmjs.org/:_authToken=00000000-0000-0000-0000-000000000000': not a valid identifier

… so instead I used env to spawn a new bash that would inherit my variable. Inside it, I used node.js to verify it is set correctly, then tried to publish:

$ env 'npm_config_//registry.npmjs.org/:_authToken=00000000-0000-0000-0000-000000000000' bash
$ # we're now in the inner shell
$ nodejs -p process.env | grep Token
  'npm_config_//registry.npmjs.org/:_authToken': '00000000-0000-0000-0000-000000000000',
$ npm pub .
npm ERR! Linux 3.13.0-108-generic
npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "pub" "."
npm ERR! node v6.9.4
npm ERR! npm  v3.10.10
npm ERR! code ENEEDAUTH
…

(Of course I used a token that worked in my .npmrc just seconds ago, so that should not be the problem.)

How can the CLI team reproduce the problem?

With the commands above, hopefully.

supporting information:

• npm -v prints: 3.10.10
• node -v prints: v6.9.4
• npm config get registry prints: http://registry.npmjs.org/
• Windows, OS X/macOS, or Linux?: Linux (Ubuntu 14.04.5 LTS trusty)
• Network issues:
  • Geographic location where npm was run:
  • I use a proxy to connect to the npm registry.
  • I use a proxy to connect to the web.
  • I use a proxy when downloading Git repos.
  • I access the npm registry via a VPN
  • I don't use a proxy, but have limited or unreliable internet access.
• Container:
  • I develop using Vagrant on Windows.
  • I develop using Vagrant on OS X or Linux.
  • I develop / deploy using Docker.
  • I deploy to a PaaS (Triton, Heroku).

[npm-robot]

We're closing this issue as it has gone seven days without activity and without being labeled. If we haven't even labeled in issue in seven days then we're unlikely to ever read it.

If you are still experiencing the issue that led to you opening this or this is a feature request you're still interested in then we encourage you to open a new issue. If this was a support issue, you may be better served by joining package.communty and asking your question there.

For more information about our new issue aging policies and why we've instituted them please see our blog post.

[sgronblo]

It's very annoying that there is no clear way to specify this as an environment variable

[legodude17]

Can't you use NPM_TOKEN=<your_token>?

[mk-pmb]

@legodude17, the only way I know to provide the NPM token via an env var is to relay it via the .npmrc, as described above and in the other thread. Unfortunately, this has the drawbacks described above and in the other thread.

Independently, a mismatch between a program's behavior and its docs is confusing,

[sgronblo]

Also, the officially recommended way to handle this in the npm documentation is quite annoying:

If you add a .npmrc file that includes a placeholder for an environment variable you now have to define this env var for all environments and it also needs to be present for any npm command run.

So even though you only need it for example for running npm install on a CI server, it will pop up to annoy you also when you do things like npm run even though those commands can be run without the token.

[mk-pmb]

Even worse: Some months ago I ran across a package that installed other packages via npm and didn't pass my environment.

[mkhl]

I believe the cause for this is the way npm translates environment variables to config keys.

When we have an environment variable npm_config_//registry.npmjs.org/:_authToken,
config reads it from the environment and replaces every _ character with a - character, so the config key would be //registry.npmjs.org/:-authToken,
but then when npm tries to find the token, it looks for a config key for the registry that ends in :_authToken, which fails because the underscore was translated.

So at its root there are two parts of the code that disagree on how config keys should be normalised, and it seems to affect all config keys containing underscores (i.e. none of those can be set using an environment variable).
To fix this I would start by extracting a function that performs this normalisation, and then maybe modify config’s get to normalise all keys prior to lookup.

I hope this can get someone started on a fix? I could also work on one but would need guidance.

[legodude17]

@mkhl I would suggest posting this in https://npm.community. Either bugs or ideas, I am not sure.