-
Notifications
You must be signed in to change notification settings - Fork 3k
Auth header is sent to HTTP dependencies #17580
Comments
@CherryDT does this happen with |
With npm@5 and OP's setup instructions, npm sends Test server: import express = require('express');
const app = express();
app.use((req, res) => {
console.log(`${req.method} ${req.url}`);
console.dir(req.headers);
res.sendStatus(404);
})
app.listen(8080); |
As described, everything I'm seeing is that this is working as designed and intended. |
I have also doubted, that it is a bug. Because otherwise |
@zkat @Withw I'm not sure about that - according to the documentation, Now, for me that's needed because my registry is a Sinopia server for internal use which of course requires credentials to access packages, because those packages should be accessible only to us. So far so good. However, it appears that the credentials are also sent when accessing raw package URLs in the dependencies list (not the registry), which is what this issue is about, and which I still believe is wrong and dangerous (because third party packages may sneak in rogue package URLs in their dependencies which sniff your credentials, and this can even work when
I'm not sure what you mean by that - the documentation for
Yes, but I'm not using a registry which points to S3. I have a dependency like this:
I'm not sure I can follow. After applying the fix for this issue, this configuration would still control whether credentials are sent for GET requests to the registry, right? |
@CherryDT If you remove @zkat Correct me if I'm wrong |
@Withw Strange. It appears you are right, I tested it again with npm@5 and it appears that indeed without Does this mean that the flag changed its meaning over time and no longer controls whether the username and password are sent to the registry on GET requests, but instead control whether they are sent elsewhere (contrary to what's written in the docs)? I want to make sure I understand correctly what's going on. |
We're closing this support issue as it has gone three days without activity. The npm CLI team itself does not provide support via this issue tracker, but we are happy when users help each other here. In our experience once a support issue goes dormant it's unlikely to get further activity. If you're still having problems, you may be better served by joining WeAllJS and asking your question in its #npm channel. The npm CLI team is all present there, but there are also lots of other folks who can help you too. For more information about our new issue aging policies and why we've instituted them please see our blog post. |
I'm opening this issue because:
npm is doing something I don't understand and think is wrong.
What's going wrong?
It appears that the user credentials configured in .npmrc (with always-auth) are also sent to HTTP dependencies. I don't think it makes sense, I expect those credentials to be sent to my default registry but definitely not to arbitrary HTTP URLs in dependencies. I think this can even be used to sniff credentials.
This behavior causes another issue, which is the reason I found it in the first place: I was unable to install a package from an Amazon S3 URL. The error was:
After debugging a bit more, I saw that npm is sending an
Authorization
header with my user credentials, and this caused Amazon S3 to respond with a bad request error "Unsupported Authorization Type".Note that it works fine when I create a .npmrc in the current directory (must be a package root) with the contents
//myregistry.com/:always-auth=false
but then I can't install any other packages anymore because the registry does need auth.How can the CLI team reproduce the problem?
npm login
always-auth true
npm install https://s3.amazonaws.com/dotlabs-test/test/npmhttp/testpkg-1.0.0.tgz
Output with loglevel silly
supporting information:
npm -v
prints: 4.1.2node -v
prints: v7.6.0npm config get registry
prints: Our company registryThe text was updated successfully, but these errors were encountered: