feat(config): Deprecate & warn on bare _auth & _authToken #502

Closed
6 tasks done
Tracked by #489
darcyclarke opened this issue May 3, 2022 · 1 comment · Fixed by npm/config#78

darcyclarke commented May 3, 2022

Summary

Show deprecation warning when these configs are set. The reason behind this was to remove all auth that wasn't scoped to a specific registry (this would increase the safety/security of setting/handling this type of config).

Exit Criteria

  • Discuss with @nlf before moving forward
  • Add deprecation warnings for _auth config
  • Add deprecation warnings for _authToken config
  • Add deprecation warnings for username config
  • Add deprecation warnings for password config
  • Add deprecation warnings for email config (email is currently moved to the top level, let's leave this one alone until we can deal with the separation of login/adduser where that config is consumed)
@darcyclarke darcyclarke changed the title chore(config): deprecate bare `_auth` chore(config): deprecate bare _auth May 3, 2022
@darcyclarke darcyclarke changed the title chore(config): deprecate bare _auth feat(config): deprecate bare _auth May 16, 2022

nlf commented Jul 26, 2022

i'm trying to recall where we were headed with this thought. in doing some thinking just now without having that context, i feel pretty strongly like we should remove all forms of authentication that are not scoped to a specific registry. right now we'll allow a bare _authToken if the registry the request is going to is your default registry, but even that feels a bit wrong since it's trivial to change the registry for one specific command and inadvertently send your token to a registry you did not expect to send it to.

@darcyclarke darcyclarke changed the title feat(config): deprecate bare _auth feat(config): deprecate bare _auth & _authToken Aug 8, 2022
@darcyclarke darcyclarke changed the title feat(config): deprecate bare _auth & _authToken feat(config): Deprecate & warn on bare _auth & _authToken Aug 22, 2022
@darcyclarke darcyclarke assigned nlf and unassigned fritzy Aug 23, 2022
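
The distinction this thread draws, between a bare `_authToken` and one scoped to a specific registry, can be checked mechanically in an `.npmrc`. The following is an added example, not code from npm or from this issue: it assumes the registry-scoped key form `//host/path/:key=value`, and the function names and the sample file are constructed for illustration.

```javascript
// Added example (not npm's code): find credentials in .npmrc text that are
// not scoped to a registry. Scoped form assumed: //host[:port]/path/:key=value
// Bare keys the issue marks for deprecation warnings (email is left alone).
const BARE_KEYS = new Set(['_auth', '_authToken', 'username', 'password']);
// Credential names accepted after the registry prefix in the scoped form.
const SCOPED_KEYS = new Set(['_auth', '_authToken', 'username', '_password']);

// Return [{ line, key, scope }] for credential entries; scope is null when
// bare. Values are never returned, so secrets do not end up in reports.
function auditNpmrc(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const entry = raw.trim();
    if (!entry || entry.startsWith(';') || entry.startsWith('#')) return;
    const eq = entry.indexOf('=');
    if (eq === -1) return;
    const key = entry.slice(0, eq).trim();
    if (key.startsWith('//')) {
      const colon = key.lastIndexOf(':'); // last colon splits scope from name
      const name = key.slice(colon + 1);
      if (colon > 2 && SCOPED_KEYS.has(name)) {
        findings.push({ line: i + 1, key: name, scope: key.slice(0, colon) });
      }
    } else if (BARE_KEYS.has(key)) {
      findings.push({ line: i + 1, key, scope: null });
    }
  });
  return findings;
}

// One warning string per bare (unscoped) credential.
function bareAuthWarnings(text) {
  return auditNpmrc(text)
    .filter((f) => f.scope === null)
    .map((f) => `line ${f.line}: bare "${f.key}" is not scoped to a registry`);
}

// Constructed sample; token values are placeholders.
const SAMPLE_NPMRC = [
  '; constructed sample',
  'registry=https://registry.npmjs.org/',
  '_authToken=PLACEHOLDER_TOKEN',
  '//registry.npmjs.org/:_authToken=PLACEHOLDER_TOKEN',
  '//localhost:4873/:_authToken=PLACEHOLDER_TOKEN',
  'username=alice',
  'email=alice@example.com',
].join('\n');
console.log(bareAuthWarnings(SAMPLE_NPMRC).join('\n'));
```

The report carries only line numbers and key names, so it can be logged or attached to a CI result without exposing the credential itself.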