Send auth token if one exists for registry (#167, #105)

[rexxars]

TL;DR: This adds the auth token for requests to registries that npm already knows about. In other words, do an npm adduser first, then use pnpm as you normally would.

Hi!

We're using a private Sinopia registry where I work, which requires authentication. Right now, pnpm can't be used in projects where we have a mixture of "external" and "internal" dependencies, because it doesn't send any auth info (which results in the registry sending a 403).

I've made a simple module that extracts the auth token set in .npmrc (if one exists) and added that as a dependency. I couldn't quite make out the official client signs requests and in which cases always-auth is used. For our internal registry, I have not set always-auth, yet it still authenticates GET-requests. So for now, I'm just always sending the auth token, if it exists.

I also didn't want to send the auth token if the client isn't communicating over HTTPS, since that would be pretty insecure. Not sure if there should be some sort of setting for being able to send it even over HTTP - feedback is welcome.

[rexxars]

I think this one might solve #105, but not 100% sure because I still can't make out exactly how always-auth works.

[rstacruz]

This looks interesting. Can anyone familiar with private npm registries vouch for this? @abhishekisnot

[rstacruz]

I'd love to merge this now, but I'd really like to clarify the always-auth point first. Thanks for the contribution.

[osdevisnot]

We use few private packages which need auth. If this is merged I can probably contribute towards testing this feature.

[rexxars]

It seems like there is a bug in relation to scoped modules and creation of symlinks - are you aware of this @rstacruz? This PR works fine if there is a single scoped module, but often (always?) fails if there is multiple scoped modules within the same scope.

Should I try to reproduce this issue, or is this a known issue?

[rexxars]

Any ideas?

[jrnail23]

Is this issue resolved?
Is it possible to use pnpm to install private modules? If so, how do I do it?

thanks in advance!

[zkochan]

@jrnail23, it should work the same way as the regular npm cli. Try to log in via https://docs.npmjs.com/cli/adduser and then install some of your private packages.

The scoped packages issue described above was fixed as well

[vjpr]

This is not working for me.

I am getting a module not found message.

This is my ./npmrc. Can someone confirm that private modules are working?

@foo:registry = "https://registry.npmjs.org"
always-auth = true
registry = "http://registry.npmjs.org/"
save = false
save-exact = false
save-prefix = "^"
strict-ssl = false

[rexxars]

I think there has been a regression lately - I've experienced the same issue. Don't have time to investigate right now, but maybe @zkochan knows what has changed since this was merged?

[zkochan]

I am sorry guys. I might have broken it because it was not covered with tests and we have rewritten pnpm to use npm-registry-client.

The good news are that now we test pnpm using sinopia and we can cover this with tests I think. So I'll create an issue for that and if it is broken we'll fix it

[zkochan]

I am not sure when I'll be able to look into it (probably tomorrow or maybe tonight). But if someone wants to fix it ASAP the code that needs to be revisited is here and check how authorization works on npm-registry-client

[zkochan]

@vjpr I just published a fix. Install the latest pnpm and private packages should work