403 error while installing scoped packages using yarn

[prasannamestha]

Describe the bug

I am using verdaccio on a DigitalOcean instance and it seems that yarn package manager is not sending the authorization header while fetching the tarball. The GET request before fetching the tarball received the header, but the next request for fetching the tarball does not have the auth token.

Note that this problem only exists with yarn. It works fine with npm package manager. I suspect that the connections are closed after the initial request while installing via yarn (see the screenshot below)

To Reproduce

This bug can be reproduced by publishing a verdaccio instance to a digitalocean server with nginx.

1. publish a scoped package. @myscope/mypackage
2. Make the install access to only authenticated users
3. Use yarn to install the package: yarn add @myscope/mypackage (update the .npmrc to set the authtoken and the registry for the scope)

Expected behavior

The installation should work fine via yarn package manager.

Screenshots

Configuration File (cat ~/.config/verdaccio/config.yaml)
default config

Environment information

ubuntu server 16.0.4

Debugging output

• $ NODE_DEBUG=request verdaccio display request calls (verdaccio <--> uplinks)
• $ DEBUG=express:* verdaccio enable extreme verdaccio debug mode (verdaccio api)
• $ npm -ddd prints:
• $ npm config get registry prints:

[juanpicado]

Have you tried https://verdaccio.org/docs/en/cli-registry#yarn ?

[prasannamestha]

yes, I get the same result. The issue is not with login, but as shown in the screenshot, yarn does not seem to be sending back the authToken (authorization header) while fetching the tarball only. The request before fetching the tarball was successful (and also consisted of the authorization header)

[juanpicado]

I mean if you have always-auth=true in your .npmrc file or .yarnrc

[prasannamestha]

yes. I also have set the correct registry and authToken for the same.

[juanpicado]

In such case, if the package manager is not sending the token, you have few options

• I'd refer to their forum
• I'd try to reproduce with yarn v2
• I'd try to reproduce with npm and pnpm

If the token is no in the request header I cannot do much for helping you.

[prasannamestha]

Well, installing the same package via localhost installs perfectly. But the problem only exists when we deploy the code on a cloud server.

I am going through the codebase of yarn as well, but this could be a bug in verdaccio as well as the connections are closed on a cloud service. Here's a similar bug raised under yarn yarnpkg/yarn#3433 but the same bug persists after deploying the instance to cloud

[prasannamestha]

Okay, this issue occurs when the tarball name does not match with the requested package name.

For example, if you have a scoped package such verdaccio and then you modify a part of your logic to return with the same package when the user requests @verdaccio/verdaccio then yarn does not send the authorization header even though you had set always-auth=true. In order to solve this you need to ensure that the requested package name matches with the tarball name (or at least the package name used in yarn add command should be the same).

Note that this issue only occurs with yarn and is likely an issue with the yarn package manager and the way it makes the requests.

Thank you @juanpicado for your time on this :)