yarn npm login is not compatible with verdaccio #1044

Closed
jeffrson opened this issue Mar 7, 2020 · 26 comments · Fixed by #5983
Labels
bug Something isn't working good first issue Good for newcomers upholded Real issues without formal reproduction

jeffrson commented Mar 7, 2020

Describe the bug

I have a private npm registry implemented by verdaccio which requires login for any access. When a certain user does not yet exist in the registry, yarn npm login succeeds. However, as soon as this user tries to log in again with the same command, there's an HTTP error 409 (conflict).

I had reported this against verdaccio (verdaccio/verdaccio#1737), since yarn2 login works fine for registry.yarnpkg.com. However, this was before I realized that new users may be created without problems.

To Reproduce

I'm sorry that I don't see how I could provide the repro with Sherlock :-(

1 You would have to install verdaccio, globally or locally, with yarn or npm and run it like this
[yarn run] verdaccio -c conf.yml with this conf.yml:

storage: ./storage

auth:
  htpasswd:
    file: ./htpasswd

security:
  api:
    jwt:
      sign:
        expiresIn: 30d
        notBefore: 0
  web:
    sign:
      expiresIn: 7d

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

  '**':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

logs:
  - {type: file, path: verdaccio.log, level: trace}

2 Furthermore I save this as .yarnrc.yml (you'd have to correct yarnPath, obviously)

yarnPath: "...\\.yarn\\releases\\yarn-berry.js"

unsafeHttpWhitelist:
  - "localhost"

npmRegistryServer: "http://localhost:4873"

3 Execute yarn npm login two times - the first will succeed, the second fail with a message like this:

➤ YN0001: HTTPError: Response code 409 (Conflict)
at EventEmitter. (...\releases\yarn-berry.js:24:327728)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
➤ YN0000: Failed with errors in 4.09s

Environment if relevant (please complete the following information):

  • OS: [e.g. OSX, Linux, Windows, ...] windows 10
  • Node version [e.g. 8.15.0, 10.15.1, ...] 12.16.1
  • Yarn version [e.g. 2.0.0-rc1, ...] 2.0.0rc29

const cp = require('child_process')
const fs = require('fs')


const verdaccioConf=`
storage: ./storage

auth:
  htpasswd:
    file: ./htpasswd

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

  '**':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

logs:
  - {type: stdout, format: pretty, level: http}
`
fs.writeFileSync('config.yaml', verdaccioConf)


const htpasswd = `
test:$6FrCaT/v0dwE:autocreated 2020-06-09T16:43:43.706Z
`
fs.writeFileSync('htpasswd', htpasswd)


const yarnrc = `
unsafeHttpWhitelist:
  - "localhost"

npmRegistryServer: "http://localhost:4873"
`
fs.writeFileSync('.yarnrc.yml', yarnrc)


await packageJsonAndInstall({
  dependencies: {
    'verdaccio': '4.5.1'
  }
})

cp.spawn('./node_modules/.bin/verdaccio')

await new Promise(resolve => setTimeout(resolve, 5000)) // a bit of a delay

const output = await yarn('yarn', 'npm', 'login') // test, test
expect(output).not.toContain('Response code 409 (Conflict)')
@jeffrson jeffrson added the bug Something isn't working label Mar 7, 2020

ringods commented Apr 3, 2020

I was able to reproduce this easily with Yarn 2.0.0-rc.31.
I ran verdaccio via the default Docker image:

$ docker run -it --rm --name verdaccio -p 4873:4873 verdaccio/verdaccio

Then first create a user via:

$ npm adduser --registry http://localhost:4873

Then configure the local registry in your .yarnrc.yml file:

npmScopes:
  testscope:
    npmPublishRegistry: "http://localhost:4873"
    npmRegistryServer: "http://localhost:4873"
    npmAlwaysAuth: true
unsafeHttpWhitelist:
  - "localhost"

followed by:

$ yarn npm login -s testscope

If you use the same credentials from adduser, the yarn login will fail and you will see the following error message from the Verdaccio process:

http <-- 409, user: null(172.17.0.1), req: 'PUT /-/user/org.couchdb.user:ringods', error: username is already registered

@yarnbot yarnbot added the stale Issues that didn't get attention label Jun 9, 2020

jeffrson commented Jun 9, 2020

Tried a repro - still I don't know how to simulate input to "yarn npm login". Maybe someone could enlighten me...

I'm not sure if this will help to fix the bug, though.

@yarnbot yarnbot added the broken-repro The reproduction in this issue is broken label Jun 9, 2020

jeffrson commented Jun 9, 2020

Also it does not seem to allow to start verdaccio...

@jeffrson
Author

BTW, if I copy the auth-token received by "npm login" into .yarnrc.yml the registry can be accessed without probs.

@therealalexmois

> BTW, if I copy the auth-token received by "npm login" into .yarnrc.yml the registry can be accessed without probs.

Hi! It didn't help me. I add a new user into Verdaccio, then copy the authToken into .yarnrc.yml and I keep getting an HTTP error with code 409.


bgotink commented Jul 23, 2020

The verdaccio logs show that npm has some extra logic when a 409 is returned:

# yarn npm login -s testscope
 http <-- 409, user: null(172.17.0.1), req: 'PUT /-/user/org.couchdb.user:bram', error: username is already registered

# npm login --registry http://localhost:4873
 http <-- 404, user: null(172.17.0.1), req: 'POST /-/v1/login', bytes: 24/150
 http <-- 409, user: null(172.17.0.1), req: 'PUT /-/user/org.couchdb.user:bram', error: username is already registered
 http <-- 200, user: null(172.17.0.1), req: 'GET /-/user/org.couchdb.user:bram?write=true', bytes: 0/51
 http <-- 201, user: bram(172.17.0.1), req: 'PUT /-/user/org.couchdb.user:bram/-rev/undefined', bytes: 166/85

The logic in question can be found here: https://github.com/npm/npm-profile/blob/6b643238ff7e1e6ec5544b0771142a8d0c537925/index.js#L162
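
The sequence in the npm log lines above, written out as client logic. This is an added example, not part of the original comment and not npm's or Yarn's own code; `send` is a hypothetical injected transport, and the mock registry is constructed to return the status codes seen in this thread (the 401 for bad Basic credentials is an assumption). Note that the password only moves into an `Authorization` header after the 409.

```javascript
// Added example. `send(method, path, {authorization, body})` is a hypothetical
// transport returning {status, json}; wire it to a real HTTP client in practice.
async function loginWithConflictFallback(send, username, password) {
  const path = `/-/user/org.couchdb.user:${encodeURIComponent(username)}`;
  const doc = {
    _id: `org.couchdb.user:${username}`,
    name: username,
    password,
    type: 'user',
    roles: [],
    date: new Date().toISOString(),
  };

  // Step 1: unauthenticated PUT. Creates the user, or returns 409 if it exists.
  const created = await send('PUT', path, { body: doc });
  if (created.status === 201) return created.json.token;
  if (created.status !== 409) throw new Error(`login failed: HTTP ${created.status}`);

  // Step 2: the user exists, so authenticate with HTTP Basic from here on.
  const authorization =
    'Basic ' + Buffer.from(`${username}:${password}`).toString('base64');
  const current = await send('GET', `${path}?write=true`, { authorization });
  if (current.status !== 200) throw new Error(`login failed: HTTP ${current.status}`);

  // Step 3: write a new revision of the user document; the reply carries the token.
  const revised = await send('PUT', `${path}/-rev/${current.json._rev}`, {
    authorization,
    body: { ...current.json, ...doc },
  });
  if (revised.status !== 201) throw new Error(`login failed: HTTP ${revised.status}`);
  return revised.json.token;
}

// Constructed in-memory registry (not Verdaccio itself). `users` maps name -> password.
function makeMockRegistry(users) {
  const log = [];
  const send = async (method, path, { authorization, body } = {}) => {
    const name = decodeURIComponent(path.match(/org\.couchdb\.user:([^/?]+)/)[1]);
    const basic = 'Basic ' + Buffer.from(`${name}:${users[name]}`).toString('base64');
    let res;
    if (method === 'PUT' && !path.includes('/-rev/')) {
      if (name in users) {
        res = { status: 409, json: { error: 'username is already registered' } };
      } else {
        users[name] = body.password;
        res = { status: 201, json: { token: `tok-${name}` } };
      }
    } else if (!(name in users) || authorization !== basic) {
      res = { status: 401, json: {} }; // assumed rejection for bad credentials
    } else if (method === 'GET') {
      res = { status: 200, json: {} }; // no _rev, hence "/-rev/undefined" in the log
    } else {
      res = { status: 201, json: { token: `tok-${name}` } };
    }
    log.push(`${method} ${path} -> ${res.status}`);
    return res;
  };
  return { send, log };
}
```

A client that stops at step 1 reproduces the failure reported in this issue: the first login creates the user, every later one ends at the 409.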

@bgotink bgotink added upholded Real issues without formal reproduction and removed broken-repro The reproduction in this issue is broken labels Jul 23, 2020
@yarnbot yarnbot added the broken-repro The reproduction in this issue is broken label Jul 23, 2020

bgotink commented Jul 23, 2020

I've removed the repro tag from the OP. Even though it's probably possible to get it running in sherlock, it would be hard to do and it's easy enough to reproduce manually.

@bgotink bgotink added good first issue Good for newcomers and removed broken-repro The reproduction in this issue is broken stale Issues that didn't get attention labels Jul 23, 2020
@juanpicado
Contributor

I'll give it a try 🤞


dmoosocool commented Oct 21, 2020

any news here?

npmAlwaysAuth: true
npmAuthToken: xxxxMyToken

npmRegistryServer: "http://localhost:4873"

npmScopes:
  myscope:
    npmAlwaysAuth: true
    npmAuthToken: xxxxMyToken
    npmPublishRegistry: "http://localhost:4873"
    npmRegistryServer: "http://localhost:4873"

unsafeHttpWhitelist:
  - localhost

$ yarn npm login
➤ YN0000: Logging in to http://localhost:4873

✔ Username: · dmoosocool
✔ Password: · *************

➤ YN0001: HTTPError: Response code 409 (Conflict)
    at se.<anonymous> (/.yarn/releases/yarn-sources.cjs:23:10082)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
➤ YN0000: Failed with errors in 11s 413ms

$ yarn npm whoami
➤ YN0000: undefined
➤ YN0000: Done in 0s 49ms

$ yarn npm publish
➤ YN0041: Invalid authentication (as an unknown user)
➤ YN0000: Failed with errors in 0s 150ms

@XavierChevalier

I have exactly the same problem as @dmoosocool, any news?


XavierChevalier commented Jan 25, 2021

I designed a temporary fix.

I created a file named .yarn/publish.sh in which I change the version of Yarn on the fly in the .yarnrc.yml. This allows publishing with the 1.22.10 version and then switching back to the "Berry" version of Yarn.

# This is a temporary fix allowing to publish the package.
# Indeed, there is a bug under Yarn Berry that prevents deployment on Verdaccio.
# @see https://github.com/yarnpkg/berry/issues/1044
# @see https://github.com/verdaccio/verdaccio/issues/1737
sed -i "s/yarnPath: .*/yarnPath: \.yarn\/releases\/yarn-1.22.10.cjs/" .yarnrc.yml
yarn publish
sed -i "s/yarnPath: .*/yarnPath: \.yarn\/releases\/yarn-berry.cjs/" .yarnrc.yml

When you want to publish, do not run yarn npm publish, but rather ./.yarn/publish.sh.

@thefrana

Any progress on this?

@juanpicado juanpicado removed their assignment Jun 1, 2021
@juanpicado
Contributor

I'm unassigning myself here; more details are in verdaccio/verdaccio#1737 (comment), and here is the PR I opened: #1848. Anyone, feel free to keep contributing.


IhToN commented Nov 3, 2021

After playing with Wireshark, a non-https request and Yarn Berry I was able to replicate the same behavior on Postman.

It looks like yarn npm login is not adding the Authorization header but just the user and password in the body request. For whatever reason, that's making verdaccio not use the authorization process but the adduser process.

As extra info, it doesn't launch the authorization nor the adduser process from all the plugins as I'm using verdaccio-azure-ad-login and this one does not display any of the debug messages it displays when using npm login.


korniychuk commented Feb 7, 2022

Temporary workaround:

  1. Login with NPM
  2. Copy-paste generated token from ~/.npmrc to ~/.yarnrc.yml.
❯ cat ~/.npmrc
//npm.my-project.pro/:_authToken="GAOEuaeouaoEUo+u3=="

❯ cat ~/.yarnrc.yml
npmRegistries:
  "https://npm.my-project.pro":
    npmAuthToken: GAOEuaeouaoEUo+u3==

Then yarn npm publish for verdaccio works fine.


Jim-Bar commented Feb 11, 2022

Same issue with yarn 3.1.1 here and Verdaccio 3.2.0, but I can confirm that the workaround of @korniychuk works.


v4dkou commented Jun 19, 2022

Same issue with yarn 3.2.1 and Verdaccio 4.6.2.


jeffrson commented Nov 20, 2022

Unfortunately, this still is an issue with current Verdaccio 5.17 and yarn 3.3.0 as well as 4.0.0rc30.

Comparing Wireshark logs for npm and yarn with the same prerequisites (no token in .npmrc or .yarnrc.yml), it can be seen that npm receives "409 conflict (user exists)" just as yarn does. However, while yarn stops at that moment, npm continues in a kind of "login flow", finally creating a token and logging in successfully. This is the relevant source of npm:
https://github.com/npm/npm-profile/blob/main/lib/index.js#L181

OTOH, if there is a token in .npmrc and .yarnrc.yml, npm sends the token with the request while yarn doesn't. As such, there's no "409" for npm, but for yarn it remains.

Essentially, this is what @juanpicado tries to address in the PR - any chance this will be fixed for 4.0?


Daolot commented Apr 13, 2023

Same issue


usrrname commented Jun 4, 2023

Feel like I'm late to the party but discovering this issue in 2023. 😆


nnmax commented Aug 15, 2023

Same issue with yarn 3.6.1 and Verdaccio 5.26.1.

demurgos added a commit to demurgos/berry that referenced this issue Nov 19, 2023
This commit fixes `yarn npm login` when the remote registry is Verdaccio.

When a user already exists, the registry replies with `409 Conflict`. The official npm client then retrieves the latest user state and inserts a revision, using HTTP basic authentication. This step was missing, and this commit adds it.

The change was tested to work with a private Verdaccio registry. It should now be as reliable as the official npm client.

- Closes yarnpkg#1044
- Closes verdaccio/verdaccio#1737

demurgos commented Nov 19, 2023

I was able to fix the issue locally; it works with my private Verdaccio instance. I sent a Yarn PR: #5983

demurgos added a commit to demurgos/berry that referenced this issue Nov 19, 2023
This commit fixes `yarn npm login` when the remote registry is Verdaccio.

When a user already exists, the registry replies with `409 Conflict`. The official npm client then retrieves the latest user state and inserts a revision, using HTTP basic authentication. This step was missing, and this commit adds it.

The change was tested to work with a private Verdaccio registry. It should now be as reliable as the official npm client.

- Closes yarnpkg#1044
- Closes yarnpkg#1848
- Closes verdaccio/verdaccio#1737
arcanis pushed a commit that referenced this issue Nov 28, 2023
**What's the problem this PR addresses?**

This commit fixes `yarn npm login` when the remote registry is
Verdaccio.

- Closes #1044
- Closes #1848
- Closes verdaccio/verdaccio#1737

...

**How did you fix it?**

When a user already exists, the registry replies with `409 Conflict`.
The official npm client then retrieves the latest user state and inserts
a revision, using HTTP basic authentication. This step was missing, and
this commit adds it.

The change was tested to work with a private Verdaccio registry. It
should now be as reliable as the official npm client.

...

**Checklist**
- [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing).
- [x] I have set the packages that need to be released for my changes to be effective.
- [x] I will check that all automated PR checks pass before the PR gets reviewed.
merceyz pushed a commit that referenced this issue Jan 30, 2024
(cherry picked from commit db6210f)