401 when retrieving a package manager binary from an authenticated NPM registry #275

@terryvdgriend

Hi all,

I am running into an issue when trying to use corepack prepare --all against an authenticated NPM registry.

Within our company we use our own NPM registry, which mirrors registry.npmjs.org, to be able to resolve packages within our closed infrastructure. Now I found these COREPACK_NPM_REGISTRY and COREPACK_NPM_TOKEN environment variables, which almost seem to work.

What I have noticed (after some debugging) is that the first request to retrieve the metadata of the package managers is an authenticated request, meaning a request is sent to our custom NPM registry and it contains an Authorization header with the Bearer token.

Now the second request, which downloads the actual package manager's binary, does not contain an Authorization header, which results in a 401 error, as all of the requests to our NPM registry must be authenticated.

When looking into the sources I have noticed that the corepackUtils.ts\installVersion(...) does check if the COREPACK_NPM_REGISTRY is configured and then applies it, but it does not take the authentication environment variables COREPACK_NPM_TOKEN, COREPACK_NPM_USERNAME, COREPACK_NPM_PASSWORD into account.

However, the npmRegistryUtils.ts\fetchAsJson(...) does apply all environment variables when building the request, which explains why the first request is authenticated.

For us (and I assume more people behind an authenticated NPM registry) it would be great if all requests that use the COREPACK_NPM_REGISTRY environment variable would also check if the COREPACK_NPM_TOKEN, COREPACK_NPM_USERNAME, COREPACK_NPM_PASSWORD environment variables are set, in order to create an Authorization header to be sent along with the request.
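An added example, not part of the original post and not Corepack's own code: one helper that both the metadata request and the binary download could call, so the Authorization header is built the same way for each and is attached only when the URL's origin matches COREPACK_NPM_REGISTRY. The function names are hypothetical, and mapping username/password to Basic auth is an assumption (the post only mentions the Bearer token).

```typescript
// Added illustration; authorizationFor and registryHeaders are hypothetical
// names, not functions from the Corepack code base.
type Env = Record<string, string | undefined>;

// Build the Authorization value from the variables named in the issue.
// Assumption: a token becomes "Bearer <token>", a username/password pair
// becomes HTTP Basic. The token takes precedence when both are set.
function authorizationFor(env: Env): string | undefined {
  const token = env["COREPACK_NPM_TOKEN"];
  if (token) {
    return `Bearer ${token}`;
  }
  const user = env["COREPACK_NPM_USERNAME"];
  const pass = env["COREPACK_NPM_PASSWORD"];
  if (user && pass) {
    return `Basic ${Buffer.from(`${user}:${pass}`).toString("base64")}`;
  }
  return undefined;
}

// Headers for any request, metadata or tarball. Credentials are added only
// when the request goes to the same origin (scheme, host, port) as the
// configured registry, so a tarball URL or redirect that points at another
// host never receives the token.
function registryHeaders(url: string, env: Env): Record<string, string> {
  const headers: Record<string, string> = {};
  const registry = env["COREPACK_NPM_REGISTRY"];
  if (!registry) {
    return headers; // no custom registry configured: send nothing
  }
  const sameOrigin = new URL(url).origin === new URL(registry).origin;
  const auth = authorizationFor(env);
  if (sameOrigin && auth) {
    headers["authorization"] = auth;
  }
  return headers;
}
```

Pass `process.env` as the `env` argument; the origin comparison is the part worth keeping if credentials are added to the download path.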
