[BUG] Automatic authentification on private npm repository no longer works

[yvon-dblg]

Current Behavior:

We use a private nexus repository with an .npmrc file on each project.

Our .npmrc looks like (URL changed for this bug report):

registry=https://our-url.example.com/repository/npm/
_auth=${NEXUS_TOKEN_ENV_VAR}

Since the npm v7.11.0 release we have the following error when we do an npm install in our projects:

npm ERR! code E401
npm ERR! Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"

From a user point of view, this error is similar to the one found in v7.7.0, see #2935

Quick code check

It seems that the changes in npm-registry-fetch are not well integrated in the cli project.
The auth.js -> getAuth() seems to need the forceAuth object in that case.

Expected Behavior:

npm install works as expected.

Steps To Reproduce:

Configure a private repository with basics HTTP auth, and use it with a specific .npmrc in the project, like explain above.

Environment:

OS: Ubuntu 20.04

{
  npm: '7.11.0',
  node: '14.16.1',
  v8: '8.4.371.19-node.18',
  uv: '1.40.0',
  zlib: '1.2.11',
  brotli: '1.0.9',
  ares: '1.16.1',
  modules: '83',
  nghttp2: '1.41.0',
  napi: '7',
  llhttp: '2.1.3',
  openssl: '1.1.1k',
  cldr: '37.0',
  icu: '67.1',
  tz: '2020a',
  unicode: '13.0'
}

[ocofaigh]

+1 - works fine on v7.10.0

[wraithgar]

Under the hood npm is supposed to take that _auth entry and apply it only to your default registry. We'll look into why this isn't happening but for now I believe you can get things working by specifying the authToken specifically a la

registry=https://our-url.example.com/repository/npm/
//our-url.example.com/repository/npm/:_authToken=${NEXUS_TOKEN_ENV_VAR}

[isaacs]

It might have to be:

//our-url.example.com/repository/npm/:_auth=${NEXUS_TOKEN_ENV_VAR}

if it's a base64-encoded username:password pair for basic auth (which the error and your initial .npmrc file seem to be indicating).

[yvon-dblg]

Thanks @isaacs you're tips works.

[leepowelldev]

Same issue here, but happening in Azure - pipeline have been failing all day with 7.11.0 release. We are suddenly facing lots of authentication errors in which 7.10.0 and earlier were fine.

[leepowelldev]

Tarball urls in our package-lock.json look like this:

https://my-organisation.pkgs.visualstudio.com/_packaging/my-registry-name/npm/registry/@jest/types/-/types-24.9.0.tgz

However Azure dynamically generate these .npmrc config settings in our build pipeline to authenticate against the registry:

registry = "https://my-organisation.pkgs.visualstudio.com/_packaging/eedc90c7-2459-44eb-9446-86caaab5d245/npm/registry/" 
//my-organisation.pkgs.visualstudio.com/_packaging/eedc90c7-2459-44eb-9446-86caaab5d245/npm/registry/:_authToken = (protected) 

As you can see Azure uses the registry ID instead of it's name my-registry-name. Pre 7.11.0 this has never been an issue but could the 7.11.0 update of not sending auth details based on urls not matching be happening here and causing the auth headers not to be passed?

[wraithgar]

@leepowelldev Are those the only two lines associated w/ your azure auth in your npmrc?

ETA: also can you add a separate _authToken line for your registry name url?