config: accept auth tokens from environment variables

[mkhl]

As discussed on npm.community, the fact that npm registry authentication tokens cannot be defined using environment variables does not seem justified anymore.

The restriction is caused by the config loader translating

• all _ to -
• the whole variable name to lowercase

while the credential checker expects a key ending in :_authToken.

As suggested, this change fixes the problem by limiting the translation by the config loader to the part before the first colon.

Closes npm/npm#15565

[mkhl]

An alternative more limited approach would be to duplicate this block of code that looks for the …:_authToken config key and letting the copy look for …:-authtoken (lowercase and with a hyphen instead of an underscore).

[zkat]

Yeah, I think we would much rather this be a single special-case for _authToken and nothing else. Could you push that version instead?

[mkhl]

Of course, here you go.

[zkat]

Thanks! This looks great to me! 🎉

[iarna]

The windows environment is not case sensitive, so we should take care to ensure that this works regardless of the case of the env var. (I've not yet checked to see if this is or isn't addressed yet, I just wanted to make sure this requirement was stated.)

[mkhl]

The windows environment is not case sensitive, so we should take care to ensure that this works regardless of the case of the env var.

Yes, thank you for bringing this up, it is one of the problems this change works around:
The config loader translates all env var names to lower case,
then the credential checker looks for one ending in :_authToken
and fails in part due to the uppercase letter in there.

With this change it also tries :-authtoken, matching the behaviour of the config loader,
and the (already present) translation to lower case should ensure that the case of env var names doesn’t matter.

[trevorah]

This feature is really great, but I can't seem to get it working.
Latest npm:

$ npm --version
6.7.0

env var gets read ok:

$ env "npm_config_//registry.npmjs.org/:_authToken=my-secret-token" npm config ls
; cli configs
metrics-registry = "https://registry.npmjs.org/"
scope = ""
user-agent = "npm/6.7.0 node/v8.12.0 darwin x64"

; environment configs
//registry.npmjs.org/:-authtoken = "my-secret-token"

; userconfig /Users/trevorah/.npmrc
always-auth = true

; builtin config undefined
prefix = "/usr/local"

; node bin location = /usr/local/bin/node
; cwd = /Users/trevorah/Development/something
; HOME = /Users/trevorah
; "npm config ls -l" to show all defaults.

but valid token doesn't get used:

$ env "npm_config_//registry.npmjs.org/:_authToken=my-secret-token" npm whoami
npm ERR! code E401
npm ERR! 401 Unauthorized - GET https://registry.npmjs.org/-/whoami

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/trevorah/.npm/_logs/2019-01-29T16_44_41_403Z-debug.log

Am I doing something wrong?

EDIT:
something may be messing up the tokens, as it behaves differently if auth is completely missing:

$ npm whoami
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/trevorah/.npm/_logs/2019-01-29T16_52_19_586Z-debug.log

[pvdlg]

Another issue is that (at least on OSX with bash) the variable name in invalid:

$ export npm_config_//registry.npmjs.org/:_authToken=my-secret-token

export: `npm_config_//registry.npmjs.org/:_authToken=my-secret-token': not a valid identifier