Can’t install scoped packages – E401 Unauthorized

registry
priority:critical
triaged

(Mikol Graves) #1

What I Wanted to Do

npm install --save-dev @babel/helper-module-imports

What Happened Instead

npm ERR! code E401
npm ERR! 401 Unauthorized: @babel/helper-module-imports@latest

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/mikol/.npm/_logs/2018-11-28T00_23_06_962Z-debug.log

Reproduction Steps

This seems to be a problem with scoped (@…/…) packages, not others.

Details

0 info it worked if it ends with ok
1 verbose cli [ '/Users/mikol/.nvm/versions/node/v9.8.0/bin/node',
1 verbose cli   '/Users/mikol/.nvm/versions/node/v9.8.0/bin/npm',
1 verbose cli   'install',
1 verbose cli   '--save-dev',
1 verbose cli   '@babel/helper-module-imports' ]
2 info using npm@6.4.1
3 info using node@v9.8.0
4 verbose npm-session a53b71997cb98b00
5 silly install loadCurrentTree
6 silly install readLocalPackageData
7 http fetch GET 401 https://registry.npmjs.org/@babel%2fhelper-module-imports 239ms
8 silly fetchPackageMetaData error for @babel/helper-module-imports@latest 401 Unauthorized: @babel/helper-module-imports@latest
9 timing stage:rollbackFailedOptional Completed in 1ms
10 timing stage:runTopLevelLifecycles Completed in 1512ms
11 verbose stack Error: 401 Unauthorized: @babel/helper-module-imports@latest
11 verbose stack     at fetch.then.res (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/pacote/lib/fetchers/registry/fetch.js:42:19)
11 verbose stack     at tryCatcher (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
11 verbose stack     at Promise._settlePromiseFromHandler (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:512:31)
11 verbose stack     at Promise._settlePromise (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:569:18)
11 verbose stack     at Promise._settlePromise0 (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:614:10)
11 verbose stack     at Promise._settlePromises (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:693:18)
11 verbose stack     at Async._drainQueue (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:133:16)
11 verbose stack     at Async._drainQueues (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:143:10)
11 verbose stack     at Immediate.Async.drainQueues [as _onImmediate] (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:17:14)
11 verbose stack     at runCallback (timers.js:763:18)
11 verbose stack     at tryOnImmediate (timers.js:734:5)
11 verbose stack     at processImmediate (timers.js:716:5)
12 verbose cwd /Users/mikol/src/com/styra/ui
13 verbose Darwin 16.7.0
14 verbose argv "/Users/mikol/.nvm/versions/node/v9.8.0/bin/node" "/Users/mikol/.nvm/versions/node/v9.8.0/bin/npm" "install" "--save-dev" "@babel/helper-module-imports"
15 verbose node v9.8.0
16 verbose npm  v6.4.1
17 error code E401
18 error 401 Unauthorized: @babel/helper-module-imports@latest
19 verbose exit [ 1, true ]

Platform Info

$ npm --versions
{ 'styra-ui': '0.0.0',
  npm: '6.4.1',
  ares: '1.13.0',
  cldr: '32.0.1',
  http_parser: '2.7.0',
  icu: '60.2',
  modules: '59',
  napi: '2',
  nghttp2: '1.29.0',
  node: '9.8.0',
  openssl: '1.0.2n',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.2',
  v8: '6.2.414.46-node.21',
  zlib: '1.2.11' }
$ node -p process.platform
darwin

E401 Unauthorized - Node 6
error 401 when installing eslint
error 401when installing packages
(Ian Remmel) #2

Someone on my team reported a similar issue and said that npm logout/npm login fixed it for him. I haven’t had a chance to confirm, but hopefully that gets you unstuck until someone at npm can investigate.


(Ian Remmel) #3

I’m unable to reproduce the issue with an anonymous user or with a new token. I don’t seem to have any machines that were previously logged in


(Jeff Lembeck) #4

I’m curious if npm whoami returns a value for you.

That being said, logging out and logging back in should do the trick. This looks like a case of a bad token.


(Mikol Graves) #5

I don’t believe that I have ever signed in from the CLI…

 > npm whoami
npm ERR! code EAUTHUNKNOWN
npm ERR! Unable to authenticate, need: Basic, Bearer

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/mikol/.npm/_logs/2018-11-28T06_54_48_496Z-debug.log

And I’m not sure how I’d sign out.

The scoped packages I am trying to install are public, if that makes a difference.


(Mikol Graves) #6
 > npm logout
npm ERR! code EAUTHUNKNOWN
npm ERR! Unable to authenticate, need: Basic, Bearer

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/mikol/.npm/_logs/2018-11-28T06_58_41_076Z-debug.log

(Mikol Graves) #7

Okay, strangely… Though I have never npm login, I did so. I was able to install the public scoped package. I then npm logout, and I was able to install the same package.

Wondering why this happened at all?! I’ve been using npm for years, never logged in once and never saw anything like this before. :thinking:

Thanks for your help!


(Will Butler) #8

Looks like we have a workaround, but this is still an issue. I’ve never had to log in to download public scoped packages in the past.


(Øyvind Bø) #9

This also happens in all our Travis builds during npm audit. Seems to be related.


(Bhaskara) #10

I am getting a similar error for npm audit.

Debug log

7 http fetch POST 401 https://registry.npmjs.org/-/npm/v1/security/audits 187ms
8 verbose stack Error: Unable to authenticate, need: Bearer
8 verbose stack     at res.buffer.catch.then.body (/usr/local/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:89:17)
8 verbose stack     at <anonymous>
8 verbose stack     at process._tickCallback (internal/process/next_tick.js:188:7)

npm audit works if I delete the token from the .npmrc file.


(Erick Wilder) #11

I have the same with npm audit - Is this something related to the vulnerabilities found with event-stream this week? I’ve revoked all my tokens, created new ones and our CI server is still having issues to run npm audit


(Keith Jackson) #12

I have had exactly the same issue - I’ve never logged in as everything I use or publish is public. Unable to access scoped packages.


(Roman Nuritdinov) #13

Hmm, that’s strange. I have also the issue, but status.npmjs.org told me all things are OK.

UPD

npm logout and npm login made that fixing magic.


(Erick Wilder) #14

Unfortunately, this is not working for us. Our CI is docker-based and the images doesn’t have any reference of the user owning the token. The simple presence of it would be enough to guarantee that we can interact with NPM servers. I can also confirm that this issue is not limited to npm audit as we can’t install our own private (scoped) packages as well.


(Mark Pradhan) #15

There is an issue with yarn as well:



(Josh Duff) #16

I observed this as well.

I attempted to install a public user-scoped package with npm@6.4.1 while not logged in, and got a 401.

After logging in, the same install command completed without any errors.


(Josh Duff) #17

A buddy sitting next to me was able to install the same package with npm@5 while not logged in.

In the package.community npm chat, @fharper said “We made architectural changes that return 401 with invalid token even if the action didn’t require you to be logged”

This suggests that npm@6 is sending an invalid token while trying to install user-scoped packages while not logged in, while npm@5 is not sending a token in that same case.


(Josh Duff) #18

I worked through the issue with @fharper’s help.

When this error happens, it’s not because you are not logged in - it is because you were logged in at some point in the past, but the locally-stored auth token is expired/invalid.

If you run into this error, you probably don’t even have to npm login in order to install the package - you just need to npm logout to clear the bad token.


(Ian Remmel) #19

So, how did these tokens go invalid?

Might it be that they’ve been invalid since the event a few months ago, but since they were being used in requests that didn’t need auth, their invalid status was ignored by the API?


(Aron Braggans) #20

Not sure this is the only reason, our docker image for our build process never logs in. I also just did a npm logout, yarn logout and I still get the 401’s . @fharper