npm@6.6.0 broke authentication with npm-registry-couchapp

What I Wanted to Do

Run npm-registry-couchapp and publish a package.

What Happened Instead

With npm@6.6.0, npm publish returns the error npm ERR! 403 Forbidden - PUT http://localhost:25986/registry/_design/app/_rewrite/publish - forbidden

Reproduction Steps

  • Install npm-registry-couchapp and create a user (or use the docker image from https://github.com/semantic-release/npm-registry-docker)
  • Create a package.json and a .npmrc file with _auth (user/pass created on npm-registry-couchapp formatted as <username>:password in base64) and email (email of the user created on npm-registry-couchapp)
  • run npm publish --registry http://localhost:25986/registry/_design/app/_rewrite

With npm@6.5.0 the package is published. With npm@6.6.0 the 403 error is returned.

Details

The problem comes from the missing name under _npmUser in the JSON sent to the registry.

In npm@6.5.0 the JSON sent to the registry is:

"versions": {
  "1.0.0": {
    "_id": "publish@1.0.0",
    "_nodeVersion": "11.4.0",
    "_npmUser": {
      "email": "integration@test.com",
      "name": "integration"
    },
    "_npmVersion": "6.5.0",
    "dist": {...},
    "maintainers": [
      {
        "email": "integration@test.com",
        "name": "integration"
      }
    ],
    ...
  }
}

While in npm@6.6.0 the JSON sent to the registry is:

"versions": {
  "1.0.0": {
    "_id": "publish@1.0.0",
    "_nodeVersion": "11.4.0",
    "_npmUser": {
      "email": "integration@test.com"
    },
    "_npmVersion": "6.6.0",
    "dist": {...},
    "maintainers": [
      {
        "email": "integration@test.com"
      }
    ],
    ...
  }
}

Thanks for reporting this, and including so much detail! We expected some surprise breakage because 6.6.0 includes a fairly major refactor/rewrite of internal components, and some stuff didn’t get caught in the (long) prerelease period. I’ve made an internal ticket for this and expedited it. I don’t have a timeline for you but I intend to have this fixed.

If you or anyone else wants to take a look at this, it’s probably an issue in npm-registry-fetch's authentication logic.

@zkat I created a PR https://github.com/npm/libnpmpublish/pull/3 to fix this.

I’ve merged the PR and updated npm’s deps. It will be included in npm@6.7.0 when it gets released.

I tried again with npm@6.7.0 and the problem is still the same, the _npmUser contains only email.

The PR https://github.com/npm/libnpmpublish/pull/3 doesn't solve the problem; it just changes the property username to name. The problem is that that property, whether named name or username, ends up not being present in the JSON sent to the repo.

I imagine in the case of a legacy token that auth.username ends up being undefined.

Posted my hunch here about how to solve it properly.

@pvdlg @evocateur I published a new version of npm-registry-fetch with changes to make it understand foo:bar-encoded _auth, which I believe was the missing piece when I ported getCredentialsByURI.

I’ve also published a new canary as npmc@6.7.0-canary.0 which SHOULD resolve this, I believe. I’ve also written a test for libnpmpublish that I believe verifies this behavior.

You can try out the canary with npx npmc@latest publish.
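To make concrete what the Details section of the report and the explanation of the fix above are describing, here is an added example (not code from npm, npm-registry-fetch or libnpmpublish) of how a publish client can derive the name that goes into _npmUser and maintainers from .npmrc-style credentials. It handles the three shapes a client sees: a bearer _authToken (the "legacy token" case, where no username can be derived locally), username plus base64 _password, and the base64("<username>:<password>") _auth form that the thread says was the missing piece. The function names (parseNpmrc, getCredentials, buildNpmUser, demo) and the sample .npmrc are this example's own assumptions; the password deliberately contains a colon so the split-on-first-colon rule is exercised.

```javascript
// Added example, not npm's own code. Demonstrates deriving the publisher
// identity for _npmUser / maintainers from .npmrc-style credentials, including
// the legacy `_auth` = base64("<username>:<password>") form.

// Parse a minimal .npmrc text into key/value pairs.
// Constructed subset only: real .npmrc files also have scoped and per-registry keys.
function parseNpmrc(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    // Split on the first '=' only: base64 values may end in '=' padding.
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Normalize credentials. Returns { username, password, email } for Basic-style
// credentials, { token, email } for a bearer token, or null if nothing usable.
function getCredentials(config) {
  const email = config.email;
  if (config._authToken) {
    // Bearer token: only the registry knows which user it maps to, so
    // username stays undefined here (the case the thread calls a legacy token).
    return { token: config._authToken, email };
  }
  if (config.username && config._password) {
    // _password is stored base64-encoded in .npmrc.
    return {
      username: config.username,
      password: Buffer.from(config._password, 'base64').toString('utf8'),
      email,
    };
  }
  if (config._auth) {
    // Legacy form: base64("<username>:<password>"). Split on the FIRST colon
    // only, because the password itself may contain colons.
    const decoded = Buffer.from(config._auth, 'base64').toString('utf8');
    const colon = decoded.indexOf(':');
    if (colon === -1) {
      throw new Error('_auth is not base64("<username>:<password>")');
    }
    return {
      username: decoded.slice(0, colon),
      password: decoded.slice(colon + 1),
      email,
    };
  }
  return null;
}

// Build the _npmUser / maintainers entry for a publish document.
// Refuses to emit { email } with no name, which is exactly the shape
// npm-registry-couchapp rejected with 403 in the thread.
function buildNpmUser(creds) {
  if (!creds || !creds.username || !creds.email) {
    throw new Error('cannot determine publisher name/email from credentials');
  }
  return { name: creds.username, email: creds.email };
}

// Constructed .npmrc mirroring the reproduction: user "integration",
// password "s3cret:pw" (colon on purpose), email from the report.
const sampleNpmrc = [
  '# constructed example, not a real credential',
  `_auth=${Buffer.from('integration:s3cret:pw').toString('base64')}`,
  'email=integration@test.com',
].join('\n');

// Run the whole chain on the sample .npmrc and return the pieces for inspection.
function demo() {
  const config = parseNpmrc(sampleNpmrc);
  const creds = getCredentials(config);
  const npmUser = buildNpmUser(creds);
  return { creds, npmUser };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints the decoded credentials and an _npmUser of the form {"name":"integration","email":"integration@test.com"}; feeding it a token-only config instead makes buildNpmUser throw rather than silently producing the name-less object that triggered the 403.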

Awesome @zkat, thanks for the quick turnaround!

Thanks @zkat! It’s working now.

Great! I’m probably not gonna rush out a release for this one but we’re planning a release next week. Are you ok using the canary in the meantime? It’s just 6.7.0 plus this patch right now.

no problem, man

It’s not really urgent, next week is really fine. Thanks!
