From c26d708428a96da530092759b5ff6d67c7282348 Mon Sep 17 00:00:00 2001 From: sosoba Date: Wed, 30 Nov 2022 23:36:56 +0100 Subject: [PATCH] fix: validate username at get-identity (#5884) Fix for #5867 (prevent undefined username) Co-authored-by: nlf --- lib/utils/get-identity.js | 4 +++- test/lib/commands/whoami.js | 25 +++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/lib/utils/get-identity.js b/lib/utils/get-identity.js index 41d882473ab7b..d8f59da14247a 100644 --- a/lib/utils/get-identity.js +++ b/lib/utils/get-identity.js @@ -12,7 +12,9 @@ module.exports = async (npm, opts) => { // No username, but we have other credentials; fetch the username from registry if (creds.token || creds.certfile && creds.keyfile) { const registryData = await npmFetch.json('/-/whoami', { ...opts }) - return registryData.username + if (typeof registryData?.username === 'string') { + return registryData.username + } } // At this point, even if they have a credentials object, it doesn't have a diff --git a/test/lib/commands/whoami.js b/test/lib/commands/whoami.js index a4532390bc66b..8291b092dc167 100644 --- a/test/lib/commands/whoami.js +++ b/test/lib/commands/whoami.js @@ -1,6 +1,7 @@ const t = require('tap') const { load: loadMockNpm } = require('../../fixtures/mock-npm') const MockRegistry = require('@npmcli/mock-registry') +const nock = require('nock') const username = 'foo' const auth = { '//registry.npmjs.org/:_authToken': 'test-auth-token' } @@ -67,3 +68,27 @@ t.test('not logged in', async t => { }) await t.rejects(npm.exec('whoami', []), { code: 'ENEEDAUTH' }) }) + +t.test('non-string username in response', async t => { + nock.disableNetConnect() + t.teardown(() => { + nock.enableNetConnect() + }) + + const server = nock('https://registry.npmjs.org', { + reqheaders: { + authorization: 'Bearer abcd1234', + }, + }) + .get('/-/whoami') + .reply(200, { username: null }) + + const { npm } = await loadMockNpm(t, { + config: { + '//registry.npmjs.org/:_authToken': 'abcd1234', + }, + }) + + await t.rejects(npm.exec('whoami', []), { code: 'ENEEDAUTH' }) + t.ok(server.isDone()) +})