[BUG] npm config removes _auth from .npmrc

[bradbeck]

Current Behavior:

npm config set <anykey> <anyvalue> will result in _auth=... being removed from .npmrc

Expected Behavior:

npm config set foo bar should not result in _auth=... being removed from .npmrc

Steps To Reproduce:

1. echo '_auth="xxx"' >> ~/.npmrc
2. cat ~/.npmrc to see _auth="xxx" is there
3. npm config set foo bar
4. cat ~/.npmrc to see _auth="xxx" is gone

Environment:

Docker image node:15.3.0
Node: 15.3.0
npm: 7.0.14

[ljharb]

Does it still happen with v7.0.15?

[bradbeck]

Not sure, I haven't found a way to update npm in the node docker image.

[ljharb]

npm install -g npm@7?

[bradbeck]

The node docker image fails to update npm that way. Some permissions issue.

I have confirmed that it still happens for npm@7.0.15 on MacOS.

[isaacs]

This is happening because xxx is not a valid _auth field.

In order for credentials to be saved, a username, email address, and password must all be set, and it is re-saved to the config file scoped only to the proper registry.

This works as expected, for example:

$ echo $'_auth=dXNlcjpwYXNz\nemail=i@izs.me' > foo.npmrc; node . config set foo=bar --userconfig=foo.npmrc ; cat foo.npmrc
foo=bar
//registry.npmjs.org/:username=user
//registry.npmjs.org/:_password="cGFzcw=="
//registry.npmjs.org/:email=i@izs.me
//registry.npmjs.org/:always-auth=false

[isaacs]

Note that _auth must be a base64-encoded username:password pair. It's then saved with the username and password as shown.

[bradbeck]

@isaacs This appears to be a change in behavior relative to versions prior to npm v7. Is the methodology you describe backward compatible? If so, how far back?

[bradbeck]

@isaacs The methodology you describe does not seem to work for ~/.npmrc and npm config set foo=bar. _auth still gets removed but it not replaced with username and password as you describe.

[bradbeck]

In versions prior to npm v7 we used to be able to use the following to configure authentication:

$ npm config set registry http://npm.example.com/
$ npm config set always-auth true
$ npm config set email my@example.com
$ npm config set _auth YWRtaW46YWRtaW4=

With npm v7+ it does not appear to be possible to use npm config set ... to set email or _auth. A sequence like the following is required to get authentication working:

$ npm config set registry http://npm.example.com/
$ echo 'email=my@example.com\n_auth="YWRtaW46YWRtaW4="' >> ~/.npmrc
$ npm config set always-auth true

or

$ npm config set registry http://npm.example.com/
$ npm config set //npm.example.com/:always-auth true
$ npm config set //npm.example.com/:email my@example.com
$ npm config set //npm.example.com/:username admin
$ npm config set //npm.example.com/:_password YWRtaW4=

[isaacs]

Aha, seems like the issue here is that npm config set email my@example.com is failing, that's the bug here. Email should be able to be set separate from credentials. This works in the meantime:

npm config set registry http://npm.example.com/
npm config set always-auth true
echo "email=my@example.com" >> ~/.npmrc
npm config set _auth YWRtaW46YWRtaW4=

[isaacs]

Will be fixed on next npm release, with @npmcli/config@1.2.8

[isaacs]

So, just to clarify:

• npm config set _auth=xxx will fail if email is not set.
• npm config set email=x@y.com will work, even if _auth is not set.
• npm config set email=x@y.com _auth=xxx will always work (ie, adding two configs in one command).
• in all cases, the authentication settings will still be scoped to a given registry, so it's important to either set that registry config first, or include it in the command cli config, like npm config --registry=https://npm.internal/ set email=x@y.com _auth=xxx

[belun]

still happening in npm8