fix(config): use redact on config output

lib/commands/config.js

@@ -7,6 +7,7 @@ const pkgJson = require('@npmcli/package-json')
 const { defaults, definitions } = require('@npmcli/config/lib/definitions')
 const { log, output } = require('proc-log')
 const BaseCommand = require('../base-cmd.js')
+const { redact } = require('@npmcli/redact')
 
 // These are the configs that we can nerf-dart. Not all of them currently even
 // *have* config definitions so we have to explicitly validate them here.
@@ -53,7 +54,7 @@ const keyValues = args => {
  return kv
 }
 
-const publicVar = k => {
+const publicVar = (k, v) => {
  // _password
  if (k.startsWith('_')) {
  return false
@@ -73,6 +74,10 @@ const publicVar = k => {
  }
  }
  }
+ // Hide proxy url if it contains basic auth
+ if (k === 'proxy') {
+ return redact(v) === v
+ }
  return true
 }
 
@@ -206,7 +211,8 @@ class Config extends BaseCommand {
 
  const out = []
  for (const key of keys) {
- if (!publicVar(key)) {
+ const val = this.npm.config.get(key)
+ if (!publicVar(key, val)) {
  throw new Error(`The ${key} option is protected, and can not be retrieved in this way`)
  }
 
@@ -338,14 +344,14 @@ ${defData}
  continue
  }
 
- const keys = Object.keys(data).sort(localeCompare)
+ const keys = Object.entries(data).sort(([a], [b]) => localeCompare(a, b))
  if (!keys.length) {
  continue
  }
 
  msg.push(`; "${where}" config from ${source}`, '')
- for (const k of keys) {
- const v = publicVar(k) ? JSON.stringify(data[k]) : '(protected)'
+ for (const [k, value] of keys) {
+ const v = publicVar(k, value) ? JSON.stringify(value) : '(protected)'
  const src = this.npm.config.find(k)
  const overridden = src !== where
  msg.push((overridden ? '; ' : '') +
@@ -374,9 +380,10 @@ ${defData}
  const pkgPath = resolve(this.npm.prefix, 'package.json')
  msg.push(`; "publishConfig" from ${pkgPath}`)
  msg.push('; This set of config values will be used at publish-time.', '')
- const pkgKeys = Object.keys(content.publishConfig).sort(localeCompare)
- for (const k of pkgKeys) {
- const v = publicVar(k) ? JSON.stringify(content.publishConfig[k]) : '(protected)'
+ const entries = Object.entries(content.publishConfig)
+ .sort(([a], [b]) => localeCompare(a, b))
+ for (const [k, value] of entries) {
+ const v = publicVar(k, value) ? JSON.stringify(value) : '(protected)'
  msg.push(`${k} = ${v}`)
  }
  msg.push('')
@@ -389,11 +396,12 @@ ${defData}
  async listJson () {
  const publicConf = {}
  for (const key in this.npm.config.list[0]) {
- if (!publicVar(key)) {
+ const value = this.npm.config.get(key)
+ if (!publicVar(key, value)) {
  continue
  }
 
- publicConf[key] = this.npm.config.get(key)
+ publicConf[key] = value
  }
  output.standard(JSON.stringify(publicConf, null, 2))
  }

test/lib/commands/config.js

@@ -503,6 +503,20 @@ t.test('config get private key', async t => {
  /_password option is protected/,
  'rejects with protected string'
  )
+
+ await npm.exec('config', ['set', 'proxy', 'https://proxy.npmjs.org'])
+
+ await t.resolves(
+ npm.exec('config', ['get', 'proxy']),
+ 'https://proxy.npmjs.org'
+ )
+
+ await npm.exec('config', ['set', 'proxy', 'https://username:password@proxy.npmjs.org'])
+
+ await t.rejects(
+ npm.exec('config', ['get', 'proxy']),
+ /proxy option is protected/
+ )
 })
 
 t.test('config edit', async t => {