fix: warn on bare auth related configs (#78)

npm · Aug 25, 2022 · d4e582a · d4e582a
1 parent 3586d4b
commit d4e582a
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 7 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -767,6 +767,11 @@ class Config {
  const nerfed = nerfDart(uri)
  const creds = {}
 
+ const deprecatedAuthWarning = [
+ '`_auth`, `_authToken`, `username` and `_password` must be scoped to a registry.',
+ 'see `npm help npmrc` for more information.',
+ ].join(' ')
+
  const email = this.get(`${nerfed}:email`) || this.get('email')
  if (email) {
  creds.email = email
@@ -780,10 +785,13 @@ class Config {
  // cert/key may be used in conjunction with other credentials, thus no `return`
  }
 
- const tokenReg = this.get(`${nerfed}:_authToken`) ||
-  nerfed === nerfDart(this.get('registry')) && this.get('_authToken')
+ const defaultToken = nerfDart(this.get('registry')) && this.get('_authToken')
+ const tokenReg = this.get(`${nerfed}:_authToken`) || defaultToken
 
  if (tokenReg) {
+ if (tokenReg === defaultToken) {
+ log.warn('config', deprecatedAuthWarning)
+ }
  creds.token = tokenReg
  return creds
  }
@@ -818,6 +826,7 @@ class Config {
  const userDef = this.get('username')
  const passDef = this.get('_password')
  if (userDef && passDef) {
+ log.warn('config', deprecatedAuthWarning)
  creds.username = userDef
  creds.password = Buffer.from(passDef, 'base64').toString('utf8')
  const auth = `${creds.username}:${creds.password}`
@@ -832,6 +841,7 @@ class Config {
  return creds
  }
 
+ log.warn('config', deprecatedAuthWarning)
  const authDecode = Buffer.from(auth, 'base64').toString('utf8')
  const authSplit = authDecode.split(':')
  creds.username = authSplit.shift()

diff --git a/test/index.js b/test/index.js
@@ -1005,18 +1005,27 @@ t.test('nerfdart auths set at the top level into the registry', async t => {
  email,
  }],
  // handled invalid/legacy cases
- 'username, no _password': [`username=${username}`, {}],
- '_password, no username': [`_password=${_password}`, {}],
+ 'username, no _password': [`username=${username}`, {}, true],
+ '_password, no username': [`_password=${_password}`, {}, true],
  // de-nerfdart the email, if present in that way
  'nerf-darted email': [`//registry.npmjs.org/:email=${email}`, {
  email,
- }],
+ }, true],
  }
 
+ const logs = []
+ const logHandler = (...args) => logs.push(args)
+ process.on('log', logHandler)
+ t.teardown(() => {
+ process.removeListener('log', logHandler)
+ })
  const cwd = process.cwd()
- for (const [name, [ini, expect]] of Object.entries(cases)) {
+ for (const [name, [ini, expect, noWarn]] of Object.entries(cases)) {
  t.test(name, async t => {
- t.teardown(() => process.chdir(cwd))
+ t.teardown(() => {
+ process.chdir(cwd)
+ logs.length = 0
+ })
  const path = t.testdir({
  '.npmrc': ini,
  'package.json': JSON.stringify({}),
@@ -1041,6 +1050,10 @@ t.test('nerfdart auths set at the top level into the registry', async t => {
  const c = new Config(opts)
  await c.load()
  t.same(c.list[3], expect)
+ if (!noWarn) {
+ t.equal(logs.length, 1, 'logged 1 message')
+ t.match(logs[0], /must be scoped to a registry/, 'logged auth warning')
+ }
  })
  }
 })