fix: correctly handle nerf-darted env vars #74
Conversation
|
Interestingly enough |
|
Also let me know if you have any thoughts/recommendations around how much to surface this in the docs. And of course, env vars for this kind of thing definitely aren't the most user friendly approach (e.g. depending on your shell, you may have to do something like |
|
You will need to run |
|
I created a separate PR for the eslint fixes, since they're happening on |
jenseng
force-pushed
the
fix-nerfed-env-handling
branch
from
30c28cd
to
ba6b1c3
Compare
|
This PR is on my radar and I plan on getting to it this week. Thank you. |
|
Thanks @wraithgar! |
lib/index.js
Outdated
| if (/^\/\/.*?:./.test(key)) { | ||
| // preserve case and dashes within URIs | ||
| let [uri, k] = key.split(':', 2) | ||
| k = this.normalizeKeyFromEnv(k) | ||
| return `${uri}:${k === '_authtoken' ? '_authToken' : k}` | ||
| } |
There was a problem hiding this comment.
| if (/^\/\/.*?:./.test(key)) { | |
| // preserve case and dashes within URIs | |
| let [uri, k] = key.split(':', 2) | |
| k = this.normalizeKeyFromEnv(k) | |
| return `${uri}:${k === '_authtoken' ? '_authToken' : k}` | |
| } | |
| let [uri, k] = key.split(':') | |
| if (uri.startsWith('//') && k) { | |
| // preserve case and dashes within URIs | |
| k = this.normalizeKeyFromEnv(k) | |
| return `${uri.slice(2)}:${k === '_authtoken' ? '_authToken' : k}` | |
| } |
This is maybe a 7/10 on the suggestion scale. If you really think the regex is more appropriate here please push back. We tend to default to not adding new regex (and removing existing regex) when possible, given the amount of bugs it's led to in npm the past.
Also, are we intentionally supporting //uri:_authtoken (lower case _authtoken)? If we're not mucking with the case on uris do we still need to do this?
There was a problem hiding this comment.
disclaimer: I freehand typed that code, it may have linting/syntax errors. You may want to test and commit it locally. I do not care about credit.
There was a problem hiding this comment.
After sleeping on this I realized that this will eat any urls with ports in them. We probably need to take another stab at this so that doesn't happen.
npm_config_//my.server:4242/foo:_authToken=asdf
This isn't a problem we've had to solve yet because of the way we search through nerf-darted configs right now, (i.e. by url specifically).
lastIndexOf is likely the tool for the job.
if (key.startsWith('//') && key.includes(':')) {
// preserve case and dashes within URIs
const uri = key.slice(2, key.lastIndexOf(':'))
let k = key.slice(key.lastIndexOf(':') + 1)
k = this.normalizeKeyFromEnv(k)
return `${uri}:${k === '_authtoken' ? '_authToken' : k}`
}There was a problem hiding this comment.
Sounds great, I've been offline for a couple days but will push a patch in the next day or so
There was a problem hiding this comment.
re: //uri:_authtoken on that line, it's moreso that I was maintaining the existing "keys are case-insensitive" functionality where possible ... i.e. a nerfed key could have any case coming in (e.g. //uri:_PASSWORD=...), so we normalizeKeyFromEnv the sub-key on the next line. But then _authtoken then needs to be changed to _authToken since that's what various things downstream expect 😅
It's definitely a little weird, so if we're ok with saying that nerfed keys are case sensitive that could simplify this a bit... no need to normalize the sub-key or have special handling for _authToken. WDYT?
There was a problem hiding this comment.
so if we're ok with saying that nerfed keys are case sensitive
Yes please. It's net new so it doesn't break anything existing.
There was a problem hiding this comment.
re case sensitivity: Windows is going to be the place to make sure things work as expected. I know you can read from process.env ignoring case, but if you are iterating its keys, does it retain what was originally used to set it?
There was a problem hiding this comment.
Yes, when iterating the keys in Windows you get the original value, e.g. under the Output env and Output env 2 steps here you can see the results of doing for (let key in process.env) console.log(key) under PowerShell and CMD.exe respectively, variable names like mixed_CASE and something_//really-weird.LOL:_ok are preserved
There was a problem hiding this comment.
Ok updated, it's much simpler now 😅
|
Thanks for your patience here, I ended up doing a deep dive on |
fixes npm#64 Preserve them verbatim since: 1. The URI path may be case sensitive 2. The URI may have underscores that should not be dasherized 3. The "_" sub-key prefix should not be dasherized 4. The sub-key should not be downcased (i.e. npm-registry-fetch expects `...:_authToken`, not `...:_authtoken` This will allow you to successfully use env vars to control registry auth, e.g. ``` env npm_config_//reg.example/UP_CASE/:_authToken=secret npm install ``` Although Windows env variable lookups are case insensitive, key retrieval/ iteration is case preserving, so we can reliably get the originally set key.
jenseng
force-pushed
the
fix-nerfed-env-handling
branch
from
ba6b1c3
to
6592c0d
Compare
Preserve nerf-darted keys verbatim, since the downcasing and dasherizing can mess up both the URIs and the sub-keys themselves.
This will allow you to successfully use env vars to control registry auth, e.g.
npm_config_//reg.example/UP_CASE/:_authToken=secretwill result in a//reg.example/UP_CASE/:_authTokenconfigSee #64 for more context, but the key details to note are:
_passwordbecomes-password), whichnpm-registry-fetchdoes not handle.authToken... althoughgetCredentialsByURIhas some handling aroundauthtoken(and the-prefix), it doesn't really matter becausenpm-registry-fetchdoes not, so it won't get used.References
Fixes #64