Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

missing authorization header when .npmrc scoped registry is configured with root path #9056

Open
synox opened this issue May 3, 2024 · 1 comment

Comments

@synox
Copy link

synox commented May 3, 2024

Using yarn 1.22.19 on macos 14.4.1 (23E224). It seems yarn does not honor the .npmrc config for domains, and only matches the exact path.

https://docs.npmjs.com/cli/v10/configuring-npm/npmrc#auth-related-configuration specifies to that we can configure at the domain level:

@myorg:registry=https://somewhere-else.com/myorg
@another:registry=https://somewhere-else.com/another
//registry.npmjs.org/:_authToken=MYTOKEN

; would apply to both @myorg and @another
; //somewhere-else.com/:_authToken=MYTOKEN

; would apply only to @myorg
//somewhere-else.com/myorg/:_authToken=MYTOKEN1

; would apply only to @another
//somewhere-else.com/another/:_authToken=MYTOKEN2

Let's recreate this config and reproduce the problem:

  • create a new project:
  • run yarn init
  • create ~/.npmrc: (replaced somewhere-else.com with localhost)
@myorg:registry=http://localhost/myorg
@another:registry=http://localhost/another

; would apply to both @myorg and @another
//localhost/:_authToken=MYTOKEN
  • run a dummy webserver: sudo -i, then while true; do echo -e "HTTP/1.1 200 OK\n\n $(date)" | nc -l 80 ; done.
  • run yarn add @myorg/test1
    output:
❯ yarn  add @myorg/test1 --verbose
yarn add v1.22.19
...
warning package.json: "test" is also the name of a node core module
verbose 0.100344417 Checking for configuration file "/Users/user/.npmrc".
...
verbose 0.10390275 current time: 2024-05-03T03:06:11.576Z
info No lockfile found.
warning test@1.0.0: "test" is also the name of a node core module
[1/4] 🔍  Resolving packages...
verbose 0.121385792 Performing "GET" request to "http://localhost/myorg/@myorg%2ftest1".
verbose 0.130306959 Error: http://localhost/myorg/@myorg%2ftest1: Parse Error: Expected HTTP/
...
error An unexpected error occurred: "http://localhost/myorg/@myorg%2ftest1: Parse Error: Expected HTTP/".
...

Request in the HTTP output is misssing authorization header:

GET /myorg/@myorg%2ftest1 HTTP/1.1
User-Agent: yarn/1.22.19 npm/? node/v20.12.2 darwin arm64
Accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*
host: localhost
accept-encoding: gzip, deflate
Connection: keep-alive

However, when running the same command with npm: npm install @myorg/test1 it has the correct authorization header.

GET /myorg/@myorg%2ftest1 HTTP/1.1
user-agent: npm/10.5.0 node/v20.12.2 darwin arm64 workspaces/false
pacote-version: 17.0.6
pacote-req-type: packument
pacote-pkg-id: registry:@myorg/test1
accept: application/json
npm-auth-type: web
npm-command: install
authorization: Bearer MYTOKEN
Accept-Encoding: gzip,deflate
Host: localhost
connection: keep-alive
@synox synox changed the title not sending authorization header when .npmrc scoped registry is configured with root path missing authorization header when .npmrc scoped registry is configured with root path May 3, 2024
@georgekaz
Copy link

Hi. @synox did you find a solution for this problem? I think I have the same issue. Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants