Merge pull request #8453 from dependabot/deivid-rodriguez/npm8-auth
Fix private registry authentication for NPM 8 or higher
deivid-rodriguez authored Nov 30, 2023
2 parents ea7ad41 + 2285cdc commit 16616cb
Showing 2 changed files with 52 additions and 54 deletions.
Expand Up @@ -32,9 +32,17 @@ def npmrc_content
build_npmrc_content_from_lockfile
end

return initial_content || "" unless registry_credentials.any?
final_content = initial_content || ""

([initial_content] + credential_lines_for_npmrc).compact.join("\n")
return final_content unless registry_credentials.any?

credential_lines_for_npmrc.each do |credential_line|
next if final_content.include?(credential_line)

final_content = [final_content, credential_line].reject(&:empty?).join("\n")
end

final_content
end

# PROXY WORK
Expand Down Expand Up @@ -105,15 +113,7 @@ def npmrc_global_registry_auth_line
token = global_registry.fetch("token", nil)
return "" unless token

if token.include?(":")
encoded_token = Base64.encode64(token).delete("\n")
"_auth = #{encoded_token}\n"
elsif Base64.decode64(token).ascii_only? &&
Base64.decode64(token).include?(":")
"_auth = #{token.delete("\n")}\n"
else
"_authToken = #{token}\n"
end
auth_line(token, global_registry.fetch("registry")) + "\n"
end

def yarnrc_global_registry_auth_line
Expand All @@ -122,12 +122,12 @@ def yarnrc_global_registry_auth_line

if token.include?(":")
encoded_token = Base64.encode64(token).delete("\n")
"npmAuthIdent: \"#{encoded_token}\"\n"
"npmAuthIdent: \"#{encoded_token}\""
elsif Base64.decode64(token).ascii_only? &&
Base64.decode64(token).include?(":")
"npmAuthIdent: \"#{token.delete("\n")}\"\n"
"npmAuthIdent: \"#{token.delete("\n")}\""
else
"npmAuthToken: \"#{token}\"\n"
"npmAuthToken: \"#{token}\""
end
end

Expand Down Expand Up @@ -230,18 +230,7 @@ def credential_lines_for_npmrc
token = cred.fetch("token", nil)
next unless token

# We need to ensure the registry uri ends with a trailing slash in the npmrc file
# but we do not want to add one if it already exists
registry_with_trailing_slash = registry.sub(%r{\/?$}, "/")
if token.include?(":")
encoded_token = Base64.encode64(token).delete("\n")
lines << "//#{registry_with_trailing_slash}:_auth=#{encoded_token}"
elsif Base64.decode64(token).ascii_only? &&
Base64.decode64(token).include?(":")
lines << %(//#{registry_with_trailing_slash}:_auth=#{token.delete("\n")})
else
lines << "//#{registry_with_trailing_slash}:_authToken=#{token}"
end
lines << auth_line(token, registry)
end

return lines unless lines.any? { |str| str.include?("auth=") }
Expand All @@ -250,6 +239,26 @@ def credential_lines_for_npmrc
["always-auth = true"] + lines
end

def auth_line(token, registry = nil)
auth = if token.include?(":")
encoded_token = Base64.encode64(token).delete("\n")
"_auth=#{encoded_token}"
elsif Base64.decode64(token).ascii_only? &&
Base64.decode64(token).include?(":")
"_auth=#{token.delete("\n")}"
else
"_authToken=#{token}"
end

return auth unless registry

# We need to ensure the registry uri ends with a trailing slash in the npmrc file
# but we do not want to add one if it already exists
registry_with_trailing_slash = registry.sub(%r{\/?$}, "/")

"//#{registry_with_trailing_slash}:#{auth}"
end

def npmrc_scoped_registries
return [] unless npmrc_file

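Review bot: The duplicate check in `npmrc_content`, `next if final_content.include?(credential_line)`, is a substring test over the whole file text, so a credential line is skipped whenever it appears inside a longer or commented-out line, for example when an existing entry for the same registry carries a token that merely starts with the new one. In that case the fresh credential is never written and only the stale entry remains in the file. Comparing whole lines avoids this: `next if final_content.lines.map(&:chomp).include?(credential_line)`. Separately, the new `auth_line` strips newlines from the token only in the second `_auth` branch; the `_authToken=#{token}` branch interpolates it as-is, so a token with an embedded line break would add an extra line to the generated .npmrc, and `token.delete("\n")` there would make the branches consistent.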
Expand Up @@ -332,9 +332,8 @@
it "adds a global registry line, and auth details" do
expect(npmrc_content)
.to eq("registry = https://npm.fury.io/dependabot\n" \
"_authToken = my_token\n" \
"always-auth = true\n" \
"//npm.fury.io/dependabot/:_authToken=my_token")
"//npm.fury.io/dependabot/:_authToken=my_token\n" \
"always-auth = true")
end

context "and an npmrc file" do
Expand All @@ -346,9 +345,8 @@
"strict-ssl = true\n" \
"//npm.fury.io/dependabot/:_authToken=secret_token\n" \
"registry = https://npm.fury.io/dependabot\n" \
"_authToken = my_token\n" \
"always-auth = true\n\n" \
"//npm.fury.io/dependabot/:_authToken=my_token")
"//npm.fury.io/dependabot/:_authToken=my_token\n" \
"always-auth = true\n")
end

context "that uses environment variables everywhere" do
Expand All @@ -360,9 +358,8 @@
"platform-npm/:always-auth=true\n" \
"always-auth = true\n" \
"registry = https://npm.fury.io/dependabot\n" \
"_authToken = my_token\n" \
"always-auth = true\n\n" \
"//npm.fury.io/dependabot/:_authToken=my_token")
"//npm.fury.io/dependabot/:_authToken=my_token\n" \
"always-auth = true\n")
end
end
end
Expand All @@ -383,9 +380,8 @@
it "adds a global registry line based on the lockfile details" do
expect(npmrc_content)
.to eq("registry = https://npm.fury.io/dependabot\n" \
"_authToken = my_token\n" \
"always-auth = true\n" \
"//npm.fury.io/dependabot/:_authToken=my_token")
"//npm.fury.io/dependabot/:_authToken=my_token\n" \
"always-auth = true")
end
end
end
Expand Down Expand Up @@ -632,9 +628,8 @@
it "adds a global registry line, and token auth details" do
expect(npmrc_content)
.to eq("registry = https://npm.fury.io/dependabot\n" \
"_authToken = my_token\n" \
"always-auth = true\n" \
"//npm.fury.io/dependabot/:_authToken=my_token")
"//npm.fury.io/dependabot/:_authToken=my_token\n" \
"always-auth = true")
end

context "with basic auth credentials" do
Expand All @@ -654,10 +649,8 @@
it "adds a global registry line, and Basic auth details" do
expect(npmrc_content)
.to eq("registry = https://npm.fury.io/dependabot\n" \
"_auth = c2VjcmV0OnRva2Vu\n" \
"always-auth = true\n" \
"always-auth = true\n" \
"//npm.fury.io/dependabot/:_auth=c2VjcmV0OnRva2Vu")
"//npm.fury.io/dependabot/:_auth=c2VjcmV0OnRva2Vu\n" \
"always-auth = true")
end
end

Expand All @@ -670,9 +663,8 @@
"strict-ssl = true\n" \
"//npm.fury.io/dependabot/:_authToken=secret_token\n" \
"registry = https://npm.fury.io/dependabot\n" \
"_authToken = my_token\n" \
"always-auth = true\n\n" \
"//npm.fury.io/dependabot/:_authToken=my_token")
"//npm.fury.io/dependabot/:_authToken=my_token\n" \
"always-auth = true\n")
end

context "with basic auth credentials" do
Expand All @@ -695,10 +687,8 @@
"strict-ssl = true\n" \
"//npm.fury.io/dependabot/:_authToken=secret_token\n" \
"registry = https://npm.fury.io/dependabot\n" \
"_auth = c2VjcmV0OnRva2Vu\n" \
"always-auth = true\n\n" \
"always-auth = true\n" \
"//npm.fury.io/dependabot/:_auth=c2VjcmV0OnRva2Vu")
"//npm.fury.io/dependabot/:_auth=c2VjcmV0OnRva2Vu\n" \
"always-auth = true\n")
end
end
end
Expand Down Expand Up @@ -873,10 +863,9 @@
expect(npmrc_content)
.to eq(<<~NPMRC.chomp)
registry = https://npm.pkg.github.com
_authToken = my_token
//npm.pkg.github.com/:_authToken=my_token
always-auth = true
@dsp-testing:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=my_token
NPMRC
end
end
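Review bot: The expectations built on an existing npmrc (the three `secret_token` cases) now pin output that holds two credential entries for `//npm.fury.io/dependabot/`, the file's own `secret_token` line and the generated `my_token` or `_auth` line, without saying which one is meant to take effect. If the intent is that the later, generated entry wins, a comment on these examples such as `# the generated entry follows the npmrc's own and is expected to override it` would record that; how npm resolves the duplicate is an assumption worth confirming. The hunks shown also contain no example where the existing entry differs from the generated one only by a longer token, which is the input the `final_content.include?(credential_line)` check would treat as already present.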
