
Comments (8)

SimenB commented on July 19, 2024

I added logging of the auth (https://github.com/SimenB/npm-1/commit/77f31ce8eddcae08898dd670bece7c0d67de1a67) and the output is correct:

{ username: '[secure]',
  password: 'redacted',
  email: '[secure]',
  alwaysAuth: true }

Other ideas about what I can test?

from npm.

SimenB commented on July 19, 2024

Some more horrible logging shows that the structure of the auth object is different between npm and this module.

This module:

verb request https://artifacts.schibsted.io/artifactory/api/npm/npm-virtual/@finn-no%2Ftest-semantic-release
verb request { auth: 
verb request    { username: '[secure]',
verb request      password: 'redacted',
verb request      email: '[secure]',
verb request      alwaysAuth: true },
verb request   method: 'GET',
verb request   authed: true }

npm:

npm verb request https://artifacts.schibsted.io/artifactory/api/npm/npm-virtual/@finn-no%2ftest-semantic-release
npm verb request { auth: 
npm verb request    { scope: '//artifacts.schibsted.io/artifactory/api/npm/npm-virtual/',
npm verb request      email: '[secure]',
npm verb request      alwaysAuth: true,
npm verb request      token: undefined,
npm verb request      username: '[secure]',
npm verb request      password: '[secure]',
npm verb request      auth: '[secure]' },
npm verb request   method: 'GET',
npm verb request   authed: true }

So it seems like npm adds scope, as well as auth. An interesting fact is that Travis puts secret for everything npm does, but not for the password from this module. That means the auth is actually exported already as secrets into the Travis runtime, and I shouldn't have to authenticate manually...

I tried adding scope and that didn't help, so I think I may have to try to set auth. I think I'm done for the day, though.

Ideas?


SimenB commented on July 19, 2024

My shot in the dark is that you have to copy basically all of the logic in here: https://github.com/npm/npm/blob/0cc9d89ed2d46745f91d746fda9d205fd39d3daa/lib/config/get-credentials-by-uri.js


pvdlg commented on July 19, 2024

I set up auth like this: curl -u $ARTIFACTORY_USER:$ARTIFACTORY_PWD https://artifacts.schibsted.io/artifactory/api/npm/npm-virtual/auth/finn-no > .npmrc. I know this works as yarn right after it (which includes fetching dependencies only available on that Artifactory instance) succeeds.

Why do that?

The plugin works, as documented, by setting NPM_USERNAME, NPM_PASSWORD and NPM_EMAIL.

So just set NPM_USERNAME to the value of ARTIFACTORY_USER, NPM_PASSWORD to the value of ARTIFACTORY_PWD and NPM_EMAIL to the email of your Artifactory user.

Then in your .npmrc just write:

always-auth = true

In addition, we do not recommend writing your username and password in .npmrc, as it's a security risk. Anything else running on your CI would be able to read those values.
It might not be an issue in a private CI environment, but it is for everyone else.


SimenB commented on July 19, 2024

See PR


SimenB commented on July 19, 2024

Why do that?

NPM_USERNAME, NPM_PASSWORD and NPM_EMAIL are specifics for this plugin. I still have to have auth for yarn/npm to work.

So just set NPM_USERNAME to the value of ARTIFACTORY_USER, NPM_PASSWORD to the value of ARTIFACTORY_PWD and NPM_EMAIL to the email of your Artifactory user.

I do that now. I had some weird setup before. Thanks for the help!

Then in your .npmrc just write:

I think that part's unnecessary, as npmrc has always-auth for the registry I'm talking with. But setting it works. I'll try to send a PR 🙂

In addition, we do not recommend writing your username and password in .npmrc, as it's a security risk. Anything else running on your CI would be able to read those values.

This is a private CI, but I don't get why it's a risk (beyond what's currently possible). How is cat .npmrc worse than echo $NPM_PASSWORD?


pvdlg commented on July 19, 2024

This is a private CI, but I don't get why it's a risk (beyond what's currently possible). How is cat .npmrc worse than echo $NPM_PASSWORD?

Because anyone can send a PR that will trigger a build and potentially expose the credentials with cat .npmrc. That wouldn't be possible with echo $NPM_PASSWORD, as CI providers do not make environment variables available for PRs with a base branch that comes from a different repo.

In addition, writing credentials to .npmrc makes it really easy to commit them by mistake. For example, if you run semantic-release --dry-run, then git add . and commit, you would expose your credentials.

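Added example, not code from the thread or from the plugin: a small Node.js check that flags credential-bearing keys in an .npmrc, the accidental-commit risk pvdlg describes above, while accepting always-auth and ${VAR}-style values that npm expands from the environment. The sample .npmrc contents and the NPM_TOKEN variable name are constructed placeholders.

```javascript
// Keys that carry a secret when written literally into .npmrc. Scoped keys such as
// "//registry.example/:_authToken" are matched on the part after the colon.
// "always-auth" has no underscore and is deliberately not matched.
const SECRET_KEY_RE = /(^|:)(_auth|_password|_authToken|password|username)$/i;
// npm expands "${VAR}" in .npmrc values at runtime, so such a value holds no secret.
const ENV_REF_RE = /^\$\{[^}]+\}$/;

// Parse ini-style .npmrc text into [key, value] pairs, skipping blanks and comments.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    entries.push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  }
  return entries;
}

// Return only the offending keys, never the values, so the finding can be printed
// in a CI log or a pre-commit hook without leaking the secret itself.
function findEmbeddedCredentials(text) {
  return parseNpmrc(text)
    .filter(([key, value]) => SECRET_KEY_RE.test(key) && value !== '' && !ENV_REF_RE.test(value))
    .map(([key]) => key);
}

// Constructed sample resembling what "curl -u user:pwd .../auth/finn-no > .npmrc"
// leaves behind (placeholder values, not real credentials).
const SAMPLE_NPMRC = [
  '_auth = PLACEHOLDER_BASE64_USER_COLON_PASSWORD',
  'email = user@example.com',
  'always-auth = true',
  '@finn-no:registry = https://artifacts.schibsted.io/artifactory/api/npm/npm-virtual/',
].join('\n');

// Constructed safe variant: always-auth only, token pulled from the environment.
const SAFE_NPMRC = [
  'always-auth = true',
  '//artifacts.schibsted.io/artifactory/api/npm/npm-virtual/:_authToken=${NPM_TOKEN}',
].join('\n');

console.log('credentials embedded:', findEmbeddedCredentials(SAMPLE_NPMRC)); // [ '_auth' ]
console.log('credentials embedded:', findEmbeddedCredentials(SAFE_NPMRC));   // []
```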

SimenB commented on July 19, 2024

The curl happens on CI, not my local machine; sorry if that wasn't clear.

