bufferoverflow / verdaccio-gitlab

private npm registry (Verdaccio) using gitlab-ce as authentication and authorization provider
MIT License

Issues with header/personal token #69

Closed jbergstroem closed 5 years ago

jbergstroem commented 5 years ago

Spent too much time debugging an issue today so I thought I'd share my findings. TBH not sure this is a bug in verdaccio-gitlab or in verdaccio itself, but this oneliner fixed it:

diff --git a/src/gitlab.js b/src/gitlab.js
index eb93b3e..a191482 100644
--- a/src/gitlab.js
+++ b/src/gitlab.js
@@ -98,7 +98,7 @@ export default class VerdaccioGitLab implements IPluginAuth {

     const GitlabAPI = new Gitlab({
       url: this.config.url,
-      token: password
+      token: password.trim()
     });

     GitlabAPI.Users.current().then(response => {
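Review bot: `password.trim()` will throw a TypeError when `password` is undefined (a request that carries no credentials), so guard it, e.g. `token: typeof password === 'string' ? password.trim() : password`. Since the report points at an appended newline rather than stray spaces, stripping only trailing CR/LF (`password.replace(/[\r\n]+$/, '')`) keeps the change narrow, and a debug log line when a value was actually modified would help trace where the newline enters the credential instead of silently masking it.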

Steps to reproduce:

  1. use user/password-style or _auth authentication in your .npmrc:

    @test:registry=http://localhost:4873/
    //localhost:4873/:_auth=myBase64string
  2. attempt to install packages: npm i @test/foo

  3. you will now see something like:

    $ cross-env BABEL_ENV=registry babel src/ --out-dir build/ --copy-files --ignore ___tests___ --source-maps
    src/authcache.js -> build/authcache.js
    src/gitlab.js -> build/gitlab.js
    src/index.js -> build/index.js
    src/verdaccio.js -> build/verdaccio.js
    ✨  Done in 1.69s.
    warn --- config file  - /Users/jbergstroem/.config/verdaccio/config.yaml
    info --- [gitlab] url: https://myhostedgitlabinstance.com
    info --- [gitlab] initialized auth cache with ttl: 300 seconds
    info --- [gitlab] publish control level: $maintainer
    warn --- Plugin successfully loaded: gitlab
    warn --- http address - http://0.0.0.0:4873/ - verdaccio/3.8.6
    info <-- 127.0.0.1 requested 'GET /@test%2ffoo'
    info --- basic authentication is deprecated, please use JWT instead
    trace--- [gitlab] authenticate called for user: jbergstroem
    trace--- [gitlab] user: jbergstroem not found in cache
    error--- [gitlab] user: jbergstroem error querying gitlab user data: TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["private-token"]
    debug--- [gitlab] deny access to package: @ci-reuse/fastify-core
    http <-- 401, user: null(127.0.0.1), req: 'GET /@test%2ffoo, error: access denied, user not authenticated and anonymous access disabled
    http <-- 401, user: null(127.0.0.1), req: 'GET /@test%2ffoo', error: access denied, user not authenticated and anonymous access disabled

    (note: I updated the gitlab library hence the slightly better debugging)

It appears that my personal access token gets a newline appended to it somehow.

  - this is tested with both latest git head (which would install verdaccio 3.x) and the dockerfile (verdaccio 4.0.0 alpha)
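The failure in the report comes from a credential that reaches Node's HTTP layer with a trailing newline, which Node rejects as an invalid header character. The following is an added example, not code from verdaccio-gitlab or verdaccio: it decodes an npm `_auth` value the way the registry sees it, applies the same character rule Node's `http` module uses for header values, and strips only a trailing CR/LF while rejecting any other control character so a corrupted token fails closed instead of being silently altered. The token value and the `prepareTokenHeader`/`decodeNpmAuth` names are constructed for the example.

```javascript
// Added example (not part of verdaccio-gitlab). Demonstrates why a newline in a
// token triggers ERR_INVALID_CHAR and how to normalise it strictly.

// The rule Node's http module applies to header values: anything outside
// TAB, 0x20-0x7e or 0x80-0xff is an invalid header character (\r and \n included).
const INVALID_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

// Decode an npm `_auth` value (base64 of "user:password") into its two parts.
function decodeNpmAuth(b64) {
  const decoded = Buffer.from(b64, 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 0) throw new Error('malformed _auth: expected "user:password"');
  return { user: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// Prepare a value for the GitLab `private-token` header. Only a trailing
// CR/LF (the artefact described in the report) is removed; any other
// disallowed character is rejected rather than trimmed away.
function prepareTokenHeader(password) {
  if (typeof password !== 'string') throw new Error('token must be a string');
  const stripped = password.replace(/[\r\n]+$/, '');
  if (stripped.length === 0) throw new Error('empty token');
  if (INVALID_HEADER_CHAR.test(stripped)) {
    throw new Error('token contains characters not allowed in an HTTP header');
  }
  return stripped;
}

// Constructed sample: a placeholder token encoded with a trailing newline,
// which is what e.g. `echo user:token | base64` produces. Not a real token.
const sampleAuth = Buffer.from('jbergstroem:PLACEHOLDER-TOKEN\n').toString('base64');

function demo() {
  const { user, password } = decodeNpmAuth(sampleAuth);
  const rawInvalid = INVALID_HEADER_CHAR.test(password); // true: "\n" present
  const cleaned = prepareTokenHeader(password);          // "PLACEHOLDER-TOKEN"
  return { user, rawInvalid, cleaned };
}

console.log(demo());
```

Checking `rawInvalid` before normalising is the point: it tells you whether the stored credential is broken, which the `trim()` one-liner above hides.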
bufferoverflow commented 5 years ago

Thanks for the report! I would appreciate a PR

jbergstroem commented 5 years ago

> @bufferoverflow Thanks for the report! I would appreciate a PR

I'll update the issue and potentially file a PR if there is a problem in this plugin, which I'm still not sure of :(

jbergstroem commented 5 years ago

Going to close until I can reproduce properly (and send a patch to where it belongs).