feat: Support for custom registries

[jordanbertasso]

It would be nice if cotton could support fetching packages from an arbitrary url instead of only https://registry.npmjs.org/.

I see two things to implement here:

1. A global custom registry - https://docs.npmjs.com/cli/v7/using-npm/config#registry
2. Custom registry's for scoped packages - https://docs.npmjs.com/cli/v7/using-npm/scope#associating-a-scope-with-a-registry

In addition to the above, it would make sense to add in the ability to authenticate to these registries with provided credentials

[nicovogel-philips]

I also just wanted to see the speed difference for our project (uses pnpm), but because we have everything in a custom registry, I cannot test it. Really looking forward to it.

I did not look into the current implementation (never coded rust), but a feature to handle auth with registry might also be needed 🙂

[danielhuang]

Initial support has been implemented. To use custom registries, save them into cotton.toml. For example:

[[registry]]
scope = "@example/"
url = "https://registry.example.com"
auth = { token = "insert_token_here" }

[[registry]]
scope = "@example2/"
url = "https://registry2.example.com"
auth = { from_env = "TOKEN" }

[[registry]]
url = "https://default-registry.example.com"
auth = { from_env = "TOKEN2" }

More specific registries (such as those with scopes) should be placed first, as priority is considered in order.

[jordanbertasso]

This is awesome work!

Although unfortunately I'm still unable to use cotton for my use case because the registry I need to authenticate to requires that I do it using a username and password (defined here) instead of a token.

[danielhuang]

Registries can now be used with usernames and passwords:

[[registry]]
url = "https://registry.npmjs.org"
auth = { username = "user", password = "password" }

It can also come from the environment:

[[registry]]
url = "https://registry.npmjs.org"
auth = { username = { from_env = "USERNAME" }, password = { from_env = "PASSWORD" } }

[jordanbertasso]

Wow thank you!

I've tried it out with this private registry https://jfrog.com/artifactory/ - It's still unhappy with the package locations (getting 404s). I might try and figure it out when I get a chance

[danielhuang]

Can you run the current package manager with verbose output to find the actual metadata URLs? There might be a mismatch between how the URL is resolved.