drone-plugins / drone-npm

Drone plugin for publishing packages to NPM
http://plugins.drone.io/drone-plugins/drone-npm
Apache License 2.0

Remove standard http ports from registry URL when writing authToken #62

Closed rhiaxion closed 2 years ago

rhiaxion commented 2 years ago

The latest release of this plugin included an update of the NPM client from v6 to v8, which changed the authentication behaviour of the client.

If a private registry URL contains standard HTTP port 80 or 443 when performing an npm login / adduser command, the port number is removed when writing the authToken to the .npmrc file. If the port remains in the authToken registry URL, then the token is ignored when running commands like npm whoami or npm publish, and results in an error asking to run npm adduser.

Because this plugin writes the .npmrc file directly, we need to remove the port from the registry URL before writing.

Example:

```
# Configure registry
npm config set registry https://private.registry.com:443
```

Invalid .npmrc authToken

```
//private.registry.com:443/:_authToken=$TOKEN
```

Valid .npmrc authToken

```
//private.registry.com/:_authToken=$TOKEN
```

bradrydzewski commented 2 years ago

Out of curiosity, what happens if the npm registry is running on a non-standard port like :3000? Port 443 and 80 can be inferred based on https or http, so was just wondering how this works with non-standard ports ...

donny-dont commented 2 years ago

I think this might be the relevant commit https://github.com/npm/npm-registry-fetch/commit/cc11cc15c9f457c01159a69ce342dc99dea12456

rhiaxion commented 2 years ago

> What NPM servers have you tested this on?

I'm testing this against Artifactory with a reverse proxy in front, which for some reason is very opinionated about the use of port 443 when resolving dependencies in package-lock.json files, so I explicitly add the port to the registry URL for resolving and publishing.

> Out of curiosity, what happens if the npm registry is running on a non-standard port like :3000? Port 443 and 80 can be inferred based on https or http, so was just wondering how this works with non-standard ports ...

You're quite right that the issue relates to use of standard ports. I started a container with plugins/npm and tested npm login against a registry with a standard and non-standard port.

I would assume that port 80 results in the same issue. So it seems the Node URL parsing and token URL matching is not the same for all ports. I'll update this PR to account for port 80 and 443 to match the NPM 8 client behaviour.

donny-dont commented 2 years ago

Thanks for verifying @rhiaxion! If @bradrydzewski is happy I think this is good to go.
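
The normalization discussed in this thread, as an added Go example that is not the plugin's own code: it builds the .npmrc authToken line and drops the port only when it is the default for the URL's scheme, so non-standard ports such as :3000 are kept. The function names `registryKey` and `authTokenLine` and the scheme-to-port pairing are assumptions for illustration, based on the remark above that 443 and 80 can be inferred from https or http.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

var defaultPorts = map[string]string{"http": "80", "https": "443"}

// registryKey returns the scheme-less "//host[:port]/path/" prefix for .npmrc.
// Assumption: a port is dropped only when it is the default for the URL's scheme.
func registryKey(registry string) (string, error) {
	u, err := url.Parse(registry)
	if err != nil {
		return "", err
	}
	if u.Host == "" {
		return "", fmt.Errorf("registry %q has no scheme://host part", registry)
	}
	host := u.Hostname()
	if strings.Contains(host, ":") { // IPv6 literal: Hostname() strips the brackets
		host = "[" + host + "]"
	}
	if p := u.Port(); p != "" && p != defaultPorts[strings.ToLower(u.Scheme)] {
		host += ":" + p
	}
	path := u.EscapedPath()
	if !strings.HasSuffix(path, "/") {
		path += "/"
	}
	return "//" + host + path, nil
}

// authTokenLine builds the .npmrc credential line for a registry.
func authTokenLine(registry, token string) (string, error) {
	key, err := registryKey(registry)
	if err != nil {
		return "", err
	}
	return key + ":_authToken=" + token, nil
}

func main() {
	// Constructed sample URLs; "$TOKEN" is a literal placeholder, as in the thread.
	for _, r := range []string{"https://private.registry.com:443", "http://localhost:3000"} {
		fmt.Println(authTokenLine(r, "$TOKEN"))
	}
}
```

A registry value without a scheme is rejected rather than guessed at, so a malformed setting fails the build step instead of writing a token line that npm would silently ignore.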