npm / npm-registry-client

http://npm.im/npm-registry-client
ISC License

Add Ability to use url based authentication for registries #134

Closed bobbynewmark closed 8 years ago

bobbynewmark commented 8 years ago

It is easier in some cases not to have to manually log in to a private npm server with npm adduser and instead use the standard HTTP URI auth format protocol://username:password@url

The change is a simple addition to the authify to allow the auth parameters of the parsed uri to pass through to the request.

Also added some unit tests over the authify function.

I have tested it with npm install -reg https://username:password@somehost/npm/ mymodule which is my main use case.

Also bumped the version, not sure if I was meant to do that.

othiym23 commented 8 years ago

If you take a look at npm-registry-client's documentation, HTTP Basic authentication is already supported by npm-registry-client. Until the primary npm registry switched to using bearer-token-based auth sometime after the release of npm@2, basic auth was the only way to access protected resources on a registry.

To use basic auth against a host that always requires credentials from npm is pretty simple:

  1. npm login --registry=http://somehost/npm/ --always-auth
  2. npm install --registry=http://somehost/npm/ (or, if you're going to be installing from that registry by default, npm config set registry http://somehost/npm/)

That's it! npm saves credentials by the registry URL, so you only have to log in once to each protected registry.

As this is something already implemented by npm, I'm going to close this pull request. Thanks for your time!

bobbynewmark commented 8 years ago

But this is exactly the use case I was trying to prevent. I want to be able to do this on a clean build machine without user intervention, unless there is some way to specify the username and password on the command line to npm login, or maybe even as environment variables, that I am missing.

Given the .npmrc file only ever base64 encodes the password, it seems more prudent not to store that password on disk.

othiym23 commented 8 years ago

You can pass in auth in npmrc by creating an .npmrc where you've logged in via the registry URL you want to hit at build time, and then editing the .npmrc to look like the following:

//somehost/npm/:user=${NPM_USER}
//somehost/npm/:_password=${NPM_PASSWORD}
//somehost/npm/:always-auth=true
//somehost/npm/:email=foo@example.com

(The value of the email address doesn't matter, and with some versions of npm doesn't even need to be there, but a dummy value is safest.)

and then put the username in the environment variable NPM_USER and the base64-encoded value of _password in NPM_PASSWORD.

bobbynewmark commented 8 years ago

My problem is the magic file; by passing it all on the command line, I eliminate the need for the setup of such a file.

othiym23 commented 8 years ago

This isn't something the CLI team is prepared to change. Among other things, having usernames and passwords show up in the process table is at least as insecure as having them base64-encoded on disk, since anyone with access to the instance can recover those.
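The unattended setup from the two comments above, as an added example that is not part of the thread or of npm's own code: it writes an .npmrc holding only the `${NPM_USER}` / `${NPM_PASSWORD}` placeholders, base64-encodes the password for the environment, and flags registry URLs whose authority carries `user:password@`, since those would appear in the process table. The function names and the sample password are constructed for illustration; `//somehost/npm/` is the registry used in the thread.

```shell
#!/bin/sh
# Added example: helper names and sample values are hypothetical, not npm APIs.

# Write an .npmrc containing only ${VAR} placeholders, never the secret itself.
# $1 = registry without scheme (e.g. //somehost/npm/), $2 = output file
write_npmrc() {
    reg=$1 out=$2
    ( umask 077   # create the file readable by its owner only
      cat > "$out" <<EOF
${reg}:user=\${NPM_USER}
${reg}:_password=\${NPM_PASSWORD}
${reg}:always-auth=true
${reg}:email=foo@example.com
EOF
    )
}

# Base64-encode a plain password for the _password field (no trailing newline).
# Base64 is an encoding, not encryption: anyone who reads it can reverse it.
encode_password() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Return 0 if the URL's authority part carries user:password@ credentials,
# which would be visible to other local users when passed as --registry=...
url_has_credentials() {
    authority=${1#*://}          # drop the scheme
    authority=${authority%%/*}   # keep only [userinfo@]host[:port]
    case $authority in
        *:*@*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Demo with constructed values; a CI system would inject the real secret.
tmp=$(mktemp -d)
write_npmrc //somehost/npm/ "$tmp/.npmrc"
NPM_USER=builder
NPM_PASSWORD=$(encode_password 'password')
export NPM_USER NPM_PASSWORD
cat "$tmp/.npmrc"
if url_has_credentials 'https://username:password@somehost/npm/'; then
    echo 'refusing registry URL with embedded credentials' >&2
fi
rm -rf "$tmp"
```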

bobbynewmark commented 8 years ago

Cool. Thanks for listening.