yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

missing authorization header when .npmrc scoped registry is configured with root path #9056

Open synox opened 4 months ago

synox commented 4 months ago

Using yarn 1.22.19 on macOS 14.4.1 (23E224). It seems yarn does not honor the .npmrc config for domains, and only matches the exact path.

https://docs.npmjs.com/cli/v10/configuring-npm/npmrc#auth-related-configuration specifies that we can configure at the domain level:

```
@myorg:registry=https://somewhere-else.com/myorg
@another:registry=https://somewhere-else.com/another
//registry.npmjs.org/:_authToken=MYTOKEN

; would apply to both @myorg and @another
; //somewhere-else.com/:_authToken=MYTOKEN

; would apply only to @myorg
//somewhere-else.com/myorg/:_authToken=MYTOKEN1

; would apply only to @another
//somewhere-else.com/another/:_authToken=MYTOKEN2
```

Let's recreate this config and reproduce the problem:

```
; would apply to both @myorg and @another
//localhost/:_authToken=MYTOKEN
```

- Run a dummy web server: `sudo -i`, then `while true; do echo -e "HTTP/1.1 200 OK\n\n $(date)" | nc -l 80 ; done`.
- Run `yarn add @myorg/test1`.

Output:

```
❯ yarn add @myorg/test1 --verbose
yarn add v1.22.19
...
warning package.json: "test" is also the name of a node core module
verbose 0.100344417 Checking for configuration file "/Users/user/.npmrc".
...
verbose 0.10390275 current time: 2024-05-03T03:06:11.576Z
info No lockfile found.
warning test@1.0.0: "test" is also the name of a node core module
[1/4] 🔍 Resolving packages...
verbose 0.121385792 Performing "GET" request to "http://localhost/myorg/@myorg%2ftest1".
verbose 0.130306959 Error: http://localhost/myorg/@myorg%2ftest1: Parse Error: Expected HTTP/
...
error An unexpected error occurred: "http://localhost/myorg/@myorg%2ftest1: Parse Error: Expected HTTP/".
...
```


The request in the HTTP output is missing the `authorization` header:

```
GET /myorg/@myorg%2ftest1 HTTP/1.1
User-Agent: yarn/1.22.19 npm/? node/v20.12.2 darwin arm64
Accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*
host: localhost
accept-encoding: gzip, deflate
Connection: keep-alive
```


**However**, when running the same command with npm: `npm install @myorg/test1` it has the correct `authorization` header.

```
GET /myorg/@myorg%2ftest1 HTTP/1.1
user-agent: npm/10.5.0 node/v20.12.2 darwin arm64 workspaces/false
pacote-version: 17.0.6
pacote-req-type: packument
pacote-pkg-id: registry:@myorg/test1
accept: application/json
npm-auth-type: web
npm-command: install
authorization: Bearer MYTOKEN
Accept-Encoding: gzip,deflate
Host: localhost
connection: keep-alive
```
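An added example, not part of the original report and not yarn's or npm's own code: a small model of the two token lookups the report contrasts, an exact-path match against a nearest-ancestor match on the same host as the npm docs describe. The function names, the parsed-config object, and the `@myorg:registry` value (inferred from the request URL in the report) are assumptions.

```javascript
// Added example: two ways to resolve an .npmrc auth token for a registry URL.
// Names and the parsed-config shape are hypothetical, not yarn or npm internals.

// Constructed sample config, mirroring the reproduction in the report.
const npmrc = {
  '@myorg:registry': 'http://localhost/myorg',
  '//localhost/:_authToken': 'MYTOKEN',
};

// Turn a URL into the scheme-less "//host[:port]/path/" key form used in .npmrc.
function toAuthKey(url) {
  const u = new URL(url);
  const path = u.pathname.endsWith('/') ? u.pathname : u.pathname + '/';
  return `//${u.host}${path}`;
}

// Exact-path lookup: only a key equal to the registry's own path matches.
function exactLookup(config, registryUrl) {
  return config[`${toAuthKey(registryUrl)}:_authToken`] ?? null;
}

// Nearest-ancestor lookup: try the full path, then drop one path segment at a
// time up to the host root. The host part is never altered, so a token
// configured for one host is never selected for another.
function ancestorLookup(config, registryUrl) {
  let key = toAuthKey(registryUrl);
  while (true) {
    const token = config[`${key}:_authToken`];
    if (token !== undefined) return { token, matchedKey: key };
    const parent = key.replace(/[^/]+\/$/, ''); // strip the last segment
    if (parent === key || parent === '//') return null; // host root had no token
    key = parent;
  }
}

const registry = npmrc['@myorg:registry'];
console.log('exact:', exactLookup(npmrc, registry));       // no token found
console.log('ancestor:', ancestorLookup(npmrc, registry)); // token from //localhost/
```

When both a host-level and a path-level key are present, the ancestor walk returns the path-level token first, which is what keeps per-scope tokens from being replaced by a broader one.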