Using `npm_config__auth` environtment variable in v8 to authorize private repository

[manuel-buchner]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

I want to add dist-tags using npm dist-tag add ... in a private repository.

As of NPM v6.14.15 it was possible, to authorize the user using the npm_config__auth environment variable.
I think that was done by this line: https://github.com/npm/cli/blob/v6.14.15/node_modules/npm-registry-fetch/auth.js#L22

When upgrading to v8.1.0 the environment variable will be ignored and only the repo based _auth key is used
Like this line: https://github.com/npm/cli/blob/v8.1.0/node_modules/npm-registry-fetch/auth.js#L81

Is it on purpose to ignore _auth for private repos and only use repo based e.g. //artifactory.company.com/artifactory/api/npm/npm/:_auth key?
Unfortunately i cannot provide this key using environment variable, because _ will be converted to -

However, when checking the user using npm whoami it resolves to the right user.
I think because of this: https://github.com/npm/cli/blob/release/v8.1.0/node_modules/%40npmcli/config/lib/index.js#L719

Expected Behavior

Be able to authorize private repository using npm_config__auth environment variable.

Steps To Reproduce

1. Setup Private Repository
2. Run node:16-alpine container
3. Provide Private Repository with .npmrc file (but no _auth key)
4. Provide _auth via npm_config__auth environment variable
5. Run npm dist-tag add @scope/tool@3.0.0-feature.10 feature

Environment

• OS: Alpine 3.13.6
• Node: 16.13.0
• npm: 8.1.0

[argenstijn]

Can this be fixed asap. Should work.

[MetalArend]

Our team is experiencing the same issue. Is this a bug, or is it because there is a new way of doing this with environment variables that is not yet documented? Or is there a workaround available?

[wraithgar]

The way to get environment variables into the new registry-specific auth is to reference them in your .npmrc file like this

//artifactory.company.com/artifactory/api/npm/npm/:_auth=${NPM_AUTH}

You can then set $NPM_AUTH in your environment and npm will use that

See https://docs.npmjs.com/cli/v7/configuring-npm/npmrc#files for more info on how npmrc is loaded.

[babbottscott]

The way to get environment variables into the new registry-specific auth is to reference them in your .npmrc file like this

This is a particularly unsatisfying solution. Until v8, we have not needed to create an .npmrc to publish, being able to configure npm solely via environment variables. Requiring a file creation is a pretty big regression. Strongly urge reopening.

[MetalArend]

That is indeed the current workaround we are using, but that is all it is, a workaround. The docs at https://docs.npmjs.com/cli/v8/using-npm/config#environment-variables describe behaviour that is not working for every environment variable, so this is still a bug, and is not yet fixed.

[jenseng]

The pull request above will make it so you can set registry-scoped auth via env vars, for example:

env NPM_CONFIG_//my.registry/npm/:_authToken=secret npm publish

Note that you may need to use something like env/cross-env to set it... while environment variable names can have pretty much any character, shells are less forgiving.

In the meantime, there is a pure-env-var workaround that doesn't require writing an .npmrc file:

NPM_AUTH_TOKEN=secret \
  NPM_CONFIG_USERCONFIG=<(echo '//my.registry/npm/:_authToken=${NPM_AUTH_TOKEN}') \
  npm publish

Caveats: 1. ~/.npmrc won't get used, 2. a project-level .npmrc could override this, and 3. process substitution might not be available on your platform.