No way to configure that we should always authenticate to NPM

[pbomb]

My scenario is that our NPM server is a locally-running Artifactory instance and every interaction with is requires authentication - even reads. I'm getting a 403 during the call to get the last release. This call configures the npm client with the auth property, but does not set alwaysAuth: true and does not provide a way for me to configure this plugin to do that. I've tested it locally and adding that option solves my issue.

I assume that we don't want to set always set that to true for all users, but at least providing a way to configure this plugin to operate in that mode would help me. I could start working on a pull request if you think adding this is the right thing to do. Thanks.

[pvdlg]

Thanks for the report!
I think you can configure this option in a .npmrc file at the root of your project:

always-auth = true

The config is read get-last-release.js#L9.
We prefer to configure all npm options in the .npmrc rather than adding new options to the plugin.

Let us know if that work. If it doesn't work, the proper fix will be to make sure we read this property from .npmrc.

On a side note it would be good to add some comments about that in the README.

[pvdlg]

Looking at it more in details the alwaysAuth has to be configured in the auth object when calling the client and not in the regular config.

So the client call should be something along those lines:

const auth = NPM_TOKEN ? {token: NPM_TOKEN} : {username: NPM_USERNAME, password: NPM_PASSWORD, email: NPM_EMAIL};
auth.alwaysAuth = config.get('always-auth');
const data = await promisify(client.get.bind(client))(uri, {auth});

PR with tests is welcome!

[pbomb]

Thanks for taking a look. I tested your latest code snippet and it does work! I didn't realize I could pull the always-auth field from the config. Thanks for the tip. I'll start working on a PR.

[pbomb]

FYI, I created #7 to address this issue.

[pvdlg]

Are you authenticating with a token or with username / password and email? Just wondering.

Looking at the client code it seems that in the case of a call that set the token the request is always authenticated no matter the always-auth parameter.

The always-auth param seems to be used only in the case of a legacy auth (user/pass/mail). See https://github.com/npm/npm-registry-client/blob/c1f1f431550d5faf86dc6cfb2e7e0d094194021b/lib/authify.js#L11

[pbomb]

That's right. We're using username + password. It looks like we have an older style auth token that uses _auth, not _authToken, so it doesn't seem to work with these libraries

[pvdlg]

@pbomb I'm working on the PR #10 in order to officially support the the legacy authentication (_auth). We would like to mention in the docs the private repository product that use legacy and auth and do not support the _authToken.

Would you mind letting us know what repository product and version you are using?

Thanks!

[pbomb]

@pvdlg That's great. We're using Artifactory Version 5.3.1.

[pvdlg]

Thanks for the info!