Support for private packages #521
Comments
jamiebuilds
changed the title
|
We already have npm login and auth logic here. Just need to sort out the workflow. |
|
Private registry doesn't always need auth token. For example we access our private registry through corporate VPN. |
|
^^ Agreed. Allowing for the association of a separate registry per scope is sufficient for us (and I suspect many others). |
|
|
When we say "we already have this logic" - I don't see any path where an Authorization header would be sent to a registry. If there was one, perhaps there'd be a temporary workaround to make this all work while something more final is sorted out. Am I missing something? |
|
+1 looks like scoped packages even if they are public seem to fail. |
|
To further @djforth's comment, I just installed from master, and I'm getting the same error - scoped packages are failing. It converts the e.g. |
|
That's the way it fails if auth is required. I got it to work for public scoped packages |
Sends the auth token for scoped packages, which may be private. Fixes yarnpkg#1134 and yarnpkg#521.
Sends the auth token for scoped packages, which may be private. Fixes yarnpkg#1134 and yarnpkg#521.
|
@devongovett I ran into a few issues: This is the check for whether auth should be used: if (this.token || (alwaysAuth && requestUrl.startsWith(registry))) {
headers.authorization = this.getAuth(pathname);
}If registry is I had So the fix for me was: //if (this.token || (alwaysAuth && requestUrl.startsWith(registry))) {
if (this.token || (alwaysAuth)) {I was also getting an initial call to the |
|
Yes, currently it replaces https://registry.npmjs.com/ with https://registry.yarnpkg.com/ here, which confuses the check here. |
|
EDIT: Ignore this post - it just started working for some reason. I had to make sure to login to the When I run:
My npm looks like this:
getAuth(packageName: string): string {
if (this.token) {
return this.token;
}
for (let registry of [this.getRegistry(packageName), '', DEFAULT_REGISTRY]) {
registry = registry.replace(/^https?:/, '');
// Check for bearer token.
console.log({registry})
let auth = this.getScopedOption(registry, '_authToken');
if (auth) {
return `Bearer ${String(auth)}`;
}
// Check for basic auth token.
auth = this.getScopedOption(registry, '_auth');
if (auth) {
return `Basic ${String(auth)}`;
}
// Check for basic username/password auth.
const username = this.getScopedOption(registry, 'username');
const password = this.getScopedOption(registry, '_password');
if (username && password) {
const pw = new Buffer(String(password), 'base64').toString();
return 'Basic ' + new Buffer(String(username) + ':' + pw).toString('base64');
}
}
return '';
}It ends up using the authorization header |
|
Hey, |
|
Is a fix on the way for private packages? The problem @devongovett described above just bit me in CI. My current workaround is to |
|
I'm also running in the issue that |
|
Another use case I haven't seen mentioned: git repositories can be fetched via https or ssh. If the repo is private, you need credentials (duh). When deploying to Heroku, |
|
@rovansteen |
|
I am also having the same issue with Sinopia. Did anyone find a solution for this? |
|
It does not work properly in all environments with .npmrc located at On my local machine it outputs: While inside of Docker it outputs: So it looks like it does not execute As temporary workaround for this, in Docker I just copy |
|
found here https://github.com/uber/react-map-gl |
|
I am also having the same issue with kendo-angular components.
|
|
It should be fixed now. |
|
Awesome @bestander! What's the minimum yarn version where it’s expected to work? |
|
There were multiple fixes across versions.
0.26 should have them all
…On Tue, 23 May 2017 at 19:44, Alexander Kachkaev ***@***.***> wrote:
Awesome @bestander <https://github.com/bestander>! What's the minimum
yarn version where it’s expected to work?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#521 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ACBdWC90PKrW5LAg7HyY3l7c8ZoKaWtyks5r8yb9gaJpZM4KPd0N>
.
|
|
I can confirm that private scoped packages with scope and registry defined in |
|
|
yarn install v0.24.6 |
|
Looks like you can't connect to telerik.com, is http proxy configured? |
|
The problem is yarn are searching by http://registry.npm.telerik.com, when I have configured yarn with strict-ssl to true: info yarn config Previously I've configured the login with npm: "npm login --registry=https://registry.npm.telerik.com/ --scope=@progress" It is neccesary that yarn searching for by "https" (https://registry.npm.telerik.com) :-) Any idea what is the problem? |
|
I don't have much experience using private registries :(
If someone sets up an account and a project package.json/yarn.lock for me
to test I could help out.
…On 30 May 2017 at 10:53, beatrizaldaz ***@***.***> wrote:
The problem is yarn are searching by http://registry.npm.telerik.com,
when I have configured yarn with strict-ssl to true:
info yarn config
{ 'version-tag-prefix': 'v',
'version-git-tag': true,
'version-git-sign': false,
'version-git-message': 'v%s',
'init-version': '1.0.0',
'init-license': 'MIT',
'save-prefix': '^',
'ignore-scripts': false,
'ignore-optional': false,
registry: 'https://registry.yarnpkg.com',
'strict-ssl': true,
'user-agent': 'yarn/0.24.6 npm/? node/v6.9.5 win32 x64',
lastUpdateCheck: 1496137030541 }
info npm config
{ 'strict-ssl': true,
***@***.*** <https://github.com/progress>:registry': '
https://registry.npm.telerik.com/',
'//registry.npm.telerik.com/:_authToken': '......' }
Done in 0.04s.
Previously I've configured the login with npm: "npm login --registry=
https://registry.npm.telerik.com/ ***@***.***
<https://github.com/progress>"
It is neccesary that yarn looking for by "https" (
https://registry.npm.telerik.com) :-)
Any idea what is the problem?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#521 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ACBdWA3GrsEnpn64ppJRL2cvJ-ayhvh5ks5r--cFgaJpZM4KPd0N>
.
|
|
OK, I will create a project, with a telerik trial account, to test the problem and I will send you the project link in github. |
|
That would be great, @beatrizaldaz. |
|
About @beatrizaldaz post / Telerik. I've got same issue. In detail I've made some attemps |
|
So I just ran into this yesterday ( |
|
One more note, if it's even relevant, when attempting |
|
Related: #2738 |
|
Hi, |
|
For future travellers, |
and others
In order to allow installing private packages Yarn will need to send a token to the headers of the request.
Private packages are
@scoped/packagesthat were published withnpm publish --access=restricted. The permissions of packages are managed throughnpm accessandnpm teamwhich are not yet addedIn the npm client, this token comes from the
.npmrcand looks like this:And it gets sent as this header:
There's a package for retrieving the token. Although we may not want to store the token the same way npm does.
This token gets added to
.npmrconnpm login. Butyarn logindoesn't even authenticate (it only stores username and email), so we may want to force the user to authenticate on install (in which case we need to solve scripting these installs for CI servers through some kind of environment variable).We also need to make sure that Yarn users don't accidentally publish something publicly.
The text was updated successfully, but these errors were encountered: