Skip to content

Fix missing credentials when fetching tarballs #622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Dec 11, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,7 @@ export const startPackageServer = (): Promise<string> => {
[version as string]: Object.assign({}, packageVersionEntry!.packageJson, {
dist: {
shasum: await getPackageArchiveHash(name, version),
tarball: localName === `unconventional-tarball`
tarball: (localName === `unconventional-tarball` || localName === `private-unconventional-tarball`)
Copy link
Contributor Author

@rtsao rtsao Dec 9, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was also considering something like this (along the same lines of localName.startsWith(`private`)):

Suggested change
tarball: (localName === `unconventional-tarball` || localName === `private-unconventional-tarball`)
tarball: localName.endsWith(`unconventional-tarball`)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's ok for now - if we need to add more private packages we will just move the whitelist into a set 👍

? (await getPackageHttpArchivePath(name, version)).replace(`/-/`, `/tralala/`)
: await getPackageHttpArchivePath(name, version),
},
Expand Down Expand Up @@ -377,7 +377,7 @@ export const startPackageServer = (): Promise<string> => {
} else if (match = url.match(/^\/(?:(@[^\/]+)\/)?([^@\/][^\/]*)\/(-|tralala)\/\2-(.*)\.tgz$/)) {
const [, scope, localName, split, version] = match;

if (localName === `unconventional-tarball` && split === `-`)
if ((localName === `unconventional-tarball` || localName === `private-unconventional-tarball`) && split === `-`)
return null;

return {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
/* @flow */

module.exports = require(`./package.json`);

for (const key of [`dependencies`, `devDependencies`, `peerDependencies`]) {
for (const dep of Object.keys(module.exports[key] || {})) {
// $FlowFixMe The whole point of this file is to be dynamic
module.exports[key][dep] = require(dep);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"name": "@private/unconventional-tarball",
"version": "1.0.0"
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
/* @flow */

module.exports = require(`./package.json`);

for (const key of [`dependencies`, `devDependencies`, `peerDependencies`]) {
for (const dep of Object.keys(module.exports[key] || {})) {
// $FlowFixMe The whole point of this file is to be dynamic
module.exports[key][dep] = require(dep);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"name": "private-unconventional-tarball",
"version": "1.0.0"
}
57 changes: 57 additions & 0 deletions packages/acceptance-tests/pkg-tests-specs/sources/auth.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,63 @@ describe(`Auth tests`, () => {
),
);

test(
`it should install unconventional scoped packages which require authentication if an authentication token is configured`,
makeTemporaryEnv(
{
dependencies: {[`@private/unconventional-tarball`]: `1.0.0`},
},
async ({path, run, source}) => {
await writeFile(`${path}/.yarnrc.yml`, `npmAuthToken: "${AUTH_TOKEN}"\n`);

await run(`install`);

await expect(source(`require('@private/unconventional-tarball')`)).resolves.toMatchObject({
name: `@private/unconventional-tarball`,
version: `1.0.0`,
});
},
),
);

test(
`it should install unconventional scoped packages which require authentication if npmAlwaysAuth is set to true and an authentication ident is present`,
makeTemporaryEnv(
{
dependencies: {[`@private/unconventional-tarball`]: `1.0.0`},
},
async ({path, run, source}) => {
await writeFile(`${path}/.yarnrc.yml`, `npmAuthIdent: "${AUTH_IDENT}"\nnpmAlwaysAuth: true\n`);

await run(`install`);

await expect(source(`require('@private/unconventional-tarball')`)).resolves.toMatchObject({
name: `@private/unconventional-tarball`,
version: `1.0.0`,
});
},
),
);

test(
`it should install unconventional unscoped packages which require authentication if npmAlwaysAuth is set to true and an authentication ident is present`,
makeTemporaryEnv(
{
dependencies: {[`private-unconventional-tarball`]: `1.0.0`},
},
async ({path, run, source}) => {
await writeFile(`${path}/.yarnrc.yml`, `npmAuthIdent: "${AUTH_IDENT}"\nnpmAlwaysAuth: true\n`);

await run(`install`);

await expect(source(`require('private-unconventional-tarball')`)).resolves.toMatchObject({
name: `private-unconventional-tarball`,
version: `1.0.0`,
});
},
),
);

test(
`it should fail when an invalid authenticaation token is used`,
makeTemporaryEnv(
Expand Down
6 changes: 4 additions & 2 deletions packages/plugin-npm/sources/NpmHttpFetcher.ts
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
import {Fetcher, FetchOptions, MinimalFetchOptions} from '@yarnpkg/core';
import {Locator, MessageName} from '@yarnpkg/core';
import {httpUtils, structUtils, tgzUtils} from '@yarnpkg/core';
import {structUtils, tgzUtils} from '@yarnpkg/core';
import semver from 'semver';
import {URL} from 'url';

import {PROTOCOL} from './constants';
import * as npmHttpUtils from './npmHttpUtils';

export class NpmHttpFetcher implements Fetcher {
supports(locator: Locator, opts: MinimalFetchOptions) {
Expand Down Expand Up @@ -50,8 +51,9 @@ export class NpmHttpFetcher implements Fetcher {
if (archiveUrl === null)
throw new Error(`Assertion failed: The archiveUrl querystring parameter should have been available`);

const sourceBuffer = await httpUtils.get(archiveUrl, {
const sourceBuffer = await npmHttpUtils.get(archiveUrl, {
configuration: opts.project.configuration,
ident: locator,
});

return await tgzUtils.convertToZip(sourceBuffer, {
Expand Down
9 changes: 8 additions & 1 deletion packages/plugin-npm/sources/npmHttpUtils.ts
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,14 @@ export async function get(path: string, {configuration, headers, ident, authType
if (auth)
headers = {...headers, authorization: auth};

return await httpUtils.get(registry + path, {configuration, headers, ...rest});
let url;
try {
url = new URL(path);
} catch (e) {
url = new URL(registry + path);
}

return await httpUtils.get(url.href, {configuration, headers, ...rest});
}

export async function put(path: string, body: httpUtils.Body, {configuration, headers, ident, authType = AuthType.ALWAYS_AUTH, registry, ...rest}: Options) {
Expand Down