Expose auth property for registry

[lesteenman]

The plugin exposes the authToken property, which will be set during the publish command for the given registry:

      if (reg.authToken.isPresent) add("--//$repo:_authToken=${reg.authToken.get()}")

However, some registries require _auth rather than _authToken. The former is submitted as a basic auth string, the latter as a bearer token.

[mpetuska]

Happy to add support for _auth if you can link me to where it's documented.

[lesteenman]

This is where I got the info myself: https://docs.npmjs.com/cli/v10/configuring-npm/npmrc#auth-related-configuration

The settings _auth, _authToken, username and _password must all be scoped to a specific registry. This ensures that npm will never send credentials to the wrong host.

The full list is:

• _auth (base64 authentication string)
• _authToken (authentication token)
  ...

I can supply a PR if you want.

[mpetuska]

PR would be appreciated if you find the time.

[lesteenman]

It seems like the CLI automatically generates the _auth from the username and _password if supplied, so I'm going with those instead. Working on the PR!

[lesteenman]

Not sure what's going on, but when I use the username and _password properties from npm publish, the password gets sent to the registry incorrectly. As an example, sending "testusername" and "testpassword" results in the following authentication header:

  "authorization": "Basic dGVzdHVzZXJuYW1lOu+/ve+/vS3vv73vv70sworvv70=",

which decodes to garbage after the colon. This happens when I use NPM through the CLI or not. And given that I can't find enough documentation on it... I will implement it with _auth after all, and perform the base64 encoding manually in the plugin.

[lesteenman]

It turns out NPM expects the _password property to be base64 encoded itself as well. I will add a comment with a reference if I can find any, but this doesn't seem to be documentated that well.

#172

[lesteenman]

https://github.com/npm/cli/blob/3b8b11161ee2f88817dcc19b4770040d5bc73261/workspaces/arborist/README.md?plain=1#L42

this is the line that gave me the idea. However, it's not documentation of the CLI itself, but another NPM package it publishes from the same repository.

[lesteenman]

Hi @mpetuska , any updates on a new release so we can use this?

[mpetuska]

3.5.0 is out with this. Apologies for the long delay, could not find time to sit with the project before holidays.