include non-registry-scoped auth configs at load, scoped to default registry

Author: isaacs

lib/index.js

@@ -282,6 +282,15 @@ class Config {
     // symbols, as that module also does a bunch of get operations
     this[_loaded] = true
 
+    process.emit('time', 'config:load:credentials')
+    const reg = this.get('registry')
+    // console.error('registry', reg, this)
+    const creds = this.getCredentialsByURI(reg)
+    // ignore this error because a failed set will strip out anything that
+    // might be a security hazard, which was the intention.
+    try { this.setCredentialsByURI(reg, creds) } catch (_) {}
+    process.emit('timeEnd', 'config:load:credentials')
+
     // set proper globalPrefix now that everything is loaded
     this.globalPrefix = this.get('prefix')
 

test/index.js

@@ -851,3 +851,71 @@ t.test('setting username/password/email individually', async t => {
     auth: Buffer.from('admin:admin').toString('base64'),
   })
 })
+
+t.test('nerfdart auths set at the top level into the registry', async t => {
+  const registry = 'https://registry.npmjs.org/'
+  const _auth = Buffer.from('admin:admin').toString('base64')
+  const username = 'admin'
+  const _password = Buffer.from('admin').toString('base64')
+  const email = '[email protected]'
+  const _authToken = 'deadbeefblahblah'
+
+  // TODO(isaacs): We should NOT be requiring that email be nerfdarted.
+  // It's not particularly secret, and is only included in the "credentials"
+  // concept as an accident of history, because the old couchdb reg used it.
+  // It should be treated just like any other plain old config field.
+
+  // name: [ini, expect]
+  const cases = {
+    // TODO: should not require email
+    // '_auth only, no email': [ `_auth=${_auth}`, {
+    //   '//registry.npmjs.org/:username': username,
+    //   '//registry.npmjs.org/:_password': _password,
+    // }],
+    '_auth with email': [ `_auth=${_auth}\nemail=${email}`, {
+      '//registry.npmjs.org/:username': username,
+      '//registry.npmjs.org/:_password': _password,
+      // TODO: change to just 'email': email
+      '//registry.npmjs.org/:email': email,
+    }],
+    '_authToken alone': [ `_authToken=${_authToken}`, {
+      '//registry.npmjs.org/:_authToken': _authToken,
+    }],
+    '_authToken and email': [ `_authToken=${_authToken}\nemail=${email}`, {
+      '//registry.npmjs.org/:_authToken': _authToken,
+      // TODO: should include (un-nerf-darted) email
+      // email,
+    }],
+    // TODO: should not require email
+    // 'username and _password': [ `username=${username}\n_password=${_password}`, {
+    //   '//registry.npmjs.org/:username': username,
+    //   '//registry.npmjs.org/:_password': _password,
+    // }],
+    'username, password, email': [ `username=${username}\n_password=${_password}\nemail=${email}`, {
+      '//registry.npmjs.org/:username': username,
+      '//registry.npmjs.org/:_password': _password,
+      '//registry.npmjs.org/:email': '[email protected]',
+    }],
+    // handled invalid cases
+    'username, no _password': [`username=${username}`, {}],
+    '_password, no username': [`_password=${_password}`, {}],
+  }
+
+  for (const [name, [ini, expect]] of Object.entries(cases)) {
+    //console.log({name, ini, expect})
+    t.test(name, async t => {
+      const path = t.testdir({ '.npmrc': ini })
+      const opts = {
+        shorthands: {},
+        argv: ['node', __filename, `--userconfig=${path}/.npmrc`, `--globalconfig=${path}/npmrc`],
+        definitions: {
+          registry: { default: registry },
+        },
+        npmPath: process.cwd(),
+      }
+      const c = new Config(opts)
+      await c.load()
+      t.same(c.list[3], expect)
+    })
+  }
+})