fix(plugin-npm-cli): fix login flow with the registry

[juanpicado]

What's the problem this PR addresses?

Add the missing logic the registry requires to login a user already registered.

Fixes #1044

How did you fix it?

Add missing request to perform a full login. The flow is like this:

• User log in and the registry is supposed to return error 409 if exist already:
  • The request does not send the npmAuthToken on the first request
  • The registry will try to add a new user and if exist return 409 by design.
• The CLI will request the logged user:
  • The CLI must send the npmAuthToken and registry will rely on that to return the logged user
  • If token is not being send then should throw an error
  • The response only includes a text, so we need to rely on the HTTP status and ok message.
• If the previous step is success, a third request (PUT) to log in user:
  • The npmAuthToken must be send
  • If token is valid will successfully log in the user
  • If it fails, we throw an error.

Checklist

• I have read the Contributing Guide.

• I have set the packages that need to be released for my changes to be effective.

• I have verified that all automated PR checks pass.

[juanpicado]

I'd need some help to improve the code, not sure where to put things or create methods and so on and test updates/create are missing

[arcanis]

Thanks for looking into it! Quick questions before discussing the implementation:

• Do you see a way to split user creation out of user authentication? I don't like the idea of having a login command that does either. I realize npm doesn't make the distinction, but I think we should 🤔

• Since the login works on the npm registry, do you think there is something that Verdaccio should do? Perhaps as an enhancement rather than a bugfix, so that we could do the new user registration on a different command, cf first point.

[juanpicado]

Thanks for looking into it! Quick questions before discussing the implementation:

• Do you see a way to split user creation out of user authentication? I don't like the idea of having a login command that does either. I realize npm doesn't make the distinction, but I think we should 🤔
• Since the login works on the npm registry, do you think there is something that Verdaccio should do? Perhaps as an enhancement rather than a bugfix, so that we could do the new user registration on a different command, cf first point.

I need to look into those points then. For point one I'd like to do that, actually npm adduser is a useless command for most of the registries implementation, only verdaccio gives sense to that command allowing create a brand new user. I know there is a legacy npm/npm-profile@9710475 that's the unique hint I found by far.

It maybe fixed at Verdaccio, but not sure if would be a breaking change, we still support npm5 and I'm not sure side effects.

I'll back when I have more news.

[jounii]

Any news on this? I faced these issues with yarn berry regards this and it makes Vercaddio impossible to use and basically yarn berry useless to publish packages.

I was hoping to get away from Yarn1 + Lerna + sematic-release by using yarn berry and couple of extra scripts or possibly make yarn berry plugin for sematic-release style publish, but seems that is impossible currently if using Verdaccio. I was going to use Vercaddio as testbed for development and Verdaccio is the internal enterprise registry, so it needs to work.

[juanpicado]

Any news on this?

Still checking, I'm swimming in the amazing world of registries and other pkg manager lately, no clear solution yet.

I faced these issues with yarn berry regards this and it makes Vercaddio impossible to use and basically yarn berry useless to publish packages.

Why? This PR is about yarn login which I doubt you might use via CI`.

I was hoping to get away from Yarn1 + Lerna + sematic-release by using yarn berry and couple of extra scripts or possibly make yarn berry plugin for sematic-release style publish, but seems that is impossible currently if using Verdaccio. I was going to use Vercaddio as testbed for development and Verdaccio is the internal enterprise registry, so it needs to work.

If you enable npmAuthToken and npmAlwaysAuth yarn berry will login you perfectly. I mean, you would still need to create the token via npm login/adduser but, once you have the token you should be not blocked to use yarn berry.

Unless I missing something from your side, let me know.

// .yarnrc.yml
npmRegistryServer: "http://localhost:4873"

unsafeHttpWhitelist:
  - localhost

npmScopes:
  testscope:
    npmPublishRegistry: "http://localhost:4873"
    npmRegistryServer: "http://localhost:4873"
    npmAlwaysAuth: true

npmAuthToken: "xxxxxxHJGSw=="
npmAlwaysAuth: true

ref https://github.com/juanpicado/yarnv2_test

[jounii]

If you enable npmAuthToken and npmAlwaysAuth yarn berry will login you perfectly. I mean, you would still need to create the token via npm login/adduser but, once you have the token you should be not blocked to use yarn berry.

Unless I missing something from your side, let me know.

Thank you for this.

I was able to get the publish work with verdaccio, but it does differ slightly in yarn2 from npm, which I used as a comparison to get better logging. I could not figure out how yarn2 would give more verbose logging.

Following caveats which I had to solve:

• Yarn2 does not pick global npmAuthToken setting from ~/.yarnrc.yml, at least with npmScopes:. NPM does work fine with this (with it's .npmrc of course). Workaround is to copy the npmAuthToken to the repository local .yarnrc.yml file. Maybe there's some configuration syntax which I did not see
• Yarn2 login works only once with Verdaccio, so if you lose/delete your npmAuthToken value, only way to get it back is to remove the user from Verdaccio and login again
• Yarn2 does not respect the npmScopes: values with npm publish for packages which are scoped in their package.json. Either you have to configure the registry to be global before running publish or add publishConfig.registry value to the package.json to force certain registry

Probably just need to add some additional CI steps for this as the "normal" configuration is not enough.

EDIT:

Just to clarify why this configuration. The company internal registry (Verdaccio) is accessed through scoping (and packages are only published to that one) and any other packages are accessed directly from their own registries. Verdaccio is not used as proxy to public registries.

[juanpicado]

I could not figure out how yarn2 would give more verbose logging.

yeah, me neither :( maybe @arcanis @merceyz have an idea. Actually is really helpful for debugging.

[jounii]

Update regards publishing to scoped registry server.

The documentation says that npmPublishRegistry is not needed if npmRegistryServer is given, but this is incorrect.. You have to define npmPublishRegistry separately, otherwise, the global value is used and not the npmScope npmRegistryServer value. I was trusting documentation on this one and didn't remember there was a separate value for publish registry.