[BUG] NPM v7.11.0 private registry authentication 401 with username/password

[apottere]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Private registry authentication seems to have been broken in npm v7.11.0 when installing specific packages with username and password defined in ~/.npmrc instead of _auth. npm ci is unaffected.

Expected Behavior

Private registry authentication should work in >= 7.11.0 the way it did in < 7.11.0. I tried messing with the repo url a little, but I wasn't able to get anything to work. Is this an expected configuration change? If so I couldn't find any documentation about what needs to change.

Steps To Reproduce

My (redacted) ~/.npmrc`:

progress=true
email="name@company.com"

registry=https://artifactory.company.com/artifactory/api/npm/repo-npm
# npm >= 7.x
//artifactory.company.com/artifactory/api/npm/repo-npm/:always-auth=true
//artifactory.company.com/artifactory/api/npm/repo-npm/:username="name@company.com"
//artifactory.company.com/artifactory/api/npm/repo-npm/:password="apiKey | base64"
# npm <= 6.x
//artifactory.company.com/artifactory/api/npm/:always-auth=true
//artifactory.company.com/artifactory/api/npm/:username="name@company.com"
//artifactory.company.com/artifactory/api/npm/:password="apiKey | base64"

$ nvm install
Found '$PWD/.nvmrc' with version <14.15.1>
Downloading and installing node v14.15.1...
Local cache found: ${NVM_DIR}/.cache/bin/node-v14.15.1-darwin-x64/node-v14.15.1-darwin-x64.tar.xz
Checksums match! Using existing downloaded archive ${NVM_DIR}/.cache/bin/node-v14.15.1-darwin-x64/node-v14.15.1-darwin-x64.tar.xz
Now using node v14.15.1 (npm v6.14.8)

$ npm i -g npm@7.4.0
$HOME/.nvm/versions/node/v14.15.1/bin/npm -> $HOME/.nvm/versions/node/v14.15.1/lib/node_modules/npm/bin/npm-cli.js
$HOME/.nvm/versions/node/v14.15.1/bin/npx -> $HOME/.nvm/versions/node/v14.15.1/lib/node_modules/npm/bin/npx-cli.js
+ npm@7.4.0
added 54 packages from 28 contributors, removed 238 packages and updated 196 packages in 8.042s

$ npm i -g npm@7.5.0

changed 14 packages, and audited 255 packages in 6s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm i -g npm@7.6.0

removed 2 packages, changed 14 packages, and audited 254 packages in 3s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm i -g npm@7.7.0

removed 1 package, changed 14 packages, and audited 255 packages in 4s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm i -g npm@7.8.0

removed 2 packages, changed 14 packages, and audited 253 packages in 3s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm i -g npm@7.9.0

changed 14 packages, and audited 253 packages in 4s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm i -g npm@7.10.0

changed 14 packages, and audited 253 packages in 4s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm i -g npm@7.11.0

changed 14 packages, and audited 255 packages in 3s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm i -g npm@7.12.0
npm ERR! code E401
npm ERR! Incorrect or missing password.
npm ERR! If you were trying to login, change your password, create an
npm ERR! authentication token or enable two-factor authentication then
npm ERR! that means you likely typed your password in incorrectly.
npm ERR! Please try again, or recover your password at:
npm ERR!     https://www.npmjs.com/forgot
npm ERR! 
npm ERR! If you were doing some other operation then your saved credentials are
npm ERR! probably out of date. To correct this please try logging in again with:
npm ERR!     npm login

npm ERR! A complete log of this run can be found in:
npm ERR!     $HOME/.npm/_logs/2021-05-21T15_33_39_945Z-debug.log

Environment

• OS: MacOS 11.3.1 (20E241)
• Node: 14.15.1
• npm: 7.11.0 - 7.14.0

[apottere]

The offending URL is:

npm http fetch GET 401 https://artifactory.company.com/artifactory/api/npm/repo-npm/npm 194ms

[apottere]

Per #3130 I switched to using _auth and that worked... Are username and password no longer supported intentionally?

//artifactory.company.com/artifactory/api/npm/repo-npm:always-auth=true
//artifactory.company.com/artifactory/api/npm/repo-npm:_auth="..."

[wraithgar]

afaik username/password auth is still supported via //repo-url:username and //repo-url:_password (note the underscore for password.

[mehulkar]

Same issue here. Downgrading to 7.10 worked. In my case, I get a 404 instead of a 401, but that may be due to some proxying issue in our internal artifactory setup.