How to use npm behing an SSL Nexus registry? - npm

I have installed npm on windows and tried to use it with the company Nexus.
To do that I created the ~/.npmrc
registry = https://mycompany/nexus/content/groups/npm-all/
Then, I set up npm and tried to download a library, but npm throws an error:
C:\git-repos\my-npm_module>npm --loglevel info install grunt
npm info it worked if it ends with ok
npm info using npm#2.15.9
npm info using node#v4.5.0
npm WARN package.json self-service-portal#1.0.0 No README data
npm info addNameTag [ 'grunt', 'latest' ]
npm info attempt registry request try #1 at 09:39:42
npm http request GET https://mycompany/nexus/content/groups/npm-all/grunt
npm info retry will retry, error on last attempt: Error: unable to get local issuer certificate
npm info attempt registry request try #2 at 09:39:52
npm http request GET https://mycompany/nexus/content/groups/npm-all/grunt
npm info retry will retry, error on last attempt: Error: unable to get local issuer certificate
How to use npm behing an SSL Nexus registry?

The solution to my problem was to add the strict-ssl false parameter and ca to empty in .npmrc file
registry = https://mycompany/nexus/content/groups/npm-all/
ca=
strict-ssl=false

Related

how can i fix problem in run npm installation?

by launching the installation of npm in symfony 6, I would have this error:
Failed to remove some directories
code ERR_SSL_CIPHER_OPERATION_FAILED
Invalid response body while trying to fetch https://registry.npmjs.org/typescript: 18180000:error:1C800066:Provider routines:ossl_gcm_stream_update:cipher operation failed:c:\ws\deps\openssl\openssl\providers\implementations\ciphers\ciphercommon_gcm.c:320:
I ran this command: npm cache verify and and restart npm install i have thuis error: ERR_SSL_CIPHER_OPERATION_FAILED
68140000:error:1C800066:Provider routines:ossl_gcm_stream_update:cipher operation failed:c:\ws\deps\openssl\openssl\providers\implementations\ciphers\ciphercommon_gcm.c:320:

NPM Login without manually entering the username, password & email

I have been able to login to my npm registry manually, ie: on my local machine - but for some reason it's not working when it goes through the CI. The problem here is that after I execute the npm login command, the program is waiting for the manual user input (username, password, email) and I couldn't find a way to send these inputs in the pipeline (where I can't make manual user input):
These different approaches I tried:
1. Copy the npm auth token from my local machine into the environment variables of the gitlab CI/CD Settings, and then just copy them into the global .npmrc at the root directory:
This results in an error (unauthenticated):
$ cd ~
$ pwd
/root
$ echo "//<my_registry_url>:_authToken=$NPM_AUTH_TOKEN" > ~/.npmrc
$ cat .npmrc
<my_registry_url>:_authToken=[MASKED] //<-- the masked value is correct, I had it unmasked before once by mistake...
$ npm whoami
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-03-02T14_29_00_728Z-debug.log
Cleaning up file based variables
00:00
ERROR: Job failed: exit code 1
2. Install npm-cli-login and pass the username, password and email in one line with the npm login command
$ npm install -g npm-cli-login
npm WARN deprecated har-validator#5.1.5: this library is no longer supported
npm WARN deprecated request#2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
added 567 packages, and audited 568 packages in 46s
33 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
// trying to login now
$ npm-cli-login -u $USERNAME -p $API_KEY -e $EMAIL -r $REPOSITORY
info attempt registry request try #1 at 6:17:19 AM
http request PUT [MASKED]-/user/org.couchdb.user:<my correct username>
http 201 [MASKED]-/user/org.couchdb.user:<my correct username> // the login seems to have worked, at least I don't get an error
// then I go to the home directory to check the .npmrc file
$ cd ~
$ pwd
/root
$ cat .npmrc
//<my_registry_url>:_authToken=<eyJ...rest of token> // <-- so this was created correctly at my npm-cli-login command
// then I go back to the angular project folder
$ cd /builds/<my path>/app/src/main/ui
$ ls
README.md
angular.json
browserslist
debug.log
e2e
package.json
src
tsconfig.app.json
tsconfig.spec.json
// and when I now run npm install, it says I'm not authenticated
$ npm install
npm WARN deprecated debug#4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated axios#0.20.0: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated request#2.88.2: request has been deprecated, see https://github.com/reques/request/issues/3142
npm WARN deprecated fsevents#2.1.3: "Please update to latest v2.3 or v2.2"
npm WARN deprecated chokidar#2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated har-validator#5.1.5: this library is no longer supported
npm WARN deprecated fsevents#1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated urix#0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url#0.2.1: https://github.com/lydell/resolve-url#deprecated
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="Artifactory Realm" // <-- HERE IT FAILED
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-03-02T06_44_42_972Z-debug.log
Cleaning up file based variables
00:01
ERROR: Job failed: exit code 1
3. Using a here document like this in my gitlab-ci.yml:
- npm login --registry=<my_registry_url> << EOF
- $USERNAME
- $API_KEY
- $EMAIL
- EOF
This results in:
$ npm login --registry=<my_registry_url> << EOF
Username: npm WARN Name may not contain non-url-safe chars
Username: (echo $'\x1b[32;1m$ <my_username>\x1b[0;m') npm ERR! cb() never called!
npm ERR! This is an error with npm itself. Please report this error at:
npm ERR! <https://npm.community>
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-03-02T13_54_12_317Z-debug.log
ERROR: Job failed: exit code 1
The methods above were maybe not wrong at all, but somehow it only worked for me after using _auth instead of _authToken value in the .npmrc file.
This method is described here and on the jfrog confluence site.
After running this curl command I received everything that I needed to put into my global .npmrc file:
curl -u ${JFROG_USER}:${JFROG_ENCRYPTED_PASSWORD} https://${JFROG_ORG}.jfrog.io/artifactory/api/npm/auth
For anyone who's interested, the full script in my gitlab ci pipeline stage now looks like this:
script:
- npm -v
6.14.10
- node -v
v14.15.4
- cd ~
- pwd
/root
# install angular globally
- npm i -g #angular/cli
# create the config file '.npmrc' for authenticating at jFrog when running 'npm install'.
- cat > .npmrc
- echo _auth = ${NPM_AUTH_TOKEN} >> .npmrc <- This is the token that I received after running the curl command from the tutorial / link above
- echo always-auth = true >> .npmrc
- echo email = ${EMAIL} >> .npmrc
# the next line makes npm look for the packages that are annotated with #<my-private-repo> at the JFrog Repo.
- echo #<my-private-repo>:registry=${UI_JFROG_REGESTRY} >> .npmrc
# change back to the project folder.
- cd /builds/<my-project-folder>/ui
# install all packages + the <my-private-repo> package from JFrog.
- npm install
Instead of using npm login, which doesn't support non-interactivity, I used the auth URL and npmrc. However, I've only gotten this to work with private NPM repositories, and not with https://registry.npmjs.org/. I'm not sure what the AUTH url is for the public NPM registry. If someone finds the AUTH url for NPM, let me know :).
For private NPM repositories, you can avoid npm login by using:
curl -u $USERNAME:$ACCESS_TOKEN https://company.jfrog.io/artifactory/api/npm/auth > ~/.npmrc
This allows us to avoid unnecessary dependencies, and is a single-line-change to a CI job.
Tips:
You can adjust ~/.npmrc to .npmrc to affect the current project only.
For debugging, you can remove > ~/.npmrc and see what the output from the auth URL is.

resolving NPM packages from a Bintray repo

I've created a private NPM repository on Bintray. I've added the necessary authentication credentials to ~/.npmrc by running
curl -u BINTRAY_USER:BINTRAY_API_TOKEN
https://api.bintray.com/npm/my-company/npm/auth/scope/my-company > ~/.npmrc
I've successfully deployed version 1.0.0 of a package named foo to this NPM repo, and have added it as a dependency to another project's `package.json
"dependencies": {
"#my-company/foo": "1.0.0"
}
But when I run npm install in this project, I get a 404 error
npm ERR! code E401
npm ERR! 401 Unauthorized: #my-company/foo#1.0.0
I can see that version 1.0.0 of foo has deployed when I login to the Bintray app, so why is resolution failing?
401 Unauthorized error usually occurs when wrong user id or credentials use.
it could be cache issue anyhow you can try run npm cache clean first and then re-run npm install or you can try with npm install -verbose which will show more information.
For the reference, the following .npmrc file works:
#my-company:registry=api.bintray.com/npm/my-company/npm
//api.bintray.com/npm/my-company/npm/:_authToken=BINTRAY_API_TOKEN
//api.bintray.com/npm/my-companyl/npm/:username=my.username
//api.bintray.com/npm/my-company/npm/:email=my#email.com
//api.bintray.com/npm/my-company/npm/:always-auth=true

Nexus manager, npm 401 Unauthorized

I'm trying to set up a nexus repository manager.
I have 3 npm repositories, private, proxy and a group of both (see images). Also I attached role's privileges and this is my .npmrc file:
registry = http://127.0.0.1:8081/repository/npm-group/
email = user#mail.com
always-auth = true
_auth = ZGV2OjEyMzQ1Ng==
When I try to do a "npm install" I get this error:
npm ERR! code E401
npm ERR! 401 Unauthorized: gulp-twig#^0.5.0
Without nexus, install ends successfully. I'm using this project template.
Any idea? What I'm missing?
Private repository
Proxy repository
Group repository
Privileges
It was a bug on my npm version (5.0.3), already fixed.
https://github.com/npm/npm/issues/16528

How should I set _auth in .npmrc when using a Nexus https npm registry proxy?

Context
My .npmrc file seems to be correctly read (checked with npm config ls -l both from command line and from Maven build).
the machine on which npm is run cannot connect directly to the net, it can only connect to a Nexus npm registry url. Therefore, proxy properties proxy and https-proxy are not set.
As access to Nexus is restricted, I have generated an access token from within Nexus.
Nexus security tokens are made from a username and a password which both contain characters such as / which usually have to be "url encoded"
as expected, with this configuration, when running npm install detects no proxy.
Nexus npm registry proxy seems to be correctly set (I can both access json files and download tgz files using a web browser after having connected using the token generated)
If I set registry to http://registry.npmjs.org/ and comment _auth, email, always-auth, strict-ssl properties, and add proxy and https-proxy configuration, npm install works as expected (but I won't be able to do it on target environment)
Content of .npmrc file
; Nexus proxy registry pointing to http://registry.npmjs.org/
registry = https://<host>/nexus/content/repositories/npmjs-registry/
; base64 encoded authentication token
_auth = <see question below>
; required by Nexus
email = <valid email>
; force auth to be used for GET requests
always-auth = true
; we don't want to put certificates in .npmrc
strict-ssl = false
loglevel = silly
Question
How should I generate the _auth property properly in order to have npm install work as expected?
I tried so far
base64Encode(<username>:<password>)
results in npm info retry will retry, error on last attempt: Error: socket hang up
base64Encode(urlencode(<username>:<password>))
results in npm info retry will retry, error on last attempt: Error: This request requires auth credentials. Run `npm login` and repeat the request.
base64Encode(urlencode(<username>):urlencode(<password>))
results in npm info retry will retry, error on last attempt: Error: socket hang up
When getting the socket hang up error I have the following stack trace:
http request GET https://<host>/nexus/content/repositories/npmjs-registry/fsevents
sill fetchPackageMetaData Error: socket hang up
sill fetchPackageMetaData at TLSSocket.onHangUp (_tls_wrap.js:1035:19)
sill fetchPackageMetaData at TLSSocket.g (events.js:260:16)
sill fetchPackageMetaData at emitNone (events.js:72:20)
sill fetchPackageMetaData at TLSSocket.emit (events.js:166:7)
sill fetchPackageMetaData at endReadableNT (_stream_readable.js:905:12)
sill fetchPackageMetaData at doNTCallback2 (node.js:441:9)
sill fetchPackageMetaData at process._tickCallback (node.js:355:17)
sill fetchPackageMetaData error for fsevents#^1.0.0 { [Error: socket hang up] code: 'ECONNRESET' }
WARN install Couldn't install optional dependency: socket hang up
verb install Error: socket hang up
verb install at TLSSocket.onHangUp (_tls_wrap.js:1035:19)
verb install at TLSSocket.g (events.js:260:16)
verb install at emitNone (events.js:72:20)
verb install at TLSSocket.emit (events.js:166:7)
verb install at endReadableNT (_stream_readable.js:905:12)
verb install at doNTCallback2 (node.js:441:9)
verb install at process._tickCallback (node.js:355:17)
When getting the This request requires auth credentials error I have the following stack trace:
npm sill fetchPackageMetaData Error: This request requires auth credentials. Run `npm login` and repeat the request.
npm sill fetchPackageMetaData at CachingRegistryClient.authify (<root>\ui\target\node\node_modules\npm\node_modules\npm-registry-client\lib\authify.js:17:14)
npm sill fetchPackageMetaData at CachingRegistryClient.makeRequest (<root>\ui\target\node\node_modules\npm\node_modules\npm-registry-client\lib\request.js:103:17)
npm sill fetchPackageMetaData at <root>\ui\target\node\node_modules\npm\node_modules\npm-registry-client\lib\request.js:66:17
npm sill fetchPackageMetaData at RetryOperation._fn (<root>\ui\target\node\node_modules\npm\node_modules\npm-registry-client\lib\attempt.js:18:5)
npm sill fetchPackageMetaData at null._onTimeout (<root>\ui\target\node\node_modules\npm\node_modules\retry\lib\retry_operation.js:49:10)
npm sill fetchPackageMetaData at Timer.listOnTimeout (timers.js:92:15)
npm sill fetchPackageMetaData error for fsevents#^1.0.0 [Error: This request requires auth credentials. Run `npm login` and repeat the request.]
npm WARN install Couldn't install optional dependency: This request requires auth credentials. Run `npm login` and repeat the request.
npm verb install Error: This request requires auth credentials. Run `npm login` and repeat the request.
npm verb install at CachingRegistryClient.authify (<root>\ui\target\node\node_modules\npm\node_modules\npm-registry-client\lib\authify.js:17:14)
npm verb install at CachingRegistryClient.makeRequest (<root>\ui\target\node\node_modules\npm\node_modules\npm-registry-client\lib\request.js:103:17)
npm verb install at <root>\ui\target\node\node_modules\npm\node_modules\npm-registry-client\lib\request.js:66:17
npm verb install at RetryOperation._fn (<root>\ui\target\node\node_modules\npm\node_modules\npm-registry-client\lib\attempt.js:18:5)
npm verb install at null._onTimeout (<root>\ui\target\node\node_modules\npm\node_modules\retry\lib\retry_operation.js:49:10)
npm verb install at Timer.listOnTimeout (timers.js:92:15)
Sources: https://help.sonatype.com/repomanager3/nexus-repository-administration/formats/npm-registry/npm-security
& https://help.sonatype.com/repomanager3/nexus-repository-administration/formats/npm-registry/publishing-npm-packages
Configure registry (its important doing this before configuring the authentication in step 2, because the authentication settings will be based on the registry):
npm config set registry="http://localhost:8081/repository/npm-internal/"
Configure authentication using a line like the following example:
npm config set _auth="$(echo -n 'username:password' | base64)"
Check the current configuration using the following:
npm config ls
Publish your npm package:
npm publish --registry http://localhost:8081/repository/npm-internal/
If you have authorization token you should not use username:password.
I suggest you:
Generate token
Delete your ~/.npmrc or rename it.
Make sure your env settings like $NPM_CONFIG_* are unset.
Verify that email and other settings are unset by using: npm config list
Log into the npm using: npm login --registry=https://nexus.whatever.registry/respository/npm-whatever-group/
Once you are logged - you are logged. The npm should generate a token for it in your ~/.npmrc. It will look like:
//nexus.whatever.registry/respository/npm-whatever-group/:_authToken=NpmToken.YOUR-LOVELY-TOKEN-IN-HEX
You can use that token in your project, CI pipeline, and other ones. Make sure in your project .npmrc there is:
//nexus.whatever.registry/respository/npm-whatever-group/:_authToken=NpmToken.YOUR-LOVELY-TOKEN-IN-HEX
email = <EMAIL_USED_FOR_TOKEN_GENERATION>
always-auth = true
registry = https://nexus.whatever.registry/respository/npm-whatever-group/
If you have problems with authentication/certs:
add env variable (also to your CI/CD pipline)
$NODE_EXTRA_CA_CERTS to point to /home/wherever/is/your/cert.pem
For CI/CD pipelines (like gitlabs or jenikins):
consider replacing actual values from your .npmrc project file with ${RELEVANT_ENV_VARIABLES}. This way you will make them less visible and always self-updating on change of pipline.
Hope this help.
After having looked at registry-client code I found the answer, here it is. I post it as it may help other people:
base64Encode(<username>:<password>)
By the way, there is an URL encoding, but it's authify.js that takes care of it.
The "socket hang up" problem I'm facing is due to the fact that if a proxy is set in Windows configuration, when launching npm from CLI (and not from a Maven build) all ```.npmrc`` proxy settings seem to be ignored while native proxy exclusions (for corporate urls) are ignored by npm. I'll open a ticket to report this weird behavior.
Before you run npm login, please follow the instructions below :
1) Create an ~/.npmrc file with the following contents:
registry=https://example.com/repository/npm-group/
email=username#example.com
always-auth=true
//example.com/repository/npm-group/:_authToken=
2) run `npm login`
# npm login
Username: firstname.lastname
Password:
Email: (this IS public) firstname.lastname#example.com
Logged in as firstname,lastname on https://example.com/repository/npm-group/.
Use the same password you use to login to example.com
I don't know about Nexus, but we use artifactory as an npm repo, and there I can create my auth token by calling base64encode(username:encryptedPassword) with encryptedPassword being the one I get from my personal artifactory profile.
Maybe this helps.
I just wrote a wrapper that stores the credentials in your systems keychain and provides them on the fly. Check out: https://github.com/Xiphe/npm_keychain_auth