berry: yarn npm login is not compatible with verdaccio
Describe the bug
I have a private npm registry implemented by verdaccio which requires login for any access. When a certain user does not yet exist in the registry yarn npm login succeeds. However, as soon as this user tries to relogin with the same command there’s a http error 409 (conflict).
I had reported this against verdaccio (https://github.com/verdaccio/verdaccio/issues/1737), since yarn2 login works fine for registry.yarnpkg.com. However, this was before I realized that new users may be created without problems.
To Reproduce
I’m sorry that I don’t see like I could provide the repro with Sherlock 😦
1 You would have to install verdaccio, globally or locally, with yarn or npm and run it like this
[yarn run] verdaccio -c conf.yml with this conf.yml:
storage: ./storage
auth:
htpasswd:
file: ./htpasswd
security:
api:
jwt:
sign:
expiresIn: 30d
notBefore: 0
web:
sign:
expiresIn: 7d
uplinks:
npmjs:
url: https://registry.npmjs.org/
packages:
'@*/*':
access: $authenticated
publish: $authenticated
proxy: npmjs
'**':
access: $authenticated
publish: $authenticated
proxy: npmjs
logs:
- {type: file, path: verdaccio.log, level: trace}
2 Furthermore I save this as .yarnrc.yml (you’d have to correct yarnPath, obviously)
yarnPath: "...\\.yarn\\releases\\yarn-berry.js"
unsafeHttpWhitelist:
- "localhost"
npmRegistryServer: "http://localhost:4873"
3 Execute yarn npm login two times - the first will succeed, the second fail with a message like this:
➤ YN0001: HTTPError: Response code 409 (Conflict) at EventEmitter. (…\releases\yarn-berry.js:24:327728) at processTicksAndRejections (internal/process/task_queues.js:97:5) ➤ YN0000: Failed with errors in 4.09s
Environment if relevant (please complete the following information):
- OS: [e.g. OSX, Linux, Windows, …] windows 10
- Node version [e.g. 8.15.0, 10.15.1, …] 12.16.1
- Yarn version [e.g. 2.0.0-rc1, …] 2.0.0rc29
const cp = require('child_process')
const fs = require('fs')
const verdaccioConf=`
storage: ./storage
auth:
htpasswd:
file: ./htpasswd
uplinks:
npmjs:
url: https://registry.npmjs.org/
packages:
'@*/*':
access: $authenticated
publish: $authenticated
proxy: npmjs
'**':
access: $authenticated
publish: $authenticated
proxy: npmjs
logs:
- {type: stdout, format: pretty, level: http}
`
fs.writeFileSync('config.yaml', verdaccioConf)
const htpasswd = `
test:$6FrCaT/v0dwE:autocreated 2020-06-09T16:43:43.706Z
`
fs.writeFileSync('htpasswd', htpasswd)
const yarnrc = `
unsafeHttpWhitelist:
- "localhost"
npmRegistryServer: "http://localhost:4873"
`
fs.writeFileSync('.yarnrc.yml', yarnrc)
await packageJsonAndInstall({
dependencies: {
'verdaccio': '4.5.1'
}
})
cp.spawn('./node_modules/.bin/verdaccio')
await new Promise(resolve => setTimeout(resolve, 5000)) // a bit of a delay
const output = await yarn('yarn', 'npm', 'login') // test, test
expect(output).not.toContain('Response code 409 (Conflict)')
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 11
- Comments: 26 (5 by maintainers)
Commits related to this issue
- fix(plugin-npm-cli): fix login flow with registry fix #1044 — committed to juanpicado/berry by juanpicado 4 years ago
- fix(plugin-npm-cli): fix login with Verdaccio This commit fixes `yarn npm login` when the remote registry is Verdaccio. When a user already exists, the registry replies with `409 Conflict`. The offi... — committed to demurgos/berry by demurgos 7 months ago
- fix(plugin-npm-cli): fix login with Verdaccio This commit fixes `yarn npm login` when the remote registry is Verdaccio. When a user already exists, the registry replies with `409 Conflict`. The offi... — committed to demurgos/berry by demurgos 7 months ago
- fix(plugin-npm-cli): fix login with Verdaccio This commit fixes `yarn npm login` when the remote registry is Verdaccio. When a user already exists, the registry replies with `409 Conflict`. The offi... — committed to demurgos/berry by demurgos 7 months ago
- fix(plugin-npm-cli): fix login with Verdaccio This commit fixes `yarn npm login` when the remote registry is Verdaccio. When a user already exists, the registry replies with `409 Conflict`. The offi... — committed to demurgos/berry by demurgos 7 months ago
- fix(plugin-npm-cli): fix login with Verdaccio This commit fixes `yarn npm login` when the remote registry is Verdaccio. When a user already exists, the registry replies with `409 Conflict`. The offi... — committed to demurgos/berry by demurgos 7 months ago
- fix(plugin-npm-cli): fix login with Verdaccio This commit fixes `yarn npm login` when the remote registry is Verdaccio. When a user already exists, the registry replies with `409 Conflict`. The offi... — committed to demurgos/berry by demurgos 7 months ago
- fix(plugin-npm-cli): fix login with Verdaccio This commit fixes `yarn npm login` when the remote registry is Verdaccio. When a user already exists, the registry replies with `409 Conflict`. The offi... — committed to demurgos/berry by demurgos 7 months ago
- fix(plugin-npm-cli): fix login with Verdaccio This commit fixes `yarn npm login` when the remote registry is Verdaccio. When a user already exists, the registry replies with `409 Conflict`. The offi... — committed to demurgos/berry by demurgos 7 months ago
- fix(plugin-npm-cli): fix login with Verdaccio (#5983) **What's the problem this PR addresses?** This commit fixes `yarn npm login` when the remote registry is Verdaccio. - Closes yarnpkg/berry... — committed to yarnpkg/berry by demurgos 7 months ago
- fix(plugin-npm-cli): fix login with Verdaccio (#5983) **What's the problem this PR addresses?** This commit fixes `yarn npm login` when the remote registry is Verdaccio. - Closes yarnpkg/berry#1044... — committed to yarnpkg/berry by demurgos 7 months ago
Temporary workaround:
~/.npmrcto~/.yarnrc.yml.Then yarn npm publish for verdaccio works fine.
Feel like I’m late to the party but discovering this issue in 2023. 😆
I was able to reproduce this easily with Yarn 2.0.0-rc.31. I ran verdaccio via the default Docker image:
Then first create a user via:
Then configure the local registry in your
.yarnrc.ymlfile:followed by:
If you use the same credentials from
adduser, the yarn login will fail and you will see the following error message from the Verdaccio process:Same issue
I designed a temporary fix.
I created a file named
.yarn/publish.shin which I change the version of Yarn on the fly in the.yarnrc.yml. This allows to publish with the1.22.10version and to switch back to the “Berry” version of Yarn.When you want to publish, do not run
yarn npm publish, but rather./.yarn/publish.sh.Same issue with yarn
3.1.1here and Verdaccio3.2.0, but I can confirm that the workaround of @korniychuk works.After playing with Wireshark, a non-https request and Yarn Berry I was able to replicate the same behavior on Postman.
It looks like
yarn npm loginis not adding the Authorization header but just the user and password in the body request. For whatever reason, that’s making verdaccio not use the authorization process but the adduser process.As extra info, it doesn’t launch the authorization nor the adduser process from all the plugins as I’m using verdaccio-azure-ad-login and this one does not display any of the debug messages it displays when using npm login.
I’ll give it a try 🤞
BTW, if I copy the auth-token received by “npm login” into .yarnrc.yml the registry can be accessed without probs.