cli
cli copied to clipboard
npm
[BUG] NPM v7 private registry authentication 401 (v6 works)
Current Behavior:
While trying to install packages from GitHub package repository, I get 401 error when using npm v7 (tried with 7.3 and 7.4.2) while it's working with v6 (6.14.11)
Full error:
npm ERR! code E401
npm ERR! Incorrect or missing password.
npm ERR! If you were trying to login, change your password, create an
npm ERR! authentication token or enable two-factor authentication then
npm ERR! that means you likely typed your password in incorrectly.
npm ERR! Please try again, or recover your password at:
npm ERR! https://www.npmjs.com/forgot
npm ERR!
npm ERR! If you were doing some other operation then your saved credentials are
npm ERR! probably out of date. To correct this please try logging in again with:
npm ERR! npm login
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-01-19T01_46_36_935Z-debug.log
My .npmrc is as follows:
//npm.pkg.github.com/:_authToken=<token>
//npm.pkg.github.com/:always-auth=true
@stvad:registry=https://npm.pkg.github.com
Seems very similar to #2183
Expected Behavior:
Packages are successfully installed
Steps To Reproduce:
Do npm install with npm v7, packages hosted in GitHub packages registry and .npmrc as mentioned above
Environment:
Happens to me both on macOS and in several Linux versions inside
- OS macOS 10.15.7/ Debian stretch
- Node: 15.5.1
- npm: 7.4.2
I have the same issue on windows 10 trying to access azure feeds. I currently have:
[email protected]
[email protected]
I also tried some older 7.x.x versions, but none of them worked for me. Only if I downgrade to v6 it starts working again.
I keep getting
npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR! npm login
I was not able to duplicate this with v7.4.3
My config is as follows:
$ npm config list
@npm:registry = "https://npm.pkg.github.com"
//npm.pkg.github.com/:_authToken = (protected)
//registry.npmjs.org/:_authToken = (protected)
The command I ran was npm install --prefer-online to ensure that this wasn't a case where caching was giving me a false negative. I also did this with no package-lock.json file present.
Is it possible that your package-lock has erroneous resolved urls that point to the registry that are left over from a previous setup/configuration?
I tried again, removed package-lock.json and executed with npm i --prefer-online - same result. :/
presence of package-lock.json does not seem to make a difference.
using npm install --prefer-online seems to help for me. I'm trying npm install on a clean docker image though, so I don't believe there are any cache?
hrm interesting. if I do npm install --prefix-online on a clean image it doesn't work actually. but if I try doing npm install first (it fails) and then npm install --prefix-online it works π
Are there any news on this? --prefer-online doesn't work for me π
Also not if I first try with npm install...
I was having a similar problem as @Stvad. The first npm install would error and output the message of this issue, then, the second npm install would work normally.
Tried to give it a go because of the simpler workspaces implementation, would fit perfectly my use-case, but I was having so much problems that I gave up and will use yarn or nx.dev instead.
We would need more info to debug this, such as the output of the failing install with --verbose and the output of npm config list.
npm install:
C:\workspace\playground\test>npm i --verbose
npm verb cli [
npm verb cli 'C:\\Program Files\\nodejs\\node.exe',
npm verb cli 'C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js',
npm verb cli 'i',
npm verb cli '--verbose'
npm verb cli ]
npm info using [email protected]
npm info using [email protected]
npm timing config:load:defaults Completed in 3ms
npm timing config:load:file:C:\Users\mru\AppData\Roaming\nvm\v15.6.0\node_modules\npm\npmrc Completed in 2ms
npm timing config:load:builtin Completed in 2ms
npm timing config:load:cli Completed in 2ms
npm timing config:load:env Completed in 1ms
npm timing config:load:file:C:\workspace\playground\test\.npmrc Completed in 0ms
npm timing config:load:project Completed in 1ms
npm timing config:load:file:C:\Users\mru\.npmrc Completed in 2ms
npm timing config:load:user Completed in 2ms
npm timing config:load:file:C:\Program Files\nodejs\etc\npmrc Completed in 1ms
npm timing config:load:global Completed in 1ms
npm timing config:load:cafile Completed in 0ms
npm timing config:load:validate Completed in 1ms
npm timing config:load:setUserAgent Completed in 1ms
npm timing config:load:setEnvs Completed in 0ms
npm timing config:load Completed in 14ms
npm verb npm-session d8af380cdd26f605
npm timing npm:load Completed in 56ms
npm timing arborist:ctor Completed in 1ms
npm timing idealTree:init Completed in 820ms
npm timing idealTree:userRequests Completed in 0ms
npm timing idealTree:#root Completed in 1ms
npm timing idealTree:buildDeps Completed in 4ms
npm timing idealTree:fixDepFlags Completed in 0ms
npm timing idealTree Completed in 852ms
npm timing reify:loadTrees Completed in 1392ms
npm timing reify:diffTrees Completed in 47ms
npm timing reify:retireShallow Completed in 68ms
npm timing reify:createSparse Completed in 24ms
npm timing reify:loadBundles Completed in 0ms
npm http fetch POST 404 https://pkgs.dev.azure.com/myorg/_packaging/feed/npmregistry/-/npm/v1/security/advisories/bulk 886ms
npm http fetch GET 401 https://pkgs.dev.azure.com/myorg/_packaging/feed/npmregistry/uuid/-/uuid-8.3.0.tgz 1046ms
[many more 401]
npm timing reify:rollback:createSparse Completed in 22ms
npm timing reify:rollback:retireShallow Completed in 60ms
npm timing command:install Completed in 3797ms
npm verb stack Error: Unable to authenticate, need: Bearer authorization_uri=https://login.windows.net/5371663e-f24f-e240-aa39-65fb3ad05e3c, Basic realm="https://pkgsprodsu3weu.app.pkgs.visualstudio.com/", TFS-Federated
npm verb stack at C:\Users\mru\AppData\Roaming\nvm\v15.6.0\node_modules\npm\node_modules\npm-registry-fetch\check-response.js:113:17
npm verb stack at processTicksAndRejections (node:internal/process/task_queues:94:5)
npm verb statusCode 401
npm verb pkgid rimraf@https://pkgs.dev.azure.com/myorg/_packaging/feed/npmregistry/rimraf/-/rimraf-2.7.1.tgz
npm verb cwd C:\workspace\playground\test
npm verb Windows_NT 10.0.17763
npm verb argv "C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "i" "--verbose"
npm verb node v15.6.0
npm verb npm v7.4.0
npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR! npm login
npm verb exit 1
npm http fetch POST 404 https://pkgs.dev.azure.com/myorg/_packaging/feed/npmregistry/-/npm/v1/security/audits/quick 1126ms
npm verb audit error Error: 404 Not Found - POST https://pkgs.dev.azure.com/myorg/_packaging/feed/npmregistry/-/npm/v1/security/audits/quick
npm verb audit error at C:\Users\mru\AppData\Roaming\nvm\v15.6.0\node_modules\npm\node_modules\npm-registry-fetch\check-response.js:123:15
npm verb audit error at async Map.[getReport] (C:\Users\mru\AppData\Roaming\nvm\v15.6.0\node_modules\npm\node_modules\@npmcli\arborist\lib\audit-report.js:310:21)
npm verb audit error at async Map.run (C:\Users\mru\AppData\Roaming\nvm\v15.6.0\node_modules\npm\node_modules\@npmcli\arborist\lib\audit-report.js:103:19)
npm verb audit error HttpErrorGeneral: 404 Not Found - POST https://pkgs.dev.azure.com/myorg/_packaging/feed/npmregistry/-/npm/v1/security/audits/quick
npm verb audit error at C:\Users\mru\AppData\Roaming\nvm\v15.6.0\node_modules\npm\node_modules\npm-registry-fetch\check-response.js:123:15
npm verb audit error at async Map.[getReport] (C:\Users\mru\AppData\Roaming\nvm\v15.6.0\node_modules\npm\node_modules\@npmcli\arborist\lib\audit-report.js:310:21)
npm verb audit error at async Map.run (C:\Users\mru\AppData\Roaming\nvm\v15.6.0\node_modules\npm\node_modules\@npmcli\arborist\lib\audit-report.js:103:19) {
npm verb audit error headers: [Object: null prototype] {
npm verb audit error 'content-length': [ '29' ],
npm verb audit error 'content-type': [ 'text/plain; charset=utf-8' ],
npm verb audit error p3p: [
npm verb audit error 'CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"'
npm verb audit error ],
npm verb audit error 'x-tfs-processid': [ '89f7068f-965d-4a2c-9d8f-5ca5933f4175' ],
npm verb audit error 'strict-transport-security': [ 'max-age=31536000; includeSubDomains' ],
npm verb audit error 'x-tfs-serviceerror': [ 'The+resource+cannot+be+found.' ],
npm verb audit error 'request-context': [ 'appId=cid-v1:f5d75a35-28cc-4e72-8007-1cf59e01402f' ],
npm verb audit error 'access-control-expose-headers': [ 'Request-Context' ],
npm verb audit error 'x-content-type-options': [ 'nosniff' ],
npm verb audit error 'x-msedge-ref': [
npm verb audit error 'Ref A: 7905DD0AC4334DFA809BB8F4E1C3D331 Ref B: PRG01EDGE0415 Ref C: 2021-01-19T06:20:49Z'
npm verb audit error ],
npm verb audit error date: [ 'Tue, 19 Jan 2021 06:20:48 GMT' ],
npm verb audit error 'x-fetch-attempts': [ '1' ]
npm verb audit error },
npm verb audit error statusCode: 404,
npm verb audit error code: 'E404',
npm verb audit error method: 'POST',
npm verb audit error uri: 'https://pkgs.dev.azure.com/myorg/_packaging/feed/npmregistry/-/npm/v1/security/audits/quick',
npm verb audit error body: ,
npm verb audit error pkgid: 'quick'
npm verb audit error }
npm timing auditReport:getReport Completed in 2381ms
npm timing reify:audit Completed in 2382ms
npm timing npm Completed in 4413ms
and my .npmrc:
registry=https://pkgs.dev.azure.com/myorg/_packaging/feed/npmregistry/npm/registry/
username=mru
_password=THE_TOKEN
[email protected]
always-auth=true
If I switch back to any npm v6 version the exact same .npmrc works fine. So it does not seem to be an issue with the token/account or azure itself.
@wraithgar I was getting the information for you, but then I had to install npm 7 again, since I had downgraded. Got 7.5.2 instead of 7.4.3 that I had before, and now my problem seems to be gone!
@ianldgs Glad to hear it. ~A bug fix went out in 7.5.2 that had to do with how and when the cli checked if you were logged in during publishes and that is likely why your specific case worked. I'm not totally sure it's related to the original issue yet because the error messages aren't the same as the other bug.~ ETA: it is 7.5.3 that has the bugfix, which is not out yet so now I don't know why your specific case worked, but it's good to know that it did. I'll see what else changed recently to try and find clues as I continue to debug.
I will try to replicate further with the new log/rc info given by @mrucelum
@mrucelum is that the actual output of npm config list? npm pulls from several different places when it builds its final config so just having the contents of one file may not tell the whole story.
Also, is your token newer than 90 days? Azure tokens only live for 90 days by default.
Similar issues as logged here: https://github.com/npm/cli/issues/2619
Our CI pipelines are 401'ing - tokens are provided internally for the CI agents.
Thank you @leepowelldev, we can move the azure-specific conversation there, as this issue was for github packages.
Sure - although the two issues may share similarities in how v7 is following redirects with auth?
I don't believe npm packages does redirects the same way azure does. I get a bare 200 response when fetching https://npm.pkg.github.com/@wraithgar%2fgh-registry-test with my auth token.
When I fetch the tarball urls from the github registry, they do redirect, but the new auth is baked into the query parameters as a signed aws request so it no longer is using my auth token after the redirect.
Yeah, redirects are a guess on my part (I've not had time to investigate), however I don't think this is an issue with Azure as v6 works as expected.
Having the same problem with the E401 immediately after upgrading to 7.5.2. I have a GitHub private store defined in ~/.npmrc. Everything works fine with [email protected]. Other factoids: MacOS 11.2 NVM 0.36.0, Node 14.15.4.
~/.nmprc:
registry=https://npm.pkg.github.com/myprivaterepo //npm.pkg.github.com/:_authToken=myauthtoken
I do not have other .npmrc files (as to my knowledge at least π), but just to be sure: here the original output from npm config list
; "user" config from C:\Users\mru\.npmrc
_password = (protected)
always-auth = true
email = "[email protected]"
registry = "https://pkgs.dev.azure.com/myorg/_packaging/feed/npm/registry/"
username = "mru"
; "cli" config from command line options
omit = []
user-agent = "npm/7.5.1 node/v15.8.0 win32 x64"
; node bin location = C:\Program Files\nodejs\node.exe
; cwd = cwd = C:\workspace\playground\test
; HOME = C:\Users\mru
; Run `npm config ls -l` to show all defaults.
Regarding the token: I am not sure when I created this token exactly, but I usually create tokens that last as long as possible. In case of azure this means 1 year. That doesn't prevent some of them stop working way before that for some reason π€·ββοΈ - but I guess that's not the case here as the token works fine when using v6.
I don't think 7.5.4 had anything change in it that would affect this. Still not able to reproduce this locally w/ the info given which makes it difficult to debug further.
Hi - I've created a fresh Azure account which replicates the problem locally. Happy to share account details so you can login and clone the repo. I can also talk you through how to replicate if it would help.
Any news on this? We're stuck on npm 6.14.11 as we use GitHub Private Packages
@TomBeckett Out of interest do all the urls in your package-lock.json file match the registry address youβre using?
@leepowelldev Assuming I understand correctly...
Nope, almost all are https://registry.npmjs.org with a couple being https://npm.pkg.github.com/download/.
Though our .npmrc in the repo is:
@projekttio:registry=https://npm.pkg.github.com
When using node/npm via GitHub Actions we setup our node like this:
- name: Use Node.js 12
uses: actions/setup-node@master
with:
node-version: "12.x"
registry-url: "https://npm.pkg.github.com"
scope: "@projekttio"
@TomBeckett Could you humour me try manually changing them all to the registry.npmjs.org url (and if that fails try npm.pkg.github.com)? We're seeing similar issues in Azure with mixed urls - even though they resolve to the same endpoint. When I changed ours to the same url as the registry it worked. My feeling is the auth token is valid for one url but not the other.