How To Setup Private NPM Module With Firebase Cloud Functions .npmrc? - node.js

I have created a private typings npm module that I am using for my firebase functions and app projects. When I went to deploy firebase functions, I get a big error for every function that basically says ERR! remote: Invalid username or password.
For what I have read, it looks like I need to create a .npmrc file and put it in the /functions directory. (https://cloud.google.com/functions/docs/writing/specifying-dependencies-nodejs#using_private_modules)
I cannot however find proper instructions on how to do this anywhere. From what I found, I have done the following:
ran npm login
ran npm token create --read-only
This then gave me a token that looks like this: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.
I then create a file called .npmrc in my functions directory, and placed //registry.npmjs.org/:_authToken=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX in it.
Additionally, I saw that the error message was trying to use ssh to install my private repo package, I have not setup ssh and am using https instead, because of this I changed my package file to git+https://github.com/accounts-name/repo#commit-num so that it uses HTTPS.
However, I still get the same error message. What am I missing? The above is what I have strung together from lots of google searching.

It seems that you have made too many different changes while trying to make it work, so let's just go through the whole process step by step.
Check the package.json of your npm module and publish it:
Remove "private" property or set it to false because private modules in the npm are meant to be never published. That is not obvious but that is true.
Next step is to apply restricted access to the package. In order to do that, add such property in the package.json file:
"publishConfig": {
"access": "restricted"
},
Make sure that npm account you use for publishing supports private packages.
Now open the terminal in the root directory of your package, type npm login then sign in to npm. Check if you put the proper version in the package.json.
Run npm publish. The package should be published in few seconds. No worries, thanks to publishConfig property nobody can access it.
Now it is time to allow package installation in your project
Go to the directory of the project and open package.json file
Check that you have the name and version of your package in the dependencies list
Open browser, navigate to https://npmjs.com, login to your account, navigate to settings page of your account and open the tokens tab
Create new token and copy it
Now again go to the directory of your project, on same level where package.json file is situated (that is important!) and create .npmrc file there.
Put such string in the .npmrc file:
//registry.npmjs.org/:_authToken=TOKEN_HERE
You are done!
Deployment with remote CI/CD services
The easiest approach is not add .npmrc into .gitignore. In such case the file will be always in repository, so npm install will run smoothly on any machine where project was cloned
If you don't want to have token string in the repository, you can move it to the environment variable of your CI/CD service and then link .npmrc file to that variable. For example, you can put generated token into the NPM_TOKEN env variable (Just token from npmjs, not the whole string from .npmrc!)
And then change the .npmrc file in the next way:
//registry.npmjs.org/:_authToken=${NPM_TOKEN}.
So, with those steps you should be able to install your restricted packages without any issues. Good luck!

If you are trying to deploy you functions with firebase deploy from a CI and your .npmrc file looks like this.
#acmecorp:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NPM_REGISTRY_TOKEN}
You will run into the problem even if you have the env var set.
Build failed: Error: Failed to replace env in config: ${NPM_REGISTRY_TOKEN}
Firebase for some reason needs access to that private repo. But the env var is not sent over to firebase.
Solution I've implemented was to replace ${NPM_REGISTRY_TOKEN} in the .npmrc file on every run of the CI pipeline.
sed -i.bak "s/\${NPM_REGISTRY_TOKEN}/${NPM_REGISTRY_TOKEN}/g" .npmrc

This breaks if you use Yarn. Took me a while to find a thread pointing to npm install in the firebase cli predeploy step. If there's no package-lock.json and you only use yarn, this will break. Remove yarn.lock and install using npm to resolve the issue.

Related

Installing private GitHub npm package in Google Cloud Functions does not work

I'm trying to deploy a microservice to GCF, which has a dependency of a private GitHub-hosted package. To gain access to the package, I added a .npmrc file to the function as described here, the file looks like this:
registry=https://npm.pkg.github.com/OWNER
//npm.pkg.github.com/:_authToken=PERSONAL-ACCESS-TOKEN
Also tried using a NPM_TOKEN env variable in the Cloud Function
NPM_TOKEN=PERSONAL-ACCESS-TOKEN
Both result in the following error:
OperationError: code=3, message=Build failed: { error: { canonicalCode: "INVALID_ARGUMENT" }}
npm ERR! 404 Not Found: #packagescope/packagename
Installing locally works fine, so does deploying on Zeit Now.
I just ran into this problem so I'm sharing the fix that works with node v8 and v10 Cloud Functions.
The following is required to use the .npmrc to install packages from a private Github packages registry:
The .npmrc needs to be located in the functions folder at the same level as the package.json file
A registry entry for the your account/org scope is required, including the url like so, assuming Anchorman uses Github: #ronburgundy:registry=https://npm.pkg.github.com/ronburgundy
A Github personal access token is required for authentication, like so //npm.pkg.github.com/:_authToken=ronburgundypersonalaccesstoken
Assuming you follow best practice and do not commit the .npmrc with secrets you will need to ensure that the file is transformed to include the personal access token prior to deploying via firebase cli, as there's no other way to inject the value at runtime.
So the original example would work if it looked like this:
#OWNER:registry=https://npm.pkg.github.com/OWNER
//npm.pkg.github.com/:_authToken=PERSONAL-ACCESS-TOKEN
While Github's docs seem to suggest that you should redirect ALL scoped and unscoped package installs to their registry it appears that Google Cloud Functions does not allow us to redirect all package installs to a private registry, only those that we configure based on scope.

NPM publish to scoped private package without having to login

I am trying to find a way to be able to publish a private npm package without having to login every time to npm. I guess I can achieve that by using an .npmrc file in the root of the project, but I cant find more details on how exactly to achieve that, how to generate the npmrc with the right config.
Any idea? Any help highly appreciated.
I think to publish your private npm-package you need to login to npm once for the first time. After the first successful login, the npm creates a _authToken in your .npmrc file. Until and unless your .npmrc file contains this _authToken with the appropriate value, you don't need to login again to npm to publish next npm-package.
Best of my knowledge, Unless you remove that _authToken Or delete the .npmrc file Or manually logged out from npm I am sure you don't have to login again to publish npm package.
Hope this will help you :)

Read external credentials in package.json

I need to have my common npm module as git dependency and use it in many modules.
I'm trying to use access token for authorize in git. Bit I don't want to store the token in package.json (at least, it's hard to change it in few modules if it change).
Can I do something like this:
package.json
...
"scripts": {
"preinstall": "read-credentials.sh"
}
...
"dependencies": {
...
"my-module": "git+https://$$$token-from-variable$$$:x-oauth-basic#some-repo-url"
...
}
I know about options with private npm modules or make ssh keys for git access, but it isn't a good fit for me. The main point of the question is to figure out if there is a way to set variables from some preinstall script (where I can have access to access tokens) and use them in package.json.
You can have private modules on npm. It costs $7/month and is created for exactly the use case that you have here.
If you don't want to do that for some reason, then you can rely on git-specific environment variables to resolve your dependencies. For example if you use git+ssh://git#SERVER:USER/MODULE.git as a dependency then npm will try to get it with git using the default credentials used by git (which in turn uses the credentials used by ssh). You can even change GIT_SSH environment variable to completely control the SSH session however you want.
For more options see Install node module from own gitlab server.
As I understood, there is no way to create such kind of variables.
My solution for my problem:
Creating other module, which can take a token from external place and which I can put in public git or npm repo.
Add this module in dependency.
Call it in postinstall script.
Get token, build url and install my private-git-module from JS using npm.commands.install.

Error with network connectivity when install Phonegap

I'm trying to install phonegap with command:
npm install -g phonegap.
I get the following error:
Verify that your .npmrc file does not contain any unnecessary configuration. An error like the one you have above states that you are unable to connect with the npm registry. Sometimes that requires configuring a proxy, other times your configuration is just incorrect. Look inside the .npmrc file (which is contained within your home directory -- C:\Users\nir) and verify the configuration settings are correct. Delete any incorrect ones (proxy settings that are invalid, etc), or just rename the file and test it out.
Seems like you have problems with connection.
I've it installed same way right now.

Can I have a package.json but avoid my project from getting published to npm servers?

Basically the thing is I'm working on a project that uses grunt for build tasks and as I have a few dependencies here and there I thought it was a good idea to declare those on a package.json so that my co-workers can npm install without being required to manually install every package at the correct version.
Now the thing is, what if someone "accidentally" runs npm publish? Is there a way to have the package.json while keeping my stuff private?
Yes, set private to true.
If you set "private": true in your package.json, then npm will refuse
to publish it.
This is a way to prevent accidental publication of private
repositories. If you would like to ensure that a given package is only
ever published to a specific registry (for example, an internal
registry), then use the publishConfig hash described below to override
the registry config param at publish-time.
You can set "private" : true in your package.json file
Your CoWorkers will get an error if they try to publish it

Resources