npm publish / npm install - auth token invalidation - node.js

I think NPM is struggling with security a bit today, when I run npm install on a local project, I get:
'npm WARN notice Due to a recent security incident, all user tokens
have been invalidated. Please see
https://status.npmjs.org/incidents/dn7c1fgrr7ng for more details. To
generate a new token, visit https://www.npmjs.com/settings/~/tokens or
run "npm login"
I signed in again with npm login, but I get the same error. Does anyone know of a workaround?

I get same warning even after the new login:
I get that if the package name is incorrect, on top of the 404 error.
If you need to be logged in just log back in.
If you don't need to be logged in just check that you have the correct package name.
In my case react-native-create-app didn't exist.. After adding the correct name: create-react-native-app it worked.

Make sure you have your npmrc file set up ok.
https://docs.npmjs.com/files/npmrc

Steps to follow:
Run npm login
Enter your
Username
Password
Email address
Note: if you don't have this credentials, you have to sign up at https://www.npmjs.com/signup
Run npm install bootstrap --save
This should work.

After performing npm login try to reopen CLI you are using in order to run npm commands. It worked for me

Related

Running 'npm install' causes a 'npm ERR! code E401'

I'm trying to get a co-worker set up so that she can run 'npm install' I'm able to run it fine on my machine.
When she runs the command, it starts and appears to be running successfully for several minutes - and then dies at the very end with:
npm ERR! code E401
npm ERR! Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"
I know that she has a recent version of nodejs installed.
I also know that she has access to our nexus repository and should have all the correct permissions. I'm also a little surprised that it appears to be running fine and then dies right at the end. I would think if there was an authentication error she would get it right away.
Any suggestions?
Thanks
Check: https://blog.npmjs.org/post/180599338975/401-scoped-packages
"How to fix the issue First, you can verify your token by running npm
whoami. If it’s invalid or you got the 401 previously mentioned, run
npm login to create a new token and you are good to go." npm

npm error E401: Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"

I upgraded node version to 12.16.2 and npm version to 6.14.4. After that I am not able to run npm install, as I'm getting this error
code E401
npm ERR! Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"
I even tried deleting node_modules and package-lock.json and running npm install again, but doesn't change anything.
I had similar issue. I resolved it by adding _auth into my ~/.npmrc. See the doc how to encode your nexus credential. I added the encoded credential using npm config set _auth xxx.
You wont be able to see the value using npm config list or npm config get _auth.
In my case, the problem was I've entered another registry address in same Nexus for npm login command.
npm login --registry=http://nexus_url:port/repository/wrong_address
My problem was solved by logging into correct address:
npm login --registry=http://nexus_url:port/repository/correct_address
what worked for me is :
I deleted the .npmrc file under C/users/ folder.
and ran npx vsts-npm-auth -config .npmrc command to create a new file in the users folder
Deleted the .npmrc file under C/users/ folder
npm set registry=http....
npm set _auth=(login:pass in base64):
I found a way out. With this new npm version they are enforcing authentication to access certain packages. We realised we don't need to use authentication for any of the packages we were downloading, hence the auth code we had was unnecessary. So we just removed it and it all worked.
vsts-npm-auth -config .npmrc -F
Is the only solution I found;
Edit: make sure to run npm install -g vsts-npm-auth before
You can remove package-lock.json .. it works with me
I'm run set's command from the post and add in nexus "Active realms" profile "npm Bearer Token Realm". Links: https://help.sonatype.com/repomanager3/system-configuration/access-control/realms
My problem was solved.
I encountered this error when running an npm install that was pulling some dependencies from a non-public registry located on a self-hosted Azure DevOps (AzDo) server.
I had a .npmrc file in the project, and a .npmrc file in my user profile dir with an AzDo personal access token (PAT) that had allowed access previously. The AzDo UI reported my token as still being valid.
PS C:\src\app> npm install
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="{INTERNAL_REGISTRY_URL}", Negotiate, NTLM
In my case, the solution was to regenerate the AzDo PAT and update the .npmrc found in my user profile directory.
What worked for me was running npm login, then entering my Username, Password, and Email to log in to the registry defined in .npmrc. I then proceeded with npm installing the packages I needed and it worked.
Had the same issue while doing npm i for a private npm registry. Solved it by removing the _authToken parameter from some lines in my .npmrc file in my user's root directory:
Before:
//registry.npm.example.com/:_authToken=NpmToken.XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX
//npm.artifacts.example.io/:_authToken=NpmToken.XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX
update-notifier=false
registry=https://npm.artifacts.example.io/
After:
//registry.npm.example.com/
//npm.artifacts.example.io/
update-notifier=false
registry=https://npm.artifacts.example.io/
In my case the Nexus Authentication and project I am using requires Node version: 12.8.1.
I was using node version: 16.13.2
I use NVM to install 12.8.1 with nvm install 12.8.1
Then nvm use 12.8.1
This will now work on my machine and environment.
if the .npmrc file config like this
//registry.npm.example.com/:_auth="base64(username:psw)"
try this
//registry.npm.example.com/:_authToken="base64(username:psw)"
In my case, npmjs expected a Base64 encoded Personal Access Token in the .npmrc file, and I had forgotten to Base64 encode it before pasting it into the user .npmrc file.
You can try downgrading the current node version, 16, to 14.20.0.
My steps to fix this issue.
Earlier I had configured NODE_HOME under "Environment variable".
I removed it.
Only configured the path.
Created a new folder in the "C" drive and pasted the node files.
(System variable)Path = "C:\Node\node-v14.20.0-win-x64"
I had same issue as I had configured my auth through the .npmrc file by adding the below details to it:
_auth=xxx
always-auth=true
email=example#mail.com
The error was:
npm ERR! code E401
npm ERR! Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"
then got resolved after removing underscore (_) from auth in the .npmrc file:
auth=xxx
always-auth=true
email=example#mail.com

NPM install fails with private repo

npm login.
I enter username, password and e-mail --> I'm succesfully logged in.
I make change to a package.
I run npm publish and the (org) package gets published and I can browse it (when I'm logged in) at NPM website.
5. But when I try to install the same package like: npm install #my_handle/package_name I get the error: 404. Not found: #my_handle/package_name#latest
When I run a: npm config edit it contains the following:
//registry.npmjs.org/:_authToken=my_token
#my_handle=https://registry.npmjs.org/
#my_handle:registry=https://registry.npmjs.org/
always-auth=true
When I login to NPM, click Settings and the try to run the package via the green link ">_try on RunKit" --> It is also saying that the package is missing!? What? I have now clicked the "report" button...thus I don't get was is happening?
Solved!
The issue was - that I found an old ".npmrc" file in the root of the directory I tried to run the npm install from (and it contained an invalid AUTH token). Because I logged into the console and publish worked out fine...I didn't realize this issue before many hours later...

Authentication error on publishing to private NPM repository on Nexus

I am having authentication problem when publishing to my private npm registry hosted on my private Nexus.
My Nexus setup is I have npm-proxy, npm-registry (hosted npm with allowRepublish=false), npm-snapshots (hosted npm with allowRepublish=true) and npm-public (group with all other three repositories).
Since I am developing a library, I am using my snapshot repository, so I can redeploy same version constantly (something like snapshot in maven world).
In my library project I have set this option in package.json
"publishConfig": {
"registry": "https://my.nexus.com/repository/npm-snapshots/"
}
Next, I created .npmrc file with following content:
registry=https://my.nexus.com/repository/npm-public/
_auth=RVhBTVBMRQ==
And with this setup I can publish project with no problem. However, what bothers me, is that I have my password (which is just base64 encoded) stored in file, that should be commited, but I can't commit it, due to credentials in it.
I have tried to instead login to npm registry and removed the auth line from .npmrc
npm adduser --registry=https://my.nexus.com/repository/npm-snapshots --always-auth
I got response Logged in as myusername on https://my.nexus.com/repository/npm-snapshots.
However, when I try to run npm publish I get:
npm ERR! code E401
npm ERR! Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"
npm verb exit [ 1, true ]
npm timing npm Completed in 6867ms
npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\XXXX\AppData\Roaming\npm-cache\_logs\2019-07-30T19_31_01_598Z-debug.log
Now in my other project (which is using this library), I simply created .npmrc file with content registry=https://nexus.mjamsek.com/repository/npm-public/ and run command npm adduser --registry=https://my.nexus.com/repository/npm-public --always-auth and I was able to download the published package.
However, the publish still won't work and I don't know why.
EDIT 31.7.2019: On my list of active realms I also have npm Bearer Token Realm
When you do npm login or npm adduser the NPM client creates an authentication token that will be used in future request to the registry. Default NXRM configuration allows only Local Authenticating Realm which doesn't recognise NPM's token. Please make sure you have npm Bearer Token Realm active.
You need a trailing slash on the end of the registry URL passed into npm adduser, otherwise npm will chop off the last segment of the URL, and it won't work.
_auth= replaced with output of btoa('username:userpassword') and it worked for me.
I did use this btoa from chrome as below.
I encountered this problem today, my solution was to delete all registry entry from my npmrc file:
registry=https://my.nexus.com/repository/npm-snapshots/
Idealy delete anything superfluous, back it up before-hand, in my case my file contained only:
strict-ssl=false
Then you can
npm login --registry=https://my.nexus.com/repository/npm-public/ again.
If that's not working, you also bypass npm login with curl, look at this life saving post.
Make sure the _auth token is correct. In my case I changed my system credentials and forgot to generate new _auth token. I was getting the exact same error i.e.
"npm ERR! code E401
npm ERR! Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"
once i fixed it, the issue was resolved.
For those who are looking for the command to generate _auth. It is:
btoa('username:userpassword')
I had same problem, my solution was to delete my global .npmrc file, and after login npm login.
I had ended with three versions of node on my machine. It turned out that the ones i installed later had their own local .npmrc files in the node_modules folders. They didn't use the global .npmrc even after i removed the local one so i had to copy it.
I was struggling about this problem last two days, finally the solution was to delete .npmrc file from root (user) directory.
When npm tried to login, it used the creds inside this file and ignore your pass login.
I've had a similar issue. I also have our credentials stored in an npmrc file in my user directory. When set up with node16/npm7, I would receive the error
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`
If I use nvm to downgrade to node12/npm6, it works. I'd prefer a working solution without downgrading, but for now it lets me move on.
UPDATE:
We finally figured it out (a while ago, but I forgot about this answer). In our .npmrc files in our user directories, we needed to add/change our authorization config entry.
Before:
_auth={base64 encoded username:password}
After:
//{path to private repository}:_auth={base64 encoded username:password}
Just enable anonymous access in the nexus dashboard, it will pull from your private registry.

What are authentication tokens in npm?

I am learning to the npm package manager, but I am stuck to understand security tokens ( using this documentation ).
As we already know: when we login to any website, a session is created.
So I understand that the tokens are sessions. But after deleting the token, the npm login session is still active, which means token plays different role than the sessions in npm.
Then: said documentation is saying that the tokens can also be used to use the packages outside the npm from the current login session. Can anyone please tell me in more simple examples what tokens are in npm and how they are useful?
How it says: the tokens can also be used to use the packages outside the npm from the current login session.
Example 1: If you have a project with CI, the environment where you will execute your jobs, will not be logged into npm registry, so if you are working with private packages, you will not be able to download those packages. (when your job execute npm install, you will get 403 error for private packages). Commonly, you will need to set an env variable with your npm token, like NPM_TOKEN="your npm token"
Example 2: Other example could be when you create a docker container, your docker images will not have a session for npm, so if you run npm i inside your docker container, you will no be able to download the private packages.
With authentication tokens, you will be able to access to your private packages without using npm login.

Resources