Support legacy authentication

[pvdlg]

We are supporting legacy npm authentication as we use npm-registry-couchapp for integration tests which doesn't support token authentication.
But it wasn't intended to be used in production.

It seems there is several private npm registry solution that supports only legacy authentication.
See semantic-release/semantic-release#500 and #6.

This PR improve our support of the legacy auth and mention it in the documentation.

Fix semantic-release/semantic-release#500

[gr2m]

maybe instead of

some npm private registry

it would be better to list the one we know? I think it’s only Artifactory right now? Maybe sth like this?

The legacy authentication is supported as the alternative npm registry Artifactory only supports that form of authentication at this point.

[pvdlg]

There is also https://github.com/npm/npm-registry-couchapp.

[gr2m]

how about tthis

The legacy authentication is supported as the alternative npm registries Artifactory and npm-registry-couchapp only supports that form of authentication at this point.

[pvdlg]

I made the change

[gr2m]

CI failed, but PR looks good 👍

[pvdlg]

I keep getting a lot of Couldn't start npm-docker-couchdb after 2 min.
It happened to me 3 or 4 times. Each time on Node 9. While the Node 8 build was passing...

That's going to be a tricky one to figure out...

[gr2m]

yeah debugging CI is the worst :(

[pvdlg]

I check the availability of the the registry here.
Basically I wait for /registry/_design/app to return a 200...So not sure what could go wrong...

[SimenB]

I'm trying to make this work, perfect timing :D

Have you tested this against artifactory? I can't seem to make it work properly, but I don't get why it's failing. Tried semantic-release --debug but that didn't help much. AFAICT I'm on the latest of everything as of 10 minutes ago (including 2.2.0 of this module).

Variables part:

Setting environment variables from repository settings
$ export NPM_TOKEN=[secure]
$ export ARTIFACTORY_CONTEXT=https://artifacts.schibsted.io/artifactory
$ export ARTIFACTORY_NPM_SECRET=[secure]
$ export [secure]=[secure]
$ export ARTIFACTORY_USER=[secure]
$ export AWS_ACCOUNT_NAME=infra-pro
$ export SPT_ENGPROD_REPORT_KEY=[secure]
$ export SPT_ENGPROD_REPORT_SECRET=[secure]

Setting environment variables from .travis.yml
$ export GITHUB_URL=https://github.schibsted.io
$ export GITHUB_PREFIX=https://github.schibsted.io/api/v3
$ export NPM_EMAIL=$ARTIFACTORY_USER
$ export NPM_OLD_TOKEN=$ARTIFACTORY_NPM_SECRET
$ export GH_TOKEN=[secure]

Any ideas about what I should try to debug this?

For all I know the token really isn't valid, I haven't used it before.

But it would be great if --debug added some information that it actually tried to use legacy instead of new one, etc.

(Artifactory version 4.16.0)

EDIT: I just noticed a NPM_TOKEN from the repo settings when I pasted it here... Lemme try to remove my own token stuff

EDIT2: Didn't help...

[pvdlg]

The logs mention Wrote NPM_TOKEN to .npmrc which mean you have an environment variable called NPM_TOKEN and therefore the plugin uses the token authentication.

From the README:

Use either NPM_TOKEN for token authentication or NPM_USERNAME, NPM_PASSWORD and NPM_EMAIL for legacy authentication

[SimenB]

Yeah, I just noticed that... But that is set globally on Travis for us (tried removing my own ""), so I'd be surprised if it was wrong. I can ask the guys who put it there, but is there anything I can do myself to debug more?

Or a way I can force the legacy version?

[SimenB]

npm/lib/verify.js

Lines 9 to 13 in 5fb0b09

	try {
	await execa('npm', ['whoami', '--registry', registry]);
	} catch (err) {
	throw new SemanticReleaseError('Invalid npm token.', 'EINVALIDNPMTOKEN');
	}

For all I know I get a 404 or something, some more information than "no matter what fails with whoami it's auth failure" would be awesome in this case.

Or maybe I'm missing some other variable so it doesn't use the correct registry

[pvdlg]

It seems you want to configure the legacy auth. But you have an NPM_TOKEN which tells the plugin to use the token auth.

If you want to use the legacy auth configure it according to the doc with NPM_USERNAME , NPM_PASSWORD and NPM_EMAIL, without NPM_TOKEN.

[SimenB]

A - export NPM_TOKEN="" seems to have done it! And not calling it NPM_OLD_TOKEN, but NPM_PASSWORD. I'm now getting an error from calling github, but that's not related to this repo.

Thanks for the help!

[pvdlg]

Probably because of your GITHUB_PREFIX configuration. It should be a prefix and not the full URL.

[SimenB]

Yup, I noticed, thanks! Opened up semantic-release/github#10 for it.

Now I'm stuck at semantic-release/semantic-release#540, but I feel like I'm getting closer at least.

Thanks for the help!