Support for private packages

[jamiebuilds]

In order to allow installing private packages Yarn will need to send a token to the headers of the request.

Private packages are @scoped/packages that were published with npm publish --access=restricted. The permissions of packages are managed through npm access and npm team which are not yet added

In the npm client, this token comes from the .npmrc and looks like this:

@nameofscope:registry=https://registry.npmjs.com/
//registry.npmjs.com/:_authToken=abc123

And it gets sent as this header:

Authorization: Bearer abc123
# alternatively:
Authorization: Basic username:password # <= base64

There's a package for retrieving the token. Although we may not want to store the token the same way npm does.

This token gets added to .npmrc on npm login. But yarn login doesn't even authenticate (it only stores username and email), so we may want to force the user to authenticate on install (in which case we need to solve scripting these installs for CI servers through some kind of environment variable).

We also need to make sure that Yarn users don't accidentally publish something publicly.

[sebmck]

We already have npm login and auth logic here. Just need to sort out the workflow.

[chicoxyzzy]

Private registry doesn't always need auth token. For example we access our private registry through corporate VPN.

[knksmith57]

^^ Agreed. Allowing for the association of a separate registry per scope is sufficient for us (and I suspect many others).

[jmonster]

in which case we need to solve scripting these installs for CI servers through some kind of environment variable

• http://blog.npmjs.org/post/118393368555/deploying-with-npm-private-modules
• https://circleci.com/docs/npm-private-module-dependency/

[djMax]

When we say "we already have this logic" - I don't see any path where an Authorization header would be sent to a registry. If there was one, perhaps there'd be a temporary workaround to make this all work while something more final is sorted out. Am I missing something?

[djforth]

+1 looks like scoped packages even if they are public seem to fail.

[frederickfogerty]

To further @djforth's comment, I just installed from master, and I'm getting the same error - scoped packages are failing. It converts the / in the package name into %2f, which means the request to npm to find the package fails.

e.g. Error: https://registry.yarnpkg.com/@company%2fdata: Not found

[djMax]

That's the way it fails if auth is required. I got it to work for public scoped packages