fix: remove support for legacy auth

BREAKING CHANGE: legacy authentication using `NPM_USERNAME` and `NPM_PASSWORD` is no longer supported. Use `NPM_TOKEN` instead.

Author: gr2m

README.md

@@ -47,13 +47,8 @@ Both the [token](https://docs.npmjs.com/getting-started/working_with_tokens) and
 | Variable | Description |
 | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
 | `NPM_TOKEN` | Npm token created via [npm token create](https://docs.npmjs.com/getting-started/working_with_tokens#how-to-create-new-tokens) |
-| `NPM_USERNAME` | Npm username created via [npm adduser](https://docs.npmjs.com/cli/adduser) or on [npmjs.com](https://www.npmjs.com) |
-| `NPM_PASSWORD` | Password of the npm user. |
-| `NPM_EMAIL` | Email address associated with the npm user |
 | `NPM_CONFIG_USERCONFIG` | Path to non-default .npmrc file |
 
-Use either `NPM_TOKEN` for token authentication or `NPM_USERNAME`, `NPM_PASSWORD` and `NPM_EMAIL` for legacy authentication
-
 ### Options
 
 | Options | Description | Default |

index.js

@@ -1,7 +1,6 @@
 import { castArray, defaultTo } from "lodash-es";
 import AggregateError from "aggregate-error";
 import { temporaryFile } from "tempy";
-import setLegacyToken from "./lib/set-legacy-token.js";
 import getPkg from "./lib/get-pkg.js";
 import verifyNpmConfig from "./lib/verify-config.js";
 import verifyNpmAuth from "./lib/verify-auth.js";
@@ -26,8 +25,6 @@ export async function verifyConditions(pluginConfig, context) {
 
  const errors = verifyNpmConfig(pluginConfig);
 
- setLegacyToken(context);
-
  try {
  const pkg = await getPkg(pluginConfig, context);
 
@@ -49,8 +46,6 @@ export async function verifyConditions(pluginConfig, context) {
 export async function prepare(pluginConfig, context) {
  const errors = verified ? [] : verifyNpmConfig(pluginConfig);
 
- setLegacyToken(context);
-
  try {
  // Reload package.json in case a previous external step updated it
  const pkg = await getPkg(pluginConfig, context);
@@ -73,8 +68,6 @@ export async function publish(pluginConfig, context) {
  let pkg;
  const errors = verified ? [] : verifyNpmConfig(pluginConfig);
 
- setLegacyToken(context);
-
  try {
  // Reload package.json in case a previous external step updated it
  pkg = await getPkg(pluginConfig, context);
@@ -100,8 +93,6 @@ export async function addChannel(pluginConfig, context) {
  let pkg;
  const errors = verified ? [] : verifyNpmConfig(pluginConfig);
 
- setLegacyToken(context);
-
  try {
  // Reload package.json in case a previous external step updated it
  pkg = await getPkg(pluginConfig, context);

lib/set-legacy-token.js

@@ -6,11 +6,7 @@ import nerfDart from "nerf-dart";
 import AggregateError from "aggregate-error";
 import getError from "./get-error.js";
 
-export default async function (
- npmrc,
- registry,
- { cwd, env: { NPM_TOKEN, NPM_CONFIG_USERCONFIG, NPM_USERNAME, NPM_PASSWORD, NPM_EMAIL }, logger }
-) {
+export default async function (npmrc, registry, { cwd, env: { NPM_TOKEN, NPM_CONFIG_USERCONFIG }, logger }) {
  logger.log("Verify authentication for registry %s", registry);
  const { configs, ...rcConfig } = rc(
  "npm",
@@ -29,13 +25,7 @@ export default async function (
  return;
  }
 
- if (NPM_USERNAME && NPM_PASSWORD && NPM_EMAIL) {
- await fs.outputFile(
- npmrc,
- `${currentConfig ? `${currentConfig}\n` : ""}_auth = \${LEGACY_TOKEN}\nemail = \${NPM_EMAIL}`
- );
- logger.log(`Wrote NPM_USERNAME, NPM_PASSWORD and NPM_EMAIL to ${npmrc}`);
- } else if (NPM_TOKEN) {
+ if (NPM_TOKEN) {
  await fs.outputFile(
  npmrc,
  `${currentConfig ? `${currentConfig}\n` : ""}${nerfDart(registry)}:_authToken = \${NPM_TOKEN}`

lib/set-npmrc-auth.js

@@ -7,7 +7,7 @@ import path from "path";
 import delay from "delay";
 import pRetry from "p-retry";
 
-const IMAGE = "verdaccio/verdaccio:4";
+const IMAGE = "verdaccio/verdaccio:5";
 const REGISTRY_PORT = 4873;
 const REGISTRY_HOST = "localhost";
 const NPM_USERNAME = "integration";
@@ -16,7 +16,7 @@ const NPM_EMAIL = "integration@test.com";
 const docker = new Docker();
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
-let container;
+let container, npmToken;
 
 /**
  * Download the `npm-registry-docker` Docker image, create a new container and start it.
@@ -57,16 +57,23 @@ export async function start() {
  email: NPM_EMAIL,
  },
  });
+
+ // Create token for user
+ ({ token: npmToken } = await got(`http://${REGISTRY_HOST}:${REGISTRY_PORT}/-/npm/v1/tokens`, {
+ username: NPM_USERNAME,
+ password: NPM_PASSWORD,
+ method: "POST",
+ headers: { "content-type": "application/json" },
+ json: { password: NPM_PASSWORD, readonly: false, cidr_whitelist: [] },
+ }).json());
 }
 
 export const url = `http://${REGISTRY_HOST}:${REGISTRY_PORT}/`;
 
-export const authEnv = {
+export const authEnv = () => ({
  npm_config_registry: url, // eslint-disable-line camelcase
- NPM_USERNAME,
- NPM_PASSWORD,
- NPM_EMAIL,
-};
+ NPM_TOKEN: npmToken,
+});
 
 /**
  * Stop and remove the `npm-registry-docker` Docker container.

test/helpers/npm-registry.js

@@ -10,18 +10,17 @@ import * as npmRegistry from "./helpers/npm-registry.js";
 /* eslint camelcase: ["error", {properties: "never"}] */
 
 // Environment variables used only for the local npm command used to do verification
-const testEnv = {
- ...process.env,
- ...npmRegistry.authEnv,
- npm_config_registry: npmRegistry.url,
- LEGACY_TOKEN: Buffer.from(`${npmRegistry.authEnv.NPM_USERNAME}:${npmRegistry.authEnv.NPM_PASSWORD}`, "utf8").toString(
- "base64"
- ),
-};
+let testEnv;
 
 test.before(async () => {
  // Start the local NPM registry
  await npmRegistry.start();
+
+ testEnv = {
+ ...process.env,
+ ...npmRegistry.authEnv(),
+ npm_config_registry: npmRegistry.url,
+ };
 });
 
 test.after.always(async () => {
@@ -131,7 +130,7 @@ test("Verify npm auth and package", async (t) => {
  {},
  {
  cwd,
- env: npmRegistry.authEnv,
+ env: npmRegistry.authEnv(),
  options: {},
  stdout: t.context.stdout,
  stderr: t.context.stderr,
@@ -150,7 +149,7 @@ test("Verify npm auth and package from a sub-directory", async (t) => {
  { pkgRoot: "dist" },
  {
  cwd,
- env: npmRegistry.authEnv,
+ env: npmRegistry.authEnv(),
  options: {},
  stdout: t.context.stdout,
  stderr: t.context.stderr,
@@ -169,7 +168,7 @@ test('Verify npm auth and package with "npm_config_registry" env var set by yarn
  {},
  {
  cwd,
- env: { ...npmRegistry.authEnv, npm_config_registry: "https://registry.yarnpkg.com" },
+ env: { ...npmRegistry.authEnv(), npm_config_registry: "https://registry.yarnpkg.com" },
  options: { publish: [] },
  stdout: t.context.stdout,
  stderr: t.context.stderr,
@@ -216,7 +215,7 @@ test("Throw SemanticReleaseError Array if config option are not valid in verifyC
 
 test("Publish the package", async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "publish", version: "0.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
 
@@ -241,7 +240,7 @@ test("Publish the package", async (t) => {
 
 test("Publish the package on a dist-tag", async (t) => {
  const cwd = temporaryDirectory();
- const env = { ...npmRegistry.authEnv, DEFAULT_NPM_REGISTRY: npmRegistry.url };
+ const env = { ...npmRegistry.authEnv(), DEFAULT_NPM_REGISTRY: npmRegistry.url };
  const pkg = { name: "publish-tag", version: "0.0.0", publishConfig: { registry: npmRegistry.url, tag: "next" } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
 
@@ -270,7 +269,7 @@ test("Publish the package on a dist-tag", async (t) => {
 
 test("Publish the package from a sub-directory", async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "publish-sub-dir", version: "0.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "dist/package.json"), pkg);
 
@@ -295,7 +294,7 @@ test("Publish the package from a sub-directory", async (t) => {
 
 test('Create the package and skip publish ("npmPublish" is false)', async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "skip-publish", version: "0.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
 
@@ -320,7 +319,7 @@ test('Create the package and skip publish ("npmPublish" is false)', async (t) =>
 
 test('Create the package and skip publish ("package.private" is true)', async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = {
  name: "skip-publish-private",
  version: "0.0.0",
@@ -350,7 +349,7 @@ test('Create the package and skip publish ("package.private" is true)', async (t
 
 test('Create the package and skip publish from a sub-directory ("npmPublish" is false)', async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "skip-publish-sub-dir", version: "0.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "dist/package.json"), pkg);
 
@@ -375,7 +374,7 @@ test('Create the package and skip publish from a sub-directory ("npmPublish" is
 
 test('Create the package and skip publish from a sub-directory ("package.private" is true)', async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = {
  name: "skip-publish-sub-dir-private",
  version: "0.0.0",
@@ -440,7 +439,7 @@ test("Throw SemanticReleaseError Array if config option are not valid in publish
 
 test("Prepare the package", async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "prepare", version: "0.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
 
@@ -463,7 +462,7 @@ test("Prepare the package", async (t) => {
 
 test("Prepare the package from a sub-directory", async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "prepare-sub-dir", version: "0.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "dist/package.json"), pkg);
 
@@ -521,7 +520,7 @@ test("Throw SemanticReleaseError Array if config option are not valid in prepare
 
 test("Publish the package and add to default dist-tag", async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "add-channel", version: "0.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
 
@@ -557,7 +556,7 @@ test("Publish the package and add to default dist-tag", async (t) => {
 
 test("Publish the package and add to lts dist-tag", async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "add-channel-legacy", version: "1.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
 
@@ -596,7 +595,7 @@ test("Publish the package and add to lts dist-tag", async (t) => {
 
 test('Skip adding the package to a channel ("npmPublish" is false)', async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "skip-add-channel", version: "0.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
 
@@ -619,7 +618,7 @@ test('Skip adding the package to a channel ("npmPublish" is false)', async (t) =
 
 test('Skip adding the package to a channel ("package.private" is true)', async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = {
  name: "skip-add-channel-private",
  version: "0.0.0",
@@ -647,7 +646,7 @@ test('Skip adding the package to a channel ("package.private" is true)', async (
 
 test("Create the package in addChannel step", async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "add-channel-pkg", version: "0.0.0", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
 
@@ -670,7 +669,7 @@ test("Create the package in addChannel step", async (t) => {
 
 test("Throw SemanticReleaseError Array if config option are not valid in addChannel", async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
  const npmPublish = 42;
@@ -706,7 +705,7 @@ test("Throw SemanticReleaseError Array if config option are not valid in addChan
 
 test("Verify token and set up auth only on the fist call, then prepare on prepare call only", async (t) => {
  const cwd = temporaryDirectory();
- const env = npmRegistry.authEnv;
+ const env = npmRegistry.authEnv();
  const pkg = { name: "test-module", version: "0.0.0-dev", publishConfig: { registry: npmRegistry.url } };
  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);