Missing support for npm bearer auth and OTP

[bodograumann]

Version

4.5.10

Environment info

Environment Info:

  System:
    OS: Linux 5.10 Arch Linux
    CPU: (4) x64 Intel(R) Core(TM) i5-7300HQ CPU @ 2.50GHz
  Binaries:
    Node: 15.5.1 - /usr/bin/node
    Yarn: 1.22.10 - ~/.local/bin/yarn
    npm: 6.14.11 - /usr/bin/npm
  Browsers:
    Chrome: Not Found
    Firefox: 84.0.2
  npmGlobalPackages:
    @vue/cli: 4.5.10

Steps to reproduce

I am using the npm registry on an Azure DevOps server (formerly known as Microsoft TeamFoundation Server; TFS). To authenticate, it is neccesary to use basic authentication, which is not possible with vue-cli.

This becomes apparent when running vue ui, vue create or vue upgrade in such an environment.

What is expected?

vue-cli should be able to access package information on the azure package feed

What is actually happening?

ERROR Failed to get response from https://myserver/tfs/mycollection/_packaging/packages/npm/registry/vue-cli-version-marker

---

As described in the npm registry docs, authentication with an npm registry is possible via basic auth, bearer auth and in both cases an optional OTP.
vue-cli only supports bearer auth without otp:

vue-cli/packages/@vue/cli/lib/util/ProjectPackageManager.js

Lines 279 to 312 in 027386e

	async getMetadata (packageName, { full = false } = {}) {
	const scope = extractPackageScope(packageName)
	const registry = await this.getRegistry(scope)
	const metadataKey = `${this.bin}-${registry}-${packageName}`
	let metadata = metadataCache.get(metadataKey)
	if (metadata) {
	return metadata
	}
	const headers = {}
	if (!full) {
	headers.Accept = 'application/vnd.npm.install-v1+json;q=1.0, application/json;q=0.9, */*;q=0.8'
	}
	const authToken = await this.getAuthToken(scope)
	if (authToken) {
	headers.Authorization = `Bearer ${authToken}`
	}
	const url = `${registry.replace(/\/$/g, '')}/${packageName}`
	try {
	metadata = (await request.get(url, { headers })).body
	if (metadata.error) {
	throw new Error(metadata.error)
	}
	metadataCache.set(metadataKey, metadata)
	return metadata
	} catch (e) {
	error(`Failed to get response from ${url}`)
	throw e
	}
	}

In contrast npm info vue-cli-version-marker --json and yarn info vue-cli-version-marker --json work fine, because they implement basic auth.

I wonder why we have to reimplement an npm registry client anyway.

Note: For basic auth the credentials are stored in .npmrc as//registry-url:username=myusername and //registry-url:_password=base64-encoded password. So when sending the password with basic auth, we need to be careful not to double-encode.

[haoqunjiang]

😂 Well, I reimplemented the registry client because of the poor performance of Windows subprocesses: #4895 (comment)
Didn't expect so many edge cases here…