[BUG] npm http fetch GET 403 durign download from azure feed

[stachupl]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

During donwload packages from azure feed using corporate proxy I got lots of 403 errors

npm http fetch GET 403 https://6wovsblobprodsu6weus74.blob.core.windows.net/...&rscd=attachment%3B%20filename%3D%22file-type-4.4.0.tgz%22 44421ms (cache skip)

and finally I got error

npm ERR! code E403
npm ERR! 403 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. - GET https://pyvvsblobprodsu6weus63.blob.core.windows.net/...&rscd=attachment%3B%20filename%3D%22worker-farm-1.7.0.tgz%22
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

Downloading dependencies from the pkgs.dev.azure.com domain works fine. The problem does not occur on the Node.js version 16.20.2

Expected Behavior

Downloading dependencies correctly

Steps To Reproduce

1. In this environment: Windows with Node.js 20.10.0
2. With this config: npm connecting to registry from Azure feed
3. Run: npm install
4. See error:
   npm ERR! code E403
   npm ERR! 403 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. - GET https://pyvvsblobprodsu6weus63.blob.core.windows.net/...&rscd=attachment%3B%20filename%3D%22worker-farm-1.7.0.tgz%22
   npm ERR! 403 In most cases, you or one of your dependencies are requesting
   npm ERR! 403 a package version that is forbidden by your security policy, or
   npm ERR! 403 on a server you do not have access to.

Environment

• npm: 10.2.3
• Node.js: 20.10.0
• OS Name: Windows
• System Model Name: Hp ZBook
• npm config:

; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\USERNAME\\AppData\\Roaming\\npm"

; "project" config from C:\Users\USERNAME\Projects\PROJECT_NAME\.npmrc

//pkgs.dev.azure.com/ORGANIZATION/SPACE/_packaging/PROJECT_NAME/npm/:_password = (protected)
//pkgs.dev.azure.com/ORGANIZATION/SPACE/_packaging/PROJECT_NAME/npm/:email = "npm requires email to be set but doesn't use the value"
//pkgs.dev.azure.com/ORGANIZATION/SPACE/_packaging/PROJECT_NAME/npm/:username = "USERNAME"
//pkgs.dev.azure.com/ORGANIZATION/SPACE/_packaging/PROJECT_NAME/npm/registry/:_password = (protected)
//pkgs.dev.azure.com/ORGANIZATION/SPACE/_packaging/PROJECT_NAME/npm/registry/:email = "npm requires email to be set but doesn't use the value"
//pkgs.dev.azure.com/ORGANIZATION/SPACE/_packaging/PROJECT_NAME/npm/registry/:username = "USERNAME"
always-auth = true
proxy = "http://DOMAIN%5CUSER:PASSWORD@proxy-url:8080"
registry = "http://pkgs.dev.azure.com/ORGANIZATION/SPACE/_packaging/PROJECT_NAME/npm/registry/"
strict-ssl = false

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v20.10.0
; npm local prefix = C:\Users\USERNAME\Projects\PROJECT_NAME
; npm version = 10.2.3
; cwd = C:\Users\USERNAME\Projects\PROJECT_NAME
; HOME = H:\
; Run `npm config ls -l` to show all defaults.

[gitnubster]

Might be a duplicate, see #7024
Does a second npm install work for you @stachupl stachup? Here it does, as a workaround.

[milaninfy]

@stachupl try updating npm to 10.5.0

[stachupl]

I updated npm to version 10.5.0

$ npm --version 10.5.0

but unfortunately I still get the error

`
npm ERR! code E403
npm ERR! 403 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. - GET https://24uvsblobprodsu6weus18.blob.core.windows.net/...&rscd=attachment%3B%20filename%3D%22long-4.2.2.tgz%22
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

`

Installation using 8.19.4 still works properly.

[gitnubster]

@stachupl node 20.12.0/18.20.0 with npm 10.5.0 seem to have fixed this issue for me.
Maybe the combination of the newer node versions help then? I cleared cache with -f, cleared the existing node_modules folder, and the 403 issue is gone (after a reauthentication/refreshed token b.t.w. ).

Though 20.12.0 shows possible mem leak issue / max listeners exceeded warning.
MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 socket listeners added to [ClientRequest]
But I guess we can ignore it, not a persistent bug, as deleting the package-lock.json before "npm install -> npm cache clear -f -> rd /s node_modules -> npm ci" seems to help.

And 18.20.0 doesn't generate this warning in my tests as far i see now.

But do see alot of open tcp connections when running npm install, which looks like another bug #7072 which for me seems there already in previous versions like npm 9.5.1 (with node 18.16.0).

So, long story short, I can live with the latest version, so far.

[stachupl]

@gitnubster I tried it with node 20.12.0 and npm 10.5.0 and it's still doesn't work for me. I cleared cache and deleted package-lock.json. Can you send me output form npm config list? Maybe I'm missing some additional parameter in the configuration or I have some redundant parameter?

[stachupl]

I changed registry protocol from http to https and it started working. Thanks for your help :)