
Yarn doesn't provide authorization header to download private package #3433

Closed
Congelli501 opened this issue May 17, 2017 · 6 comments

@Congelli501
Contributor

Congelli501 commented May 17, 2017

Type: bug

What is the current behavior?

When using the Verdaccio private npm registry, yarn fails to install a package. It fires a first request to get the package's versions & metadata, which is authenticated and works.
Then it issues a second request to download the tgz file, which fails, as the request is not authenticated.

On the other hand, npm does the same first request and successfully installs the package by authenticating the second request.

See the included HTTP request dump for more detail.

If the current behavior is a bug, please provide the steps to reproduce.
Install Verdaccio with a test user, on localhost:4873

Init

npm config set @testscope:registry http://localhost:4873/
npm login --registry=http://localhost:4873/ --scope=@testscope

yarn config set @testscope:registry http://localhost:4873/
yarn login --registry=http://localhost:4873/ --scope=@testscope

Publish a test project

mkdir hello12
yarn init
yarn publish # Ok

Create another test project

mkdir hello42
yarn init

Try to install the hello12 dep, with Yarn

Command

yarn add @testscope/hello12

List package info

GET /@testscope%2fhello12 HTTP/1.1
User-Agent: yarn/0.24.5 npm/? node/v7.10.0 linux x64
Accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*
authorization: Bearer VihB9aJr0Pf7rs684a0dcnBndbg43WYfls0KichewmI=
host: localhost:4873
accept-encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
X-Powered-By: verdaccio/2.1.7
Content-Type: application/json; charset=utf-8
ETag: "042a358900e48a580493d1b6d944fe7e"
Vary: Accept-Encoding
Content-Encoding: gzip
X-Status-Cat: http://flic.kr/p/aVuVsF
Date: Wed, 17 May 2017 08:03:35 GMT
Connection: keep-alive
Transfer-Encoding: chunked

{
  "name": "@testscope/hello12",
  "versions": {
    "1.0.6": {
      "name": "@testscope/hello12",
      "version": "1.0.6",
      "main": "index.js",
      "license": "MIT",
      "_id": "@testscope/hello12@1.0.6",
      "scripts": {},
      "_shasum": "b4880b9d85a49b5b08cdb5e3cd67fd5eec0e6177",
      "_from": ".",
      "_npmVersion": "4.2.0",
      "_nodeVersion": "7.10.0",
      "_npmUser": {},
      "dist": {
        "shasum": "b4880b9d85a49b5b08cdb5e3cd67fd5eec0e6177",
        "tarball": "http://127.0.0.1:4873/@testscope%2fhello12/-/hello12-1.0.6.tgz"
      }
    },
    "1.0.7": {
      "name": "@testscope/hello12",
      "version": "1.0.7",
      "main": "index.js",
      "license": "MIT",
      "_id": "@testscope/hello12@1.0.7",
      "scripts": {},
      "_shasum": "a08c02725c91058d94dfad091fcf98b2a920d8f3",
      "_from": ".",
      "_npmVersion": "4.2.0",
      "_nodeVersion": "7.10.0",
      "_npmUser": {},
      "dist": {
        "shasum": "a08c02725c91058d94dfad091fcf98b2a920d8f3",
        "tarball": "http://127.0.0.1:4873/@testscope%2fhello12/-/hello12-1.0.7.tgz"
      }
    }
  },
  "dist-tags": {
    "latest": "1.0.7"
  },
  "_rev": "9-6457ff279507dc08",
  "readme": "",
  "_attachments": {}
}

Get data request

GET /@testscope%2fhello12/-/hello12-1.0.7.tgz HTTP/1.1
User-Agent: yarn/0.24.5 npm/? node/v7.10.0 linux x64
Accept: application/octet-stream
Accept-Encoding: gzip
host: 127.0.0.1:4873
Connection: keep-alive

HTTP/1.1 403 Forbidden
X-Powered-By: verdaccio/2.1.7
Content-Type: application/json; charset=utf-8
Content-Length: 83
ETag: W/"53-xkyC48nRJ8NiAuPFFqN0L9mVpJA"
Vary: Accept-Encoding
X-Status-Cat: http://flic.kr/p/aV6jFK
Date: Wed, 17 May 2017 08:03:35 GMT
Connection: keep-alive

{"error": "unregistered users are not allowed to access package @testscope/hello12"}

Install the hello12 dep, with NPM

Command

npm install --save @testscope/hello12

List package info

GET /@testscope%2fhello12 HTTP/1.1
accept-encoding: gzip
authorization: Bearer VihB9aJr0Pf7rs684a0dcnBndbg43WYfls0KichewmI=
version: 4.2.0
accept: application/json
referer: install [REDACTED]
npm-session: 611fc4ee2e2cd241
npm-in-ci: false
user-agent: npm/4.2.0 node/v7.10.0 linux x64
host: localhost:4873
Connection: keep-alive

{
  "name": "@testscope/hello12",
  "versions": {
    "1.0.6": {
      "name": "@testscope/hello12",
      "version": "1.0.6",
      "main": "index.js",
      "license": "MIT",
      "_id": "@testscope/hello12@1.0.6",
      "scripts": {},
      "_shasum": "b4880b9d85a49b5b08cdb5e3cd67fd5eec0e6177",
      "_from": ".",
      "_npmVersion": "4.2.0",
      "_nodeVersion": "7.10.0",
      "_npmUser": {},
      "dist": {
        "shasum": "b4880b9d85a49b5b08cdb5e3cd67fd5eec0e6177",
        "tarball": "http://127.0.0.1:4873/@testscope%2fhello12/-/hello12-1.0.6.tgz"
      }
    },
    "1.0.7": {
      "name": "@testscope/hello12",
      "version": "1.0.7",
      "main": "index.js",
      "license": "MIT",
      "_id": "@testscope/hello12@1.0.7",
      "scripts": {},
      "_shasum": "a08c02725c91058d94dfad091fcf98b2a920d8f3",
      "_from": ".",
      "_npmVersion": "4.2.0",
      "_nodeVersion": "7.10.0",
      "_npmUser": {},
      "dist": {
        "shasum": "a08c02725c91058d94dfad091fcf98b2a920d8f3",
        "tarball": "http://127.0.0.1:4873/@testscope%2fhello12/-/hello12-1.0.7.tgz"
      }
    }
  },
  "dist-tags": {
    "latest": "1.0.7"
  },
  "_rev": "9-6457ff279507dc08",
  "readme": "",
  "_attachments": {}
}

Get package

GET /@testscope%2fhello12/-/hello12-1.0.7.tgz HTTP/1.1
authorization: Bearer VihB9aJr0Pf7rs684a0dcnBndbg43WYfls0KichewmI=
version: 4.2.0
accept: application/x-tar, application/vnd.github+json; q=0.1
referer: install [REDACTED]
npm-session: cf9f3e7010c7d3f1
npm-in-ci: false
user-agent: npm/4.2.0 node/v7.10.0 linux x64
host: 127.0.0.1:4873
Connection: keep-alive

HTTP/1.1 200 OK
X-Powered-By: verdaccio/2.1.7
Content-Type: application/octet-stream
Content-Length: 767
X-Status-Cat: http://flic.kr/p/aVuVsF
Date: Wed, 17 May 2017 08:41:59 GMT
Connection: keep-alive

<Some ugly binary data>

What is the expected behavior?
Yarn should act as NPM and send the authorization header to download the tgz file

Versions
OS: Ubuntu 16.04 + updates
Arch: amd64
Node: v7.10.0
Yarn: v0.24.5 (also tested with v0.25.2)
NPM: 4.2.0

@Congelli501
Contributor Author

I made some more checks, and the bug is caused by the Verdaccio configuration:
I log in to "http://localhost:4873/".
Verdaccio answers with an absolute URL to the tarball, at "http://127.0.0.1:4873/".

When Yarn goes back to the getAuth function, it searches for a config entry with the key "//127.0.0.1:4873/:_authToken", which doesn't exist (only //localhost:4873/:_authToken fails).

A good solution would be to resolve the authorization header once per package, and keep using it until the full package download.

On yarn 0.26 (master), you need to set the "always-auth" config option to true to make it work.

@bestander
Member

@Congelli501, what would be the next action then?

@BYK
Member

BYK commented Oct 30, 2017

Closing due to lack of response. @Congelli501, feel free to reopen with next steps and we'll get the discussion rolling.

BYK closed this as completed Oct 30, 2017

@prasannamestha

Hi, I started encountering the same problem last week. Any solutions to this?

@prasannamestha

When Yarn goes back to the getAuth function, it searches for a config entry with the key "//127.0.0.1:4873/:_authToken", which doesn't exist (only //localhost:4873/:_authToken fails).

This doesn't seem to work even though the URL is resolved properly

@jfly

jfly commented May 2, 2024

(sorry for the necrobump)

@prasannamestha the workaround is to set the "always-auth" setting to true as documented above.

If you read the code, it's actually pretty easy to see the bug. From https://github.com/yarnpkg/yarn/blob/v1.22.22/src/registries/npm-registry.js#L164:

    if (this.token || (isToRegistry && (alwaysAuth || this.isScopedPackage(packageIdent)))) {
      const authorization = this.getAuth(packageIdent);
      if (authorization) {
        headers.authorization = authorization;
      }
    }

If the package isn't scoped, then you need to set alwaysAuth to true in order to add an authorization header.
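To make the two failure modes in this thread concrete, here is an added example (not yarn's own code) that models the token lookup described above: the "//host:port/:_authToken" key is derived from the host of the URL being requested, and the scoped/always-auth gate from the quoted condition decides whether the lookup runs at all. The function names, the config object, the metadata object and the token value are all constructed for illustration.

```javascript
// Added example, not yarn's own code: a simplified model of the token lookup
// described in this thread; names, config and metadata are constructed.
// Constructed config in .npmrc/.yarnrc terms: the user logged in to
// localhost, so only the localhost token key exists, as in the issue.
const exampleConfig = {
  registry: "http://localhost:4873/",
  "@testscope:registry": "http://localhost:4873/",
  "//localhost:4873/:_authToken": "EXAMPLE_TOKEN_NOT_REAL",
};

// Constructed metadata in the shape Verdaccio returned above: the tarball
// URL names 127.0.0.1, not the host the client logged in to.
const exampleMetadata = {
  name: "@testscope/hello12",
  "dist-tags": { latest: "1.0.7" },
  versions: { "1.0.7": { dist: {
    tarball: "http://127.0.0.1:4873/@testscope%2fhello12/-/hello12-1.0.7.tgz" } } },
};

// Build the "//host:port/:_authToken" key from the URL being requested.
// A host that differs only in spelling (localhost vs 127.0.0.1) yields a
// different key, so the lookup finds nothing.
function lookupAuthToken(config, requestUrl) {
  const { host } = new URL(requestUrl); // host keeps the port
  return config[`//${host}/:_authToken`] || null;
}

// Same gate as the quoted npm-registry.js condition (the separately
// configured `this.token` branch is left out): scoped packages get auth
// automatically, unscoped ones only when always-auth is set.
function resolveAuthorization(config, requestUrl, packageIdent, alwaysAuth = false) {
  const scoped = packageIdent.startsWith("@");
  if (!scoped && !alwaysAuth) return null;
  const token = lookupAuthToken(config, requestUrl);
  return token ? `Bearer ${token}` : null;
}

// Resolve auth for the metadata request, then for the tarball URL that the
// metadata points at, and return both so the mismatch is visible.
function authForInstall(config, metadata, packageIdent, alwaysAuth = false) {
  const scope = packageIdent.startsWith("@") ? packageIdent.split("/")[0] : null;
  const registry = (scope && config[`${scope}:registry`]) || config.registry;
  const metadataUrl = new URL(encodeURIComponent(packageIdent), registry).href;
  const tarballUrl = metadata.versions[metadata["dist-tags"].latest].dist.tarball;
  return {
    metadata: resolveAuthorization(config, metadataUrl, packageIdent, alwaysAuth),
    tarball: resolveAuthorization(config, tarballUrl, packageIdent, alwaysAuth),
  };
}
```

The metadata request resolves a token while the tarball request does not, which is the 200 followed by 403 shown in the dumps; note that the fix proposed earlier (resolving the header once per package and reusing it) should still be limited to the registry's own origin, otherwise the token is sent to whatever host the metadata's tarball URL names.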
