NPM Login without manually entering the username, password & email

Question

I have been able to login to my npm registry manually, ie: on my local machine - but for some reason it's not working when it goes through the CI. The problem here is that after I execute the npm login command, the program is waiting for the manual user input (username, password, email) and I couldn't find a way to send these inputs in the pipeline (where I can't make manual user input):

These different approaches I tried:

1. Copy the npm auth token from my local machine into the environment variables of the gitlab CI/CD Settings, and then just copy them into the global .npmrc at the root directory: This results in an error (unauthenticated):

 $ cd ~

 $ pwd
 /root

 $ echo "//<my_registry_url>:_authToken=$NPM_AUTH_TOKEN" > ~/.npmrc

 $ cat .npmrc
 <my_registry_url>:_authToken=[MASKED]       //<-- the masked value is correct, I had it unmasked before once by mistake...

 $ npm whoami
 npm ERR! code ENEEDAUTH
 npm ERR! need auth This command requires you to be logged in.
 npm ERR! need auth You need to authorize this machine using `npm adduser`
 npm ERR! A complete log of this run can be found in:
 npm ERR!     /root/.npm/_logs/2021-03-02T14_29_00_728Z-debug.log
 Cleaning up file based variables
 00:00
 ERROR: Job failed: exit code 1

2. Install npm-cli-login and pass the username, password and email in one line with the npm login command

    $ npm install -g npm-cli-login
    npm WARN deprecated [email protected]: this library is no longer supported
    npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
    added 567 packages, and audited 568 packages in 46s
    33 packages are looking for funding
    run `npm fund` for details
    found 0 vulnerabilities
    
    // trying to login now
    $ npm-cli-login -u $USERNAME -p $API_KEY -e $EMAIL -r $REPOSITORY
    info attempt registry request try #1 at 6:17:19 AM
    http request PUT [MASKED]-/user/org.couchdb.user:<my correct username>
    http 201 [MASKED]-/user/org.couchdb.user:<my correct username>  // the login seems to have worked, at least I don't get an error

    // then I go to the home directory to check the .npmrc file 
    $ cd ~

    $ pwd
    /root

    $ cat .npmrc
    //<my_registry_url>:_authToken=<eyJ...rest of token>      // <-- so this was created correctly at my npm-cli-login command

    // then I go back to the angular project folder
    $ cd /builds/<my path>/app/src/main/ui
    $ ls
    README.md
    angular.json
    browserslist
    debug.log
    e2e
    package.json
    src
    tsconfig.app.json
    tsconfig.spec.json
    
    // and when I now run npm install, it says I'm not authenticated
    $ npm install
    npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
    npm WARN deprecated [email protected]: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
    npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/reques/request/issues/3142
    npm WARN deprecated [email protected]: "Please update to latest v2.3 or v2.2"
    npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
    npm WARN deprecated [email protected]: this library is no longer supported
    npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
    npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
    npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
    npm ERR! code E401
    npm ERR! Unable to authenticate, need: Basic realm="Artifactory Realm"    // <-- HERE IT FAILED
    npm ERR! A complete log of this run can be found in:
    npm ERR! /root/.npm/_logs/2021-03-02T06_44_42_972Z-debug.log
    Cleaning up file based variables 
    00:01 
    ERROR: Job failed: exit code 1

3. Using a here document like this in my gitlab-ci.yml:

       - npm login --registry=<my_registry_url> << EOF
       - $USERNAME    
       - $API_KEY
       - $EMAIL    
       - EOF

This results in:

$ npm login --registry=<my_registry_url> << EOF
Username: npm WARN Name may not contain non-url-safe chars 
Username: (echo $'\x1b[32;1m$ <my_username>\x1b[0;m') npm ERR! cb() never called!
npm ERR! This is an error with npm itself. Please report this error at:
npm ERR!     <https://npm.community>
npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2021-03-02T13_54_12_317Z-debug.log
ERROR: Job failed: exit code 1

Answer 1

The methods above were maybe not wrong at all, but somehow it only worked for me after using _auth instead of _authToken value in the .npmrc file.

This method is described here and on the jfrog confluence site.

After running this curl command I received everything that I needed to put into my global .npmrc file:

curl -u ${JFROG_USER}:${JFROG_ENCRYPTED_PASSWORD} https://${JFROG_ORG}.jfrog.io/artifactory/api/npm/auth

For anyone who's interested, the full script in my gitlab ci pipeline stage now looks like this:

script:
  - npm -v
  6.14.10
  - node -v
  v14.15.4
  - cd ~
  - pwd
  /root
  # install angular globally
  - npm i -g @angular/cli
  # create the config file '.npmrc' for authenticating at jFrog when running 'npm install'.
  - cat > .npmrc
  - echo _auth = ${NPM_AUTH_TOKEN} >> .npmrc    <- This is the token that I received after running the curl command from the tutorial / link above
  - echo always-auth = true >> .npmrc
  - echo email = ${EMAIL} >> .npmrc
  # the next line makes npm look for the packages that are annotated with @<my-private-repo> at the JFrog Repo.
  - echo @<my-private-repo>:registry=${UI_JFROG_REGESTRY} >> .npmrc
  # change back to the project folder.
  - cd /builds/<my-project-folder>/ui
  # install all packages + the <my-private-repo> package from JFrog.
  - npm install 

Answer 2

Instead of using npm login, which doesn't support non-interactivity, I used the auth URL and npmrc. However, I've only gotten this to work with private NPM repositories, and not with https://registry.npmjs.org/. I'm not sure what the AUTH url is for the public NPM registry. If someone finds the AUTH url for NPM, let me know :).

For private NPM repositories, you can avoid npm login by using:

curl -u $USERNAME:$ACCESS_TOKEN https://company.jfrog.io/artifactory/api/npm/auth  > ~/.npmrc

This allows us to avoid unnecessary dependencies, and is a single-line-change to a CI job.

Tips:

• You can adjust ~/.npmrc to .npmrc to affect the current project only.
• For debugging, you can remove > ~/.npmrc and see what the output from the auth URL is.