Skip to content

fix: allow specifying an auth token for third-party registries #2721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: allow specifying an auth token for third-party registries #2721

wants to merge 1 commit into from
+27 −7

Conversation

rliljest
Copy link

@rliljest rliljest commented Sep 29, 2025
edited
Loading

Summary

Currently if we are using a third-party registry, we are unable to initialize a react-native project under either of the following conditions:

  1. The registry requires authentication
  2. The registry includes a path (e.g., https://registry.example.com/foo instead of https://registry.example.com)

Related: #2718

Test Plan

I am on an enterprise network with a third-party registry that requires authentication. After making the changes in this PR locally, I was able to initialize a react-native repository locally with the following commands:

  1. yarn install
  2. npm run build
  3. chmod 755 packages/cli/build/bin.js
  4. From another directory: ../../packages/cli/build/bin.js init --auth-token ... MyAwesomeProject

Checklist

  • Documentation is up to date.
  • Follows commit message convention described in CONTRIBUTING.md.
  • For functional changes, my test plan has linked these CLI changes into a local react-native checkout (instructions).

@liamjones
Copy link
Contributor

Do NPM not publish a library that the CLI could be using for registry communication? E.g. one that'd automatically obey .npmrc, etc. settings rather than the CLI doing a raw fetch()?

@rliljest
Copy link
Author

rliljest commented Sep 29, 2025
edited
Loading

Do NPM not publish a library that the CLI could be using for registry communication? E.g. one that'd automatically obey .npmrc, etc. settings rather than the CLI doing a raw fetch()?

That's a good callout: I think I was looking at a very old version of the tool that I had installed locally, and it was using some attributes that were only available via the registry and not npm info. I'll see if I can update my MR to use npm info --json instead.

Or maybe I was looking at a different code branch that we only hit if a specific --version is supplied. I'll dig into it a bit and update my MR

@rliljest
Copy link
Author

I updated my PR. Turns out there are two places where we currently fetch npm registry data (my initial change only updated one). The second one deals with the getTemplateVersion function, which AFAIK is only used when a specific --version argument is passed:

https://github.com/react-native-community/cli/blob/main/packages/cli/src/tools/npm.ts#L134

This second registry query does need to pull directly from the registry without an npm command, since it assumes it can view scripts information for all published version. This information is available by hitting the registry directly, but not available via npm commands.

So we could update the first registry query (which only cares about tags and versions) to use npm info, but since the second one requires hitting the registry it might make sense to keep them both the same

@thymikee
Copy link
Member

Wouldn't it be enough to provide the auth token in your root .npmrc file? Like this:

registry=https://registry.example.com/foo/
//registry.example.com/foo/:_authToken=npm_token

@rliljest
Copy link
Author

Wouldn't it be enough to provide the auth token in your root .npmrc file? Like this:

We do have that set up locally, which is enough for running npm install commands locally. There are two reasons why we cannot use this _authToken:

  1. The token in that file is not used as part of a fetch call
  2. The auth token is one of the few npm configuration values that cannot be extracted with npm config due to security concerns

So there is no good way to extract that value and automatically add it to the headers

@liamjones
Copy link
Contributor

liamjones commented Sep 29, 2025
edited
Loading

It looks like NPM publish this package which might be worth investigating as a replacement for the raw fetch? https://github.com/npm/npm-registry-fetch

...It's able to consume npm-style configuration values and has all the necessary logic for picking registries, handling scopes, and dealing with authentication details built-in...

@rliljest
Copy link
Author

It looks like NPM publish this package which might be worth investigating as a replacement for the raw fetch? https://github.com/npm/npm-registry-fetch

I experimented with this package a bit. It takes configuration values that are similar to what you would find in a .npmrc file, but it doesn't automatically read/parse the existing .npmrc files. So we could use this library instead of fetch, but we would still need to pass the authToken as an option

@liamjones
Copy link
Contributor

It takes configuration values that are similar to what you would find in a .npmrc file, but it doesn't automatically read/parse the existing .npmrc files. So we could use this library instead of fetch, but we would still need to pass the authToken as an option

So close to being helpful...

Does https://www.npmjs.com/package/@npmcli/config let you load the config via normal lookup methods & then pass it to npm-registry-fetch?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thymikee thymikee Awaiting requested review from thymikee thymikee is a code owner

@szymonrybczak szymonrybczak Awaiting requested review from szymonrybczak szymonrybczak is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rliljest @liamjones @thymikee