npm · fritzy · Jul 19, 2022 · Jul 18, 2022 · Jul 18, 2022
@@ -698,9 +698,11 @@ class Config {
     this.delete(`${nerfed}:_password`, 'user')
     this.delete(`${nerfed}:username`, 'user')
     this.delete(`${nerfed}:email`, 'user')
+    this.delete(`${nerfed}:certfile`, 'user')
+    this.delete(`${nerfed}:keyfile`, 'user')
   }
 
-  setCredentialsByURI (uri, { token, username, password, email }) {
+  setCredentialsByURI (uri, { token, username, password, email, certfile, keyfile }) {
     const nerfed = nerfDart(uri)
     const def = nerfDart(this.get('registry'))
 
@@ -733,6 +735,11 @@ class Config {
     this.delete(`${nerfed}:-authtoken`, 'user')
     this.delete(`${nerfed}:_authtoken`, 'user')
     this.delete(`${nerfed}:email`, 'user')
+    if (certfile && keyfile) {
+      this.set(`${nerfed}:certfile`, certfile, 'user')
+      this.set(`${nerfed}:keyfile`, keyfile, 'user')
+      // cert/key may be used in conjunction with other credentials, thus no `else`
+    }
     if (token) {
       this.set(`${nerfed}:_authToken`, token, 'user')
       this.delete(`${nerfed}:_password`, 'user')
@@ -750,7 +757,7 @@ class Config {
       // protects against shoulder-hacks if password is memorable, I guess?
       const encoded = Buffer.from(password, 'utf8').toString('base64')
       this.set(`${nerfed}:_password`, encoded, 'user')
-    } else {
+    } else if (!certfile || !keyfile) {
       throw new Error('No credentials to set.')
     }
   }
@@ -765,6 +772,14 @@ class Config {
       creds.email = email
     }
 
+    const certfileReg = this.get(`${nerfed}:certfile`)
+    const keyfileReg = this.get(`${nerfed}:keyfile`)
+    if (certfileReg && keyfileReg) {
+      creds.certfile = certfileReg
+      creds.keyfile = keyfileReg
+      // cert/key may be used in conjunction with other credentials, thus no `return`
+    }
+
     const tokenReg = this.get(`${nerfed}:_authToken`) ||
       this.get(`${nerfed}:_authtoken`) ||
       this.get(`${nerfed}:-authtoken`) ||

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/config",
-  "version": "4.1.0",
+  "version": "4.2.0",
   "files": [
     "bin/",
     "lib/"
@@ -31,7 +31,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "3.3.2",
+    "@npmcli/template-oss": "3.5.0",
     "tap": "^16.0.1"
   },
   "dependencies": {
@@ -49,6 +49,6 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "3.3.2"
+    "version": "3.5.0"
   }
 }
@@ -1,4 +1,5 @@
 'use strict'
+const fs = require('fs')
 const npa = require('npm-package-arg')
 const { URL } = require('url')
 
@@ -7,7 +8,8 @@ const { URL } = require('url')
 const regKeyFromURI = (uri, opts) => {
   const parsed = new URL(uri)
   // try to find a config key indicating we have auth for this registry
-  // can be one of :_authToken, :_auth, or :_password and :username
+  // can be one of :_authToken, :_auth, :_password and :username, or
+  // :certfile and :keyfile
   // We walk up the "path" until we're left with just //<host>[:<port>],
   // stopping when we reach '//'.
   let regKey = `//${parsed.host}${parsed.pathname}`
@@ -26,7 +28,8 @@ const regKeyFromURI = (uri, opts) => {
 const hasAuth = (regKey, opts) => (
   opts[`${regKey}:_authToken`] ||
   opts[`${regKey}:_auth`] ||
-  opts[`${regKey}:username`] && opts[`${regKey}:_password`]
+  opts[`${regKey}:username`] && opts[`${regKey}:_password`] ||
+  opts[`${regKey}:certfile`] && opts[`${regKey}:keyfile`]
 )
 
 const sameHost = (a, b) => {
@@ -44,6 +47,17 @@ const getRegistry = opts => {
   return scopeReg || opts.registry
 }
 
+const maybeReadFile = file => {
+  try {
+    return fs.readFileSync(file, 'utf8')
+  } catch (er) {
+    if (er.code !== 'ENOENT') {
+      throw er
+    }
+    return null
+  }
+}
+
 const getAuth = (uri, opts = {}) => {
   const { forceAuth } = opts
   if (!uri) {
@@ -59,6 +73,8 @@ const getAuth = (uri, opts = {}) => {
       username: forceAuth.username,
       password: forceAuth._password || forceAuth.password,
       auth: forceAuth._auth || forceAuth.auth,
+      certfile: forceAuth.certfile,
+      keyfile: forceAuth.keyfile,
     })
   }
 
@@ -82,6 +98,8 @@ const getAuth = (uri, opts = {}) => {
     [`${regKey}:username`]: username,
     [`${regKey}:_password`]: password,
     [`${regKey}:_auth`]: auth,
+    [`${regKey}:certfile`]: certfile,
+    [`${regKey}:keyfile`]: keyfile,
   } = opts
 
   return new Auth({
@@ -90,15 +108,19 @@ const getAuth = (uri, opts = {}) => {
     auth,
     username,
     password,
+    certfile,
+    keyfile,
   })
 }
 
 class Auth {
-  constructor ({ token, auth, username, password, scopeAuthKey }) {
+  constructor ({ token, auth, username, password, scopeAuthKey, certfile, keyfile }) {
     this.scopeAuthKey = scopeAuthKey
     this.token = null
     this.auth = null
     this.isBasicAuth = false
+    this.cert = null
+    this.key = null
     if (token) {
       this.token = token
     } else if (auth) {
@@ -108,6 +130,15 @@ class Auth {
       this.auth = Buffer.from(`${username}:${p}`, 'utf8').toString('base64')
       this.isBasicAuth = true
     }
+    // mTLS may be used in conjunction with another auth method above
+    if (certfile && keyfile) {
+      const cert = maybeReadFile(certfile, 'utf-8')
+      const key = maybeReadFile(keyfile, 'utf-8')
+      if (cert && key) {
+        this.cert = cert
+        this.key = key
+      }
+    }
   }
 }
 

@@ -112,10 +112,10 @@ function regFetch (uri, /* istanbul ignore next */ opts_ = {}) {
       cache: getCacheMode(opts),
       cachePath: opts.cache,
       ca: opts.ca,
-      cert: opts.cert,
+      cert: auth.cert || opts.cert,
       headers,
       integrity: opts.integrity,
-      key: opts.key,
+      key: auth.key || opts.key,
       localAddress: opts.localAddress,
       maxSockets: opts.maxSockets,
       memoize: opts.memoize,

@@ -1,6 +1,6 @@
 {
   "name": "npm-registry-fetch",
-  "version": "13.2.0",
+  "version": "13.3.0",
   "description": "Fetch-based http client for use with npm registry APIs",
   "main": "lib",
   "files": [

@@ -90,7 +90,7 @@
         "@isaacs/string-locale-compare": "^1.1.0",
         "@npmcli/arborist": "^5.0.4",
         "@npmcli/ci-detect": "^2.0.0",
-        "@npmcli/config": "^4.1.0",
+        "@npmcli/config": "^4.2.0",
         "@npmcli/fs": "^2.1.0",
         "@npmcli/map-workspaces": "^2.0.3",
         "@npmcli/package-json": "^2.0.0",
@@ -135,7 +135,7 @@
         "npm-package-arg": "^9.1.0",
         "npm-pick-manifest": "^7.0.1",
         "npm-profile": "^6.2.0",
-        "npm-registry-fetch": "^13.2.0",
+        "npm-registry-fetch": "^13.3.0",
         "npm-user-validate": "^1.0.1",
         "npmlog": "^6.0.2",
         "opener": "^1.5.2",
@@ -867,9 +867,9 @@
       }
     },
     "node_modules/@npmcli/config": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@npmcli/config/-/config-4.1.0.tgz",
-      "integrity": "sha512-cPQmIQ2Q0vuOfrenrA3isikdMFMAHgzlXV+EmvZ8f2JeJsU5xTU2bG7ipXECiMvPF9nM+QDnMLuIg8QLw9H4xg==",
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/@npmcli/config/-/config-4.2.0.tgz",
+      "integrity": "sha512-imWNz5dNWb2u+y41jyxL2WB389tkhu3a01Rchn16O/ur6GrnKySgOqdNG3N/9Z+mqxdISMEGKXI/POCauzz0dA==",
       "inBundle": true,
       "dependencies": {
         "@npmcli/map-workspaces": "^2.0.2",
@@ -5188,9 +5188,9 @@
       }
     },
     "node_modules/npm-registry-fetch": {
-      "version": "13.2.0",
-      "resolved": "https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-13.2.0.tgz",
-      "integrity": "sha512-NEKnK02Co31+cnDtnAvEdq9xn6E9yKPK/aOHXZieVbw/qVOcFd7su6kviZjImYoszjM2GykMfGMiyyPUQjUkag==",
+      "version": "13.3.0",
+      "resolved": "https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-13.3.0.tgz",
+      "integrity": "sha512-10LJQ/1+VhKrZjIuY9I/+gQTvumqqlgnsCufoXETHAPFTS3+M+Z5CFhZRDHGavmJ6rOye3UvNga88vl8n1r6gg==",
       "inBundle": true,
       "dependencies": {
         "make-fetch-happen": "^10.0.6",

@@ -58,7 +58,7 @@
     "@isaacs/string-locale-compare": "^1.1.0",
     "@npmcli/arborist": "^5.0.4",
     "@npmcli/ci-detect": "^2.0.0",
-    "@npmcli/config": "^4.1.0",
+    "@npmcli/config": "^4.2.0",
     "@npmcli/fs": "^2.1.0",
     "@npmcli/map-workspaces": "^2.0.3",
     "@npmcli/package-json": "^2.0.0",
@@ -103,7 +103,7 @@
     "npm-package-arg": "^9.1.0",
     "npm-pick-manifest": "^7.0.1",
     "npm-profile": "^6.2.0",
-    "npm-registry-fetch": "^13.2.0",
+    "npm-registry-fetch": "^13.3.0",
     "npm-user-validate": "^1.0.1",
     "npmlog": "^6.0.2",
     "opener": "^1.5.2",