
Using different auth tokens for different scopes in the same registry #12390

@zkochan thanks for the answer.

The problem with PNPM_CONFIG_NPMRC_AUTH_FILE env variable is that the devs would need to inline it each time they want to do pnpm install.

The issue is that our devs work with multiple GitHub users across different orgs, so on disk they might have:

orgA/repo1
orgB/repo2

And each repo has a dependency on private GitHub packages for that org. So if we go with the PNPM_CONFIG_NPMRC_AUTH_FILE solution, we can't just have one in global scope, instead the devs would need to write this when they are in orgA repos

PNPM_CONFIG_NPMRC_AUTH_FILE=~/.npmrc.orgA pnpm install

and this when they are in orgB repos:

PNPM_CONFIG_NPMRC_AUTH_FILE=~/.npmrc.orgB pnpm install

So it makes it quite cumbersome compared to the old pnpm install. Adding an alias or using a tool like direnv could potentially automate it, but it would be nice not to have to bring in another tool to work around this if possible.

Regarding your suggestion, pnpm_config_//npm.pkg.github.com/@orgB:_authToken=XXXXX, I might be missing something, but I don't think that will work, or I'm testing it wrong.

The problem is that there's only one host for all organisations on github.com: npm.pkg.github.com. The host itself can't have the org in the pathname for GitHub packages, so for orgA and orgB the scope declarations will be:

@orgA:registry=https://npm.pkg.github.com
@orgB:registry=https://npm.pkg.github.com

so both scopes point to the same host. If you try to change this to something like:

@orgA:registry=https://npm.pkg.github.com/@orgA
@orgB:registry=https://npm.pkg.github.com/@orgB

you'll just get a 403 - Forbidden, as this isn't a valid path.

And if you instead try to put the scope/org only in the auth section, like this:

@orgA:registry=https://npm.pkg.github.com
@orgB:registry=https://npm.pkg.github.com
//npm.pkg.github.com/@orgA:_authToken=XXXXX
//npm.pkg.github.com/@orgB:_authToken=XXXXX

you get a 401, because when pnpm resolves the @orgA or @orgB scope it looks up the registry host https://npm.pkg.github.com and then tries to find an auth token keyed to that host (https://npm.pkg.github.com). But it looks like it will not match //npm.pkg.github.com/@orgA:_authToken or //npm.pkg.github.com/@orgB:_authToken, because those keys now have a pathname section.

So because .npmrc separates the scope declaration from the auth declaration, where the scope declaration maps a scope to a host and then auth declaration maps a host to a token, I don't see how I can target a specific scope with a unique token unless that scope also has a unique host.

In yarn you have .yarnrc like this:

npmScopes:
  orgA:
    npmAlwaysAuth: true
    npmAuthToken: "${ORG_A_GITHUB_TOKEN:-no_token}"
    npmRegistryServer: "https://npm.pkg.github.com"
  orgB:
    npmAlwaysAuth: true
    npmAuthToken: "${ORG_B_GITHUB_TOKEN:-no_token}"
    npmRegistryServer: "https://npm.pkg.github.com"

where both the host and the auth token sit under the scope settings. I haven't found anything similar in pnpm, which is why we previously used the different env variables per org setup. It doesn't solve all the problems yarn does with totally separate scopes, but as long as orgs don't need to reference packages from each other, it works okay.

But as I said, I might be missing something or have misunderstood what you meant. I'm currently testing with pnpm 11.6.0.

Originally posted by @fredriknils in #12314
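An added illustration, not part of the issue thread and not pnpm's or npm's implementation: a small JavaScript model of the two-step lookup described above (scope to registry URL, then registry URL to a token keyed in npm's "nerf dart" form, //host/path/). It shows that path-qualified keys such as //npm.pkg.github.com/@orgA are never reached, and that a host-level key hands the same token to both scopes. The two sample .npmrc texts are constructed for the example.

```javascript
// Added model (not pnpm's or npm's code) of the .npmrc resolution discussed in the issue:
// scope -> registry URL, then registry URL -> token keyed in nerf-dart form (//host/path/).
// Parse .npmrc text into scope->registry and nerfed-key->token maps.
function parseNpmrc(text) {
  const scopes = {};
  const auth = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key.endsWith(':registry')) scopes[key.slice(0, -':registry'.length)] = value;
    else if (key.endsWith(':_authToken')) auth[key.slice(0, -':_authToken'.length)] = value;
  }
  return { scopes, auth };
}
// nerf dart: https://host/some/path -> //host/some/path/  (URL is a Node global)
function nerfDart(registryUrl) {
  const u = new URL(registryUrl);
  const path = u.pathname.endsWith('/') ? u.pathname : `${u.pathname}/`;
  return `//${u.host}${path}`;
}
// Token a request for pkgName would carry. Only the registry URL's own path is
// walked upwards, so a key with a longer path (//host/@orgA) is never tried.
function resolveToken(config, pkgName) {
  const scope = pkgName.startsWith('@') ? pkgName.split('/')[0] : null;
  const registry = (scope && config.scopes[scope]) || 'https://registry.npmjs.org/';
  let key = nerfDart(registry);
  while (key.length > '//'.length) {
    if (config.auth[key] !== undefined) return { registry, key, token: config.auth[key] };
    key = key.replace(/([^/]+|\/)$/, ''); // drop trailing segment or trailing slash
  }
  return { registry, key: null, token: undefined };
}
// Constructed sample configs mirroring the two layouts discussed in the issue.
const PATH_KEYED = [
  '@orgA:registry=https://npm.pkg.github.com',
  '@orgB:registry=https://npm.pkg.github.com',
  '//npm.pkg.github.com/@orgA:_authToken=TOKEN_A',
  '//npm.pkg.github.com/@orgB:_authToken=TOKEN_B',
].join('\n');
const HOST_KEYED = [
  '@orgA:registry=https://npm.pkg.github.com',
  '@orgB:registry=https://npm.pkg.github.com',
  '//npm.pkg.github.com/:_authToken=TOKEN_SHARED',
].join('\n');
```

With PATH_KEYED, resolveToken returns no token for either scope, which matches the 401 reported above; with HOST_KEYED both scopes receive TOKEN_SHARED, which is why a per-scope token on a single host needs scope-level configuration like the .yarnrc example.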
