Skip to content

feat: pnpm login (old)#11055

Closed
KSXGitHub wants to merge 47 commits into
mainfrom
claude/implement-pnpm-login-4VvtQ
Closed

feat: pnpm login (old)#11055
KSXGitHub wants to merge 47 commits into
mainfrom
claude/implement-pnpm-login-4VvtQ

Conversation

@KSXGitHub

@KSXGitHub KSXGitHub commented Mar 21, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR implements the pnpm login command for authenticating with npm registries. The implementation supports both modern web-based authentication (with QR code display) and falls back to classic username/password authentication for registries that don't support the web flow.

Key Changes

  • New @pnpm/auth.commands package: Implements the login command with support for:

    • Web-based authentication via /-/v1/login endpoint with QR code generation
    • Automatic fallback to classic authentication (username/password/email) when web login is not supported
    • Token persistence to .npmrc configuration file
    • Interactive terminal requirement validation

  • New @pnpm/network.web-auth package: Extracted shared web authentication utilities:

    • pollForWebAuthToken(): Polls a registry's "done" URL until authentication token is received
    • generateQrCode(): Generates QR codes for authentication URLs
    • WebAuthTimeoutError: Custom error for authentication timeout (5 minute default)
    • Respects Retry-After headers during polling
    • Handles network failures and invalid responses gracefully

  • Refactored OTP authentication: Updated releasing/commands/src/publish/otp.ts to use the new shared @pnpm/network.web-auth utilities, eliminating code duplication

  • Integration: Added login command to pnpm CLI and removed it from the not-implemented commands list

Implementation Details

  • The login command requires an interactive TTY for both stdin and stdout
  • Web login is attempted first; if the registry returns 404 or 405, it falls back to classic login
  • Authentication tokens are stored in the .npmrc file under registry-specific keys (e.g., //registry.npmjs.org/:_authToken)
  • The polling mechanism includes configurable retry logic and respects server-provided retry delays
  • Comprehensive test coverage for both web and classic authentication flows

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S

claude added 24 commits March 22, 2026 01:32
@claude
refactor: extract web auth QR code and polling into @pnpm/network.web…
9d31176 
…-auth

Extract generateQrCode() and pollForWebAuthToken() from releasing/commands
into a new shared package so that both `pnpm publish` and the upcoming
`pnpm login` can reuse the web-based authentication flow with QR code
display and doneUrl polling.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
feat: implement pnpm login command
8f0171f 
Add `pnpm login` (and `pnpm adduser` alias) for authenticating with npm
registries. The command:

- Tries web-based login first (POST /-/v1/login), displaying a QR code
  and polling for the token using @pnpm/network.web-auth
- Falls back to classic username/password/email login (PUT /-/user/
  org.couchdb.user:<username>) when web login is not supported (404/405)
- Saves the received auth token to the user's global rc file

Also fixes a tsgo build issue in releasing/commands where
OtpWebAuthFetchOptions was used as a local type alias but was only
available as a re-exported name.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
fix: resolve spellcheck issues in login test
e4a09b7 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
fix: correct alphabetical ordering for meta-updater
ebe20e8 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
chore: add meta-updater generated tsconfig files
f80e133 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
fix: add explicit return type to prompt mock for tsgo compatibility
f0df8ee 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
fix: use @pnpm/network.fetch instead of globalThis.fetch
8a7ff9b 
Switch from globalThis.fetch to fetchWithAgent from @pnpm/network.fetch
so that pnpm login respects proxy settings (httpProxy/httpsProxy/noProxy),
custom SSL certificates (ca/cert/key), strictSsl, and retry configuration.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor: improve login fetch types and use URL constructor
ae93a02 
- Type LoginContext.fetch using WebAuthFetchOptions/WebAuthFetchResponse
  from @pnpm/network.web-auth, extended with text() and wider method
- Replace regex-based URL construction with new URL() constructor
- Remove redundant LoginFetchInit type

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor: match publish pattern for dependency injection
cea7867 
- Static DEFAULT_CONTEXT constant instead of createDefaultContext factory
- context = DEFAULT_CONTEXT default parameter instead of context?: Partial
- Destructure context in function signatures for natural calling
- Use plain fetch from @pnpm/network.fetch (like SHARED_CONTEXT in publish)
- Context contains only side-effect functions and modules, not config

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor: use typeof fetch instead of custom fetch types
77fac6e 
Remove LoginFetchOptions and LoginFetchResponse. Type LoginContext.fetch
as typeof fetch from @pnpm/network.fetch directly, eliminating all casts.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
fix: remove placeholder username from login success message
e29e71c 
Web login doesn't return a username, so just report the registry.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor: use tempDir from @pnpm/prepare instead of manual tmp dirs
59dad1d 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
chore: update tsconfig references for @pnpm/prepare
655f8d0 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor: inject readSettings/writeSettings for fully pure tests
43e606a 
Add readSettings and writeSettings to LoginContext so tests need no
filesystem side effects. Remove @pnpm/prepare devDependency.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor: remove DEFAULT_CONTEXT from tests, use pure test context
9fc033e 
Tests now construct their own TEST_CONTEXT with all no-op mocks,
eliminating any reliance on real side-effectful functions.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
test: use distinct opts per test, assert URLs and config paths
bf29d42 
Each test now uses a different registry and configDir to verify URL
construction, config key generation, and save path are correct for
non-default options.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
test: throw on unexpected mock calls instead of silent fallbacks
555be0b 
All mock functions in TEST_CONTEXT now throw on unexpected calls,
ensuring tests fail loudly if the code makes unanticipated side effects.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
test: use IANA-reserved example.com domains in test URLs
dff299d 
Replace custom.registry.io and private.reg.co with example.com and
example.org (RFC 2606 reserved) to prevent domain squatting risks.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
test: use deterministic Date mock instead of native Date
3fc6504 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
test: assert globalInfo calls, throw on unexpected ones
b6d845c 
Default globalInfo in TEST_CONTEXT now throws. Each test overrides it
to capture messages and asserts the expected output.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
fix: use inferred type for fetch url parameter in tests
71c9025 
Drop explicit `string` annotation so the parameter matches the
`RequestInfo` type expected by the fetch signature.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
fix: resolve type errors in login test mock fetch
cf33f24 
Use mockResponse helper with `as any` cast to satisfy the Response
type, and String(url) for RequestInfo-to-string conversion.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
chore: add tsconfig.lint.tsbuildinfo to .gitignore
ff0ffec 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor: replace typeof fetch with explicit LoginFetchResponse/Login…
cd51829 
…FetchOptions types

Derive the fetch signature from actual call-site usage instead of
coupling to the concrete @pnpm/network.fetch type. This lets test
mocks return plain objects without casts.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@KSXGitHub KSXGitHub force-pushed the claude/implement-pnpm-login-4VvtQ branch from a34d83b to cd51829 Compare March 22, 2026 01:33
claude added 5 commits March 22, 2026 01:35
@claude
chore: gitignore generated pn/pnpx/pnx artifacts
e94f78a 
These files are created by setup.js during preinstall and should not
be tracked.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor: remove unnecessary backwards-compat aliases from otp.ts
a920e8b 
Remove Otp-prefixed re-exports (OtpWebAuthFetchOptions,
OtpWebAuthFetchResponse, OtpWebAuthTimeoutError) that only existed as
backwards-compatibility shims. Update the test to import directly from
@pnpm/network.web-auth. Restore the named OtpDate interface that was
unnecessarily inlined.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
test(web-auth): add comprehensive unit tests for @pnpm/network.web-auth
9177a2f 
Add dependency-injected unit tests covering:
- WebAuthTimeoutError: properties, code, hint, message
- generateQrCode: basic output and input differentiation
- pollForWebAuthToken: happy path, fetch argument passing,
  Retry-After handling (valid, non-finite, null, sub-interval,
  capped to remaining timeout, timeout during retry wait),
  error recovery (fetch throws, non-ok response, json parse error,
  missing token, empty token, multiple consecutive errors),
  custom timeout, poll interval timing

All tests use fake Date.now() and setTimeout — no real timers or
side effects.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
fix(web-auth): fix TS2339 compile errors in test assertions
d155cb4 
Replace `.catch((e: WebAuthTimeoutError) => e)` pattern with
`rejects.toMatchObject()` to avoid `string | WebAuthTimeoutError`
union type issue when accessing `.timeout` property.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
feat(web-auth,login): extract shared OTP handling and add OTP support…
bbf1aea 
… to login

- Create `withOtpHandling<T>()` in `@pnpm/network.web-auth` that wraps
  any operation with EOTP challenge detection, web auth flow, and
  classic OTP prompting.
- Refactor `publishWithOtpHandling` to delegate to the shared function.
- Add OTP handling to `pnpm login`'s classic (CouchDB) login flow:
  detects 401 + `www-authenticate: otp` header and retries with the
  OTP code (or web auth token) in the `npm-otp` header.
- Remove overly strict `this: this` constraints from WebAuthFetchResponse
  interfaces to improve cross-package type compatibility.
- Add 13 unit tests for `withOtpHandling` (classic + webauth flows).
- Add 4 login OTP tests (classic OTP, webauth OTP, non-401, non-otp 401).

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
github-advanced-security[bot]
github-advanced-security AI found potential problems Mar 22, 2026
View reviewed changes
Comment thread auth/commands/test/login.test.ts Fixed
claude and others added 18 commits March 22, 2026 03:06
@claude
fix(login): use word-boundary regex for URL assertion in test
ca2c5be 
Replace `m.includes(url)` with a regex that checks the URL is
bounded by whitespace or string boundaries, addressing the CodeQL
"incomplete URL substring sanitization" finding.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor(login): use toContainEqual + stringMatching for URL assertion
b902fa8 
Replace manual `.some()` with Jest's `toContainEqual(expect.stringMatching(...))`
for better error messages on failure.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor(web-auth): use expect.any(String) instead of typeof check
4e09b39 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor(web-auth): consolidate multi-property assertions
e9bdf6a 
Use toMatchObject and toEqual instead of separate per-property expects.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
docs: explain why npm-auth-type header is sent unconditionally
489daf0 
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor: remove unused re-exports and add missing test coverage
d8e9f43 
Remove dead re-exports of OtpHandlingPromptOptions and
OtpHandlingPromptResponse from releasing/commands/src/publish/otp.ts.

Add tests for:
- LOGIN_MISSING_CREDENTIALS (empty username in classic login)
- LOGIN_NO_TOKEN (registry returns success without token)
- LOGIN_INVALID_RESPONSE (web login returns incomplete response)
- isWebLoginNotSupported with 405 status code

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor(login): rename readSettings/writeSettings to safeReadIniFile…
74105b9 
…/writeIniFile

Use the actual function names in the LoginContext interface instead of
abstract names, matching the implementations they wrap.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor(otp): remove unnecessary re-exports from otp.ts
ae0c319 
OtpNonInteractiveError, OtpSecondChallengeError, and OtpHandlingEnquirer
were re-exported only for the test file, which can import them directly
from @pnpm/network.web-auth.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor(otp): remove unused SHARED_CONTEXT re-export
d64f752 
All consumers already import SHARED_CONTEXT directly from
./utils/shared-context.js, making this re-export dead code.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@claude
refactor(login): extract LoginDate and LoginEnquirer interfaces
b3491d2 
Extract named interfaces for the Date and enquirer members of
LoginContext instead of inlining their types.

https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
@KSXGitHub
refactor: stop renaming
72b1e83 
Claude Code Web didn't rename them thoroughly, so I had to do it myself
@KSXGitHub
docs: correct the lines
9f70c85 
Why did Claude Code Web misaligned?
@KSXGitHub
refactor: strictly type LoginFetchOptions.headers
551b410
@KSXGitHub
docs: remove redundant comments
7c0fdbe
@KSXGitHub
refactor: inline npm-otp
25c88ae
@KSXGitHub
refactor: inline headers
45c2efd
@KSXGitHub
feat: add WebLoginError.responseText
b4c4f19
@KSXGitHub
refactor: rename statusCode into httpStatus
ff625e4
@KSXGitHub KSXGitHub changed the title feat: pnpm login feat: pnpm login (old) Mar 26, 2026
This was referenced Mar 26, 2026
Closed
Merged
@KSXGitHub KSXGitHub deleted the claude/implement-pnpm-login-4VvtQ branch March 27, 2026 11:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zkochan zkochan Awaiting requested review from zkochan zkochan will be requested when the pull request is marked ready for review zkochan is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@KSXGitHub @github-advanced-security @claude