The issue has been solved

"Verify user is authenticated" Credentials Issue #432

colinking posted onGitHub

Hitting an issue with authentication when trying to publish a private scoped package to npm.

Running yarn run release (where "release": "np" in package.json):

> yarn run release
yarn run v1.16.0
$ np

Publish a new version of @segment/package-name (current: 1.0.4)

Commits:
- Add np for releasing to npm (#3)  66f0afc

Commit Range:
93f42078aea5ad8114c57c618db33f06c89e4147...master

? Select semver increment or specify new version patch     1.0.5
? This scoped repo @segment/package-name hasn't been published. Do you want to publish it publicly? No

  ❯ Prerequisite check
    ✔ Ping npm registry
    ✔ Check npm version
    ✔ Check yarn version
    ✖ Verify user is authenticated
      → npm ERR!     /Users/colinking/.npm/_logs/2019-06-18T20_37_11_472Z-debug.log
      Check git version
      Check git remote
      Validate version
      Check for pre-release version
      Check git tag existence
    Git
    Cleanup
    Installing dependencies using Yarn
    Running tests using Yarn
    Bumping version using Yarn
    Publishing package using Yarn
    Enabling two-factor authentication
    Pushing tags
    Creating release draft on GitHub

✖ Command failed: npm access ls-collaborators @segment/package-name
npm ERR! code E403
npm ERR! 403 Forbidden - GET https://registry.yarnpkg.com/-/package/%40segment%2Fpackage-name/collaborators?format=cli - Forbidden

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/colinking/.npm/_logs/2019-06-18T20_37_11_472Z-debug.log



Publish failed. Rolling back to the previous state…
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

What's odd is that I am logged in:

> yarn login
yarn login v1.16.0
info npm username: colinking
info npm email: <email>
✨  Done in 0.06s.

And I'm even able to fetch that collaborators list that is 403-ing:

> npm access ls-collaborators @segment/node-ctlstore
{
    // ...
}

And both of the following publish fine:

> ./node_modules/.bin/np

> npm run release

Possibly this is an issue with np getting auth rights correctly via yarn?

Expected behavior

Expected to not get a 403 issue from np. It should have published fine, just like it does when run with npm instead of yarn.

Environment

np - 5.0.3 Node.js - v10.15.3 npm - 6.9.0 Git - 2.20.1 OS - macOS 10.14.5

Also seeing an issue. I'd like to try and resolve this, so I'll pull the repo down locally, but @sindresorhus ... any inkling as to why collaborators('@private-org/private-package') could fail in this package, but npm access ls-collaborators @private-org/private-package responds with 200 status and a list of users?

Really need this one fixed 🙏

posted by kylemh over 5 years ago

@kylemh has funded $50.00 to this issue.

Submit pull request via IssueHunt to receive this reward.
Want to contribute? Chip in to this issue via IssueHunt.
Checkout the IssueHunt Issue Explorer to see more funded issues.
Need help from developers? Add your repository on IssueHunt to raise funds.

posted by issuehunt-app[bot] about 5 years ago

@colinking @kylemh This error looks like a wrong registry url. np (version 5.0.3) tries to publish to the default registry url. If you choose yarn to run np, yarn overrides the registry url with https://registry.yarnpkg.com/ (default-setting). So it doesn't matter, what registry url you configured for npm. Yarn always overrides this url. If you execute the command npm access ls-collaborators @segment/node-ctlstore, the registry url from npm is used. The mismatch between these two commands can come from the different registries.

In version 6.0.0 (np), you can tell np to use the registry url from the publishConfig property in package.json.

posted by bunysae about 5 years ago

@sindresorhus I'm not sure if I should notify the author of https://github.com/sindresorhus/np/pull/491 to collect the bounty or if @bunysae should get it given the explanation of the issue and workaround?

Also, I'm guessing this can be closed by instructing devs to go to v6.0.0 and changing publishConfig

posted by kylemh about 5 years ago

You can give it to @bunysae, but it can only be given by referencing a PR. @bunysae Can you do a PR to add a tip about this issue to the readme? Maybe a FAQ item?

posted by sindresorhus about 5 years ago

@sindresorhus Done

posted by bunysae about 5 years ago

@sindresorhus has rewarded $45.00 to @bunysae. See it on IssueHunt