feat(trusted-publishing): make request to verify if OIDC token exchange can succeed

travi · travi · commit c80ecb0404f4 · 2025-10-15T00:19:34.000-05:00
this is the correct call, but details are still incomplete since the bearer token for the request needs to be the OIDC token from the CI IdP for #958
diff --git a/lib/set-npmrc-auth.js b/lib/set-npmrc-auth.js
@@ -9,7 +9,7 @@ import { OFFICIAL_REGISTRY } from "./definitions/constants.js";
 
 export default async function (npmrc, registry, { cwd, env: { NPM_TOKEN, NPM_CONFIG_USERCONFIG }, logger }) {
   logger.log("Verify authentication for registry %s", registry);
-  const { configs, ...rcConfig } = rc(
+  const { configs, config, ...rcConfig } = rc(
     "npm",
     { registry: OFFICIAL_REGISTRY },
     { config: NPM_CONFIG_USERCONFIG || path.resolve(cwd, ".npmrc") }
diff --git a/lib/trusted-publishing/oidc-context.js b/lib/trusted-publishing/oidc-context.js
@@ -1,6 +1,7 @@
 import { OFFICIAL_REGISTRY } from "../definitions/constants.js";
 import trustedCiProvider from "./supported-ci-provider.js";
+import tokenExchange from "./token-exchange.js";
 
-export default function oidcContextEstablished(registry) {
-  return OFFICIAL_REGISTRY === registry && trustedCiProvider();
+export default async function oidcContextEstablished(registry, pkg) {
+  return OFFICIAL_REGISTRY === registry && trustedCiProvider() && !!(await tokenExchange(pkg));
 }
diff --git a/lib/trusted-publishing/token-exchange.js b/lib/trusted-publishing/token-exchange.js
@@ -0,0 +1,11 @@
+import { OFFICIAL_REGISTRY } from "../definitions/constants.js";
+
+export default async function tokenExchange(pkg) {
+  const response = await fetch(`${OFFICIAL_REGISTRY}-/npm/v1/oidc/token/exchange/package/${pkg.name}`, { method: 'POST' });
+
+  if (response.ok) {
+    return (await response.json()).token;
+  }
+
+  return undefined;
+}
diff --git a/lib/verify-auth.js b/lib/verify-auth.js
@@ -62,7 +62,7 @@ export default async function (npmrc, pkg, context) {
   } = context;
   const registry = getRegistry(pkg, context);
 
-  if (oidcContextEstablished(registry)) {
+  if (oidcContextEstablished(registry, pkg)) {
     return;
   }
 
diff --git a/test/trusted-publishing/oidc-context.test.js b/test/trusted-publishing/oidc-context.test.js
@@ -3,10 +3,14 @@ import * as td from "testdouble";
 
 import { OFFICIAL_REGISTRY } from "../../lib/definitions/constants.js";
 
-let oidcContextEstablished, trustedCiProvider;
+let oidcContextEstablished, trustedCiProvider, tokenExchange;
+const pkg = {};
 
 test.beforeEach(async (t) => {
+  await td.replace(globalThis, "fetch");
   ({ default: trustedCiProvider } = await td.replaceEsm("../../lib/trusted-publishing/supported-ci-provider.js"));
+  ({ default: tokenExchange } = await td.replaceEsm("../../lib/trusted-publishing/token-exchange.js"));
+  td.when(tokenExchange(pkg)).thenResolve(undefined);
 
   ({ default: oidcContextEstablished } = await import("../../lib/trusted-publishing/oidc-context.js"));
 });
@@ -15,18 +19,28 @@ test.afterEach.always((t) => {
   td.reset();
 });
 
-test("that `true` is returned when a trusted-publishing context has been established with the official registry", async (t) => {
+test.serial("that `true` is returned when a trusted-publishing context has been established with the official registry", async (t) => {
   td.when(trustedCiProvider()).thenResolve(true);
+  td.when(fetch("https://matt.travi.org")).thenResolve(new Response(null, { status: 401 }));
+  td.when(tokenExchange(pkg)).thenResolve('token-value');
 
-  t.true(await oidcContextEstablished(OFFICIAL_REGISTRY));
+  t.true(await oidcContextEstablished(OFFICIAL_REGISTRY, pkg));
 });
 
-test("that `false` is returned when the official registry is targeted, but outside the context of a supported CI provider", async (t) => {
+test.serial("that `false` is returned when the official registry is targeted, but outside the context of a supported CI provider", async (t) => {
   td.when(trustedCiProvider()).thenResolve(false);
 
-  t.false(await oidcContextEstablished(OFFICIAL_REGISTRY));
+  t.false(await oidcContextEstablished(OFFICIAL_REGISTRY, pkg));
 });
 
-test("that `false` is returned when a custom registry is targeted", async (t) => {
-  t.false(await oidcContextEstablished("https://custom.registry.org/"));
+test.serial("that `false` is returned when OIDC token exchange fails in a supported CI provider", async (t) => {
+  td.when(trustedCiProvider()).thenResolve(true);
+  td.when(fetch("https://matt.travi.org")).thenResolve(new Response(null, { status: 401 }));
+  td.when(tokenExchange(pkg)).thenResolve(undefined);
+
+  t.false(await oidcContextEstablished(OFFICIAL_REGISTRY, pkg));
+});
+
+test.serial("that `false` is returned when a custom registry is targeted", async (t) => {
+  t.false(await oidcContextEstablished("https://custom.registry.org/", pkg));
 });
diff --git a/test/trusted-publishing/token-exchange.test.js b/test/trusted-publishing/token-exchange.test.js
@@ -0,0 +1,33 @@
+import test from "ava";
+import * as td from "testdouble";
+
+import tokenExchange from '../../lib/trusted-publishing/token-exchange.js';
+import { OFFICIAL_REGISTRY } from "../../lib/definitions/constants.js";
+
+// https://api-docs.npmjs.com/#tag/registry.npmjs.org/operation/exchangeOidcToken
+
+const packageName = "some-package";
+const pkg = { name: packageName };
+
+test.beforeEach(async (t) => {
+  await td.replace(globalThis, "fetch");
+});
+
+test.afterEach.always((t) => {
+  td.reset();
+});
+
+test.serial("that an access token is returned when token exchange succeeds", async (t) => {
+  const token = "token-value";
+  td.when(fetch(`${OFFICIAL_REGISTRY}-/npm/v1/oidc/token/exchange/package/${packageName}`, {method: 'POST'}))
+    .thenResolve(new Response(JSON.stringify({token}), {status: 201, headers: {'Content-Type': 'application/json'}}));
+
+  t.is(await tokenExchange(pkg), token);
+});
+
+test.serial("that `undefined` is returned when token exchange fails", async (t) => {
+  td.when(fetch(`${OFFICIAL_REGISTRY}-/npm/v1/oidc/token/exchange/package/${packageName}`, {method: 'POST'}))
+    .thenResolve(new Response(JSON.stringify({message: 'foo'}), {status: 401, headers: {'Content-Type': 'application/json'}}));
+
+  t.is(await tokenExchange(pkg), undefined);
+});
diff --git a/test/verify-auth.test.js b/test/verify-auth.test.js
@@ -30,7 +30,7 @@ test.serial(
   "that the auth context for the official registry is considered valid when trusted publishing is established",
   async (t) => {
     td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
-    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY)).thenReturn(true);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg)).thenReturn(true);
 
     await t.notThrowsAsync(verifyAuth(npmrc, pkg, context));
   }
@@ -40,7 +40,7 @@ test.serial(
   "that the provided token is verified with `npm whoami` when trusted publishing is not established for the official registry",
   async (t) => {
     td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
-    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY)).thenReturn(false);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg)).thenReturn(false);
     td.when(
       execa("npm", ["whoami", "--userconfig", npmrc, "--registry", DEFAULT_NPM_REGISTRY], {
         cwd,
@@ -60,7 +60,7 @@ test.serial(
   "that the auth context for the official registry is considered invalid when no token is provided and trusted publishing is not established",
   async (t) => {
     td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
-    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY)).thenReturn(false);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg)).thenReturn(false);
     td.when(
       execa("npm", ["whoami", "--userconfig", npmrc, "--registry", DEFAULT_NPM_REGISTRY], {
         cwd,
@@ -84,7 +84,7 @@ test.serial(
   async (t) => {
     const otherRegistry = "https://other.registry.org";
     td.when(getRegistry(pkg, context)).thenReturn(otherRegistry);
-    td.when(oidcContextEstablished(otherRegistry)).thenReturn(false);
+    td.when(oidcContextEstablished(otherRegistry, pkg)).thenReturn(false);
     td.when(
       execa(
         "npm",
@@ -119,7 +119,7 @@ test.serial(
   async (t) => {
     const otherRegistry = "https://other.registry.org";
     td.when(getRegistry(pkg, context)).thenReturn(otherRegistry);
-    td.when(oidcContextEstablished(otherRegistry)).thenReturn(false);
+    td.when(oidcContextEstablished(otherRegistry, pkg)).thenReturn(false);
     td.when(
       execa(
         "npm",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`import { OFFICIAL_REGISTRY } from "../definitions/constants.js";`
`2`	`2`	`import trustedCiProvider from "./supported-ci-provider.js";`
	`3`	`+import tokenExchange from "./token-exchange.js";`
`3`	`4`
`4`		`-export default function oidcContextEstablished(registry) {`
`5`		`- return OFFICIAL_REGISTRY === registry && trustedCiProvider();`
	`5`	`+export default async function oidcContextEstablished(registry, pkg) {`
	`6`	`+ return OFFICIAL_REGISTRY === registry && trustedCiProvider() && !!(await tokenExchange(pkg));`
`6`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ export default async function (npmrc, pkg, context) {`
`62`	`62`	`} = context;`
`63`	`63`	`const registry = getRegistry(pkg, context);`
`64`	`64`
`65`		`- if (oidcContextEstablished(registry)) {`
	`65`	`+ if (oidcContextEstablished(registry, pkg)) {`
`66`	`66`	`return;`
`67`	`67`	`}`
`68`	`68`