feat(trusted-publishing): verify auth, considering OIDC vs tokens from various registriess

travi · travi · commit e3319f1b2cb0 · 2025-10-14T12:14:28.000-05:00
the trusted publishing verification is incomplete, but this change wires the various options together, at least for #958
diff --git a/lib/verify-auth.js b/lib/verify-auth.js
@@ -4,52 +4,54 @@ import AggregateError from "aggregate-error";
 import getRegistry from "./get-registry.js";
 import setNpmrcAuth from "./set-npmrc-auth.js";
 import getError from "./get-error.js";
+import oidcContextEstablished from "./trusted-publishing/oidc-context.js";
 import { OFFICIAL_REGISTRY } from "./definitions/constants.js";
 
 function registryIsDefault(registry, DEFAULT_NPM_REGISTRY) {
   return normalizeUrl(registry) === normalizeUrl(DEFAULT_NPM_REGISTRY);
 }
 
-function targetingDefaultRegistryButNoTokenProvided(registry, DEFAULT_NPM_REGISTRY, errors) {
-  return registryIsDefault(registry, DEFAULT_NPM_REGISTRY) && errors.length === 1 && errors[0].code === "ENONPMTOKEN";
-}
-
 export default async function (npmrc, pkg, context) {
   const {
     cwd,
     env: { DEFAULT_NPM_REGISTRY = OFFICIAL_REGISTRY, ...env },
     stdout,
     stderr,
-    logger,
   } = context;
   const registry = getRegistry(pkg, context);
 
-  try {
-    logger.log("setting npmrc auth for registry", registry);
-    await setNpmrcAuth(npmrc, registry, context);
-  } catch (aggregateError) {
-    const { errors } = aggregateError;
-
-    if (targetingDefaultRegistryButNoTokenProvided(registry, DEFAULT_NPM_REGISTRY, errors)) {
-      logger.log("NPM_TOKEN was not provided for the default npm registry.");
-    } else {
-      throw aggregateError;
-    }
+  if (oidcContextEstablished(registry)) {
+    return;
   }
 
+  await setNpmrcAuth(npmrc, registry, context);
+
   if (registryIsDefault(registry, DEFAULT_NPM_REGISTRY)) {
+    try {
+      const whoamiResult = execa("npm", ["whoami", "--userconfig", npmrc, "--registry", registry], {
+        cwd,
+        env,
+        preferLocal: true,
+      });
+      whoamiResult.stdout.pipe(stdout, { end: false });
+      whoamiResult.stderr.pipe(stderr, { end: false });
+      await whoamiResult;
+    } catch {
+      throw new AggregateError([getError("EINVALIDNPMTOKEN", { registry })]);
+    }
+  } else {
     const publishDryRunResult = execa(
       "npm",
       ["publish", "--dry-run", "--tag=semantic-release-auth-check", "--userconfig", npmrc, "--registry", registry],
       { cwd, env, preferLocal: true, lines: true }
     );
 
-    publishDryRunResult.stdout.pipe(stdout, { end: false });
-    publishDryRunResult.stderr.pipe(stderr, { end: false });
+    // publishDryRunResult.stdout.pipe(stdout, { end: false });
+    // publishDryRunResult.stderr.pipe(stderr, { end: false });
 
     (await publishDryRunResult).stderr.forEach((line) => {
       if (line.includes("This command requires you to be logged in to ")) {
-        throw new AggregateError([getError("EINVALIDNPMAUTH")]);
+        throw new AggregateError([getError("EINVALIDNPMAUTH", { registry })]);
       }
     });
   }
diff --git a/test/integration.test.js b/test/integration.test.js
@@ -91,7 +91,7 @@ test('Skip npm token verification if "package.private" is true', async (t) => {
   );
 });
 
-test("Throws error if NPM token is invalid", async (t) => {
+test("Throws error if NPM token is invalid when targeting the default registry", async (t) => {
   const cwd = temporaryDirectory();
   const env = { NPM_TOKEN: "wrong_token", DEFAULT_NPM_REGISTRY: npmRegistry.url };
   const pkg = { name: "published", version: "1.0.0", publishConfig: { registry: npmRegistry.url } };
@@ -111,7 +111,7 @@ test("Throws error if NPM token is invalid", async (t) => {
   t.is(error.message, "Invalid npm authentication.");
 });
 
-test("Throws error if NPM token is not provided", async (t) => {
+test("Throws error if NPM token is not provided when targeting the default registry", async (t) => {
   const cwd = temporaryDirectory();
   const env = { DEFAULT_NPM_REGISTRY: npmRegistry.url };
   const pkg = { name: "published", version: "1.0.0", publishConfig: { registry: npmRegistry.url } };
diff --git a/test/verify-auth.test.js b/test/verify-auth.test.js
@@ -1,8 +1,9 @@
 import test from "ava";
 import * as td from "testdouble";
+import AggregateError from "aggregate-error";
 import { OFFICIAL_REGISTRY } from "../lib/definitions/constants.js";
 
-let execa, verifyAuth, getRegistry, setNpmrcAuth;
+let execa, verifyAuth, getRegistry, setNpmrcAuth, oidcContextEstablished;
 const DEFAULT_NPM_REGISTRY = OFFICIAL_REGISTRY;
 const npmrc = "npmrc contents";
 const pkg = {};
@@ -15,6 +16,8 @@ test.beforeEach(async (t) => {
   ({ execa } = await td.replaceEsm("execa"));
   ({ default: getRegistry } = await td.replaceEsm("../lib/get-registry.js"));
   ({ default: setNpmrcAuth } = await td.replaceEsm("../lib/set-npmrc-auth.js"));
+  ({ default: oidcContextEstablished } = await td.replaceEsm("../lib/trusted-publishing/oidc-context.js"));
+  td.when(oidcContextEstablished()).thenReturn(false);
 
   ({ default: verifyAuth } = await import("../lib/verify-auth.js"));
 });
@@ -23,10 +26,21 @@ test.afterEach.always((t) => {
   td.reset();
 });
 
+test.serial(
+  "that the auth context for the official registry is considered valid when trusted publishing is established",
+  async (t) => {
+    td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY)).thenReturn(true);
+
+    await t.notThrowsAsync(verifyAuth(npmrc, pkg, context));
+  }
+);
+
 test.serial(
   "that the provided token is verified with `npm whoami` when trusted publishing is not established for the official registry",
   async (t) => {
     td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY)).thenReturn(false);
     td.when(
       execa("npm", ["whoami", "--userconfig", npmrc, "--registry", DEFAULT_NPM_REGISTRY], {
         cwd,
@@ -46,6 +60,7 @@ test.serial(
   "that the auth context for the official registry is considered invalid when no token is provided and trusted publishing is not established",
   async (t) => {
     td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY)).thenReturn(false);
     td.when(
       execa("npm", ["whoami", "--userconfig", npmrc, "--registry", DEFAULT_NPM_REGISTRY], {
         cwd,
@@ -64,10 +79,89 @@ test.serial(
   }
 );
 
+test.serial(
+  "that a publish dry run is performed to validate token presence when publishing to a custom registry",
+  async (t) => {
+    const otherRegistry = "https://other.registry.org";
+    td.when(getRegistry(pkg, context)).thenReturn(otherRegistry);
+    td.when(oidcContextEstablished(otherRegistry)).thenReturn(false);
+    td.when(
+      execa(
+        "npm",
+        [
+          "publish",
+          "--dry-run",
+          "--tag=semantic-release-auth-check",
+          "--userconfig",
+          npmrc,
+          "--registry",
+          otherRegistry,
+        ],
+        {
+          cwd,
+          env: otherEnvVars,
+          preferLocal: true,
+          lines: true,
+        }
+      )
+    ).thenResolve({
+      stderr: ["foo", "bar", "baz"],
+    });
+
+    await t.notThrowsAsync(verifyAuth(npmrc, pkg, context));
+  }
+);
+
 // since alternative registries are not consistent in implementing `npm whoami`,
 // we do not attempt to verify the provided token when publishing to them
-test.serial("that `npm whoami` is not invoked when publishing to a custom registry", async (t) => {
-  td.when(getRegistry(pkg, context)).thenReturn("https://other.registry.org");
+test.serial(
+  "that the token is considered invalid when the publish dry run fails when publishing to a custom registry",
+  async (t) => {
+    const otherRegistry = "https://other.registry.org";
+    td.when(getRegistry(pkg, context)).thenReturn(otherRegistry);
+    td.when(oidcContextEstablished(otherRegistry)).thenReturn(false);
+    td.when(
+      execa(
+        "npm",
+        [
+          "publish",
+          "--dry-run",
+          "--tag=semantic-release-auth-check",
+          "--userconfig",
+          npmrc,
+          "--registry",
+          otherRegistry,
+        ],
+        {
+          cwd,
+          env: otherEnvVars,
+          preferLocal: true,
+          lines: true,
+        }
+      )
+    ).thenResolve({
+      stderr: ["foo", "bar", "baz", `This command requires you to be logged in to ${otherRegistry}`, "qux"],
+    });
+
+    const {
+      errors: [error],
+    } = await t.throwsAsync(verifyAuth(npmrc, pkg, context));
+
+    t.is(error.name, "SemanticReleaseError");
+    t.is(error.code, "EINVALIDNPMAUTH");
+    t.is(error.message, "Invalid npm authentication.");
+  }
+);
+
+test.serial("that errors from setting up auth bubble through this function", async (t) => {
+  const registry = DEFAULT_NPM_REGISTRY;
+  const thrownError = new Error();
+  td.when(getRegistry(pkg, context)).thenReturn(registry);
+  td.when(setNpmrcAuth(npmrc, registry, context)).thenThrow(new AggregateError([thrownError]));
+
+  const {
+    errors: [error],
+  } = await t.throwsAsync(verifyAuth(npmrc, pkg, context));
 
-  await t.notThrowsAsync(verifyAuth(npmrc, pkg, context));
+  t.is(error, thrownError);
 });
