@vltpkg/registry-client 1.0.0-rc.29 → 1.0.0-rc.30

package/dist/auth.d.ts

@@ -11,6 +11,14 @@ export type Token = `Bearer ${string}` | `Basic ${string}`;
  * `new URL(url).origin` behaviour (e.g. `https://registry.npmjs.org`).
  */
 export declare const normalizeRegistryKey: (url: string) => string;
+/**
+ * Ensure a registry URL ends with `/` so that `new URL(path, base)`
+ * appends under the full path instead of replacing the last segment.
+ *
+ *   registryBase('https://r.io/scope/name')
+ *   // → 'https://r.io/scope/name/'
+ */
+export declare const registryBase: (url: string) => string;
 export declare const keychains: Map<string, Keychain<Token>>;
 /**
  * In-memory token store for OIDC-exchanged tokens.

package/dist/auth.js

@@ -13,6 +13,14 @@ export const normalizeRegistryKey = (url) => {
     const u = new URL(url);
     return (u.origin + u.pathname).replace(/\/+$/, '');
 };
+/**
+ * Ensure a registry URL ends with `/` so that `new URL(path, base)`
+ * appends under the full path instead of replacing the last segment.
+ *
+ *   registryBase('https://r.io/scope/name')
+ *   // → 'https://r.io/scope/name/'
+ */
+export const registryBase = (url) => url.endsWith('/') ? url : url + '/';
 // just exported for testing
 export const keychains = new Map();
 /**
@@ -45,7 +53,9 @@ export const deleteToken = async (registry, identity) => {
 };
 export const setToken = async (registry, token, identity) => {
     const kc = getKC(identity);
-    return kc.set(normalizeRegistryKey(registry), token);
+    await kc.load();
+    kc.set(normalizeRegistryKey(registry), token);
+    await kc.save();
 };
 export const getToken = async (registry, identity) => {
     const kc = getKC(identity);

package/dist/index.d.ts

@@ -3,14 +3,14 @@ import type { Integrity } from '@vltpkg/types';
 import type { Dispatcher } from 'undici';
 import { RetryAgent } from 'undici';
 import type { Token } from './auth.ts';
-import { clearRuntimeTokens, deleteToken, getKC, getTokenByURL, isToken, keychains, normalizeRegistryKey, runtimeTokens, setRuntimeToken, setToken } from './auth.ts';
+import { clearRuntimeTokens, deleteToken, getKC, getToken, getTokenByURL, isToken, keychains, normalizeRegistryKey, registryBase, runtimeTokens, setRuntimeToken, setToken } from './auth.ts';
 import type { JSONObj } from './cache-entry.ts';
 import { CacheEntry } from './cache-entry.ts';
 import type { TokenResponse } from './token-response.ts';
 import type { WebAuthChallenge } from './web-auth-challenge.ts';
 import { oidc } from './oidc.ts';
 import type { OidcOptions } from './oidc.ts';
-export { CacheEntry, clearRuntimeTokens, deleteToken, getKC, getTokenByURL, isToken, keychains, normalizeRegistryKey, oidc, runtimeTokens, setRuntimeToken, setToken, type JSONObj, type OidcOptions, type Token, type TokenResponse, type WebAuthChallenge, };
+export { CacheEntry, clearRuntimeTokens, deleteToken, getKC, getToken, getTokenByURL, isToken, keychains, normalizeRegistryKey, oidc, registryBase, runtimeTokens, setRuntimeToken, setToken, type JSONObj, type OidcOptions, type Token, type TokenResponse, type WebAuthChallenge, };
 export type CacheableMethod = 'GET' | 'HEAD';
 export declare const isCacheableMethod: (m: unknown) => m is CacheableMethod;
 export type RegistryClientOptions = {

package/dist/index.js

@@ -10,7 +10,7 @@ import { setTimeout } from 'node:timers/promises';
 import { loadPackageJson } from 'package-json-from-dist';
 import { Agent, RetryAgent } from 'undici';
 import { addHeader } from "./add-header.js";
-import { clearRuntimeTokens, deleteToken, getKC, getToken, getTokenByURL, isToken, keychains, normalizeRegistryKey, runtimeTokens, setRuntimeToken, setToken, } from "./auth.js";
+import { clearRuntimeTokens, deleteToken, getKC, getToken, getTokenByURL, isToken, keychains, normalizeRegistryKey, registryBase, runtimeTokens, setRuntimeToken, setToken, } from "./auth.js";
 import { CacheEntry } from "./cache-entry.js";
 import { register } from "./cache-revalidate.js";
 import { bun, deno, node } from "./env.js";
@@ -22,7 +22,7 @@ import { getTokenResponse } from "./token-response.js";
 import { getWebAuthChallenge } from "./web-auth-challenge.js";
 import { getEncondedValue } from "./string-encoding.js";
 import { oidc } from "./oidc.js";
-export { CacheEntry, clearRuntimeTokens, deleteToken, getKC, getTokenByURL, isToken, keychains, normalizeRegistryKey, oidc, runtimeTokens, setRuntimeToken, setToken, };
+export { CacheEntry, clearRuntimeTokens, deleteToken, getKC, getToken, getTokenByURL, isToken, keychains, normalizeRegistryKey, oidc, registryBase, runtimeTokens, setRuntimeToken, setToken, };
 export const isCacheableMethod = (m) => m === 'GET' || m === 'HEAD';
 const { version } = loadPackageJson(import.meta.filename, process.env.__VLT_INTERNAL_REGISTRY_CLIENT_PACKAGE_JSON);
 const nua = globalThis.navigator?.userAgent ??
@@ -112,13 +112,14 @@ export class RegistryClient {
         if (!tok)
             return;
         const s = tok.replace(/^(Bearer|Basic) /i, '');
-        const tokensUrl = new URL('-/npm/v1/tokens', registry);
+        const base = registryBase(registry);
+        const tokensUrl = new URL('-/npm/v1/tokens', base);
         const record = await this.seek(tokensUrl, ({ token }) => s.startsWith(token), {
             useCache: false,
         }).catch(() => undefined);
         if (record) {
             const { key } = record;
-            await this.request(new URL(`-/npm/v1/tokens/token/${key}`, registry), { useCache: false, method: 'DELETE' });
+            await this.request(new URL(`-/npm/v1/tokens/token/${key}`, base), { useCache: false, method: 'DELETE' });
         }
         await deleteToken(registry, this.identity);
     }
@@ -136,7 +137,7 @@ export class RegistryClient {
         // - hang on the doneUrl until done
         //
         // if that fails: fall back to couchdb login
-        const webLoginURL = new URL('-/v1/login', registry);
+        const webLoginURL = new URL('-/v1/login', registryBase(registry));
         const response = await this.request(webLoginURL, {
             method: 'POST',
             useCache: false,
@@ -281,10 +282,15 @@ export class RegistryClient {
     async #handleResponse(url, options, response, entry) {
         if (handleCacheHitResponse(response, entry))
             return entry;
+        let consumedBody;
         if (response.statusCode === 401) {
-            const repeatRequest = await otplease(this, options, response);
-            if (repeatRequest)
-                return await this.request(url, repeatRequest);
+            const otpResult = await otplease(this, options, response);
+            if (otpResult && 'retry' in otpResult) {
+                return await this.request(url, otpResult.retry);
+            }
+            if (otpResult && 'bodyConsumed' in otpResult) {
+                consumedBody = otpResult.bodyConsumed;
+            }
         }
         const h = [];
         for (const [key, value] of Object.entries(response.headers)) {
@@ -298,15 +304,20 @@ export class RegistryClient {
             }
         }
         const { integrity, trustIntegrity } = options;
+        // When otplease already consumed the body, use its length
+        // instead of the Content-Length header to size the CacheEntry
+        // buffer correctly.
+        const contentLength = consumedBody !== undefined ? consumedBody.length
+            : response.headers['content-length'] ?
+                Number(response.headers['content-length'])
+                : /* c8 ignore next */ undefined;
         const result = new CacheEntry(
         /* c8 ignore next - should always have a status code */
         response.statusCode || 200, h, {
             integrity,
             trustIntegrity,
             'stale-while-revalidate-factor': this.staleWhileRevalidateFactor,
-            contentLength: response.headers['content-length'] ?
-                Number(response.headers['content-length'])
-                : /* c8 ignore next */ undefined,
+            contentLength,
         });
         if (isRedirect(result)) {
             response.body.resume();
@@ -316,6 +327,15 @@ export class RegistryClient {
             }
             return result;
         }
+        // If otplease already consumed the body (e.g. checking for OTP
+        // prompt on a plain 401), use the text it read rather than trying
+        // to re-read from the already-drained stream.
+        if (consumedBody !== undefined) {
+            if (consumedBody.length > 0) {
+                result.addBody(new TextEncoder().encode(consumedBody));
+            }
+            return result;
+        }
         response.body.on('data', (chunk) => result.addBody(chunk));
         return await new Promise((res, rej) => {
             response.body.on('error', rej);

package/dist/oidc.js

@@ -47,11 +47,10 @@ const _oidc = async ({ packageName, registry, }) => {
     const isGitHub = process.env.GITHUB_ACTIONS === 'true';
     const isGitLab = process.env.GITLAB_CI === 'true';
     const isCircle = process.env.CIRCLECI === 'true';
-    log(`CI detected: github=${isGitHub} gitlab=${isGitLab} circle=${isCircle}`);
     if (!isGitHub && !isGitLab && !isCircle) {
-        log('Not in a supported CI environment — skipping');
         return undefined;
     }
+    log(`CI detected: github=${isGitHub} gitlab=${isGitLab} circle=${isCircle}`);
     // NPM_ID_TOKEN is supported as an override in all CI environments
     let idToken = process.env.NPM_ID_TOKEN;
     log(`NPM_ID_TOKEN: ${idToken ? `set (length=${idToken.length})` : 'not set'}`);

package/dist/otplease.d.ts

@@ -1,3 +1,8 @@
 import type { Dispatcher } from 'undici';
 import type { RegistryClient, RegistryClientRequestOptions } from './index.ts';
-export declare const otplease: (client: RegistryClient, options: RegistryClientRequestOptions, response: Dispatcher.ResponseData) => Promise<RegistryClientRequestOptions | undefined>;
+export type OtpResult = {
+    retry: RegistryClientRequestOptions;
+} | {
+    bodyConsumed: string;
+} | undefined;
+export declare const otplease: (client: RegistryClient, options: RegistryClientRequestOptions, response: Dispatcher.ResponseData) => Promise<OtpResult>;

package/dist/otplease.js

@@ -27,8 +27,10 @@ export const otplease = async (client, options, response) => {
         const challenge = getWebAuthChallenge(await response.body.json().catch(() => null));
         if (challenge) {
             return {
-                ...options,
-                otp: (await client.webAuthOpener(challenge)).token,
+                retry: {
+                    ...options,
+                    otp: (await client.webAuthOpener(challenge)).token,
+                },
             };
         }
         const { 'npm-notice': npmNotice } = response.headers;
@@ -39,8 +41,10 @@ export const otplease = async (client, options, response) => {
                 await urlOpen(match[1]);
                 log(notice);
                 return {
-                    ...options,
-                    otp: await question('OTP: '),
+                    retry: {
+                        ...options,
+                        otp: await question('OTP: '),
+                    },
                 };
             }
         }
@@ -48,15 +52,23 @@ export const otplease = async (client, options, response) => {
             response,
         });
     }
+    if (wwwAuth.has('bearer')) {
+        throw error('Missing or invalid authentication token. Run `vlt login` or `vlt token add` to authenticate.', { response });
+    }
     if (wwwAuth.size) {
         throw error('Unknown authentication challenge', { response });
     }
-    // see if the body is prompting for otp
+    // Consume the body to check if it's prompting for OTP.
+    // We must return the consumed text so the caller doesn't try to
+    // re-read from the already-drained stream.
     const text = await response.body.text().catch(() => '');
     if (text.toLowerCase().includes('one-time pass')) {
         return {
-            ...options,
-            otp: await question(text),
+            retry: {
+                ...options,
+                otp: await question(text),
+            },
         };
     }
+    return { bodyConsumed: text };
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@vltpkg/registry-client",
   "description": "Fetch package artifacts and metadata from registries",
-  "version": "1.0.0-rc.29",
+  "version": "1.0.0-rc.30",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/vltpkg/vltpkg.git",
@@ -13,14 +13,14 @@
     "url": "http://vlt.sh"
   },
   "dependencies": {
-    "@vltpkg/cache": "1.0.0-rc.29",
-    "@vltpkg/cache-unzip": "1.0.0-rc.29",
-    "@vltpkg/error-cause": "1.0.0-rc.29",
-    "@vltpkg/keychain": "1.0.0-rc.29",
-    "@vltpkg/output": "1.0.0-rc.29",
-    "@vltpkg/types": "1.0.0-rc.29",
-    "@vltpkg/url-open": "1.0.0-rc.29",
-    "@vltpkg/xdg": "1.0.0-rc.29",
+    "@vltpkg/cache": "1.0.0-rc.30",
+    "@vltpkg/cache-unzip": "1.0.0-rc.30",
+    "@vltpkg/error-cause": "1.0.0-rc.30",
+    "@vltpkg/keychain": "1.0.0-rc.30",
+    "@vltpkg/output": "1.0.0-rc.30",
+    "@vltpkg/types": "1.0.0-rc.30",
+    "@vltpkg/url-open": "1.0.0-rc.30",
+    "@vltpkg/xdg": "1.0.0-rc.30",
     "cache-control-parser": "^2.0.6",
     "package-json-from-dist": "^1.0.1",
     "undici": "^7.16.0"