fix: report auth info on 404 errors as well

PR #2818
Zoltan Kochan
2020-09-01 18:16:37 +03:00
committed by GitHub
parent 8351fce258
commit 75a36debad
6 changed files with 24 additions and 6 deletions


@@ -0,0 +1,5 @@
---
"@pnpm/error": patch
---
Report auth info on 404 errors as well.


@@ -0,0 +1,5 @@
---
"@pnpm/npm-resolver": patch
---
Report information about any used auth token, if an error happens during fetch.


@@ -25,7 +25,9 @@ export class FetchError extends PnpmError {
const message = `GET ${request.url}: ${response.statusText} - ${response.status}`
const authHeaderValue = request.authHeaderValue
? hideAuthInformation(request.authHeaderValue) : undefined
if (response.status === 401 || response.status === 403) {
// NOTE: For security reasons, some registries respond with 404 on authentication errors as well.
// So we print authorization info on 404 errors as well.
if (response.status === 401 || response.status === 403 || response.status === 404) {
hint = hint ? `${hint}\n\n` : ''
if (authHeaderValue) {
hint += `An authorization header was used: ${authHeaderValue}`
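Review bot: Adding `response.status === 404` to the condition means the masked header value is now written into the hint for every ordinary not-found lookup, so what reaches terminal output and CI logs depends entirely on `hideAuthInformation`, whose body is not visible in this hunk. It would help to state that contract next to the assignment, e.g. `// authHeaderValue is the masked form; never interpolate request.authHeaderValue into the hint`. It is also worth confirming that the mask hides enough of short tokens and Basic-scheme values, since 404s are far more frequent than 401/403. The constructor body starts and ends outside the hunk.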


@@ -26,7 +26,7 @@ class RegistryResponseError extends FetchError {
) {
let hint: string | undefined
if (response.status === 404) {
hint = `${pkgName} is not in the npm registry.`
hint = `${pkgName} is not in the npm registry, or you have no permission to fetch it.`
const matched = pkgName.match(semvarRegex)
if (matched) {
hint += ` Did you mean ${matched[1]}?`
@@ -48,7 +48,7 @@ export default async function fromRegistry (
const response = await fetch(uri, { authHeaderValue, retry }) as RegistryResponse
if (response.status > 400) {
const request = {
authToken: authHeaderValue,
authHeaderValue,
url: uri,
}
throw new RegistryResponseError(request, response, pkgName)
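Review bot: In the second hunk the renamed `authHeaderValue` field puts the raw header on the `request` object handed to `RegistryResponseError`, and the tests in this commit read `err.request.url`, which suggests that object stays attached to the thrown error. If so, the unmasked credential is reachable by anything that serializes or logs the whole error object, even though the hint shows only the masked form; the base constructor is not fully visible here, so this needs confirming. Consider documenting the expectation at the call site with `// raw header: FetchError must mask it before exposing request on the error`, or storing only the masked value on the error. `fromRegistry` continues outside the hunk.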


@@ -701,7 +701,9 @@ test('error is thrown when package is not found in the registry', async t => {
t.fail('installation should have failed')
} catch (err) {
t.equal(err.message, 'GET https://registry.npmjs.org/foo: Not Found - 404')
t.equal(err.hint, `${notExistingPackage} is not in the npm registry.`)
t.equal(err.hint, `${notExistingPackage} is not in the npm registry, or you have no permission to fetch it.
No authorization header was set for the request.`)
t.equal(err.pkgName, notExistingPackage)
t.equal(err.code, 'ERR_PNPM_FETCH_404')
t.equal(err.request.url, `${registry}${notExistingPackage}`)
@@ -725,7 +727,9 @@ test('extra info is shown if package has valid semver appended', async t => {
t.fail('installation should have failed')
} catch (err) {
t.equal(err.message, 'GET https://registry.npmjs.org/foo1.0.0: Not Found - 404')
t.equal(err.hint, `${notExistingPackage} is not in the npm registry. Did you mean foo?`)
t.equal(err.hint, `${notExistingPackage} is not in the npm registry, or you have no permission to fetch it. Did you mean foo?
No authorization header was set for the request.`)
t.equal(err.pkgName, notExistingPackage)
t.equal(err.code, 'ERR_PNPM_FETCH_404')
t.equal(err.request.url, `${registry}${notExistingPackage}`)
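Review bot: Both updated assertions here, and the one in the server test that follows, cover only the branch that prints `No authorization header was set for the request.`; nothing exercises a 404 with a header present, which is the behavior this commit adds. A case that sends a constructed token and asserts that `err.hint` contains `An authorization header was used:` but not the raw value would pin the masking, for example `t.notOk(err.hint.includes(rawToken))`, where `rawToken` is the constructed test value. The test bodies start outside the hunks.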


@@ -139,7 +139,9 @@ test('server errors should arrive to the client', async t => {
} catch (e) {
caught = true
t.equal(e.message, 'GET https://registry.npmjs.org/not-an-existing-package: Not Found - 404', 'error message delivered correctly')
t.equal(e.hint, 'not-an-existing-package is not in the npm registry.')
t.equal(e.hint, `not-an-existing-package is not in the npm registry, or you have no permission to fetch it.
No authorization header was set for the request.`)
t.equal(e.code, 'ERR_PNPM_FETCH_404', 'error code delivered correctly')
t.ok(e.response, 'error response field delivered')
t.ok(e.pkgName, 'error package field delivered')