fix(auth-header): decode _password from base64 for default registry auth (#11089)

* fix(auth-header): decode _password from base64 for default registry auth * refactor: extract basicAuth helper to deduplicate password decoding --------- Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-04-28 02:53:15 -04:00 · 2026-03-26 06:40:22 +05:30
parent dd8efdb280
commit fb8962f3a5
3 changed files with 14 additions and 4 deletions
--- a/.changeset/fix-default-registry-password-decode.md
+++ b/.changeset/fix-default-registry-password-decode.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/network.auth-header": patch
+"pnpm": patch
+---
+
+Fix `_password` handling for the default registry to decode from base64 before use, consistent with scoped registry behavior.
--- a/network/auth-header/src/getAuthHeadersFromConfig.ts
+++ b/network/auth-header/src/getAuthHeadersFromConfig.ts
@@ -25,8 +25,7 @@ export function getAuthHeadersFromConfig (
      }
      case 'username': {
        if (`${uri}:_password` in allSettings) {
-          const password = Buffer.from(allSettings[`${uri}:_password`], 'base64').toString('utf8')
-          authHeaderValueByURI[uri] = `Basic ${Buffer.from(`${value}:${password}`).toString('base64')}`
+          authHeaderValueByURI[uri] = basicAuth(value, allSettings[`${uri}:_password`])
        }
      }
    }
@@ -45,11 +44,16 @@ export function getAuthHeadersFromConfig (
  } else if (allSettings['_auth']) {
    authHeaderValueByURI[registry] = `Basic ${allSettings['_auth']}`
  } else if (allSettings['_password'] && allSettings['username']) {
-    authHeaderValueByURI[registry] = `Basic ${Buffer.from(`${allSettings['username']}:${allSettings['_password']}`).toString('base64')}`
+    authHeaderValueByURI[registry] = basicAuth(allSettings['username'], allSettings['_password'])
  }
  return authHeaderValueByURI
 }

+function basicAuth (username: string, encodedPassword: string): string {
+  const password = Buffer.from(encodedPassword, 'base64').toString('utf8')
+  return `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`
+}
+
 function splitKey (key: string): string[] {
  const index = key.lastIndexOf(':')
  if (index === -1) {
--- a/network/auth-header/test/getAuthHeadersFromConfig.test.ts
+++ b/network/auth-header/test/getAuthHeadersFromConfig.test.ts
@@ -49,7 +49,7 @@ describe('getAuthHeadersFromConfig()', () => {
      const allSettings = {
        registry: 'https://reg.com/',
        username: 'foo',
-        _password: 'bar',
+        _password: encodeBase64('bar'),
      }
      expect(getAuthHeadersFromConfig({ allSettings, userSettings: {} })).toStrictEqual({
        '//reg.com/': `Basic ${encodeBase64('foo:bar')}`,