From fb8962f3a53200d0a652a1c2049bdde1cf170ed3 Mon Sep 17 00:00:00 2001
From: Burra Karthikeya <karukarthikeya1111@gmail.com>
Date: Thu, 26 Mar 2026 06:40:22 +0530
Subject: [PATCH] fix(auth-header): decode _password from base64 for default
 registry auth (#11089)

* fix(auth-header): decode _password from base64 for default registry auth

* refactor: extract basicAuth helper to deduplicate password decoding

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
---
 .changeset/fix-default-registry-password-decode.md     |  6 ++++++
 network/auth-header/src/getAuthHeadersFromConfig.ts    | 10 +++++++---
 .../auth-header/test/getAuthHeadersFromConfig.test.ts  |  2 +-
 3 files changed, 14 insertions(+), 4 deletions(-)
 create mode 100644 .changeset/fix-default-registry-password-decode.md

diff --git a/.changeset/fix-default-registry-password-decode.md b/.changeset/fix-default-registry-password-decode.md
new file mode 100644
index 0000000000..edef44b474
--- /dev/null
+++ b/.changeset/fix-default-registry-password-decode.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/network.auth-header": patch
+"pnpm": patch
+---
+
+Fix `_password` handling for the default registry to decode from base64 before use, consistent with scoped registry behavior.
diff --git a/network/auth-header/src/getAuthHeadersFromConfig.ts b/network/auth-header/src/getAuthHeadersFromConfig.ts
index 38b7716607..284fa51267 100644
--- a/network/auth-header/src/getAuthHeadersFromConfig.ts
+++ b/network/auth-header/src/getAuthHeadersFromConfig.ts
@@ -25,8 +25,7 @@ export function getAuthHeadersFromConfig (
       }
       case 'username': {
         if (`${uri}:_password` in allSettings) {
-          const password = Buffer.from(allSettings[`${uri}:_password`], 'base64').toString('utf8')
-          authHeaderValueByURI[uri] = `Basic ${Buffer.from(`${value}:${password}`).toString('base64')}`
+          authHeaderValueByURI[uri] = basicAuth(value, allSettings[`${uri}:_password`])
         }
       }
     }
@@ -45,11 +44,16 @@ export function getAuthHeadersFromConfig (
   } else if (allSettings['_auth']) {
     authHeaderValueByURI[registry] = `Basic ${allSettings['_auth']}`
   } else if (allSettings['_password'] && allSettings['username']) {
-    authHeaderValueByURI[registry] = `Basic ${Buffer.from(`${allSettings['username']}:${allSettings['_password']}`).toString('base64')}`
+    authHeaderValueByURI[registry] = basicAuth(allSettings['username'], allSettings['_password'])
   }
   return authHeaderValueByURI
 }
 
+function basicAuth (username: string, encodedPassword: string): string {
+  const password = Buffer.from(encodedPassword, 'base64').toString('utf8')
+  return `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`
+}
+
 function splitKey (key: string): string[] {
   const index = key.lastIndexOf(':')
   if (index === -1) {
diff --git a/network/auth-header/test/getAuthHeadersFromConfig.test.ts b/network/auth-header/test/getAuthHeadersFromConfig.test.ts
index 0ce4396308..aa81e67599 100644
--- a/network/auth-header/test/getAuthHeadersFromConfig.test.ts
+++ b/network/auth-header/test/getAuthHeadersFromConfig.test.ts
@@ -49,7 +49,7 @@ describe('getAuthHeadersFromConfig()', () => {
       const allSettings = {
         registry: 'https://reg.com/',
         username: 'foo',
-        _password: 'bar',
+        _password: encodeBase64('bar'),
       }
       expect(getAuthHeadersFromConfig({ allSettings, userSettings: {} })).toStrictEqual({
         '//reg.com/': `Basic ${encodeBase64('foo:bar')}`,