Please add authentication support for NodeJS Dist mirrors #3366

Open
grepwood opened this issue May 31, 2024 · 7 comments

@grepwood

I'm working with NVM in an environment where I can't access the Internet. My only way to access https://nodejs.org/dist is through a server that is blessed with very restricted Internet access. However, accessing stuff through it like a proxy is not possible without authentication.

Please accommodate such a use case as I can't find anything other than this, as a means of support: master...DanielK2013:nvm:master

@ljharb
Member

ljharb commented May 31, 2024

This seems like a reasonable use case to support; I'm not sure two env vars is the right solution, and that particular patch seems like it's using HTTP basic auth (but I might be misreading it).

ljharb added the "feature requests" and "pull request wanted" labels May 31, 2024

@ljharb
Member

ljharb commented Jun 10, 2024

Related: #963, #3003.

@grepwood
Author

grepwood commented Jun 10, 2024

For clarity, this isn't about proxy authentication. The server in question is an Artifactory instance. We can punch holes in the Intranet firewall, but ones that only Artifactory can take advantage of. That is how we can access https://nodejs.org/dist on, let's say, https://artifactory.in.the.cool.company/remote-generic-nodejs-dist. However, because the company has a zero trust policy in place, there's no way to make anonymous calls to all internal services. Especially Artifactory, given its purpose to introduce 3rd party code inside the network.

@ljharb
Member

ljharb commented Jun 10, 2024

ok, so it seems like from your patch, that all you need is -u for curl / --user/--password for wget.

The simplest mechanism would be to allow a flag that tells nvm, to tell curl/wget, to actually pay attention to curlrc/wgetrc, and then you could put your auth or whatever in there. However, that wouldn't allow you to change it per invocation - but maybe that's not a use case you care about?

If it's accepted per invocation, then either nvm has to explicitly accept username and password arguments (which wouldn't account for a broader set of use cases beyond HTTP basic auth), or, has to sanitize the command string to avoid a security vulnerability, which I'd prefer to avoid having to do.

@grepwood
Author

I think I've got this. So far I'm managing by creating a .curlrc file in my home directory that contains the Artifactory token.

@ljharb
Member

ljharb commented Jun 14, 2024

nvm used -q which bypasses curlrc - would an env var that tells nvm to skip the -q, and respect curlrc, work for your use case?

@dwelch2344

Alternative approach: support any auth header via something like NVM_AUTH_HEADER. Leave it up to the environment to provide the full value, and then just pass through the value to both curl and wget via --header (which is the same across both in every version I can find).

For basic auth, you'd have to do the base64 auth a la

BASIC_CRED=$(printf '%s' "joeuser:secretpass" | base64)
NVM_AUTH_HEADER="Basic $BASIC_CRED"

But you could also support Bearer (so OAuth / JWT / many custom specs) via:

NVM_AUTH_HEADER="Bearer <jwt>"

AFAICT the feat is fairly straightforward. Opened #3380 to work from. Happy to collab, add tests + docs + etc.

@ljharb I know where to track you down. @grepwood would love to hear your feedback on making sure this covers your cases too. All others welcome as well ;)
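
Added example (not part of the original thread, and not nvm's or #3380's code): one way a shell script could take the pass-through header value proposed above and hand it to curl without the command-string sanitization concern raised earlier in the thread, by validating it and writing it to a private curl config file. `NVM_AUTH_HEADER` is the variable name proposed in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not nvm code: function names are hypothetical.
# NVM_AUTH_HEADER is the variable proposed in the thread above.

# Accept only a non-empty, single-line value. Rejecting CR/LF and other
# control characters stops one variable from smuggling extra headers.
auth_header_is_safe() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[[:cntrl:]]*) return 1 ;;
  esac
  return 0
}

# Write the header to a private curl config file and print its path.
# The value is treated as data throughout: it is never eval'ed and never
# placed on curl's command line, so it stays out of process listings.
make_curl_auth_config() {
  auth_header_is_safe "$1" || return 1
  cfg=$(mktemp "${TMPDIR:-/tmp}/nvm-auth.XXXXXX") || return 1  # mode 0600
  # Backslash and double quote are special inside a quoted config value.
  escaped=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
  printf 'header = "Authorization: %s"\n' "$escaped" > "$cfg" || return 1
  printf '%s\n' "$cfg"
}

# Download $1 to $2. -q as the first argument keeps curl from reading
# ~/.curlrc, so the only added option is the validated header.
fetch_with_auth() {
  cfg=$(make_curl_auth_config "${NVM_AUTH_HEADER-}") || {
    echo 'NVM_AUTH_HEADER is empty or contains control characters' >&2
    return 1
  }
  curl -q --config "$cfg" --fail --silent --show-error --output "$2" "$1"
  status=$?
  rm -f -- "$cfg"
  return "$status"
}
```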
