`aspire deploy` doesn't support npm authentication for private feeds

[tekgiant]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Similar to #9350 but for npm. The odd thing is, similar to #14528, running locally with aspire run doesn't have this problem. I'm guessing due to some locally installed credential providers helping out?

Expected Behavior

aspire deploy should support a way to authenticate to private feeds defined in .npmrc when running inside ADO pipelines

Steps To Reproduce

you can use something as simple as one of the sample applications for aspire that has backend & frontend. Just update the frontend project to have an .npmrc that uses a private feed and then use a package from that feed. You'll get 401 errors when it tries to pull the package.

The workaround for this:

# Setup npm authentication for Docker build
Write-Host "`nSetting up npm authentication for Azure Artifacts..."
$base64Password = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$env:SYSTEM_ACCESSTOKEN"))
$npmrcContent = "registry=https://pkgs.dev.azure.com/OurProject/_packaging/OurFeed/npm/registry/`nalways-auth=true`n//pkgs.dev.azure.com/OurProject/_packaging/OurFeed/npm/registry/:username=AzureDevOps`n//pkgs.dev.azure.com/OurProject/_packaging/OurFeed/npm/registry/:_password=$base64Password`n//pkgs.dev.azure.com/OurProject/_packaging/OurFeed/npm/registry/:email=notused@example.com"
Set-Content -Path "Frontend/.npmrc" -Value $npmrcContent -Force

Exceptions (if any)

No response

.NET Version info

10

Anything else?

No response

[eerhardt]

@tekgiant - can you use the npmAuthenticate task?

              - task: npmAuthenticate@0
                displayName: 'Authenticate src/frontend to npm feeds'
                inputs:
                  workingFile: src/frontend/.npmrc

The intention is you check in the .npmrc file with the URL, and then the npmAuthenticate task will add the correct credentials to it.

registry=https://pkgs.dev.azure.com/YOURFEED/
always-auth=true

[tekgiant]

@eerhardt Sure, it's just strange we typically haven't needed that, but I'll add that and see what happens.

[machie27]

The confusing part is that the Aspire 13.2 release notes probably refer to this PR, which was supposed to add npmrc support. However, when I look at the PR itself, it was never actually merged due to security concerns. So it seems like the release notes were published, but the PR was never actually merged. This is my guess though.

[eerhardt]

The confusing part is that the Aspire 13.2 release notes probably refer to this PR, which was supposed to add npmrc support. However, when I look at the PR itself, it was never actually merged due to security concerns. So it seems like the release notes were published, but the PR was never actually merged. This is my guess though.

Thanks for the catch. Fixing it with Replace .npmrc Docker builds line with file-based build secrets in Aspire 13.2 what's new (microsoft/aspire.dev#699)

[machie27]

Thanks for the description update! I spent some time debugging this and couldn't find the .npmrc being copied anywhere. I was already passing the token in as a build secret, but the file itself never got added during the dynamic Dockerfile build. The updated description makes a lot more sense. A bit of a nitpick, but thanks regardless