
fix: add path-prefix matching for static npm registry credentials#146

Open
ryemelia wants to merge 1 commit into
dependabot:mainfrom
ryemelia:fix/npm-static-token-path-matching

Conversation

@ryemelia


Fixes #145

What

Add path-segment-aware matching to the static credential loop in NPMRegistryHandler.HandleRequest, so that credentials configured for one path-scoped registry are not applied to sibling paths on the same host.

Why

When multiple npm registries share the same hostname but use different URL paths (common with JFrog Artifactory, AWS CodeArtifact, and Azure DevOps), the proxy sends the first matching credential based on host+port only. If the tokens are scoped to their respective repos, the wrong token results in a 403.

The OIDC code path was already fixed via OIDCRegistry (#78, #87, #91), but the static token fallback was not updated.

How

After the existing host+port check, compare the request URL path against the credential's registry path using segment-aware prefix matching:

regPath := strings.TrimSuffix(regURL.Path, "/")
if regPath != "" && !strings.HasPrefix(req.URL.Path, regPath+"/") && req.URL.Path != regPath {
    continue
}
  • Empty path (host-only registries like registry.npmjs.org) continues to match any path on that host — no behavior change.
  • Non-empty paths require the request URL to be within the registry's path scope.
  • Segment-aware: /team-a-npm does not match /team-a-npm-evil.

Tests

  • Updated existing test: sibling path on same host is now correctly rejected.
  • Added TestNPMRegistryHandler_SameHostDifferentPaths: verifies two registries on the same host with different paths receive their respective tokens, and unrelated paths are unauthenticated.

All existing tests pass (go test ./...).

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
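As an added illustration that is not part of this pull request or of the proxy's own code, the following stand-alone Go program reproduces the matching described above for a constructed set of credentials. The `staticCredential` type, the `sampleCredentials` list and the `selectToken` function are assumptions for this example; the real handler's structures are not shown on the page. The `checkPath` flag lets the same function show the pre-fix behaviour (host+port only) next to the path-scoped behaviour, so the collision between `/team-a-npm/` and `/team-b-npm/` and the `/team-a-npm` vs `/team-a-npm-evil` boundary case are both visible.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// staticCredential is a hypothetical stand-in for the proxy's static
// credential entry: a registry URL plus the token to send to it.
type staticCredential struct {
	Registry string
	Token    string
}

// sampleCredentials returns a constructed set: two Artifactory repos that
// share a host but differ by path, plus a host-only public registry.
func sampleCredentials() []staticCredential {
	return []staticCredential{
		{Registry: "https://artifactory.example.com/artifactory/api/npm/team-a-npm/", Token: "tok-team-a"},
		{Registry: "https://artifactory.example.com/artifactory/api/npm/team-b-npm/", Token: "tok-team-b"},
		{Registry: "https://registry.npmjs.org/", Token: "tok-npmjs"},
	}
}

// pathInScope implements the segment-aware prefix check from the PR: the
// request path must equal the registry path or continue it at a "/"
// boundary. An empty registry path (host-only registry) matches any path.
func pathInScope(regPath, reqPath string) bool {
	regPath = strings.TrimSuffix(regPath, "/")
	if regPath == "" {
		return true
	}
	return reqPath == regPath || strings.HasPrefix(reqPath, regPath+"/")
}

// selectToken walks the credentials in order and returns the token of the
// first one whose host:port and (when checkPath is set) path scope match
// the request URL. It returns "" when no credential applies, i.e. the
// request would go out unauthenticated. The host comparison is a
// simplification of the handler's host+port check: url.URL.Host carries
// the port only when one is written in the URL, and no default-port
// normalisation is attempted here.
func selectToken(creds []staticCredential, rawReq string, checkPath bool) (string, error) {
	req, err := url.Parse(rawReq)
	if err != nil {
		return "", fmt.Errorf("parse request URL: %w", err)
	}
	for _, c := range creds {
		regURL, err := url.Parse(c.Registry)
		if err != nil {
			return "", fmt.Errorf("parse registry URL %q: %w", c.Registry, err)
		}
		if !strings.EqualFold(regURL.Host, req.Host) {
			continue
		}
		// checkPath=false reproduces the pre-fix behaviour (host+port only),
		// which is what lets a team-b request pick up team-a's token.
		if checkPath && !pathInScope(regURL.Path, req.Path) {
			continue
		}
		return c.Token, nil
	}
	return "", nil
}

func main() {
	creds := sampleCredentials()
	requests := []string{ // constructed request URLs
		"https://artifactory.example.com/artifactory/api/npm/team-a-npm/lodash",
		"https://artifactory.example.com/artifactory/api/npm/team-b-npm/lodash",
		"https://artifactory.example.com/artifactory/api/npm/team-a-npm-evil/lodash",
		"https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
	}
	for _, r := range requests {
		before, _ := selectToken(creds, r, false)
		after, _ := selectToken(creds, r, true)
		fmt.Printf("%-78s host-only=%-13q with-path=%q\n", r, before, after)
	}
}
```

Running it prints one line per request: with host-only matching every Artifactory request, including the unrelated `team-a-npm-evil` path, receives `tok-team-a`; with path matching the team-b request receives `tok-team-b`, the unrelated path receives no token, and the host-only `registry.npmjs.org` entry still matches any path on that host.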

When multiple npm registries share the same hostname with different URL
paths (e.g., two Artifactory virtual repos), the proxy incorrectly
applies the first matching credential based on host+port only. This
causes 403 errors when the wrong scoped token is sent.

Add path-segment-aware matching to the static credential loop,
consistent with OIDCRegistry.TryAuth behavior. Credentials configured
for /team-a-npm/ will no longer be applied to /team-b-npm/ requests.

Fixes dependabot#145
@ryemelia ryemelia requested a review from a team as a code owner June 17, 2026 11:59

Development

Successfully merging this pull request may close these issues.

Static token credential collision when multiple npm registries share a host