This repository has been archived by the owner on Feb 18, 2024. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 43
/
github.js
400 lines (357 loc) · 13.5 KB
/
github.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
const { Semver, SemverRange } = require('sver');
const execGit = require('./exec-git');
const { URL } = require('url');
const githubApiAcceptHeader = 'application/vnd.github.v3+json';
const githubApiRawAcceptHeader = 'application/vnd.github.v3.raw';
const commitRegEx = /^[a-f0-9]{6,}$/;
const wildcardRange = new SemverRange('*');
const githubApiAuth = process.env.JSPM_GITHUB_AUTH_TOKEN ? {
username: 'envtoken',
password: process.env.JSPM_GITHUB_AUTH_TOKEN
} : null;
module.exports = class GithubEndpoint {
constructor (util, config) {
this.userInput = config.userInput;
this.util = util;
this.timeout = config.timeout;
this.strictSSL = config.strictSSL;
this.instanceId = Math.round(Math.random() * 10**10);
if (config.auth) {
this._auth = readAuth(config.auth);
if (!this._auth)
this.util.log.warn(`${this.util.bold(`registries.github.auth`)} global github registry auth token is not a valid token format.`);
}
else {
this._auth = undefined;
}
this.credentialsAttempts = 0;
if (config.host && config.host !== 'github.com') {
// github enterprise support
this.githubUrl = 'https://' + (config.host[config.host.length - 1] === '/' ? config.host.substr(0, config.host.length - 1) : config.host);
this.githubApiUrl = `https://${this.githubApiHost}/api/v3`;
}
else {
this.githubUrl = 'https://github.com';
this.githubApiUrl = 'https://api.github.com';
}
this.execOpt = {
timeout: this.timeout,
killSignal: 'SIGKILL',
maxBuffer: 100 * 1024 * 1024,
env: Object.assign({
GIT_TERMINAL_PROMPT: '0',
GIT_SSL_NO_VERIFY: this.strictSSL ? '0' : '1'
}, process.env)
};
this.gettingCredentials = false;
this.rateLimited = false;
this.freshLookups = {};
// by default, "dependencies" are taken to be from npm registry
// unless there is an explicit "registry" property
this.dependencyRegistry = 'npm';
}
dispose () {
}
/*
* Registry config
*/
async configure () {
this.gettingCredentials = true;
await this.ensureAuth(this.util.getCredentials(this.githubUrl), true);
this.gettingCredentials = false;
this.util.log.ok('GitHub authentication updated.');
}
async auth (url, _method, credentials, unauthorizedHeaders) {
if (unauthorizedHeaders || this._auth) {
const origin = url.origin;
if (origin === this.githubUrl || origin === this.githubApiUrl) {
// unauthorized -> fresh auth token
if (unauthorizedHeaders)
await this.ensureAuth(credentials, true);
// update old jspm auth format to an automatically generated token, so we always use tokens
// (can be deprecated eventually)
else if (this._auth && !isGithubApiToken(this._auth.password) && !this.gettingCredentials)
await this.ensureAuth(credentials);
credentials.basicAuth = githubApiAuth || this._auth;
return true;
}
}
}
async ensureAuth (credentials, invalid) {
if (invalid || !this._auth) {
if (!this.userInput)
return;
const username = await this.util.input('Enter your GitHub username', this._auth && this._auth.username !== 'Token' ? this._auth.username : '', {
edit: true,
info: `jspm can generate an authentication token to install packages from GitHub with the best performance and for private repo support. Leave blank to remove jspm credentials.`
});
if (!username) {
this.util.globalConfig.set('registries.github.auth', undefined);
return;
}
else {
const password = await this.util.input('Enter your GitHub password or access token', {
info: `Your password is not saved locally and is only used to generate a token with the permission for repo access ${this.util.bold('repo')} to be saved into the jspm global configuration. Alternatively, you can generate an access token manually from ${this.util.bold(`${this.githubUrl}/settings/tokens`)}.`,
silent: true,
validate (input) {
if (!input)
return 'Please enter a valid GitHub password or token.';
}
});
if (isGithubApiToken(password)) {
this.util.globalConfig.set('registries.github.auth', password);
return;
}
credentials.basicAuth = { username, password };
}
}
const getAPIToken = async (otp) => {
// get an API token if using basic auth
const res = await this.util.fetch(`${this.githubApiUrl}/authorizations`, {
method: 'POST',
headers: {
accept: githubApiAcceptHeader,
'X-GitHub-OTP': otp
},
body: JSON.stringify({
scopes: ['repo'],
note: 'jspm token ' + Math.round(Math.random() * 10**10)
}),
timeout: this.timeout,
credentials,
reauthorize: false
});
switch (res.status) {
case 201:
const response = await res.json();
this.util.globalConfig.set('registries.github.auth', response.token);
this._auth = credentials.basicAuth = {
username: 'Token',
password: response.token
};
this.util.log.ok('GitHub token generated successfully from basic auth credentials.');
break;
case 401:
if (!this.userInput)
return;
if (++this.credentialsAttempts === 3)
throw new Error(`Unable to setup GitHub credentials.`);
const otpHeader = res.headers.get('x-github-otp');
if (otpHeader && otpHeader.startsWith('required')) {
const otp = await this.util.input('Please enter your GitHub 2FA token', {
validate (input) {
if (!input || input.length !== 6 || !input.match(/^[0-9]{6}$/))
return 'Please enter a valid GitHub 6 digit 2FA Token.';
}
});
return getAPIToken(otp);
}
this.util.log.warn('GitHub username and password combination is invalid. Please enter your details again.');
return await this.ensureAuth(credentials, true);
break;
default:
throw new Error(`Bad GitHub API response code ${res.status}: ${res.statusText}`);
}
};
return getAPIToken();
}
/*
* Resolved object has the shape:
* { source?, dependencies?, peerDependencies?, optionalDependencies?, deprecated?, override? }
*/
async lookup (packageName, versionRange, lookup) {
if (lookup.redirect && this.freshLookups[packageName])
return false;
// first check if we have a redirect
try {
var res = await this.util.fetch(`${this.githubUrl}/${packageName[0] === '@' ? packageName.substr(1) : packageName}`, {
headers: {
'User-Agent': 'jspm'
},
redirect: 'manual',
timeout: this.timeout
});
}
catch (err) {
err.retriable = true;
throw err;
}
switch (res.status) {
case 301:
lookup.redirect = `github:${res.headers.get('location').split('/').splice(3).join('/')}`;
return true;
// it might be a private repo, so wait for the lookup to fail as well
case 200:
case 404:
case 302:
break
case 401:
var e = new Error(`Invalid GitHub authentication details. Run ${this.util.bold(`jspm registry config github`)} to configure.`);
e.hideStack = true;
throw e;
default:
throw new Error(`Invalid status code ${res.status}: ${res.statusText}`);
}
// cache lookups per package for process execution duration
if (this.freshLookups[packageName])
return false;
// could filter to range in this lookup, but testing of eg `git ls-remote https://github.com/twbs/bootstrap.git refs/tags/v4.* resf/tags/v.*`
// didn't reveal any significant improvement
let url = this.githubUrl;
let credentials = await this.util.getCredentials(this.githubUrl);
if (credentials.basicAuth) {
let urlObj = new URL(url);
({ username: urlObj.username, password: urlObj.password } = credentials.basicAuth);
url = urlObj.href;
// href includes trailing `/`
url = url.substr(0, url.length - 1);
}
try {
var stdout = await execGit(`ls-remote ${url}/${packageName[0] === '@' ? packageName.substr(1) : packageName}.git refs/tags/* refs/heads/*`, this.execOpt);
}
catch (err) {
const str = err.toString();
// not found
if (str.indexOf('not found') !== -1)
return;
// invalid credentials
if (str.indexOf('Invalid username or password') !== -1 || str.indexOf('fatal: could not read Username') !== -1) {
let e = new Error(`git authentication failed resolving GitHub package ${this.util.highlight(packageName)}.
Make sure that git is locally configured with permissions to ${this.githubUrl} or run ${this.util.bold(`jspm registry config github`)}.`, err);
e.hideStack = true;
throw e;
}
throw err;
}
let refs = stdout.split('\n');
for (let ref of refs) {
if (!ref)
continue;
let hash = ref.substr(0, ref.indexOf('\t'));
let refName = ref.substr(hash.length + 1);
let version;
if (refName.substr(0, 11) === 'refs/heads/') {
version = refName.substr(11);
}
else if (refName.substr(0, 10) === 'refs/tags/') {
if (refName.substr(refName.length - 3, 3) === '^{}')
version = refName.substr(10, refName.length - 13);
else
version = refName.substr(10);
if (version.substr(0, 1) === 'v' && Semver.isValid(version.substr(1)))
version = version.substr(1);
}
const encoded = this.util.encodeVersion(version);
const existingVersion = lookup.versions[encoded];
if (!existingVersion)
lookup.versions[encoded] = { resolved: undefined, meta: { expected: hash, resolved: undefined } };
else
existingVersion.meta.expected = hash;
}
return true;
}
async resolve (packageName, version, lookup) {
let changed = false;
let versionEntry;
// first ensure we have the right ref hash
// an exact commit is immutable
if (commitRegEx.test(version)) {
versionEntry = lookup.versions[version] = { resolved: undefined, meta: { expected: version, resolved: undefined } };
}
else {
versionEntry = lookup.versions[version];
// we get refs through the full remote-ls lookup
if (!(packageName in this.freshLookups)) {
await this.lookup(packageName, wildcardRange, lookup);
changed = true;
versionEntry = lookup.versions[version];
if (!versionEntry)
return changed;
}
}
// next we fetch the package.json file for that ref hash, to get the dependency information
// to populate into the resolved object
if (!versionEntry.resolved || versionEntry.meta.resolved !== versionEntry.meta.expected) {
changed = true;
const hash = versionEntry.meta.expected;
const resolved = versionEntry.resolved = {
source: `${this.githubUrl}/${packageName[0] === '@' ? packageName.substr(1) : packageName}/archive/${hash}.tar.gz`,
override: undefined
};
// if this fails, we just get no preloading
if (!this.rateLimited) {
const res = await this.util.fetch(`${this.githubApiUrl}/repos/${packageName[0] === '@' ? packageName.substr(1) : packageName}/contents/package.json?ref=${hash}`, {
headers: {
'User-Agent': 'jspm',
accept: githubApiRawAcceptHeader
},
timeout: this.timeout
});
switch (res.status) {
case 404:
// repo can not have a package.json
break;
case 200:
const pjson = await res.json();
resolved.override = {
dependencies: pjson.dependencies,
peerDependencies: pjson.peerDependencies,
optionalDepdnencies: pjson.optionalDependencies
}
break;
case 401:
apiWarn(this.util, `Invalid GitHub API credentials`);
break;
case 403:
apiWarn(this.util, `GitHub API rate limit reached`);
this.rateLimited = true;
break;
case 406:
apiWarn(this.util, `GitHub API token doesn't have the right access permissions`);
break;
default:
apiWarn(this.util, `Invalid GitHub API response code ${res.status}`);
}
function apiWarn (util, msg) {
util.log.warn(`${msg} attempting to preload dependencies for ${packageName}.`);
};
}
versionEntry.meta.resolved = hash;
}
return changed;
}
};
function readAuth (auth) {
// no auth
if (!auth)
return;
// auth is an object
if (typeof auth === 'object' && typeof auth.username === 'string' && typeof auth.password === 'string')
return auth;
else if (typeof auth !== 'string')
return;
// jspm 2 auth form - just a token
if (isGithubApiToken(auth)) {
return { username: 'Token', password: auth };
}
// jspm 0.16/0.17 auth form backwards compat
// (base64(encodeURI(username):encodeURI(password)))
try {
let auth = new Buffer(auth, 'base64').toString('utf8').split(':');
if (auth.length !== 2)
return;
let username = decodeURIComponent(auth[0]);
let password = decodeURIComponent(auth[1]);
return { username, password };
}
// invalid auth
catch (e) {
return;
}
}
function isGithubApiToken (str) {
if (str && str.length === 40 && str.match(/^[a-f0-9]+$/))
return true;
else
return false;
}