Using auth tokens in .npmrc

Question

I have a project where we use font awesome 5 library. I followed the instructions that are written here and added an .npmrc file with my auth token.

Is

Answer 1

It is definitely NOT a safe behavior to put the token in any git checked file, including .npmrc.

Below are the steps your team can take to safely leverage your npm token.

There are two different environments to consider:

1. each developer's local dev machine
2. the app's deployment platform

local dev

Following the Global Set Up instructions you linked to in your question, is not the solution.

Create the .npmrc file similar to the "Per project" instructions, but substitute your real token with a variable name, prefixed by $. ie:

@fontawesome:registry=https://npm.fontawesome.com/
//npm.fontawesome.com/:_authToken=$TOKEN

npm will detect an environment variables file named .env. So, in a .gitignored .env file, add your secret key value pair, ie:

TOKEN=ABC123

You can also prefix the variable name with "NPM_CONFIG_", according to the npm-config docs, ie:

NPM_CONFIG_TOKEN=ABC123

Now, when the dev runs npm i, font-awesome dependencies will load from the private repo.

NOTE: Don't follow the current npm-config docs about the environment variables syntax! See this stack overflow answer, ie:

Answer 2

https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow

Export your secret token into your session, e.g., export NPM_TOKEN="00000000-0000-0000-0000-000000000000"

Inside your ~/.npmrc, add //registry.npmjs.org/:_authToken=${NPM_TOKEN}