fix(npm): match npm bearer token generation (#26544)

Spend some time stepping through the npm client code and noticed that
the bearer token was different from ours. They do some double encoding
and @dsherret helped me in matching the encoding behavior.

Fixes https://github.com/denoland/deno/issues/26033

cli/npm/common.rs

@@ -3,6 +3,7 @@
 use base64::prelude::BASE64_STANDARD;
 use base64::Engine;
 use deno_core::anyhow::bail;
+use deno_core::anyhow::Context;
 use deno_core::error::AnyError;
 use deno_npm::npm_rc::RegistryConfig;
 use http::header;
@@ -36,17 +37,21 @@ pub fn maybe_auth_header_for_npm_registry(
   }
 
   if username.is_some() && password.is_some() {
-    return Ok(Some((
+    // The npm client does some double encoding when generating the
-      header::AUTHORIZATION,
+    // bearer token value, see
-      header::HeaderValue::from_str(&format!(
+    // https://github.com/npm/cli/blob/780afc50e3a345feb1871a28e33fa48235bc3bd5/workspaces/config/lib/index.js#L846-L851
-        "Basic {}",
+    let pw_base64 = BASE64_STANDARD
-        BASE64_STANDARD.encode(format!(
+      .decode(password.unwrap())
+      .with_context(|| "The password in npmrc is an invalid base64 string")?;
+    let bearer = BASE64_STANDARD.encode(format!(
       "{}:{}",
       username.unwrap(),
-          password.unwrap()
+      String::from_utf8_lossy(&pw_base64)
-        ))
+    ));
-      ))
+
-      .unwrap(),
+    return Ok(Some((
+      header::AUTHORIZATION,
+      header::HeaderValue::from_str(&format!("Basic {}", bearer)).unwrap(),
     )));
   }
 

tests/specs/npm/npmrc_username_password/.npmrc

@@ -1,6 +1,8 @@
 @denotest:registry=http://localhost:4261/
 //localhost:4261/:username=deno
-//localhost:4261/:_password=land
+# base64 of land
+//localhost:4261/:_password=bGFuZA==
 @denotest2:registry=http://localhost:4262/
 //localhost:4262/:username=deno
-//localhost:4262/:_password=land2
+# base64 of land2
+//localhost:4262/:_password=bGFuZDI=