Azure Devops NPM Auth

The ado-npm-auth package can automatically use the azureauth CLI to fetch tokens and update a user's .npmrc file for authenticating to ADO package feeds.

You'll first need an .npmrc in your project such as...

registry=https://pkgs.dev.azure.com/org/project/_packaging/feedname/npm/registry/

You can run the binary "ado-npm-auth" via yarn ado-npm-auth or npm exec ado-npm-auth.

It will then shell out to the azureauth package on npm, retrieve a token, and update your ~/.npmrc.

ado-npm-auth vs vsts-npm-auth

The main difference between the two is how they function, and where they can run. The vsts-npm-auth tool is Windows only, and uses MSAL authentication.

ado-npm-auth uses the node-azureauth library, to wrap the azureauth-cli, which itself is a cross platform MSAL wrapper.

Since the azureauth-cli is cross-platform, ado-npm-auth will also run cross-platform as well!

One of the easiest ways to use the tool is to add it to your "preinstall" script in your repo like this...

"scripts": {
  "preinstall": "npm exec ado-npm-auth"
},

It will then perform a quick "pre-flight" check to assess if the token is valid, and generate a new one if it has expired.

Beware the chicken and egg problem

You may need to set the registry to the public NPM feed when running npm exec or npx.

There are 2 options to address this case:

1: Explictly pass the config file.

You can hop one directory up, or run it from an arbitrary path and pass the configuration.

pushd ..
npx ado-npm-auth -c <myrepo>\.npmrc
popd

2: configure registry explicilty

If that's the case, set the environment variable npm_config_registry=https://registry.npmjs.org.

That will ensure that npx or npm exec grabs from the public NPM feed, bypassing the soon-to-be authenticated ADO feed.

"scripts": {
  "preinstall": "npm_config_registry=https://registry.npmjs.org npm exec ado-npm-auth"
},