Package Common Npm Bearer Auth Mask (#327)

* mask bearer auth apitoken

* removed the password64 accidently, adding back

* test case fix mock

Author: tintse-thxsky-MSFT

common-npm-packages/packaging-common/Tests/npm/npmL0.ts

@@ -202,7 +202,8 @@ export function npmcommon() {
             },
             getHttpProxyConfiguration: (endpoint) => {
                 return null;
-            }
+            },
+            setSecret : msg => null
         };
         mocker.registerMock('azure-pipelines-task-lib/task', mockTask);
 

common-npm-packages/packaging-common/locationUtilities.ts

@@ -112,6 +112,7 @@ export async function getPackagingUris(protocolType: ProtocolType): Promise<Pack
     return pkgLocation;
 }
 
+/** Return a masked SystemAccessToken */
 export function getSystemAccessToken(): string {
     tl.debug('Getting credentials for local feeds');
     const auth = tl.getEndpointAuthorization('SYSTEMVSSCONNECTION', false);

common-npm-packages/packaging-common/npm/npmregistry.ts

@@ -25,6 +25,7 @@ export class NpmRegistry implements INpmRegistry {
         this.authOnly = authOnly || false;
     }
 
+    /** Return NpmRegistry with masked auth from Service Endpoint. */
     public static async FromServiceEndpoint(endpointId: string, authOnly?: boolean): Promise<NpmRegistry> {
         const lineEnd = os.EOL;
         let endpointAuth: tl.EndpointAuthorization;
@@ -59,31 +60,32 @@ export class NpmRegistry implements INpmRegistry {
                 username = endpointAuth.parameters['username'];
                 password = endpointAuth.parameters['password'];
                 email = username; // npm needs an email to be set in order to publish, this is ignored on npmjs
-                password64 = (new Buffer(password).toString('base64'));
-                tl.setSecret(password64);
+                password64 = Buffer.from(password).toString('base64');
 
                 auth = nerfed + ':username=' + username + lineEnd;
                 auth += nerfed + ':_password=' + password64 + lineEnd;
                 auth += nerfed + ':email=' + email + lineEnd;
                 break;
             case 'Token':
                 const apitoken = endpointAuth.parameters['apitoken'];
+                tl.setSecret(apitoken);
                 if (!isVstsTokenAuth){
                     // Use Bearer auth as it was intended.
                     auth = nerfed + ':_authToken=' + apitoken + lineEnd;
                 } else {
                     // Azure DevOps does not support PATs+Bearer only JWTs+Bearer
                     email = 'VssEmail';
                     username = 'VssToken';
-                    password64 = (new Buffer(apitoken).toString('base64'));
-                    tl.setSecret(password64);
+                    password64 = Buffer.from(apitoken).toString('base64');
 
                     auth = nerfed + ':username=' + username + lineEnd;
                     auth += nerfed + ':_password=' + password64 + lineEnd;
                     auth += nerfed + ':email=' + email + lineEnd;
                 }
                 break;
         }
+        tl.setSecret(password);
+        tl.setSecret(password64);
 
         auth += nerfed + ':always-auth=true';
         return new NpmRegistry(url, auth, authOnly);

common-npm-packages/packaging-common/package-lock.json

@@ -1,6 +1,6 @@
 {
     "name": "azure-pipelines-tasks-packaging-common",
-    "version": "3.241.0",
+    "version": "3.241.1",
     "description": "Azure Pipelines Packaging Tasks Common",
     "scripts": {
         "test": "mocha _build/Tests/L0.js",