Official Npm registry authentication

I will fill out the bug report, but yes, I'm using the same version:
Verdaccio 4.3.5 and Unity 2019.4f12

And a quick update, we also tried with Verdaccio 4.8.1 (if not mistaken)

 

Hi @okcompute_unity, any news in here?
This is the only thing blocking us from taking our packages distribution system to the next level.

 

Wrote a blog on the steps I took to get packages working http://enigma23.co.uk/blog/how-to-setup-github-packages-and-unity/

 

Is there any chance unity will (or if there is a workaround we can apply in-repository) add some way so we can access public-github-npm-repositories, without needing to make a upmconfig.toml file?

Given it's public, *anyone*'s PAT would work, but the user still has to create this file (and obviously can't commit an example file to a repository as github will detect it and invalidate the PAT)

If we can add a variable to the scoped registry entry in the manifest to say it's public, and then perhaps unity can maintain one key or something?
During testing with npm packages (outside unity, just using it for distrubtion), we also found you didn't have to provide a matching email address. The key can be essentially anonymous. (I have a feeling that possibly the password/pat could be anything too, but still, the bottleneck for deployment is the file)

For context, we build public binaries as an npm package; and install them this way.
https://github.com/NewChromantics/PopH264

 

Wouldn't all of this be unnecessary if Unity just used unmodified npm to resolve packages? What's the reasoning behind adding all of this extra abstraction, that only creates the need for all these workarounds to make it work with an ecosystem with established tooling?

 

Were you able to fix your issue with the gitlab runner not being able to authenticate ? We’re having the same issue...

 

For anyone running into the same issue, found the solution, the config file needs to be here when running with the gitlab-runner:

%ALLUSERSPROFILE%\Unity\config\ServiceAccounts\.upmconfig.toml (for example, C:\Users\Public\Unity\config\ServiceAccounts\.upmconfig.toml)

Found by reading the docs here:
https://docs.unity3d.com/Manual/upm-config.html
The runner runs as a service account so it needs to be in the ServiceAccounts folder.

 

Hello.
I have done all steps and I can install my packages by adding it into manifest.json, BUT every time when UPM tries to update packages list I get error:

[PackageManager] Error Request [GET https://npm.pkg.github.com/@<MYSCOPE>/-/v1/search?text=com.<COMPANYNAME>&from=0&size=250] failed with status code [405]

package name is com.<COMPANYNAME>.<PACKAGENAME>

I can not find solution for this problem.
.npmrc file and .toml file are correct and contain all required data.
I will say it again:

• UPM can install packages from my registry with all dependencies.
• UPM failed with code 405 on packages list update (.../-/v1/search... ).

.npmrc

Code (CSharp):

1. //npm.pkg.github.com/:_authToken=<MYTOKEN>
2. @<MYSCOPE>:registry=https://npm.pkg.github.com
3. always-auth=true

.toml

Code (CSharp):

1. [npmAuth."https://npm.pkg.github.com/@<MYSCOPE>"]
2. token = "<MYTOKEN>"
3. email = "<MYGITEMAIL>"
4. alwaysAuth = true

MYTOKEN - git access token with correct rights

 

Here's a thread that explain what needs to be done to connect to github. Unfortunately github packages are not officially supported, so it comes with some limitations.

 

I wonder if anyone can help with this. I have a project that compiles run and builds without a problem on the Unity editor. The project uses npm packages.
I am now trying to build the project using TeamCity, which means calling unity build from the command line. And when running the build from the command line I get :
[Package Manager] Done resolving packages in 1.12s seconds
An error occurred while resolving packages:
Project has invalid dependencies:
my.package.test: Request [GET https://npm.pkg.github.com/@mycomany/myrepo] failed because it lacks valid authentication credentials

I am at a loss as to why commandline Unity behaves differently to Untiy Editor. Do I need to specify the npm credential in the command line perhaps? Any help would be greatly appreciated.

 

You need to add your npm authorisation data into ".upmconfig.toml" in TeamCity. You can copy this file from your PC (if it is ok for you to have same authorisation data in TeamCity).

 

I have a registry serving both public packages and packages which require authentication. Recently, in newer Unity versions, there is an issue that users without authentication will encounter error messages preventing them from accessing all packages form the registry.

Code (CSharp):

1. [Package Manager Window] Cannot perform upm operation: Unable to perform online search:
2.   Request [GET https://myregistry.com/com.a.package.requiring.authentication] failed because it lacks valid authentication credentials [Unknown].
3. UnityEditor.EditorApplication:Internal_CallUpdateFunctions ()
4.  
5. [Package Manager Window] Error searching for packages.
6. UnityEditor.EditorApplication:Internal_CallUpdateFunctions ()

I'm not sure this behavior starts from which Unity version though.

Versions with this issue:
- 2020.3.13
- 2021.1.6
- 2021.1.12
- 2021.1.14

Versions without this issue:
- 2020.2.3f1

Is it an intended modification? Or is there any workaround for me to serve both kinds of packages in the same registry just like before? Thanks!

 

Edit: This doesn't seem to be a problem as it seemed at first Please ignore.

Our company's scoped registry (nexus) ends with a trailing '/'. I can see from upm.log and the project settings window that the trailing slash is stripped internally in Unity. I think this is causing us issues, since entering the url without that trailing slash returns an error if you test it in your browser.

Is there any way I can get to keep that trailing forward slash? ('/')

@okcompute_unity

 

Is there an ETA on the user friendly version of this setup? As a sysadmin, I have to handhold every developer through the process each time they clone our repo on a new machine.

 

There's a new version of the hub in the works, but I see no mention of package registry authentication:
https://unity.com/roadmap/unity-hub
Is it not happening?

 

The path for system users is really not great. In a normal CI such a system user does not have access to the file path, so every machine has to be pre-configured for every registry (which also is only possible on private runners).
Apart from that it really would be better if credentials could be given e.g. via environment variables i.e. *not* having to save the credentials on-disk.

 

It would be nice to have UI for this feature

 

Code (CSharp):

1. Cannot perform upm operation: self signed certificate in certificate chain [NotFound]
2. UnityEditor.EditorApplication:Internal_CallUpdateFunctions ()

I built an unity packages server and configure the SSL with a self signed certificate, unity needs an option to ignore that. Like npm strict-ssl false or cafile=C:\Users\someone\ssl\local-ca.crt. If there is no already an option. Is seems like Unity does not access the certificates of the OS (Windows 10). Or the package manager it self. maybe it's a separated system?

 

Early last month I had to use npm to gain access to preview packages. It was an unintuitive experience and something I really believe Unity should look to make easier.

If Package Manager had button that opened a window to put your credentials and a Go button, it would have been a much smoother ride, even if npm installation and registration was still an external step.

 

Hey, hey,
im facing an issue here.
Im trying to setup Azure DevOps Artifacts with Unity's Package Manager but it seems that i cant get it to work.
I am following this guide here:
https://forum.unity.com/threads/npm-registry-authentication.836308/#post-5582287

1. Creating the .upmconfig.toml under %USERPROFILE%/
2. Base64 Encode my concatination of my username: personalAccessToken ( dont mind the space, without space it gets converted to a smiley)
(i tried the username which is blacked out in the screenshot and tried my whole email)
3. insert everything in the .upmconfig.toml

[npmAuth."https://pkgs.dev.azure.com/XYZ/test/_packaging/test/npm/registry"]



_auth = "XYZ"  // <-- the base64 encoded "username:PersonalAccessToken" comes here



email = "joe@company.com"



alwaysAuth = true

Then i upen up Unity and under Project Settings -> PackageManager i am adding a new Registry
with URL: https://pkgs.dev.azure.com/XYZ/test/_packaging/test/npm/registry and my scope.
After hitting save or Refreshing Packages in the UPM im getting

[Package Manager Window] Cannot perform upm operation: Unable to perform online search:

  Unable to perform online search:

    Cannot fetch authorization code. User access token is expired or invalid. You may need to sign out and sign in again. [Unknown].

UnityEditor.EditorApplication:Internal_CallUpdateFunctions ()

[Package Manager Window] Error searching for packages.

UnityEditor.EditorApplication:Internal_CallUpdateFunctions ()

Am i missing something here?

Edit: The PersonalAccessToken has FullAccess. When trying to push Package with npm publish everything is working.


Edit2: I just tried signing in and out from the Unity Hub. This fixed to error above. Now im getting:

[Package Manager Window] Cannot perform upm operation: Unable to perform online search:

  Request [GET https://pkgs.dev.azure.com/XYZ/test/_packaging/test/npm/registry/-/v1/search?text=com.XYZSCOPE&from=0&size=250] failed because it lacks valid authentication credentials [Unknown].

UnityEditor.EditorApplication:Internal_CallUpdateFunctions ()

 

I am having the same issue, however signing in and out of Unity Hub did not fix the second error. Does anyone know how to fix this?

 

Having the same problem as the above 2 users. Is this a feature that is receiving any kind of attention any more?

 

Maybe time is add NORMAL UI for auth in scoped\private registries?
Many problems with this toml file...

 

@okcompute_unity can you give any hint when the login UI form will be available?

 

Would it be possible to add support for adding the upmconfig.toml file into the PROJECT/Packages directory, so it could be added to VCS? Currently, we have had to make our own Unity Launcher software, which ensures the upmconfig.toml file exists on the users computer before launching any of our projects.

The fact that Unity does not support launching projects with 3rd party NPM packages without additional setup for each PC is not great...

 

agree, we can use a public token with VCS, or we have to teach every one to do this. it's realy impossible.

 

When downloading a npm package from the package manager it's missing large files (lfs) and replaced them with 1kb pointer files. But I am able to download directly from github packages and install the package with all of it's files via the tarball option in package manager.

So if the package is fine downloaded & installed locally, what is going wrong when it's being downloaded as a scoped registry?

 

How are you adding the package to the package manager, using the git repository URL or by adding GitHub as a scoped registry?

When using scoped registries or tarballs, LFS is already out of the picture. It only matters wether LFS was properly set up at the time the package was created.

In case you're using the git repository URL, then git is used on your local machine to check out the repository and you need to have LFS installed and set up properly. The Unity manual on Git dependencies has some additional pointers on how to set up LFS with Unity.

 

This is with scoped registries, npm package is on GitHub packages. I followed this step by step guide

If I put the project into a repository, and use the git url to install with the package manager that recognizes the LFS pointers with gitdependcies and the whole package is installed fine.

I just can't get the npm package to install fully through scoped registry.

The link you sent refers to setting up lfsconfig and npmignore files as well. But this didn't make any difference. The rest of the page is referring to dependencies. My dependencies only refer to the package and it's version.

 

Hm, that would mean you somehow get different package archives when Unity downloads it vs when you download the package archive manually from GitHub. Do you have an example repository where this happens?

You can check the UPM Global Cache for the package archive Unity has downloaded. Also the upm.log might have some clues.

 

Any news about a dedicated UI? Is there maybe a way to run a custom script before package solving? I don't want my team to go through this procedure manually

 

We're going through this now. We've setup a Verdaccio instance on EC2 AWS and while that was a pretty smooth process, getting a handle of exactly how Auth is supposed to work, wasn't. On top of that, Unity's auth solution here doesn't really seem to have gone anywhere since Feb 2020.

@JesperSmith 's solution is a great example of the kind of work we'd like to see Unity doing to make these tools chains more suitable for teams using their products. It certainly makes the onboarding process for team members just that much easier.

I'm yet to test this across the github actions workflow so we'll see how we go.

All that being said, I'd like to some more idea's about how to share these login details across machines in teams. One step that needs to be repeated per machines just for security reasons isn't a big deal, but they tend to add up overtime. Is this any flexibility on where the .upmconfig.toml can be located? i.e in project? Well aware this might be iffy from a pure security perspective, but if a bad actor has access to my repos it's likely I've got bigger problems already.

 

I would personnally store the upmconfig file outside of the project. If you use a password management system (Bitwarden for example), it could go there.

We currently have an upmconfig that give read/write access (if you need to modify a package), and one that give read only access (if you only need to download a package).

 

hello there, wanted to ask you how did you generate a token that does not expire? or set the expiration to never? I followed best practices to enable JWT instead of legacy but I lose the ability to create tokens that do not expire, I need this for CI at least. Thanks.

 

Hello. We don't use JWT, we use legacy to generate an authToken which is shared for a "bot" account (i.e CI). We're using github actions and the token is an encrypted organisation secret. To the best of my knowledge, this authToken will only expire when the user logs out which would have to happen manually at this point.

 

We're now generating the upmconfig.toml file when CI runs and the token is supplied via encrypted secret. This works for us using game.ci.

 

I would love if unity would give a UI for authentication or a least access to the npm client they use because the best solution so far consists in installing npm just for the sake of getting a token that you copy in another file which is far from user friendly if we want to distribute our packages

 

@okcompute_unity , Not to beat a dead horse but I too am having trouble authenticating to my registry. In my case I'm using Jfrog. I can successfully install my packages using npm i com.mycompany.mypackage but Unity Package Manager fails, so that leads me to believe it is a unity issue. I have checked and double checked there are no trailing slashes in my manifest.json and upmconfig.toml and the _auth token is the same as what is in my .npmrc.

Is there any debugging available to the end user? I don't know what else to try.

 

For anyone interested, I created a custom editor extension to authenticate to a private registry using a webrequest that all repository should be compatible with.
The main part of the code is (do not copy the code as it is, I manually changed it to remove extra stuff from my custom extension) :

Code (CSharp):

1.  
2.        [System.Serializable]
3.         public class LoginResponse
4.         {
5.             public string error;
6.             public string ok;
7.             public string token;
8.             public bool success;
9.             public string reason;
10.         }

Code (CSharp):

1.      
2.       [System.Serializable]
3.         class LoginRequest
4.         {
5.             public string name;
6.             public string password;
7.         }

Code (CSharp):

1.  
2.            string serverUri = YOUSERVERURI;
3.             if (!registrySettings.RegistryUrl.EndsWith("/"))
4.                 serverUri += "/";
5.  
6.             Uri loginUri = new Uri(serverUri + "-/user/org.couchdb.user:" + USERLOGIN);
7.             LoginRequest loginRequest = new LoginRequest { name = USERLOGIN, password = USERTOKEN_OR_PASSWORD };
8.             string requestData = JsonUtility.ToJson(loginRequest);
9.             UnityWebRequest webRequest = UnityWebRequest.Put(loginUri, requestData);
10.             string authorization = "Basic ";
11.             authorization += Convert.ToBase64String(Encoding.ASCII.GetBytes(USERLOGIN + ":" + USERTOKEN_OR_PASSWORD ));
12.        
13.             webRequest.SetRequestHeader("Authorization", authorization);
14.             webRequest.SetRequestHeader("Accept", "application/json");
15.             webRequest.SetRequestHeader("Content-Type", "application/json");
16.             webRequest.SendWebRequest();
17.  
18.             while (!webRequest.isDone) ;
19.  
20.             string res = webRequest.downloadHandler.text;
21.             if (webRequest.result == UnityWebRequest.Result.Success)
22.             {
23.                 LoginResponse response = JsonUtility.FromJson<LoginResponse>(res);
24.  
25.                 if (!string.IsNullOrWhiteSpace(response.token))
26.                     REGISTRY_TOKEN = response.token;
27.             }
28.             else
29.             {
30.                 Debug.LogError("Error while trying to authenticate : " + res);
31.             }

I manually write int the .upmconfig.toml something like :

#USERLOGIN
[npmAuth."YOUSERVERURI"]
token = "REGISTRY_TOKEN"

 

@okcompute_unity

I previously used this method on a Windows 10 computer, however, I recently had to upgrade to Windows 11 and am now getting the "lacks valid authentication credentials" error. Has this method been vetted on Windows 11? If so, what are the steps?

 

We are also having this issue where my one Windows computer can access the scoped repository, but my coworker's Windows machine cannot, even while using my .npmrc and .upmconfig.toml. Additionally we are on the same version of Windows 10

 

Turns out my issue was that Windows 11 was recognizing the .npmrc and .upmconfig.toml as text files with .txt file extensions. Removed the extensions and it worked fine.

 

@okcompute_unity @maximeb_unity

I have several Azure Pipelines self-hosted agents configured with the upmconfig.toml files in the appropriate paths.

I would like to know if there is currently or there is the possibility to add an environment variable with which you can indicate the path of this file as well as you can with NPM with the variable NPM_CONFIG_USERCONFIG: https://docs.npmjs.com/cli/v9/using-npm/config?v=true

Looking at the Unity documentation it doesn't seem to be possible:

https://docs.unity3d.com/Manual/upm-config.html

https://docs.unity3d.com/Manual/upm-config-scoped.html

My use case is that for security reasons, I don't want to leave a token exposed in a folder on that machines. I would like to generate the upmconfig.toml file on the fly in the build using the variable $(System.AccessToken): https://learn.microsoft.com/en-us/a...view=azure-devops&tabs=yaml#systemaccesstoken

This way apart from gaining security, it allows the token to always be the right one with the right permissions and never expire.

 

@maximeb_unity Thank you so much! Well I'm afraid that despite being since 2019.4 it has been 4 years without anyone using it until now because it is not documented

 

Is it possible to use only the `.upmconfig.toml` to authenticate. I thought I'd be able to use npm login to get the token and then just share the token/toml file with other users rather than having them all require npm installed and have potentially their own accounts with the registry (or access to a sinle account). Especially for Build Machines, I need them to authenticate easily.

I tried another machine from my own with the toml file only and the auth failed. What else is needed?

 

One error that I have encountered before was that explorer was showing

.upmconfig.toml

but in reality it was

.upmconfig.toml.txt

for some messed up reason.
Also you will have to make sure that your server now can handle simultaneous logins with identical user(s).

 

That was it! Thanks for that!