Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs

4 files changed, 19 insertions, 4 deletions

diff --git a/nixpkgs/pkgs/build-support/node/fetch-npm-deps/default.nix b/nixpkgs/pkgs/build-support/node/fetch-npm-deps/default.nix
index ac76758ba50e..67a4c337c0d2 100644
--- a/nixpkgs/pkgs/build-support/node/fetch-npm-deps/default.nix
+++ b/nixpkgs/pkgs/build-support/node/fetch-npm-deps/default.nix
@@ -165,7 +165,9 @@
 
       dontInstall = true;
 
-      impureEnvVars = lib.fetchers.proxyImpureEnvVars;
+      # NIX_NPM_TOKENS environment variable should be a JSON mapping in the shape of:
+      # `{ "registry.example.com": "example-registry-bearer-token", ... }`
+      impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "NIX_NPM_TOKENS" ];
 
       SSL_CERT_FILE = if (hash_.outputHash == "" || hash_.outputHash == lib.fakeSha256 || hash_.outputHash == lib.fakeSha512 || hash_.outputHash == lib.fakeHash)
         then "${cacert}/etc/ssl/certs/ca-bundle.crt"
diff --git a/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/main.rs b/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/main.rs
index 62e5752c74c0..9d86bd8091a7 100644
--- a/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/main.rs
+++ b/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/main.rs
@@ -108,7 +108,7 @@ fn fixup_lockfile(
 
 // Recursive helper to fixup v1 lockfile deps
 fn fixup_v1_deps(
-    dependencies: &mut serde_json::Map<String, Value>,
+    dependencies: &mut Map<String, Value>,
     cache: &Option<HashMap<String, String>>,
     fixed: &mut bool,
 ) {
diff --git a/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/parse/mod.rs b/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/parse/mod.rs
index e1b491cccea2..b37652ffdf82 100644
--- a/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/parse/mod.rs
+++ b/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/parse/mod.rs
@@ -139,9 +139,9 @@ impl Package {
             None => Specifics::Registry {
                 integrity: pkg
                     .integrity
-                    .expect("non-git dependencies should have assosciated integrity")
+                    .expect("non-git dependencies should have associated integrity")
                     .into_best()
-                    .expect("non-git dependencies should have non-empty assosciated integrity"),
+                    .expect("non-git dependencies should have non-empty associated integrity"),
             },
         };
 
diff --git a/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/util.rs b/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/util.rs
index a165461fa71a..7a220f681c0d 100644
--- a/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/util.rs
+++ b/nixpkgs/pkgs/build-support/node/fetch-npm-deps/src/util.rs
@@ -3,6 +3,7 @@ use isahc::{
     config::{CaCertificate, Configurable, RedirectPolicy, SslOption},
     Body, Request, RequestExt,
 };
+use serde_json::{Map, Value};
 use std::{env, path::Path};
 use url::Url;
 
@@ -22,6 +23,18 @@ pub fn get_url(url: &Url) -> Result<Body, isahc::Error> {
         }
     }
 
+    // Respect NIX_NPM_TOKENS environment variable, which should be a JSON mapping in the shape of:
+    // `{ "registry.example.com": "example-registry-bearer-token", ... }`
+    if let Some(host) = url.host_str() {
+        if let Ok(npm_tokens) = env::var("NIX_NPM_TOKENS") {
+            if let Ok(tokens) = serde_json::from_str::<Map<String, Value>>(&npm_tokens) {
+                if let Some(token) = tokens.get(host).and_then(|val| val.as_str()) {
+                    request = request.header("Authorization", format!("Bearer {token}"));
+                }
+            }
+        }
+    }
+
     Ok(request.body(())?.send()?.into_body())
 }