2 files changed, 18 insertions, 11 deletions

diff --git a/cli/npm/common.rs b/cli/npm/common.rs
index de282310a..55f1bc086 100644
--- a/cli/npm/common.rs
+++ b/cli/npm/common.rs
@@ -3,6 +3,7 @@
 use base64::prelude::BASE64_STANDARD;
 use base64::Engine;
 use deno_core::anyhow::bail;
+use deno_core::anyhow::Context;
 use deno_core::error::AnyError;
 use deno_npm::npm_rc::RegistryConfig;
 use http::header;
@@ -36,17 +37,21 @@ pub fn maybe_auth_header_for_npm_registry(
   }
 
   if username.is_some() && password.is_some() {
+    // The npm client does some double encoding when generating the
+    // bearer token value, see
+    // https://github.com/npm/cli/blob/780afc50e3a345feb1871a28e33fa48235bc3bd5/workspaces/config/lib/index.js#L846-L851
+    let pw_base64 = BASE64_STANDARD
+      .decode(password.unwrap())
+      .with_context(|| "The password in npmrc is an invalid base64 string")?;
+    let bearer = BASE64_STANDARD.encode(format!(
+      "{}:{}",
+      username.unwrap(),
+      String::from_utf8_lossy(&pw_base64)
+    ));
+
     return Ok(Some((
       header::AUTHORIZATION,
-      header::HeaderValue::from_str(&format!(
-        "Basic {}",
-        BASE64_STANDARD.encode(format!(
-          "{}:{}",
-          username.unwrap(),
-          password.unwrap()
-        ))
-      ))
-      .unwrap(),
+      header::HeaderValue::from_str(&format!("Basic {}", bearer)).unwrap(),
     )));
   }
 
diff --git a/tests/specs/npm/npmrc_username_password/.npmrc b/tests/specs/npm/npmrc_username_password/.npmrc
index c318678ae..9e1ded96a 100644
--- a/tests/specs/npm/npmrc_username_password/.npmrc
+++ b/tests/specs/npm/npmrc_username_password/.npmrc
@@ -1,6 +1,8 @@
 @denotest:registry=http://localhost:4261/
 //localhost:4261/:username=deno
-//localhost:4261/:_password=land
+# base64 of land
+//localhost:4261/:_password=bGFuZA==
 @denotest2:registry=http://localhost:4262/
 //localhost:4262/:username=deno
-//localhost:4262/:_password=land2
+# base64 of land2
+//localhost:4262/:_password=bGFuZDI=