id: npmrc-authtoken

info:
  name: Hardcoded .npmrc AuthToken
  author: geeknik
  severity: info
  reference:
    - https://docs.npmjs.com/cli/v8/configuring-npm/npmrc
    - https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry
  metadata:
    verified: true
    google-query: intitle:"index of" ".npmrc"
  tags: npm,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/.npmrc"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "_authToken="
          - "_auth="
        condition: or

      - type: word
        part: header
        words:
          - "text/html"
          - "application/javascript"
          - "application/json"
        negative: true

      - type: status
        status:
          - 200