Support npm's 2FA (via OTP) #5
Comments
|
@freitagbr FYI |
|
I tried a local patch along the lines of suggestion 1, and I don't think it's a suitable approach. Even if an OTP is fresh (remaining lifetime ~30 seconds) when the user types it on the commandline, I think suggestion 3 is a better option. |
|
Publish the tags only after |
|
Reordering might help. Current order looks like:
Steps 1-3 exist to see if the user is authorized to run
This puts This seems like a good refactor, regardless of 2FA. This would also open the door for us to implement a blend of suggestions 1 & 3, which is exactly how |
This completely changes the order of steps we follow for publishing a package. The goal here is to move `npm publish` as close as possible to the beginning so that we can error-out early if it fails (e.g. 2FA errors). At a high level, our new steps are: * npm version (bump version, commit, make tag) * echo npm publish * if successful, push commit & tag * if failed, undo commit & tag In the case of failure, we still provide the same granularity of error output: we check to see if the user is logged in, if they're owner/contributor, etc. In addition, we also provide some error output if the user is outside of a git repo (the usual cause for `npm version` failures). While this refactor is done to enable supporting 2FA, this does not itself provide OTP support. This refactor also adds TODOs for other bugs, which will be resolved in follow-up PRs. Issue #5
This completely changes the order of steps we follow for publishing a package. The goal here is to move `npm publish` as close as possible to the beginning so that we can error-out early if it fails (e.g. 2FA errors). At a high level, our new steps are: * npm version (bump version, commit, make tag) * echo npm publish * if successful, push commit & tag * if failed, undo commit & tag In the case of failure, we still provide the same granularity of error output: we check to see if the user is logged in, if they're owner/contributor, etc. In addition, we also provide some error output if the user is outside of a git repo (the usual cause for `npm version` failures). While this refactor is done to enable supporting 2FA, this does not itself provide OTP support. This refactor also adds TODOs for other bugs, which will be resolved in follow-up PRs. Issue #5
This adds the `--otp` flag to support 2FA. Fixes #5
This adds the `--otp` flag to support 2FA. Fixes #5
This documents our support for npm's 2FA via the --otp flag. Issue #5
I ran into this when pushing shelljs v0.8. Now that NPM supports 2FA (and I've enabled it), we really need to find a way to support this in the script.
Current behavior is to do most things (bump the version, push the tags) but it fails during
npm publish. First reaction might be to re-run the command, but this would re-bump the version and push a second tag (and would still fail).I see a few solutions:
--otpflag. If present, then the otp value is forwarded tonpm publish's--otpflag. But if the user forgets to add this (I inevitably will forget), then we have the same issue where it's not safe to re-run the command.npm publish --otp=. This isn't perfect, since the user may not have 2FA (yet we still prompt them). And if they pass the wrong thing, we need to remember to re-prompt them.npm publishin a way that it accepts user input. This doesn't work withshell.exec(), but does withchild_process.exec(). Users are only prompted when they use 2FA. But if the user supplies a bad OTP, or hits ctrl-c, then the project is still in a bad state (git tags are pushed, but it isn't published).Official docs for 2FA are here.
The text was updated successfully, but these errors were encountered: