Support 2FA for npm via --otp #2076

Closed

@rbuckton rbuckton commented May 7, 2019

Description

This adds an --otp CLI argument to lerna publish to support publishing to NPM registries that require two-factor authentication.

Motivation and Context

It is currently possible to publish using 2FA without the --otp argument; however, this requires setting an environment variable prior to calling lerna publish, and the process of setting an environment variable differs in different shells (i.e. bash, cmd, PowerShell, etc.). Providing this via an option simplifies the process and documents the capability.

How Has This Been Tested?

I've added tests to verify the --otp option is passed to npmPublish as a configuration option and have also verified that the --otp option works by publishing a monorepo to NPM using an account that requires 2FA to publish.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed. (NOTE: There are tests that currently fail without this change when run on Windows).

Fixes #1091

rbuckton commented May 8, 2019

@evocateur, do you have time to take a look?

@evocateur evocateur left a comment

It's not clear to me that this solves the issue, except possibly in the case where one has already run lerna version separately and has a very fast (or no) build for each package. I took a stab at things a while back, but it's incomplete: https://github.com/lerna/lerna/compare/one-time-password-to-rule-them-all

lerna publish --otp 123456
```

> Please keep in mind that one-time passwords often expire within a few minutes of their generation. Please ensure adequate time for the publish process to complete.

Member

They actually expire within 30 seconds, so it's not clear that this solution would be guaranteed to work in all cases (imagine per-package builds that take 2 seconds each in a repo with 30 packages to publish...).

Contributor Author

While this is true, until lerna has true OTP support, the only alternative is to set the NPM_CONFIG_OTP environment variable (which differs per system) and has the same downsides.

@rbuckton
Contributor Author

Per-package OTP isn't terribly complicated with otplease in your branch, the problem is having to repeatedly enter the same OTP until a new one is needed. One way might be to maintain an in-memory cache of OTPs per registry and have otplease update that cache prior to a retry. I can tinker with something and put up a separate PR for that.
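
The per-registry in-memory OTP cache with refresh-before-retry proposed in the comment above, as an added example that is not part of this thread, of lerna, or of the linked branch. `OtpCache`, `publishWithOtp`, `demo`, the `publish` callback and the registry URL are hypothetical names, and the `EOTP` error code on a rejected publish is an assumption about the registry client.

```javascript
// Hypothetical names throughout; this is not lerna's or npm's API. Assumption:
// publish() rejects with err.code === "EOTP" when the OTP is missing or expired.
class OtpCache {
  constructor(promptForOtp) {
    this.promptForOtp = promptForOtp; // async (registry) => string
    this.otps = new Map(); // registry URL -> most recent OTP, held in memory only
    this.pending = new Map(); // registry URL -> prompt already in flight
  }
  // Replace a stale OTP; prompt once even if several publishes failed together.
  refresh(registry, staleOtp) {
    const current = this.otps.get(registry);
    if (current !== undefined && current !== staleOtp) return Promise.resolve(current);
    if (!this.pending.has(registry)) {
      const prompt = Promise.resolve(this.promptForOtp(registry))
        .then((otp) => { this.otps.set(registry, otp); return otp; })
        .finally(() => this.pending.delete(registry));
      this.pending.set(registry, prompt);
    }
    return this.pending.get(registry);
  }
}
// Try the cached OTP first; ask for a new one only after the registry rejects it.
async function publishWithOtp(pkg, registry, cache, publish, maxPrompts = 2) {
  let otp = cache.otps.get(registry);
  for (let prompts = 0; ; prompts += 1) {
    try {
      return await publish(pkg, { registry, otp });
    } catch (err) {
      if (err.code !== "EOTP" || prompts >= maxPrompts) throw err;
      otp = await cache.refresh(registry, otp);
    }
  }
}
// Constructed simulation: each code is accepted for two publishes, then expires.
async function demo() {
  let prompts = 0;
  const uses = new Map();
  const cache = new OtpCache(async () => String(++prompts).padStart(6, "0"));
  const publish = async (pkg, { otp }) => {
    const used = uses.get(otp) || 0;
    if (otp === undefined || used >= 2) throw Object.assign(new Error("OTP required"), { code: "EOTP" });
    uses.set(otp, used + 1);
    return pkg;
  };
  const published = [];
  for (const pkg of ["pkg-a", "pkg-b", "pkg-c"])
    published.push(await publishWithOtp(pkg, "https://registry.example/", cache, publish));
  return { published, prompts };
}
```

In the simulation, three packages are published with two prompts: the first code is reused until the registry rejects it, and only then is a new one requested.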

@rbuckton
Contributor Author

Closing in favor of #2084

@rbuckton rbuckton closed this May 12, 2019
evocateur added a commit that referenced this pull request May 13, 2019
This allows a potential prompt to be skipped as long as the OTP has not expired before it is used.

Credit: @rbuckton
Fixes #2076