Support 2FA for npm via --otp #2076

Closed
11 changes: 11 additions & 0 deletions commands/publish/README.md
Expand Up @@ -51,6 +51,7 @@ This is useful when a previous `lerna publish` failed to publish all packages to
- [`--git-head <sha>`](#--git-head-sha)
- [`--no-git-reset`](#--no-git-reset)
- [`--no-verify-access`](#--no-verify-access)
- [`--otp`](#--otp)
- [`--preid`](#--preid)
- [`--registry <url>`](#--registry-url)
- [`--temp-tag`](#--temp-tag)
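
Review bot: the new table-of-contents entry `--otp` omits its argument, unlike the neighbouring `--git-head <sha>` and `--registry <url>` entries, even though the option is declared with `requiresArg: true`. Suggest writing it as `--otp <code>` here and in the section heading, with the anchor updated to match, so readers can see that the flag takes a value.
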
Expand Down Expand Up @@ -140,6 +141,16 @@ If you are using a third-party registry that does not support `npm access ls-pac

> Please use with caution

### `--otp`

When publishing to a registry that requires two-factor authentication, you can specify a "one-time password" using `--otp`:

```sh
lerna publish --otp 123456
```

> Please keep in mind that one-time passwords often expire within a few minutes of their generation. Please ensure adequate time for the publish process to complete.

Member

They actually expire within 30 seconds, so it's not clear that this solution would be guaranteed to work in all cases (imagine per-package builds that take 2 seconds each in a repo with 30 packages to publish...).

Contributor Author

While this is true, until lerna has true OTP support, the only alternative is to set the NPM_CONFIG_OTP environment variable (which differs per system) and has the same downsides.


### `--preid`

Unlike the `lerna version` option of the same name, this option only applies to [`--canary`](#--canary) version calculation.
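
Review bot: the closing blockquote of the new `--otp` section warns about expiry but never says that the single value given on the command line is reused for every package published in the run, which is what turns expiry into a practical problem in a multi-package repo. Suggest stating that explicitly, and describing what state the registry is left in if the code stops being accepted part-way through, so a user knows that some packages may already be published and how to continue.
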
13 changes: 13 additions & 0 deletions commands/publish/__tests__/publish-command.test.js
Expand Up @@ -257,4 +257,17 @@ Map {
}
});
});

describe("--otp", () => {
it("passes one-time password to npm commands", async () => {
const testDir = await initFixture("normal");
const otp = "123456";
await lernaPublish(testDir)("--otp", otp);
expect(npmPublish).toHaveBeenCalledWith(
expect.objectContaining({ name: "package-1" }),
"/TEMP_DIR/package-1-MOCKED.tgz",
expect.objectContaining({ otp })
);
});
});
});
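
Review bot: the test title says the password is passed to "npm commands", but the only assertion is on `npmPublish` for `package-1`. Either narrow the title to the publish call, or assert on the remaining packages in the fixture and on any other npm call that needs the code. A second case where `--otp` is omitted would also pin down what `otp` looks like by default.
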
5 changes: 5 additions & 0 deletions commands/publish/command.js
Expand Up @@ -77,6 +77,11 @@ exports.builder = yargs => {
// alias: "yes",
// type: "boolean",
// },
otp: {
describe: "Supply a one-time password for publishing with two-factor authentication.",
type: "string",
requiresArg: true,
},
};

composeVersionOptions(yargs);
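
Review bot: `type: "string"` on the new `otp` option is load-bearing, since a code with a leading zero would lose it if the value were parsed as a number, but nothing in the hunk says so. Suggest a one-line comment to that effect and a test that uses a code such as `012345` (the added test only uses `123456`), so the type is not changed later by accident.
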
1 change: 1 addition & 0 deletions commands/publish/index.js
Expand Up @@ -96,6 +96,7 @@ class PublishCommand extends Command {
npmSession,
npmVersion: userAgent,
registry: this.options.registry,
otp: this.options.otp,
});

this.conf.set("user-agent", userAgent, "cli");
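
Review bot: `otp: this.options.otp` is set unconditionally, so the key is present with the value `undefined` whenever `--otp` is not passed. Please confirm that this does not shadow an `otp` value coming from npm configuration or the environment (the `NPM_CONFIG_OTP` route mentioned in the discussion), and that the value is not written out anywhere this config object is logged.
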