
Support 2FA --otp=123456 #1091

Closed
hzoo opened this issue Oct 30, 2017 · 45 comments

@hzoo (Member) commented Oct 30, 2017

https://docs.npmjs.com/getting-started/using-two-factor-authentication

Need a prompt to be able to pass this for publishing, etc (right before since not that much time)

EDIT: current workaround is NPM_CONFIG_OTP=123456 lerna publish

@evocateur (Member) commented Oct 30, 2017

I'm worried that we'll have to re-prompt if publishes start failing (due to expired TOTP). Really exposes how un-tested and gnarly our current publish failure handling is. :/


@hzoo (Member, Author) commented Oct 30, 2017

Yeah that's what happened, also since we published like 100 pkgs and it would expire in between (had to just turn it off)


@djfarrelly commented Nov 3, 2017

To help people in the short term, perhaps npm's tokens could help. Creating a wrapper script to generate a token, adding it to your .npmrc then publishing using lerna then removing and deleting the token could work.

Docs: https://docs.npmjs.com/getting-started/working_with_tokens
Other helpful info: https://circleci.com/docs/1.0/npm-private-module-dependency/


@rhysforyou commented Feb 11, 2018

For people finding this through Google, I'd like to point out that a good workaround is to set the NPM_CONFIG_OTP environment variable before running lerna publish, e.g.

NPM_CONFIG_OTP=123456 lerna publish


@jthegedus commented Mar 5, 2018

The above solution doesn't seem to work with Yarn & lerna as a devDep, eg:

NPM_CONFIG_OTP=123456 yarn lerna publish

It still fails on the OTP during publication 😞


@evocateur (Member) commented Mar 5, 2018

@jthegedus commented Mar 5, 2018

Fair point. I was under the impression that Yarn read all of npm's configs, wishful thinking. A note for others nonetheless.


@teppeis (Contributor) commented May 5, 2018

Yarn's issue: yarnpkg/yarn#4904


@dupski commented May 13, 2018

+1 for lerna to prompt for this, although NPM_CONFIG_OTP seems to work ok. Turning off 2FA doesn't seem like a good solution :)


inikulin added a commit to inikulin/parse5 that referenced this issue May 23, 2018
@evocateur (Member) commented Jul 4, 2018

@iarna (from the npm team) suggested running npm pack initially and then prompting for the OTP and publishing the tarballs concurrently. I think this approach has lots of promise!


@rgbkrk commented Jul 12, 2018

As a result of the recent compromise, I'd love to be able to enforce 2FA across our org. Is there a way to do the npm pack approach with lerna now or does this need work within lerna itself?


@kachkaev commented Jul 12, 2018

One thing to be aware of is npm/npm#19425. The 2FA OTP may time out during the upload process and thus fail the publish. This is even the case for single npm uploads, so it may also be common in the lerna context. I'm not saying that 2FA should not be used because of this, just pointing to a related issue that is a big pain for me on slow connections.

Perhaps, lerna could check for 401 during publishing and re-ask OTP in this case?


@hzoo (Member, Author) commented Jul 12, 2018

Great point @kachkaev, it's definitely more of an issue with Lerna given multiple packages even if you have a fast connection (this would be the case with Babel).

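The flow sketched in the comments above (pack every tarball first, prompt for the OTP once right before uploading, and re-ask for a fresh code when the registry rejects a stale one instead of failing the whole run), written out as an added example. This is not lerna's code and not code from anyone in this thread. The `pack`, `publish` and `promptOtp` callbacks are hypothetical and supplied by the caller; the registry and the prompter at the bottom are constructed fakes so the block runs offline, with the fake registry expiring each code after three uploads to imitate a TOTP window rolling over mid-run. The `EOTP` error code and 401 status are the ones npm's registry client reports for a missing or expired one-time password.

```javascript
// Added example (not lerna's code): two-phase publish with a shared OTP
// that is refreshed on demand. pack/publish/promptOtp are hypothetical
// callbacks supplied by the caller.

const EOTP = "EOTP"; // npm's error code for a missing/expired OTP (HTTP 401)

function isOtpError(err) {
  return Boolean(err) && (err.code === EOTP || err.statusCode === 401);
}

// packages: [{ name }]         pack(pkg) -> tarball (needs no credentials)
// publish(tarball, { otp })    rejects with an EOTP error when the code is stale
// promptOtp(message) -> code   asks the operator for a fresh TOTP value
async function publishAll({ packages, pack, publish, promptOtp, concurrency = 4, maxAttempts = 3 }) {
  // Phase 1: build every tarball before touching the registry, so the
  // 30-second clock on the OTP has not started yet.
  const tarballs = [];
  for (const pkg of packages) {
    tarballs.push({ name: pkg.name, tarball: await pack(pkg) });
  }

  // Phase 2: ask for the OTP once, right before the uploads begin.
  let otp = await promptOtp("Enter OTP for publishing");
  let refreshing = null; // in-flight prompt, shared so concurrent failures ask once

  // Called by a worker whose upload was rejected while using `staleOtp`.
  // If another worker already replaced it, reuse that; otherwise prompt once.
  async function refreshOtp(staleOtp) {
    if (otp !== staleOtp) return otp;
    if (!refreshing) {
      refreshing = promptOtp("OTP rejected (expired?), enter a fresh one").then((code) => {
        otp = code;
        refreshing = null;
        return code;
      });
    }
    return refreshing;
  }

  async function publishOne(item) {
    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
      const used = otp;
      try {
        await publish(item.tarball, { otp: used });
        return { name: item.name, ok: true, attempts: attempt };
      } catch (err) {
        if (!isOtpError(err)) throw err; // anything but an OTP problem is fatal
        await refreshOtp(used);           // only the rejected package is retried
      }
    }
    throw new Error(`giving up on ${item.name}: OTP rejected ${maxAttempts} times`);
  }

  // Small worker pool: `concurrency` uploads in flight, results in completion order.
  const queue = tarballs.slice();
  const results = [];
  const worker = async () => {
    while (queue.length > 0) {
      results.push(await publishOne(queue.shift()));
    }
  };
  await Promise.all(Array.from({ length: Math.min(concurrency, tarballs.length) }, worker));
  return results;
}

// ---- constructed fakes so the example runs offline ------------------------

// Accepts each OTP for `uploadsPerCode` uploads, then rejects it with the
// EOTP/401 shape npm reports, imitating a TOTP window rolling over.
function makeFakeRegistry({ uploadsPerCode = 3 } = {}) {
  const uses = new Map();
  const published = [];
  return {
    published,
    async publish(tarball, { otp } = {}) {
      const n = uses.get(otp) || 0;
      if (!otp || n >= uploadsPerCode) {
        const err = new Error("401 Unauthorized: one-time password required or expired");
        err.code = EOTP;
        err.statusCode = 401;
        throw err;
      }
      uses.set(otp, n + 1);
      published.push(tarball);
    },
  };
}

// Hands out a new six-digit code on every call and records each prompt.
function makeFakePrompter() {
  const calls = [];
  return {
    calls,
    async prompt(message) {
      calls.push(message);
      return String(100000 + calls.length);
    },
  };
}

async function demo() {
  const packages = Array.from({ length: 7 }, (_, i) => ({ name: `@example/pkg-${i}` })); // constructed
  const registry = makeFakeRegistry({ uploadsPerCode: 3 });
  const prompter = makeFakePrompter();
  const results = await publishAll({
    packages,
    pack: async (pkg) => `${pkg.name.replace("/", "-")}.tgz`,
    publish: registry.publish,
    promptOtp: prompter.prompt,
    concurrency: 2,
  });
  return { results, published: registry.published, prompts: prompter.calls };
}

demo().then((r) => console.log(`${r.published.length} uploads, ${r.prompts.length} OTP prompts`));
```

With seven packages and a fake that honours each code for three uploads, the run needs three codes in total: the initial prompt plus two refreshes. The shared `refreshing` promise is what keeps two workers that fail on the same stale code from prompting the operator twice, and only the rejected upload is retried, so packages that already went through are never re-published.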

@loganfsmyth (Collaborator) commented Jul 12, 2018

It seems like ideally there'd be a way to upload to a temporary location with minimal credentials, then have the 2-factor only be needed for kind of committing those bundles to the registry.


@iarna commented Jul 12, 2018

Two phase publishes with staging is something we've been talking about. It's a rather substantial platform change, but it is one we intend to see done.


@loganfsmyth (Collaborator) commented Jul 12, 2018

@iarna Cool! I don't doubt that it'd be quite a large change. Thanks to you and everyone at npm for all your hard work :)


@iarna commented Jul 13, 2018

I was chatting about this with Ceej today and we may have an alternative and much easier to implement solution for you all:

Time-limited tokens. You could create an access token for the purposes of publication that does not require 2fa and is valid for the next 5 or 10 minutes. Then use that during the various publications.

Creating the token would require 2fa, but using it would not. And it would auto-delete itself after it times out.


@loganfsmyth (Collaborator) commented Jul 13, 2018

That seems like it'd be a great solution.


@ljharb commented Jul 13, 2018

That seems like a great solution in general, not just for monorepos. @iarna, any possibility of being able to customize longer periods? Like an hour, perhaps?


@rexxars commented Jul 13, 2018

Created a thread on npm.community to track/discuss the suggested time-limited token idea outside of this issue.


evocateur added a commit that referenced this issue Aug 2, 2018
TODO:
- unit tests (direct + high-level)
- figure out how to make integration tests work again

refs #1091
evocateur added a commit that referenced this issue Jan 1, 2019
TODO: unit tests (direct + high-level)

refs #1091
evocateur added a commit that referenced this issue Jan 9, 2019
TODO: unit tests (direct + high-level)

refs #1091
evocateur added a commit that referenced this issue Jan 9, 2019
TODO: unit tests (direct + high-level)

refs #1091
@imaman commented Mar 1, 2019

What's the status of the https://github.com/lerna/lerna/tree/one-time-password-to-rule-them-all branch? I keep doing local patches of it as it is currently the only solution for using lerna with OTP


niksy added a commit to niksy/advertol that referenced this issue Mar 5, 2019
@ricmoo commented Mar 5, 2019

Can you point me in the right direction as to which file I need to update/patch to change the stdio to "inherit"?

Thanks!! :)


@evocateur (Member) commented Mar 6, 2019

@ricmoo commented Mar 6, 2019

I see. That may explain why the export technique isn’t working for me either then?

Is there any existing work around? Even if it involves patching the bin/lerna?


@ricmoo commented Mar 7, 2019

@imaman Can you share your technique for patching? :)


@busticated commented Mar 7, 2019

@ricmoo implementation details aside, i've had a ton of success with: https://github.com/ds300/patch-package


@imaman commented Mar 7, 2019

@ricmoo: there's a branch called "one-time-password-to-rule-them-all" which contains a proposed solution.

Link to the branch: https://github.com/lerna/lerna/tree/one-time-password-to-rule-them-all


@ricmoo commented Mar 7, 2019

@busticated Oh, I meant specifically what lines and files to modify for the purpose of OTP w/ Lerna. :)

@imaman Is that safe? I checked it out the other day and it was 114 commits behind... :s (or do you mean just copy the otpplease and co?)


@imaman commented Mar 7, 2019

@ricmoo: The actual fix is very small so I selectively copied only this part. Unfortunately, I am away from my laptop for the next 10 days so I can't send you a copy-and-paste snippet.


@ricmoo commented Mar 7, 2019

@imaman No worries, that helps a tonne. I'll copy it over (maybe experiment with a smaller test repo first). :)


@evocateur (Member) commented May 14, 2019

Published in v3.14.0. Used it to publish it, even. ^_^

