Support 2FA `--otp=123456` #1091

Open
hzoo opened this Issue Oct 30, 2017 · 44 comments

Comments

@hzoo
Member

hzoo commented Oct 30, 2017

https://docs.npmjs.com/getting-started/using-two-factor-authentication

Need a prompt to be able to pass this for publishing, etc (right before since not that much time)

EDIT: current workaround is NPM_CONFIG_OTP=123456 lerna publish

@evocateur

Member

evocateur commented Oct 30, 2017

I'm worried that we'll have to re-prompt if publishes start failing (due to expired TOTP). Really exposes how un-tested and gnarly our current publish failure handling is. :/

@hzoo

Member Author

hzoo commented Oct 30, 2017

Yeah that's what happened, also since we published like 100 pkgs and it would expire in between (had to just turn it off)

@djfarrelly


djfarrelly commented Nov 3, 2017

To help people in the short term, perhaps npm's tokens could help. Creating a wrapper script to generate a token, adding it to your .npmrc, then publishing using lerna, then removing and deleting the token could work.

Docs: https://docs.npmjs.com/getting-started/working_with_tokens
Other helpful info: https://circleci.com/docs/1.0/npm-private-module-dependency/

@rhysforyou


rhysforyou commented Feb 11, 2018

For people finding this through Google, I'd like to point out that a good workaround is to set the NPM_CONFIG_OTP environment variable before running lerna publish, e.g.

NPM_CONFIG_OTP=123456 lerna publish

@evocateur evocateur added this to the v3.0.0 milestone Feb 28, 2018

@jthegedus


jthegedus commented Mar 5, 2018

The above solution doesn't seem to work with Yarn & lerna as a devDep, e.g.:

NPM_CONFIG_OTP=123456 yarn lerna publish

It still fails on the OTP during publication 😞

@evocateur

Member

evocateur commented Mar 5, 2018

@jthegedus


jthegedus commented Mar 5, 2018

Fair point. I was under the impression that Yarn read all of npm's configs, wishful thinking. A note for others nonetheless.

@teppeis

Contributor

teppeis commented May 5, 2018

Yarn's issue: yarnpkg/yarn#4904

@dupski


dupski commented May 13, 2018

+1 for lerna to prompt for this, although NPM_CONFIG_OTP seems to work ok. Turning off 2FA doesn't seem like a good solution :)

inikulin added a commit to inikulin/parse5 that referenced this issue May 23, 2018

@evocateur

Member

evocateur commented Jul 4, 2018

@iarna (from the npm team) suggested running npm pack initially and then prompting for the OTP and publishing the tarballs concurrently. I think this approach has lots of promise!

@rgbkrk


rgbkrk commented Jul 12, 2018

As a result of the recent compromise, I'd love to be able to enforce 2FA across our org. Is there a way to do the npm pack approach with lerna now or does this need work within lerna itself?

@kachkaev


kachkaev commented Jul 12, 2018

One thing to be aware of is npm/npm#19425. The 2FA OTP may time out during the upload process and thus fail the publish. This is even the case for single npm uploads, so it may also be common in the lerna context. I'm not saying that 2FA should not be used because of this, just pointing to a related issue that is a big pain for me on slow connections.

Perhaps, lerna could check for 401 during publishing and re-ask OTP in this case?
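
The pack-first idea from the comment above (npm pack everything, then ask for the OTP) combined with re-asking for a code when the registry rejects it, as an added example that is not lerna's own code: `publishWithOtp`, `makeFakeRegistry`, `packFn`, `publishFn` and `promptOtp` are hypothetical names, and the registry is an in-memory stand-in constructed for the example, so nothing touches the network.

```javascript
// Added example (not lerna's own code): pack every package first, then publish
// the tarballs, asking for a fresh OTP only when the registry rejects the
// current one as expired (npm reports that as error code EOTP with HTTP 401).
// packFn, publishFn and promptOtp are injected so the flow can run offline.
async function publishWithOtp(packages, { packFn, publishFn, promptOtp, maxRetries = 3 }) {
  // Phase 1: build every tarball before asking for a code, so none of the
  // short TOTP window is spent packing (the "npm pack first" idea).
  const tarballs = [];
  for (const pkg of packages) tarballs.push(await packFn(pkg));
  // Phase 2: publish sequentially; re-prompt only when the OTP is rejected.
  let otp = await promptOtp();
  const results = [];
  for (const tarball of tarballs) {
    let retries = 0;
    for (;;) {
      try {
        results.push(await publishFn(tarball, otp));
        break;
      } catch (err) {
        const otpRejected = err.code === 'EOTP' ||
          (err.statusCode === 401 && /one-time pass/i.test(err.message));
        if (!otpRejected || ++retries > maxRetries) throw err;
        otp = await promptOtp(); // the old code is dead; ask once and carry on
      }
    }
  }
  return results;
}

// Constructed in-memory registry (no network): each OTP is accepted for at most
// `otpWindow` successful publishes, then rejected like an expired TOTP code.
function makeFakeRegistry(otpWindow) {
  const uses = new Map();
  let calls = 0;
  return {
    calls: () => calls,
    packFn: async (name) => ({ name, file: `${name}-1.0.0.tgz` }),
    publishFn: async (tarball, otp) => {
      calls += 1;
      if ((uses.get(otp) || 0) >= otpWindow) {
        const err = new Error('This operation requires a one-time password.');
        err.code = 'EOTP';
        err.statusCode = 401;
        throw err;
      }
      uses.set(otp, (uses.get(otp) || 0) + 1);
      return `${tarball.name}@1.0.0`;
    },
  };
}
```

Any other error (network failure, E403, a wrong token) is rethrown unchanged, so only an OTP rejection triggers a new prompt, and `maxRetries` bounds how many times a user is asked.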

@hzoo

Member Author

hzoo commented Jul 12, 2018

Great point @kachkaev, it's definitely more of an issue with Lerna given multiple packages even if you have a fast connection (this would be the case with Babel).

@loganfsmyth

Collaborator

loganfsmyth commented Jul 12, 2018

It seems like ideally there'd be a way to upload to a temporary location with minimal credentials, then have the 2-factor only be needed for kind of committing those bundles to the registry.

@iarna


iarna commented Jul 12, 2018

Two phase publishes with staging is something we've been talking about. It's a rather substantial platform change, but it is one we intend to see done.

@loganfsmyth

Collaborator

loganfsmyth commented Jul 12, 2018

@iarna Cool! I don't doubt that it'd be quite a large change. Thanks to you and everyone at npm for all your hard work :)

@iarna


iarna commented Jul 13, 2018

I was chatting about this with Ceej today and we may have an alternative and much easier to implement solution for you all:

Time-limited tokens. You could create an access token for the purposes of publication that does not require 2fa and is valid for the next 5 or 10 minutes. Then use that during the various publications.

Creating the token would require 2fa, but using it would not. And it would auto-delete itself after it times out.

@loganfsmyth

Collaborator

loganfsmyth commented Jul 13, 2018

That seems like it'd be a great solution.

@ljharb


ljharb commented Jul 13, 2018

That seems like a great solution in general, not just for monorepos. @iarna, any possibility of being able to customize longer periods? Like an hour, perhaps?

@rexxars


rexxars commented Jul 13, 2018

Created a thread on npm.community to track/discuss the suggested time-limited token idea outside of this issue.

evocateur added a commit that referenced this issue Aug 2, 2018

feat(publish): Support 2FA during publish (WIP)
TODO:
- unit tests (direct + high-level)
- figure out how to make integration tests work again

refs #1091

evocateur added a commit that referenced this issue Nov 27, 2018

feat(publish): Support 2FA during publish (WIP)
TODO: unit tests (direct + high-level)

refs #1091

evocateur added a commit that referenced this issue Nov 29, 2018

feat(publish): Support 2FA during publish (WIP)
TODO: unit tests (direct + high-level)

refs #1091

@fson


fson commented Dec 3, 2018

I’ve been using the NPM_CONFIG_OTP variable, but it fails often because the one time password expires before publishing finishes.

Until full support for npm 2fa has been implemented in Lerna, would it be reasonable to change the options npm/Yarn is spawned with to stdio = 'inherit'? This would allow npm/Yarn to show the normal prompt for OTP when authentication fails due to 2FA. Right now it’s not shown because the command runs with a non-TTY input stream.

@ThisIsMissEm


ThisIsMissEm commented Dec 4, 2018

evocateur added a commit that referenced this issue Dec 7, 2018

feat(publish): Support 2FA during publish (WIP)
TODO: unit tests (direct + high-level)

refs #1091

evocateur added a commit that referenced this issue Dec 10, 2018

feat(publish): Support 2FA during publish (WIP)
TODO: unit tests (direct + high-level)

refs #1091

evocateur added a commit that referenced this issue Dec 17, 2018

feat(publish): Support 2FA during publish (WIP)
TODO: unit tests (direct + high-level)

refs #1091

evocateur added a commit that referenced this issue Dec 19, 2018

feat(publish): Support 2FA during publish (WIP)
TODO: unit tests (direct + high-level)

refs #1091

evocateur added a commit that referenced this issue Jan 1, 2019

feat(publish): Support 2FA during publish (WIP)
TODO: unit tests (direct + high-level)

refs #1091

evocateur added a commit that referenced this issue Jan 9, 2019

feat(publish): Support 2FA during publish (WIP)
TODO: unit tests (direct + high-level)

refs #1091

evocateur added a commit that referenced this issue Jan 9, 2019

feat(publish): Support 2FA during publish (WIP)
TODO: unit tests (direct + high-level)

refs #1091

@imaman


imaman commented Mar 1, 2019

What's the status of the https://github.com/lerna/lerna/tree/one-time-password-to-rule-them-all branch? I keep doing local patches of it as it is currently the only solution for using lerna with OTP

niksy added a commit to niksy/advertol that referenced this issue Mar 5, 2019

@ricmoo


ricmoo commented Mar 5, 2019

Can you point me in the right direction as to which file I need to update/patch to change the stdio to "inherit"?

Thanks!! :)

@evocateur

Member

evocateur commented Mar 6, 2019

@ricmoo


ricmoo commented Mar 6, 2019

I see. That may explain why the export technique isn’t working for me either then?

Is there any existing work around? Even if it involves patching the bin/lerna?

@ricmoo


ricmoo commented Mar 7, 2019

@imaman Can you share your technique for patching? :)

@busticated


busticated commented Mar 7, 2019

@ricmoo implementation details aside, i've had a ton of success with: https://github.com/ds300/patch-package

@imaman


imaman commented Mar 7, 2019

@ricmoo: there's a branch called "one-time-password-to-rule-them-all" which contains a proposed solution.

Link to the branch: https://github.com/lerna/lerna/tree/one-time-password-to-rule-them-all

@ricmoo


ricmoo commented Mar 7, 2019

@busticated Oh, I meant specifically what lines and files to modify for the purpose of OTP w/ Lerna. :)

@imaman Is that safe? I checked it out the other day and it was 114 commits behind... :s (or do you mean just copy the otpplease and co?)

@imaman


imaman commented Mar 7, 2019

@ricmoo: The actual fix is very small so I selectively copied only this part. Unfortunately, I am away from my laptop for the next 10 days so I can't send you a copy-and-paste snippet.

@ricmoo


ricmoo commented Mar 7, 2019

@imaman No worries, that helps a tonne. I'll copy it over (maybe experiment with a smaller test repo first). :)
