Support 2FA for npm via --otp #2076
@evocateur, do you have time to take a look?
It's not clear to me that this solves the issue, except possibly in the case where one has already run `lerna version` separately and has a very fast (or no) build for each package. I took a stab at things a while back, but it's incomplete: https://github.com/lerna/lerna/compare/one-time-password-to-rule-them-all
lerna publish --otp 123456 | ||
``` | ||
|
||
> Please keep in mind that one-time passwords often expire within a few minutes of their generation. Please ensure adequate time for the publish process to complete. |
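Review bot: The note on the last line of this hunk says one-time passwords "often expire within a few minutes", which is too vague for a value that the whole `lerna publish --otp 123456` run depends on. State that the one code passed on the command line has to stay valid for every package published in the run, and document what the user should do when a publish fails partway through because the code has expired.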
They actually expire within 30 seconds, so it's not clear that this solution would be guaranteed to work in all cases (imagine per-package builds that take 2 seconds each in a repo with 30 packages to publish...).
While this is true, until lerna has true OTP support, the only alternative is to set the NPM_CONFIG_OTP environment variable (which differs per system) and has the same downsides.
Per-package OTP isn't terribly complicated with otplease in your branch, the problem is having to repeatedly enter the same OTP until a new one is needed. One way might be to maintain an in-memory cache of OTPs per registry and have otplease update that cache prior to a retry. I can tinker with something and put up a separate PR for that.
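An added example (not lerna's or otplease's code) of the in-memory per-registry OTP cache proposed in the comment above, generalized to concurrent publishes so that a rejected code triggers one prompt, not one per package. `OtpCache`, `publishWithOtp` and the `prompt`/`publish` callbacks are hypothetical names; the only registry behaviour assumed is an error with `code === "EOTP"` when a code is missing or expired.

```javascript
// Added illustration, not lerna's code. OtpCache, publishWithOtp and the
// prompt/publish callbacks are hypothetical names; the only registry behaviour
// assumed is that a missing or expired code fails with err.code === "EOTP".
class OtpCache {
  constructor(prompt) {
    this.prompt = prompt;    // async (registry) => string, asks the user
    this.codes = new Map();  // registry -> Promise<string> for the current code
  }

  // Current code for a registry, or undefined if nobody has been asked yet.
  peek(registry) {
    return this.codes.get(registry);
  }

  // Called after `rejected` failed. Prompts once per stale code: concurrent
  // callers holding the same rejected code share the replacement.
  async refresh(registry, rejected) {
    const current = this.codes.get(registry);
    const stale = current === undefined || (await current) === rejected;
    if (stale && this.codes.get(registry) === current) {
      this.codes.set(registry, Promise.resolve(this.prompt(registry)));
    }
    return this.codes.get(registry);
  }
}

// Publish one package, asking for a new code only when the registry demands it.
async function publishWithOtp(pkg, registry, cache, publish, maxAttempts = 3) {
  let otp = await cache.peek(registry);
  for (let attempt = 1; ; attempt++) {
    try {
      return await publish(pkg, { registry, otp });
    } catch (err) {
      // Anything other than an OTP challenge is a real failure: surface it.
      if (err.code !== "EOTP" || attempt >= maxAttempts) throw err;
      otp = await cache.refresh(registry, otp);
    }
  }
}
```

The cache lives only in process memory and holds short-lived codes, so nothing is written to disk or to the environment.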
Closing in favor of #2084
Description
This adds an `--otp` CLI argument to `lerna publish` to support publishing to NPM registries that require two-factor authentication.
Motivation and Context
It is currently possible to publish using 2FA without the `--otp` argument, however this requires setting an environment variable prior to calling `lerna publish`, and the process of setting an environment variable differs in different shells (i.e. bash, cmd, PowerShell, etc.). Providing this via an option simplifies the process and documents the capability.
How Has This Been Tested?
I've added tests to verify the `--otp` option is passed to `npmPublish` as a configuration option and have also verified that the `--otp` option works by publishing a monorepo to NPM using an account that requires 2FA to publish.
Types of changes
Checklist:
Fixes #1091