[BUG] npm publish does not prompt for OTP #4519
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
Running npm publish for a package that has "Require two-factor authentication or automation tokens" enabled from an account with 2FA enabled (as confirmed by "Enabled for authorization and publishing" being checked on /settings/dstaley/profile) doesn't prompt for a one-time password, instead reporting an error stating that the package requires an OTP.
npm notice Publishing to https://registry.npmjs.org/
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/rivet-graphql - This package requires that publishers enable TFA and provide an OTP to publish. For more info, visit: https://go.npm.me/2fa-guide
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.
Furthermore, passing an OTP via --otp=999999 results in the same error. It feels like the CLI isn't detecting that the package needs an OTP, and thus isn't prompting me for one nor passing it in the initial request to publish.
This is for the package rivet-graphql, to which my account has publishing access as confirmed on /package/rivet-graphql/access.
Full npm publish output
PS C:\Users\DylanStaley\Documents\git\hashicorp\rivet-graphql> npm publish
npm notice
npm notice 📦 rivet-graphql@0.4.0-canary.1
npm notice === Tarball Contents ===
npm notice 43B .prettierrc
npm notice 7.1kB README.md
npm notice 876B index.d.ts
npm notice 443B index.d.ts.map
npm notice 8.9kB index.js
npm notice 1.1kB package.json
npm notice 271B tsconfig.json
npm notice === Tarball Details ===
npm notice name: rivet-graphql
npm notice version: 0.4.0-canary.1
npm notice filename: rivet-graphql-0.4.0-canary.1.tgz
npm notice package size: 7.0 kB
npm notice unpacked size: 18.7 kB
npm notice shasum: d78ec644b9f7cdfd25ff4f6e25bae41a004bcb67
npm notice integrity: sha512-kaCHI3enxZnos[...]xltnEupe7yYvg==
npm notice total files: 7
npm notice
npm notice Publishing to https://registry.npmjs.org/
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/rivet-graphql - This package requires that publishers enable TFA and provide an OTP to publish. For more info, visit: https://go.npm.me/2fa-guide
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.
npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\DylanStaley\AppData\Local\npm-cache_logs\2022-03-07T22_11_33_306Z-debug-0.log
npm profile get --json output
{
  "tfa": {
    "pending": false,
    "mode": "auth-and-writes"
  },
  "name": "dstaley",
  "email": "(protected)",
  "email_verified": true,
  "created": "2015-07-26T23:09:11.142Z",
  "updated": "2022-02-02T01:57:08.972Z",
  "fullname": "Dylan Staley",
  "twitter": "dstaley",
  "github": "dstaley"
}
According to this line, the CLI expects a code of EOTP or E401, but I'm getting the following back from the registry:
{
  code: 'E403',
  body: {
    error: 'This package requires that publishers enable TFA and provide an OTP to publish. For more info, visit: https://go.npm.me/2fa-guide'
  }
}
Expected Behavior
npm prompts for an OTP, and package publishing is successful.
Steps To Reproduce
- Run npm publish in the directory for a package that's configured to require 2FA
Environment
- npm: 8.5.3
- Node.js: v16.14.0
- OS Name: Windows 11
- System Model Name:
- npm config:
; "user" config from C:\Users\DylanStaley\.npmrc
//registry.npmjs.org/:_authToken = (protected)
; node bin location = C:\Users\DylanStaley\AppData\Local\Volta\tools\image\node\16.14.0\node.exe
; cwd = C:\Users\DylanStaley\Documents\git\hashicorp\rivet-graphql
; HOME = C:\Users\DylanStaley
; Run `npm config ls -l` to show all defaults.
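
The mismatch described in this report, as an added example that is not part of the original issue and is not npm's source code: a prompt-and-retry wrapper that treats only `EOTP` and `E401` as an OTP challenge, run against a constructed registry stub. The names `isOtpChallenge`, `publishWithOtp`, `fakeRegistry` and `run` are hypothetical, and the wrapper is synchronous for brevity.

```javascript
// Added illustration, not npm's code. Assumption taken from the report:
// the client prompts for an OTP only when the error code is EOTP or E401.
const OTP_CODES = new Set(['EOTP', 'E401']);

function isOtpChallenge(err) {
  return Boolean(err) && OTP_CODES.has(err.code);
}

// Hypothetical wrapper: call publish(opts); on an OTP challenge, prompt once
// and retry with the code attached. Any other error is passed through.
function publishWithOtp(publish, promptOtp, opts = {}) {
  try {
    return publish(opts);
  } catch (err) {
    // Not recognised as a challenge, or an OTP was already supplied: give up.
    if (!isOtpChallenge(err) || opts.otp) throw err;
    return publish({ ...opts, otp: promptOtp() });
  }
}

// Constructed stand-in for the registry: rejects requests without the
// expected OTP, using whichever error code the caller asks it to emit.
function fakeRegistry(challengeCode) {
  return (opts) => {
    if (opts.otp === '123456') return { ok: true };
    const err = new Error('This package requires that publishers enable TFA and provide an OTP to publish.');
    err.code = challengeCode;
    throw err;
  };
}

// Run one publish attempt and report whether the user was ever prompted.
function run(challengeCode) {
  let prompts = 0;
  const promptOtp = () => { prompts += 1; return '123456'; };
  try {
    const res = publishWithOtp(fakeRegistry(challengeCode), promptOtp);
    return { published: res.ok, prompts, code: null };
  } catch (err) {
    return { published: false, prompts, code: err.code };
  }
}

console.log('EOTP ->', run('EOTP')); // challenge recognised, prompt shown
console.log('E403 ->', run('E403')); // the code from this report: no prompt
```

With the `E403` code the stub's "OTP required" message reaches the user as a plain permission error, which matches the behavior reported above.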