Can't login using 2.1.7

[svallory]

username: theblacksmith

After upgrading to 2.1.7 I was getting the following error. But it was solved after updating my password on the site and deleting ~/.npmrc

npm verb adduser before first PUT { _id: 'org.couchdb.user:theblacksmith',
npm verb adduser   name: 'theblacksmith',
npm verb adduser   password: 'XXXXX',
npm verb adduser   email: 'me@saulovallory.com',
npm verb adduser   type: 'user',
npm verb adduser   roles: [],
npm verb adduser   date: '2014-11-04T21:05:00.553Z' }
npm verb request uri https://registry.npmjs.org/-/user/org.couchdb.user:theblacksmith
npm verb request new user, so can't send auth
npm info attempt registry request try #1 at 19:05:00
npm verb request id 36456cf5290507dd
npm http request PUT https://registry.npmjs.org/-/user/org.couchdb.user:theblacksmith
npm http 409 https://registry.npmjs.org/-/user/org.couchdb.user:theblacksmith
npm verb headers { date: 'Tue, 04 Nov 2014 21:05:01 GMT',
npm verb headers   server: 'CouchDB/1.5.0 (Erlang OTP/R16B03)',
npm verb headers   'content-type': 'application/json',
npm verb headers   'cache-control': 'max-age=60',
npm verb headers   'content-length': '58',
npm verb headers   'accept-ranges': 'bytes',
npm verb headers   via: '1.1 varnish',
npm verb headers   'x-served-by': 'cache-jfk1026-JFK',
npm verb headers   'x-cache': 'MISS',
npm verb headers   'x-cache-hits': '0',
npm verb headers   'x-timer': 'S1415135101.195851,VS0,VE343',
npm verb headers   'keep-alive': 'timeout=10, max=50',
npm verb headers   connection: 'Keep-Alive' }
npm verb request invalidating /Users/svallory/.npm/registry.npmjs.org/-/user/org.couchdb.user_3Atheblacksmith on PUT
npm verb adduser update existing user
npm verb request uri https://registry.npmjs.org/-/user/org.couchdb.user:theblacksmith?write=true
npm verb request sending authorization for write operation
npm info attempt registry request try #1 at 19:05:01
npm http request GET https://registry.npmjs.org/-/user/org.couchdb.user:theblacksmith?write=true
npm http 200 https://registry.npmjs.org/-/user/org.couchdb.user:theblacksmith?write=true
npm verb adduser userobj { _id: 'org.couchdb.user:theblacksmith',
npm verb adduser   name: 'theblacksmith',
npm verb adduser   password: 'XXXXX',
npm verb adduser   email: 'me@saulovallory.com',
npm verb adduser   type: 'user',
npm verb adduser   roles: [],
npm verb adduser   date: '2014-11-04T21:05:00.553Z' }
npm verb request uri https://registry.npmjs.org/-/user/org.couchdb.user:theblacksmith/-rev/3-f18a79c01312290049758eabb2649dad
npm verb request updating existing user; sending authorization
npm info attempt registry request try #1 at 19:05:02
npm http request PUT https://registry.npmjs.org/-/user/org.couchdb.user:theblacksmith/-rev/3-f18a79c01312290049758eabb2649dad
npm http 403 https://registry.npmjs.org/-/user/org.couchdb.user:theblacksmith/-rev/3-f18a79c01312290049758eabb2649dad
npm verb headers { date: 'Tue, 04 Nov 2014 21:05:03 GMT',
npm verb headers   server: 'CouchDB/1.5.0 (Erlang OTP/R16B03)',
npm verb headers   'content-type': 'application/json',
npm verb headers   'cache-control': 'max-age=60',
npm verb headers   'content-length': '203',
npm verb headers   'accept-ranges': 'bytes',
npm verb headers   via: '1.1 varnish',
npm verb headers   'x-served-by': 'cache-atl6221-ATL',
npm verb headers   'x-cache': 'MISS',
npm verb headers   'x-cache-hits': '0',
npm verb headers   'x-timer': 'S1415135103.017817,VS0,VE281',
npm verb headers   'keep-alive': 'timeout=10, max=50',
npm verb headers   connection: 'Keep-Alive' }
npm verb request invalidating /Users/svallory/.npm/registry.npmjs.org/-/user/org.couchdb.user_3Atheblacksmith on PUT
npm verb adduser back [ { [Error: forbidden may not mix password_sha and pbkdf2
npm verb adduser   You may need to upgrade your version of npm:
npm verb adduser     npm install npm -g
npm verb adduser   Note that this may need to be run as root/admin (sudo, etc.)
npm verb adduser   
npm verb adduser   : -/user/org.couchdb.user:theblacksmith/-rev/3-f18a79c01312290049758eabb2649dad] statusCode: 403, code: 'E403' },
npm verb adduser   { error: 'forbidden',
npm verb adduser     reason: 'may not mix password_sha and pbkdf2\nYou may need to upgrade your version of npm:\n  npm install npm -g\nNote that this may need to be run as root/admin (sudo, etc.)\n\n' },
npm verb adduser   '{"error":"forbidden","reason":"may not mix password_sha and pbkdf2\\nYou may need to upgrade your version of npm:\\n  npm install npm -g\\nNote that this may need to be run as root/admin (sudo, etc.)\\n\\n"}' ]
npm WARN adduser Incorrect username or password
npm WARN adduser You can reset your account by visiting:
npm WARN adduser 
npm WARN adduser     https://npmjs.org/forgot
npm WARN adduser 
npm verb stack Error: forbidden may not mix password_sha and pbkdf2
npm verb stack You may need to upgrade your version of npm:
npm verb stack   npm install npm -g
npm verb stack Note that this may need to be run as root/admin (sudo, etc.)
npm verb stack 
npm verb stack : -/user/org.couchdb.user:theblacksmith/-rev/3-f18a79c01312290049758eabb2649dad
npm verb stack     at CachingRegistryClient.<anonymous> (/usr/local/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:234:14)
npm verb stack     at Request._callback (/usr/local/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:172:14)
npm verb stack     at Request.self.callback (/usr/local/lib/node_modules/npm/node_modules/request/request.js:372:22)
npm verb stack     at Request.emit (events.js:98:17)
npm verb stack     at Request.<anonymous> (/usr/local/lib/node_modules/npm/node_modules/request/request.js:1310:14)
npm verb stack     at Request.emit (events.js:117:20)
npm verb stack     at IncomingMessage.<anonymous> (/usr/local/lib/node_modules/npm/node_modules/request/request.js:1258:12)
npm verb stack     at IncomingMessage.emit (events.js:117:20)
npm verb stack     at _stream_readable.js:943:16
npm verb stack     at process._tickCallback (node.js:419:13)
npm verb statusCode 403
npm verb cwd /Users/svallory/projects/theblacksmith/typescript-compiler
npm ERR! Darwin 14.0.0
npm ERR! argv "node" "/usr/local/bin/npm" "login"
npm ERR! node v0.10.33
npm ERR! npm  v2.1.7
npm ERR! code E403

npm ERR! forbidden may not mix password_sha and pbkdf2
npm ERR! You may need to upgrade your version of npm:
npm ERR!   npm install npm -g
npm ERR! Note that this may need to be run as root/admin (sudo, etc.)
npm ERR! 
npm ERR! : -/user/org.couchdb.user:theblacksmith/-rev/3-f18a79c01312290049758eabb2649dad
npm ERR! 
npm ERR! If you need help, you may report this error at:
npm ERR!     <http://github.com/npm/npm/issues>
npm verb exit [ 1, true ]

npm ERR! Please include the following file with any support request:
npm ERR!     /Users/svallory/projects/theblacksmith/typescript-compiler/npm-debug.log

[smikes]

Just to confirm: you couldn't login (after upgrading to 2.1.7), but

after updating my password on the site and deleting ~/.npmrc

Then you were able to log in?

[svallory]

exactly! Well, I couldn't login before the upgrade either, but because of the error shown in #6530

[mohsen1]

FYI
With 2.1.6 I wasn't able to login. Got the same error in #6530 but with 2.1.7 I was able to login.

[raoulmillais]

I also experienced this issue with npm 2.1.6 and 2.1.7 Following the suggestion of the OP and removing the hash from my npmrc and "Changing" (just re-entered it) on npmjs.org solved the issue for me. In case it's relevant I've had an npm account since pretty early on (node v0.4 days) so maybe it's only affecting older accounts?

[smikes]

The relevant line in the debug log seems to be:

npm ERR! forbidden may not mix password_sha and pbkdf2

I think the fix is to upgrade npm and login again:

$ npm install -g npm     # may need sudo
$ npm config del  //registry.npmjs.org/:_password
$ npm login
Username: (default) RET
Password: [enter password]
Email: (this IS public) (default) RET
$ 

And things will be fine. Note that you can hit RET to accept your previous username and e-mail address, provided they're still correct.

Does anybody still get the error after upgrading to >= 2.1.7 and clearing the password entry out of .npmrc? If so, please speak up, otherwise I will recommend this case be closed.

[raoulmillais]

Me. I had to "change" my password on npmjs.org before it worked. The removal of the hash in .npmrc didn't work.

[smikes]

Ah, OK. So that sounds like a change on the back end was needed. I'm guessing (since I haven't looked at node-registry-couchapp) that support for the password_sha auth was recently removed.

Then this would bite everyone who:

1. had an old enough npm account (with password_sha) auth
2. has never changed their password since pbkdf2 became the default
3. now upgrades to a version of npm that no longer supports pbkdf2 password_sha

(fixed error)

[smikes]

Can this issue now be closed?

I have suggested this protocol for a number of people with login problems:

1. change password at https://npmjs.com/password
2. clear login-related fields from ~/.npmrc
3. npm login

and it generally seems to work.

We are trying to clean up older npm issues, so if we don't hear back from you within a week, we will close this issue. (Don't worry -- you can always come back again and open a new issue!)

Thanks!

[othiym23]

That is indeed a good protocol, and one of these days we will have worked all the old passwords out of the system. Closing as resolved.

[ljharb]

This just happened for me :-( I fixed it by changing my password to the exact same value.

Could this not just be automatically done, for everybody, upon any successful login to npmjs.com?

[othiym23]

@ljharb I think that's probably a question for the registry team, and I imagine their answer is that all of the current login code is very close to being replaced, in which case everybody's going to have to log back in anyway (because we're all going to be using bearer token auth in the glorious future). I agree that this is a mystifying and frustrating error to encounter in practice, especially when you're running into it in the context of an erroneous 502 error.

[ReinsBrain]

update: i had to kickstart the upgrade of NPM - once done properly I no longer had issues. So this is not an issue after all : end update
I'm a first-time user, tried the protocol with no luck (same error as others). I don't have a ~/.npmrc file (probably because npm adduser does not complete).

[smikes]

@ReinsBrain , could you please open a new issue at https://github.com/npm/npm/issues so we can work on fixing the problem you're seeing without sending email to all the people above?