Check if 2FA is enabled in verifyConditions

[felixfbecker]

I don't know if this is an npm issue, but my publishes fail since I enabled 2FA. I wanted others to be aware of this

[Semantic release]: Publishing version 1.2.3 to npm registry
[Semantic release]: An error occurred while running semantic-release: { Error: Command failed: npm publish
npm ERR! publish Failed PUT 401
npm ERR! code E401
npm ERR! 404 You must provide a one-time pass. You can provide one using the "--otp" flag. : cli-highlight
npm ERR! 404 
npm ERR! 404  'cli-highlight' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in:
npm ERR!     /home/travis/.npm/_logs/2017-11-30T19_59_44_322Z-debug.log
    at Promise.all.then.arr (/home/travis/build/felixfbecker/cli-highlight/node_modules/@semantic-release/npm/node_modules/execa/index.js:236:11)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:188:7)
  code: 1,
  killed: false,
  stdout: '',
  stderr: 'npm ERR! publish Failed PUT 401\nnpm ERR! code E401\nnpm ERR! 404 You must provide a one-time pass. You can provide one using the "--otp" flag. : cli-highlight\nnpm ERR! 404 \nnpm ERR! 404  \'cli-highlight\' is not in the npm registry.\nnpm ERR! 404 You should bug the author to publish it (or use the name yourself!)\nnpm ERR! 404 \nnpm ERR! 404 Note that you can also install from a\nnpm ERR! 404 tarball, folder, http url, or git url.\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /home/travis/.npm/_logs/2017-11-30T19_59_44_322Z-debug.log\n',
  failed: true,
  signal: null,
  cmd: 'npm publish',
  timedOut: false }
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! cli-highlight@0.0.0-development semantic-release: `semantic-release`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the cli-highlight@0.0.0-development semantic-release script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR!     /home/travis/.npm/_logs/2017-11-30T19_59_44_346Z-debug.log
The command "npm run semantic-release" exited with 1.

npm 5.5.1

[felixfbecker]

It only works if you enabled 2fa with auth-only.

[gr2m]

Yes, we are aware of the problem. There is not much we can do, besides setting the auth-only. It is something we have to document.

The problem is that if you enable 2FA without it, you cannot automate the release of your packages, which renders semantic-release pretty useless.

I wonder if we can somehow check for that and give a good, explanatory error message ... could you find that out? That’d be super helpful :)

[felixfbecker]

Yeah, just run

> npm profile get "two factor auth"                                                                                     
auth-only

[pvdlg]

The challenge is that npm profile probably doesn't work with other repo (Artifactory, npm-registry-couchapp).

The the check would have to be done only when the repo is https://registry.npmjs.org/.

I don't know how to write unit tests to verify it works...

[felixfbecker]

Something like this should catch it

let stdout
try {
  stdout = await exec('npm profile get "two factor auth"')
} catch {
  // ignore
}
if (stdout.trim() === 'auth-and-writes') {
    throw new Error('Your two-factor authentication is set to auth-and-writes. To publish packages automatically, please set it to auth-only')
}

[pvdlg]

Yes that's a good idea. But how would you write unit tests?

[felixfbecker]

Unit test is simple, stub exec to return auth-and-writes, auth-only or throw when called with npm profile get. Integration test would be hard but I don't think we need one.

[pvdlg]

Ok. Would you like to try a PR?

Ultimately, I'd like to have an integration test solution that works like the real registry. But so far I couldn't find what npm use to handles tokens.