npm two-factor authorization error

[sapegin]

Can’t make it work with npm 2FA:

$ semantic-release pre && npm publish && semantic-release post
[Travis Deploy Once]: Success at attempt 1. All 2 jobs passed.
npm ERR! publish Failed PUT 401
npm ERR! Linux 4.9.6-040906-generic
npm ERR! argv "/home/travis/.nvm/versions/node/v6.12.2/bin/node" "/home/travis/.nvm/versions/node/v6.12.2/bin/npm" "publish"
npm ERR! node v6.12.2
npm ERR! npm  v3.10.10
npm ERR! code E401

npm ERR! You must be logged in to publish packages. : textlint-rule-terminology
npm ERR! 
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>

npm ERR! Please include the following file with any support request:
npm ERR!     /home/travis/build/sapegin/textlint-rule-terminology/npm-debug.log

Full log is here. Looks like I’m missing something, but I couldn’t find anything in the docs or issues.

[pvdlg]

Can you update to semantic-release version 11.0.2 ? That should give you more detailed logs.

You can use 2FA for your npm account, but you have to make sure to use a deploy token: https://npme.npmjs.com/docs/workflow/travis.html.

[sapegin]

It was 11.0.2:

$ npm install -g semantic-release
/home/travis/.nvm/versions/node/v6.12.2/bin/semantic-release -> /home/travis/.nvm/versions/node/v6.12.2/lib/node_modules/semantic-release/bin/semantic-release.js
/home/travis/.nvm/versions/node/v6.12.2/lib
└─┬ semantic-release@11.0.2 

And looks like this guide is for npm Enterprise. I can’t find anything about deployment tokens for normal npm.

[pvdlg]

If you use v11.0.0, your should do semantic-release instead of semantic-release pre && npm publish && semantic-release post. This has changed recently.

You need to create a token with the npm CLI:npm token create, and add it to Travis environment variable with the name NPM_TOKEN.

Also I'm not sure if npm install --no-save semantic-release-tamia has an impact....

[felixfbecker]

@sapegin do you have your 2FA set to auth-only or auth-and-writes? auth-and-writes doesn't work because it would prompt for a code on every automatic publish

[sapegin]

Yes, it works with auth-only.

auth-and-writes doesn't work because it would prompt for a code on every automatic publish

That’s why I’ve created this issue.

[felixfbecker]

Then the description is misleading though. It does work with 2fa, just not if you configure it to prompt for OTPs during publishing (that would be impossible). Better error reporting is tracked here: semantic-release/npm#11

[pvdlg]

@sapegin Should we close this issue in favor semantic-release/npm#11?

I also created semantic-release/npm#30 in order to improve the npm plugin doc regarding 2FA.

[sapegin]

It does work with 2fa, just not if you configure it to prompt for OTPs during publishing

This isn’t 100% correct, because it’s a default mode, so you have to configure it not to prompt for OTP :-)

Should we close this issue in favor

Yeah, I guess we can’t really fix that on semantic-release side.

[markusguenther]

I tried that and with 2fa npm publish is not working. Even when it is configured to auth only.
Always get the error that I need to provide a OTP.

[travi]

was the token created while your account was configured for auth-and-writes and then your account was switched to auth-only? i think it matters when the token was created

fwiw, i have been successfully publishing with semantic-release with my account using 2fa for auth-only for quite some time, so i can at least confirm it does work. my bet would be that it is related to the token you are trying to use.

[markusguenther]

Ah so you mean the Token knows that I have configured 2FA with auth-and-write no matter what I configure later. So with a new token it should work out. By the way I tested it before with a test package and that worked with 2FA auth only but the package had no scope. Maybe the scope is the problem. Matt Travi <notifications@github.com> schrieb am Mi. 15. Aug. 2018 um 03:57:

was the token created while your account was configured for auth-and-writes and then your account was switched to auth-only? i think it matters when the token was created fwiw, i have been successfully publishing with semantic-release with my account using 2fa for auth-only for quite some time, so i can at least confirm it does work. my bet would be that it is related to the token you are trying to use. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#572 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA95bpbpe3hIrXTwn9zlj_7RnF2xAxJTks5uQ4AigaJpZM4RJjTp> .

-- Von Gmail Mobile gesendet mit dem iPad gesendet - ich bitte Tippfehler zu entschuldigen.

[markusguenther]

I tried it now with a new token that I have created after auth-only was active and I still have the problem with the OTP message.

Travis has the NPM_TOKEN in the settings and I have no clue what really goes wrong.
I tested before on a extra package for testing and the only thing that is different now is the case that this package is from an organisation.

Would be great if someone has a hint. Will test the extra package now with the organisation and may this is then the issue.

[markusguenther]

Ok found the issue ... before I used semantic release I required 2fa on npm for the package and that setting seems to break the whole behaviour with the tokens.

Thank you anyway.
You all created a great package or better ecosystem of packages :)

[Almenon]

For people coming into this thread you can figure out if you have auth-only set by executing npm profile get on the command line.