https://docs.npmjs.com/getting-started/using-two-factor-authentication
Need a prompt to be able to pass this for publishing, etc. (right before, since not that much time)
EDIT: current workaround is NPM_CONFIG_OTP=123456 lerna publish
I'm worried that we'll have to re-prompt if publishes start failing (due to expired TOTP). Really exposes how un-tested and gnarly our current publish failure handling is. :/
Yeah, that's what happened; also since we published like 100 pkgs and it would expire in between (had to just turn it off).
To help people in the short term, perhaps npm's tokens could help. Creating a wrapper script to generate a token, adding it to your .npmrc then publishing using lerna then removing and deleting the token could work.
Docs: https://docs.npmjs.com/getting-started/working_with_tokens
Other helpful info: https://circleci.com/docs/1.0/npm-private-module-dependency/
For people finding this through Google, I'd like to point out that a good workaround is to set the NPM_CONFIG_OTP environment variable before running lerna publish, e.g.
NPM_CONFIG_OTP=123456 lerna publish
The above solution doesn't seem to work with Yarn & lerna as a devDep, eg:
NPM_CONFIG_OTP=123456 yarn lerna publish
It still fails on the OTP during publication :disappointed:
Because it’s using yarn to publish now, and who knows if they’re compatible with npm 2FA?
On Mar 4, 2018, at 21:17, James Hegedus notifications@github.com wrote:
Fair point. I was under the impression that Yarn read all of npm's configs, wishful thinking. A note for others nonetheless.
Yarn's issue: https://github.com/yarnpkg/yarn/issues/4904
+1 for lerna to prompt for this, although NPM_CONFIG_OTP seems to work ok. Turning off 2FA doesn't seem like a good solution :)
@iarna (from the npm team) suggested running npm pack initially and _then_ prompting for the OTP and publishing the tarballs concurrently. I think this approach has lots of promise!
As a result of the recent compromise, I'd love to be able to enforce 2FA across our org. Is there a way to do the npm pack approach with lerna now or does this need work within lerna itself?
One thing to be aware of is https://github.com/npm/npm/issues/19425. 2FA OTP may timeout during the upload process and thus fail the publish. This is even the case for single npm uploads, so may be also common in lerna context. I'm not saying that 2FA should not be used because of this, just pointing to a related issue that is a big pain for me on slow connections.
Perhaps, lerna could check for 401 during publishing and re-ask OTP in this case?
Great point @kachkaev, it's definitely more of an issue with Lerna given multiple packages even if you have a fast connection (this would be the case with Babel).
It seems like ideally there'd be a way to upload to a temporary location with minimal credentials, then have the 2-factor only be needed for kind of committing those bundles to the registry.
Two phase publishes with staging is something we've been talking about. It's a rather substantial platform change, but it is one we intend to see done.
@iarna Cool! I don't doubt that it'd be quite a large change. Thanks to you and everyone at npm for all your hard work :)
I was chatting about this with Ceej today and we may have an alternative and _much easier to implement_ solution for you all:
Time-limited tokens. You could create an access token for the purposes of publication that does not require 2fa and is valid for the next 5 or 10 minutes. Then use that during the various publications.
Creating the token would require 2fa, but using it would not. And it would auto-delete itself after it times out.
That seems like it'd be a great solution.
That seems like a great solution in general, not just for monorepos. @iarna, any possibility of being able to customize longer periods? Like an hour, perhaps?
Created a thread on npm.community to track/discuss the suggested time-limited token idea outside of this issue.
Any relevant news on this topic? NPM_CONFIG_OTP is not working for us, because we have a lot of packages, which cannot be processed within 30 secs.
I've mentioned this elsewhere (and perhaps it's already been included), but the only thing I'm aware of that lerna can do to improve the situation as things stand today, would be to generate the tarballs first (npm pack), and then after they're produced, publish them with npm publish <tarball name>. This will at least limit the publication delay to what's happening on the registry, though it probably won't be sufficient to eliminate these issues for users with 100+ modules. The window for publication is actually a bit longer than 30 seconds, but not hugely so.
Time limited tokens _are_ on our list of features we'd like to add to 2fa tokens, both from npm's security team and from my own, but work is not yet scheduled to add them and I'm afraid I don't yet have a timeline for that.
Another thought is that libnpmpublish may help in directly integrating publication into lerna, as it would eliminate the external-process delay. However, it's currently lacking one key puzzle-piece, which is an npm-compatible config loader that can get the registry authentication tokens. That's on our immediate roadmap however, and I expect we'll have it available in January.
I have implemented the "pack first, publish second" algorithm, but unfortunately you still can't run the two phases separately, passing an up-to-date OTP before the publish phase only.
I have a branch with tentative beginnings, mostly about querying the registry to see if 2FA is required. I haven't gotten around to refactoring the publish loop into an E401-catching, OTP-prompting, restartable queue, however...
@evocateur tonight I started working on OTP support, without realising you'd already started working on it (I forgot to check this issue before starting). I've made a few changes:
- npm-publish to be able to detect OTP failures for both npm and yarn, with fixtures and tests
- npm-publish to not remove package tarballs, and instead do that as part of the publish command; this gives a clearer separation of concerns.

I think you've definitely the better direction over in your branch, and I'd be happy to collaborate where possible.
@evocateur my next step was looking into how the publishes actually work, catching the PublishError that I created, and then retrying the batch after requesting a new OTP.
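The "pack first, publish second" loop with an OTP-retrying queue that several comments above describe (npm pack everything up front, then publish the tarballs and, on a stale or missing one-time password, prompt for a fresh code and resume from the failed package) can be sketched as follows. This is an added example, not lerna's code or npm's; `pack` and `publishTarball` are injected stand-ins for `npm pack` and libnpmpublish, the `fakeRegistry` and its 30-second window are constructed to run offline, and treating an error with code `EOTP`, or `E401` whose body mentions "one-time pass", as an OTP failure is an assumption about how npm reports it.

```javascript
// Added example (not lerna's own code): pack all packages first, then publish
// the tarballs through a queue that asks for a new OTP when the registry
// rejects a stale one and resumes at the failed package.
//
// Assumptions, not taken from the thread:
//  - pack(pkg) and publishTarball(tarball, { otp }) are injected; in real use
//    they would wrap `npm pack` / libnpmpublish.
//  - An OTP failure is an error with code "EOTP", or "E401" whose body mentions
//    "one-time pass" (assumed to match how the npm CLI classifies it).

function isOtpError(err) {
  if (!err) return false;
  if (err.code === 'EOTP') return true;
  return err.code === 'E401' && /one-time pass/i.test(String(err.body || err.message || ''));
}

// Phase 1: build every tarball locally. Slow, but needs no OTP.
async function packAll(pkgs, pack) {
  const tarballs = [];
  for (const pkg of pkgs) tarballs.push({ name: pkg.name, tarball: await pack(pkg) });
  return tarballs;
}

// Phase 2: publish in order. Only advance on success, so a retry after a new
// OTP re-sends the same tarball and already-published packages are not repeated.
async function publishAll(tarballs, { publishTarball, promptOtp, otp, maxOtpPrompts = 5 }) {
  const published = [];
  let prompts = 0;
  let i = 0;
  while (i < tarballs.length) {
    const { name, tarball } = tarballs[i];
    try {
      await publishTarball(tarball, { otp });
      published.push(name);
      i += 1;
    } catch (err) {
      if (!isOtpError(err)) throw err; // anything but an OTP problem is fatal
      if (prompts >= maxOtpPrompts) throw new Error(`gave up after ${prompts} OTP prompts at ${name}`);
      prompts += 1;
      otp = await promptOtp(name); // fresh code, then retry this package
    }
  }
  return { published, prompts };
}

async function packThenPublish(pkgs, deps) {
  const tarballs = await packAll(pkgs, deps.pack);
  return publishAll(tarballs, deps); // the OTP window only starts being spent here
}

// Constructed, offline stand-in for the registry: each publish costs
// secondsPerPublish on a simulated clock, and a code is accepted only within
// otpWindow seconds of being issued. A rejected attempt still costs upload time.
function fakeRegistry({ secondsPerPublish = 10, otpWindow = 30 } = {}) {
  let now = 0;
  const issued = new Map(); // otp -> time issued
  return {
    issueOtp() {
      const code = String(100000 + issued.size);
      issued.set(code, now);
      return code;
    },
    async publishTarball(tarball, { otp }) {
      now += secondsPerPublish;
      const t = issued.get(otp);
      if (t === undefined || now - t > otpWindow) {
        const e = new Error('This operation requires a one-time password');
        e.code = 'E401';
        e.body = 'Unauthorized: one-time pass required';
        throw e;
      }
      return { tarball, otp };
    },
  };
}

// Eight packages at 10 s each against a 30 s window: the first code covers
// three publishes, so the queue must prompt twice (at pkg-3 and pkg-6).
async function demo(count = 8) {
  const pkgs = Array.from({ length: count }, (_, i) => ({ name: `@scope/pkg-${i}` }));
  const reg = fakeRegistry();
  const prompted = [];
  const result = await packThenPublish(pkgs, {
    pack: async (pkg) => `${pkg.name.replace('/', '-')}-1.0.0.tgz`,
    publishTarball: reg.publishTarball,
    otp: reg.issueOtp(),
    promptOtp: async (name) => { prompted.push(name); return reg.issueOtp(); },
  });
  return { ...result, prompted };
}
```

Call `demo()` to see the shape of the result: all eight packages end up published, with exactly two re-prompts, none of the already-published packages being re-sent. In a real tool `promptOtp` would read from the terminal, which is also why the queue must own the prompt rather than relying on a spawned `npm publish` to show one.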
At WordPress we have almost 50 packages maintained with Lerna: https://www.npmjs.com/org/wordpress. It almost impossible to publish more than 15 updated packages with one 2FA token. It would be awesome if you could ask to provide the token again when timeout happens. Is there any way we could contribute to this task?
@gziolo Have a look at #1767 and see if the approach forwards makes sense to you?
It is a major change, but I think it's the best way out of the current complexities that we have in lerna publish.
@ThisIsMissEm, how nice. Thanks for opening this issue. I will take a closer look tomorrow and open an issue in our repository with the detailed description of what issues we had so far and how we would like to update our workflow to make it easier to maintain. I will re-share in the linked issue. We also plan to discuss this a bit tomorrow during weekly WordPress core JS chat.
FYI: When I was attempting to publish the @wordpress packages with Lerna a couple of days ago I had switched my npmjs.com 2FA profile to authorization only mode, fully expecting that supplying a valid npm OTP token at the start of the lerna publish command would be sufficient, it wasn't, it still failed to publish the packages due to OTP time out.
Should this have worked? I was logged in, checked by npm whoami; should I have logged out and back in again first to allow npm to pick up my new 2FA profile of authorization only mode?
Thanks @ThisIsMissEm, the reply on that thread states the issue has been resolved
I’ve been using the NPM_CONFIG_OTP variable, but it fails often because the one time password expires before publishing finishes.
Until full support for npm 2fa has been implemented in Lerna, would it be reasonable to change the options npm/Yarn is spawned with to use stdio = 'inherit'? This would allow npm/Yarn to show the normal prompt for OTP when authentication fails due to 2FA. Right now it's not shown because the command runs with a non-TTY input stream.
We could probably add that as a flag, but changing the default behavior would be a breaking change.
I'd consider this a good stop-gap solution.
On 3. Dec 2018, at 20:46, Ville Immonen notifications@github.com wrote:
What's the status of the https://github.com/lerna/lerna/tree/one-time-password-to-rule-them-all branch? I keep doing local patches of it as it is currently the only solution for using lerna with OTP
Can you point me in the right direction as to which file I need to update/patch to change the stdio to "inherit"?
Thanks!! :)
Lerna no longer calls npm publish in a subprocess, so that solution is no longer possible.
On Mar 5, 2019, at 15:28, Richard Moore notifications@github.com wrote:
I see. That may explain why the export technique isn’t working for me either then?
Is there any existing work around? Even if it involves patching the bin/lerna?
@imaman Can you share your technique for patching? :)
@ricmoo implementation details aside, i've had a ton of success with: https://github.com/ds300/patch-package
@ricmoo: there's a branch called "one-time-password-to-rule-them-all" which contains a proposed solution.
Link to the branch: https://github.com/lerna/lerna/tree/one-time-password-to-rule-them-all
@busticated Oh, I meant specifically what lines and files to modify for the purpose of OTP w/ Lerna. :)
@imaman Is that safe? I checked it out the other day and it was 114 commits behind... :s (or do you mean just copy the otpplease and co?)
@ricmoo: The actual fix is very small so I selectively copied only this part. Unfortunately, I am away from my laptop for the next 10 days so I can't send you a copy-and-paste snippet.
@imaman No worries, that helps a tonne. I'll copy it over (maybe experiment with a smaller test repo first). :)
Published in v3.14.0. Used it to publish it, even. ^_^