[RRFC] require authentication only once during one single npm publish using workspaces

[Lusito]

Motivation ("The Why")

I have a lot of mono-repos, which want to be published every once in a while. When using the workspace option to publish multiple packages at once, I get multiple prompts for authentication.

Yes, I can check the checkbox in the web-UI to not be prompted within the next 5 minutes, but that is not my intention in this case. I only want to publish the specified packages. The option to not be bothered for 5 minutes also seems like an unnecessary risk for this use-case.

I remember, that at least some time ago, lerna was able to publish multiple packages with one OTP prompt. Not sure how they did it, but that was comfortable. Not sure if they still support it though, haven't used it in a while.

Example

I have a mono-repo with 3 packages.

• I adjust the versions on 2 of them and want to publish them via CLI.
• I run npm publish --access public -w pack1 -w pack2
• I have published my packages successfully

How

Current Behaviour

When I run npm publish --access public -w pack1 -w pack2, I have two options for authentication:

• open the web-UI authentication link once per package to be released
• open the first web-UI authentication link and check the checkbox to not be bothered for the next 5 minutes

Desired Behaviour

When I run npm publish --access public -w pack1 -w pack2, I get only one web-UI authentication link, even if I don't check the checkbox to not be bothered for 5 minutes.

References

• n/a

[ljharb]

You can still use the OTP on the cli, and that will give you a time window as well, using the legacy auth config.

[Lusito]

Thanks for the quick response. I will try that, but legacy sounds like it might be removed soon.

Aside from that I still think this should work like I proposed.

[Lusito]

So, I just tried it and the legacy auth has the same issue: I get asked for the OTP twice.

[ljharb]

It’s an unfortunate name, yes.

I think i misunderstood your issue; you want to run one publish command for multiple packages at once, but the way npm workspaces works is to run the command once for each package.

[Lusito]

I might have misunderstood you too. I just read, that you can specify the OTP as a CLI parameter (I thought you meant enter it in the CLI prompt). Using the CLI parameter seems to work. I can work with that as long as it's just unfortunate naming and the auth-type doesn't go away soon.

I still think it is an annoying behavior for the web-UI, but I assume there are more important issues to solve, so I can close this issue if that's what you prefer.

Thanks!