Support 2FA

[tgriesser]

Tried to use this on Nexus at one point, and was unable to publish because I have 2FA on my npm account. Happy to submit a patch for it, if you have any pointers of where this change should be made that'd be super helpful.

[jasonkuhrt]

Can you share the exact error that you encountered?

A good place to start looking into would be: https://github.com/prisma-labs/dripip/blob/121be2334389ab80c64f8990cc331e155e2a2d9d/src/lib/pacman.ts#L36

[jasonkuhrt]

To help work on this I've enabled npm 2fa for publishing on my account. Here is the error I now get:

$ dripip preview
    Error: The following command failed to complete successfully:

            yarn publish --tag next --no-git-tag-version --new-version 0.10.1-next.1

        It ended with this exit code:

            1

        This underlying error occured (null = none occured):

            null

        It received signal (null = no signal received):

            null

        It output on stderr (null = not spawned in pipe mode):

            error Couldn't publish package: "Can't answer a question unless a user TTY"

        It output on stdout (null = not spawned in pipe mode):

Not sure yet but guessing some possible solutions:

1. Forward tty to spawn and let user deal with it directly
2. Present own prompt and forward passed value
3. In addition to above: Accept new flag where user can pass 2fa info
4. In addition to above: Accept new config where 2fa info will be read from (but I don't think this is how 2fa works, its based on transient codes sent to secondary devices... so this doesn't seem like a viable option for anything?)

-- edit

Re 3: I think a flag is weird for OTP, it has to be an interactive thing, flag gives little value over prompt

Re 4: Yep doesn't make sense, too transient.

[jasonkuhrt]

With 2fa enabled here is the login flow:

❯ npm login                  
Username: dripip-2fa
Password: 
Email: (this IS public) dripip.npm@gmail.com
Enter one-time password from your authenticator app: 437488
Logged in as dripip-2fa on https://registry.npmjs.org/.

[jasonkuhrt]

Some official info here https://docs.npmjs.com/about-two-factor-authentication

[jasonkuhrt]

With 2fa enabled here is the publish flow:

❯ npm publish
npm notice 
npm notice 📦  dripip-system-tests@0.0.0-test.2fa.2
npm notice === Tarball Contents === 
npm notice 0    index.js    
npm notice 255B package.json
npm notice === Tarball Details === 
npm notice name:          dripip-system-tests                     
npm notice version:       0.0.0-test.2fa.2                        
npm notice package size:  300 B                                   
npm notice unpacked size: 255 B                                   
npm notice shasum:        450fcb9886ffba6c2d33d756c438ee946bd400a9
npm notice integrity:     sha512-JuIEwOxVr3CBl[...]Ynz4oHpiq7fPA==
npm notice total files:   2                                       
npm notice 
This operation requires a one-time password.
Enter OTP: 352695
+ dripip-system-tests@0.0.0-test.2fa.2

My conclusion is that when 2fa is enabled we should forward the tty to the user.

I don't think this 2fa flow is designed for CI workflows. There is no tty in CI.

Since the OTP is ephemeral, this isn't something that could really ever be stored as an environment variable.

Therefore bringing 2fa support to dripip is about support its manual use by users, rather than unblocking any issues in CI.

I think when we resolve this issue we need to qualify what we mean when we say we support 2fa.

I also think this feature isn't a top priority since CI publishing is a best practice and what dripip is designed for first.

Still manual publishing is an important escape hatch. And I think it feels uncomfortable to use a tool that won't let you go manual if ever you need to.