2FA security - skipping OTP on npm publish when relogin

cli
registry
security
priority:high
triaged

(Michael Duve) #1

What I Wanted to Do

I want to publish my private npm packages to an organization. 2FA for publishing was enabled, so npm-cli should ask for a one-time password and fail publishing when it is not entered.

What Happened Instead

The publish went through and NEVER asked for an OTP.

Reproduction Steps

  • npm logout
  • (on npmjs.com) enable 2FA ONLY for authentication
  • npm login
  • (on npmjs.com) enable 2FA for authentication AND publishing
  • npm publish (went through)
  • npm logout
  • npm login
  • npm publish (fails)

Details

npm profile get shows “auth-and-writes” for 2FA

This seems like unexpected behaviour: a user is able to publish a package after logging in only once.

Platform Info

$ npm --versions
{ 'custom-package': '1.0.0',
  npm: '5.6.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.3',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }
$ node -p process.platform
darwin
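As an added illustration (not npm's registry code and not part of this thread), a small JavaScript model of the behaviour the reproduction steps describe. It assumes one mechanism consistent with those steps: the write-OTP requirement was decided from the 2FA mode captured when the token was issued, rather than from the user's current profile on every write; the user, token and mode names are constructed.

```javascript
// Hypothetical in-memory model; both publish variants are assumptions, not npm's code.
const users = new Map();  // username -> { tfaMode: 'auth-only' | 'auth-and-writes' }
const tokens = new Map(); // token -> { user, tfaModeAtLogin }

function login(user, token) {
  // Snapshot of the profile at login time, the state a stale check would rely on.
  tokens.set(token, { user, tfaModeAtLogin: users.get(user).tfaMode });
}

function setTfaMode(user, mode) {
  users.get(user).tfaMode = mode; // e.g. user turns on 2FA for writes on npmjs.com
}

// Vulnerable variant: requirement fixed at login, so enabling 2FA for writes
// later has no effect until the user logs out and back in.
function publishStale(token, otp) {
  const session = tokens.get(token);
  if (!session) return { ok: false, reason: 'unauthenticated' };
  if (session.tfaModeAtLogin === 'auth-and-writes' && !otp) {
    return { ok: false, reason: 'otp-required' };
  }
  return { ok: true };
}

// Hardened variant: re-read the current profile on every write; a token issued
// before 2FA-for-writes was enabled is still challenged. (A real registry
// would also verify the OTP value, not only its presence.)
function publishCurrent(token, otp) {
  const session = tokens.get(token);
  if (!session) return { ok: false, reason: 'unauthenticated' };
  const mode = users.get(session.user).tfaMode;
  if (mode === 'auth-and-writes' && !otp) return { ok: false, reason: 'otp-required' };
  return { ok: true };
}

// Replays the thread's steps and returns [firstPublishOk, secondPublishOk].
function reproduce(publish) {
  users.clear(); tokens.clear();
  users.set('alice', { tfaMode: 'auth-only' }); // 2FA only for authentication
  login('alice', 'tok1');                         // npm login
  setTfaMode('alice', 'auth-and-writes');         // enable 2FA for publishing too
  const first = publish('tok1', undefined);       // npm publish, no OTP supplied
  tokens.delete('tok1');                          // npm logout
  login('alice', 'tok2');                         // npm login
  const second = publish('tok2', undefined);      // npm publish, no OTP supplied
  return [first.ok, second.ok];
}
```

With the stale check the first publish succeeds and only the second is blocked, matching the report; with the current-profile check both are refused without an OTP.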

(Nathan LaFreniere) #2

Good find! Thank you for reporting this to us. I’ve corrected the issue and just confirmed that your reproduction steps no longer allow publishing without an OTP.

In the future it would also be wonderful if these types of reports were sent to security@npmjs.com directly to give us time to resolve the issue before making it public.

Again, thank you!


(Kat Marchán) #4

See the second line in the “about”:

I keep the headers themselves short to make the categories view nicer, but one would hope people would check out the pinned post.