2FA security - skipping OTP on npm publish after re-login

What I Wanted to Do

I want to publish my private npm packages to my organization. 2FA for publishing was enabled, and npm-cli should ask for a one-time password and fail the publish when it is not entered.

What Happened Instead

The publish went through and NEVER asked for an OTP.

Reproduction Steps


npm profile get shows “auth-and-writes” for 2FA

This seems like unexpected behaviour: a user is able to publish a package after logging in only once.

Platform Info

$ npm --versions
{ 'custom-package': '1.0.0',
  npm: '5.6.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.3',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }
$ node -p process.platform

Good find! Thank you for reporting this to us. I’ve corrected the issue and just confirmed that your reproduction steps no longer allow publishing without an OTP.

In the future it would also be wonderful if these types of reports were sent directly to us, to give us time to resolve the issue before making it public.

Again, thank you!

Thanks for taking care of this so quickly!

Maybe it’s worthwhile to link to the security policy from the community forum header to promote more responsible disclosure? It currently invites people to report bugs without differentiation.

See the second line in the “about”:

I keep the headers themselves short to make the categories view nicer, but one would hope people would check out the pinned post.

I could have sworn it was not pinned for me earlier. I recreated my account, and it’s pinned for me now.
Anyway, thanks, and keep up the good work!