Cannot publish large package with 2FA enabled and slow network

security
registry

(Andreas Lind) #1

What I Wanted to Do

Publish a large package on my slow ADSL while having 2FA enabled:

name:          cldr
version:       4.11.0
package size:  20.2 MB
unpacked size: 167.1 MB

npm publish

What Happened Instead

After 2 and a half minutes, the 401 error and the 2FA prompt appeared. I entered the code, waited another 2 and a half minutes, and got the prompt again. Etc.

Reproduction Steps

TBH I’ve only tried it with the cldr package, but I suspect it’s a general problem, so:

  1. Enable 2FA for your account
  2. Maybe throttle your Internet connection
  3. Try to publish a large package

Details

I think what’s going on is that the 2FA code isn’t validated until the complete request has been received, and at that point it’s no longer valid due to the time sensitivity.

I propose validating the 2FA code as early as possible instead of waiting.

Also, for packages of non-trivial size it seems wasteful to have to upload the complete package in order to get the initial 401. Maybe something like Expect: 100-continue could be used to avoid that?

Platform Info

$ npm --versions
{ cldr: '33.0',
  npm: '6.2.0',
  ares: '1.14.0',
  http_parser: '2.8.0',
  icu: '61.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.4.1',
  openssl: '1.1.0h',
  tz: '2018c',
  unicode: '10.0',
  uv: '1.20.3',
  v8: '6.7.288.45-node.7',
  zlib: '1.2.11' }
$ node -p process.platform
linux

2FA prevents uploads on slow connections
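
The proposal in post #1 (validate the code when the headers arrive, and use Expect: 100-continue so nothing is uploaded before the check), as an added example that is not part of the thread and not npm's registry code. It assumes the code arrives in the `npm-otp` request header and that the server holds the account's TOTP secret; `createRegistry` and `decideOnHeaders` are hypothetical names.

```javascript
// Added example, not npm registry code. Assumption: the client sends its code
// in the `npm-otp` request header and the server knows the account's TOTP secret.
const { createHmac, timingSafeEqual } = require('node:crypto');
const http = require('node:http');

const STEP = 30; // seconds per TOTP time step (RFC 6238 default)

// RFC 6238 TOTP, HMAC-SHA1, 6 digits, for the step containing unixSeconds.
function totp(secret, unixSeconds) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.max(0, Math.floor(unixSeconds / STEP))));
  const mac = createHmac('sha1', secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation, RFC 4226
  return String((mac.readUInt32BE(offset) & 0x7fffffff) % 1e6).padStart(6, '0');
}

// Accept the current step plus `drift` steps either side, compared in constant time.
function otpValid(code, secret, unixSeconds, drift = 1) {
  const given = Buffer.from(String(code));
  let ok = false;
  for (let d = -drift; d <= drift; d++) {
    const want = Buffer.from(totp(secret, unixSeconds + d * STEP));
    if (given.length === want.length && timingSafeEqual(given, want)) ok = true;
  }
  return ok;
}

// Decision taken from the headers alone, before any tarball byte is read.
function decideOnHeaders(headers, secret, unixSeconds) {
  return otpValid(headers['npm-otp'] || '', secret, unixSeconds) ? 100 : 401;
}

function createRegistry(secret) {
  const handle = (expectsContinue) => (req, res) => {
    if (decideOnHeaders(req.headers, secret, Date.now() / 1000) === 401) {
      res.writeHead(401, { connection: 'close' }); // reject without reading the body
      return res.end();
    }
    if (expectsContinue) res.writeContinue(); // only now does the client upload
    let bytes = 0;
    req.on('data', (chunk) => { bytes += chunk.length; });
    req.on('end', () => { res.writeHead(201); res.end(JSON.stringify({ bytes })); });
  };
  const server = http.createServer(handle(false));
  server.on('checkContinue', handle(true)); // fires for `Expect: 100-continue`
  return server;
}
```

With the RFC 6238 test secret, the code for t = 59 s passes `decideOnHeaders` at header time and fails the same check 150 seconds later, the delay reported in post #1.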
(system) #2

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.