command similar to whoami for determining current token id


(Matt Travi) #1

it would be very useful to have a command to determine the id of the current token for situations where we cannot access the actual token value.

for example, my team uses encrypted environment variables on travis ci to supply secrets like the npm token. in some cases we use a token for publishing and restrict cidr ranges. in other cases, we use a read-only token when we only need to install, but need access to private packages.

in the above scenario, we cannot view the encrypted variable or the .npmrc file that it is written to. we wouldn’t want to echo that value to the build log for obvious reasons. however, sometimes we get confused about which token should be used for which project or want to confirm that the current machine is allowed in the cidr restriction, but there isn’t really a way to confirm which is used without replacing it.

if we could run a command to get the id of the current token, we could then compare that id against the output of npm token ls to confirm if it is read-only or if the cidr-restrictions include what we need them to.

would it be reasonable to add a command like this?