npm dist-tag add with 2FA enabled fails for non-latest tag with 500


(Scott Trinh) #1

According to the CLI docs for dist-tag:

If the tag you’re adding is latest and you have two-factor authentication on auth-and-writes then you’ll need to include an otp on the command line with --otp.

However, I just attempted to update my next tag without passing --otp <OTP>, and it failed with a 500. I’d be happy to make a PR to the docs, but I wanted to make sure I understood the rule here. Did this fail because it was updating an existing tag, rather than adding a new tag? I looked through the npm-registry-client code, and I didn’t find the business logic there, but if there is some other place I can look to derive the proper rule, I’d be happy to write something up.

Thanks npm team for being awesome!


(Rebecca Turner) #2

This seems to have been an intermittent server issue. At least, I can’t reproduce it. I get 401’s when doing what you described:

npm ERR! code E401
npm ERR! Registry returned 401 for PUT on https://registry.npmjs.org/-/package/aproba/dist-tags/latest

To be clear, you can specify an existing tag and it’ll change it. If you have 2FA enabled, you do need to specify --otp and if you don’t, you should get a 401 as above.


(Scott Trinh) #3

Awesome, thanks for the clarification Rebecca! So maybe the docs should read:

If you have two-factor authentication on auth-and-writes then you’ll need to include a one-time password on the command line with --otp <one-time password>.

Does that capture the rule correctly?


(Rebecca Turner) #4

Yup, looks good! :+1:

