`npm login/adduser` combines authentication and registration. Can lead to publishing internal artefacts.


(George) #1

What I Wanted to Do

I had a problem on my remote CI. So I decided to take the credentials of our private npm repository (via Nexus) and test a local publish. I logged in with user + password by using npm adduser (which is an alias for npm login).

What Happened Instead

  1. I forgot to provide the registry when I executed npm adduser.
  2. This created a new user on the public npm repository instead of authenticating me.
  3. During the publish I provided the registry url again. So the publish failed and brought me to the conclusion that I just created a new user with the user + password credentials of my internal npm registry.

Reproduction Steps

npm adduser
Username: <choose a random string>
Password: <choose a random string>
Email: test@example.com

Results in:

Logged in as on https://registry.npmjs.org/.

Details

This behaviour is really dangerous. If the registry URL is not set (by accident or env failure), you could end up creating a new npm account, followed by a publish of your internal artefact to the public npm.

The solution is easy - separate authentication and registration.

  1. Remove registration functionality from npm adduser/login
  2. Provide a separate cli action like npm register or npm registeruser

What are the motives to combine both concerns into npm adduser?
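The failure mode described in the post (registry defaulting to registry.npmjs.org when nobody passed it) can be caught before `npm publish` runs. The script below is an added example, not part of the original post or of the npm CLI: a POSIX sh wrapper that resolves the effective registry (from `npm config get registry`, overridden by a `--registry=` argument), classifies it against an allow-list of internal hosts, and only then runs the real publish. The host name nexus.example.internal and the allow-list are constructed placeholders; the `--registry` flag and `npm config get registry` are real npm CLI features.

```shell
#!/bin/sh
# Guard for `npm publish`: refuse when the effective registry is not an
# approved internal one. Added example; the internal host name below is a
# constructed placeholder, not a value from the original post.
set -eu

# Space-separated allow-list of internal registry hosts (assumption).
ALLOWED_REGISTRY_HOSTS="nexus.example.internal"
# Host of the public registry that `npm adduser` falls back to.
PUBLIC_REGISTRY_HOST="registry.npmjs.org"

# Extract the host part of a registry URL: strip scheme, path and port.
registry_host() {
  host=${1#*://}      # drop scheme (https://)
  host=${host%%/*}    # drop path (/repository/npm-private/)
  host=${host%%:*}    # drop port (:8081)
  printf '%s\n' "$host"
}

# Return 0 when the URL points at an allowed internal registry, 1 otherwise.
registry_allowed() {
  h=$(registry_host "$1")
  for allowed in $ALLOWED_REGISTRY_HOSTS; do
    [ "$h" = "$allowed" ] && return 0
  done
  return 1
}

# Classify a registry URL for reporting: internal, public or unknown.
registry_class() {
  h=$(registry_host "$1")
  if registry_allowed "$1"; then
    echo internal
  elif [ "$h" = "$PUBLIC_REGISTRY_HOST" ]; then
    echo public
  else
    echo unknown
  fi
}

# Drop-in for `npm publish`: resolve the effective registry, then publish
# only when it is internal. Any --registry=... argument wins over the
# npm config value, mirroring what npm itself would use.
guarded_publish() {
  registry=$(npm config get registry)
  for arg in "$@"; do
    case "$arg" in
      --registry=*) registry=${arg#--registry=} ;;
    esac
  done
  case "$(registry_class "$registry")" in
    internal) npm publish --registry="$registry" "$@" ;;
    public)   echo "refusing: registry is public npm ($registry)" >&2; return 1 ;;
    *)        echo "refusing: registry is not on the allow-list ($registry)" >&2; return 1 ;;
  esac
}

# When run directly with npm available, act as the guard; otherwise the
# functions above are just defined (safe to source in CI).
if [ "${1:-}" = "--publish" ] && command -v npm >/dev/null 2>&1; then
  shift
  guarded_publish "$@"
fi
```

Usage in CI would be `sh publish-guard.sh --publish --registry=https://nexus.example.internal/repository/npm-private/`. The same mistake on the login side is avoided by always passing the registry explicitly (`npm login --registry=<url>`) or pinning `registry=` in a project `.npmrc`, so the public default never applies.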