How do I publish a package to npm using an API key? - npm

NPM gives the ability to create access tokens with the right to publish packages to the NPM registry, assuming that you've set the package settings to "Require two-factor authentication or automation tokens" in "Publishing access" (and so implicitly it requires 2FA to be enabled, I assume).
How do I use this token to publish? I've checked the output of npm publish -- it asks for an OTP code, either as a prompt or a flag, and before I enabled 2FA it asked me for my password again. Using a fixed token would be easier than having to pull up my authenticator app. I could disable 2FA, but getting the token working is preferable.

For verdaccio or similar you can use this:
> npm config set registry http://verdaccio/npm/
# then create and update local .npmrc file:
> npm config set _authToken=%YOUR_ACCES_TOKEN%
# and publish pointing to your registry
> npm publish --registry http://verdaccio/npm/
For proget:
[~]$ npm config set registry http://proget/npm/private-npm
[~]$ npm config set always-auth true
[~]$ npm config set _auth {ENCODEDAPIKEY}
[~]$ npm config set email {email address}
# then as usual
[~]$npm publish --registry {YOUR_REGISTRY}
Instructions are here proget and here verdaccio

The npm registry has 3 different kinds of token: Read-only, Automation, and Publish.
It sounds like you created a Publish token. You need to create an Automation token instead, since this is the only one that bypasses 2FA.

Related

Setting Nexus auth token from the commandline

I figured this would be a problem that has been solved a million times over, but I just can't find the solution. I wish to setup my Java Maven project to install Angular dependencies from my private Nexus server. I use the frontend-maven-plugin to install a new npm every time, so the configuration must be available for that npm for it to work.
I know I can add the following to my .npmrc file and it works:
registry = http://nexus.global.dns/repository/npm-all/
_authToken = NpmToken.xxx
always-auth = true
The problem I have with this solution is that the auth token gets checked into git and that I have to remove it every time I work outside of my network, where I do not have access to the nexus server. This happens for example when I am developing something for the frontend away from home as my nexus server is not on the cloud. So I wish for nexus to be used only by my jenkins pipelines which will use the frontend-maven-plugin.
I figured I would set the registry the commandline way but that is proving to be a challenge. In my frontend-maven-plugin I have set up executions that run the following lines:
npm set registry http://nexus.global.dns/repository/npm-all/
npm //nexus.global.dns/:_authToken=${NEXUS_NPM_AUTH_TOKEN}
npm install --no-package-lock
This returns a 401 error as it is not able to authenticate: Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"
My next attempt was to remove the explicit mention of the repository I want to use from Nexus, because maybe it can figure out which one it should use:
npm set registry http://nexus.global.dns
npm //nexus.global.dns/:_authToken=${NEXUS_NPM_AUTH_TOKEN}
npm install --no-package-lock
Authentication now seemingly works, but it is trying to pull the dependencies from http://nexus.global.dns as expected. I get the following error: 404 Not Found - GET http://nexus.global.dns/#angular-builders%2fjest
If I navigate to http://nexus.global.dns/repository/npm-all/#angular-builders%2fjest instead I do get the dependency's package.json as a response.
Clearly the registry should be http://nexus.global.dns/repository/npm-all/ but I can't get authentication to work with the command line. I have also tried:
npm //nexus.global.dns/repository/npm-all/:_authToken=${NEXUS_NPM_AUTH_TOKEN}
but this does not work either. How do I set the auth token for my Nexus private server through the command line?

Verdaccio: how to publish to custom server from Github Actions with proper credentials?

I have a working verdaccio server hosted on a google cloud server. I am able manually publish to it, but am struggling to create a GitHub Action to publish to it when I push to master branch.
I have a script that works perfectly when publishing to npmjs public repo. Here is the relevant part that works for npmjs.org
- name: Publish to npm
if: steps.semantic.outputs.new_release_published == 'true'
run: |
yarn install
git checkout upm
npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
Now, for my own server, I have included the following addition in package.json:
"publishConfig": {
"registry": "http://my.ip.0.0:port"
},
And then in the repositories secrets, I have created an NPM_TOKEN secret with my user's token copied from my computer's .npmrc file after logging in.
I'm getting the following error from the Github Actions result:
npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR! npm login
So I'm clearly not authenticating properly.
I tried (on the server's cli) using npm token create but it gave me an unauthorized error, and I tried the same on my computer locally after logging in too, and got the same error.
How can I authenticate my Github Actions publish to my custom Verdaccio server? I'm pretty new to this whole CI business, so I suspect I'm missing something quite basic. I suspect I'm doing it wrong using NPM_TOKEN, but it worked fine to publish to npmjs.org public repo.
Again, I can manually publish using npm publish from the terminal on my Mac (after logging into custom server with npm login), so I know that the server is set up properly.
After much googling, I found a solution from this tutorial https://remysharp.com/2015/10/26/using-travis-with-private-npm-deps
It's not written for GitHub Actions but the same procedure worked.
First, you need to login to your private server from your computer. In your home folder look at the .npmrc file (turn on show hidden files).
add this line to the yaml action file:
echo "//YOURREGISTRYADDRESS/:_authToken=\${NODE_AUTH_TOKEN}" > .npmrc
Note that it should actually be NODE_AUTH_TOKEN, NOT your actual token.
The part in the quotes should mostly match the entry in your .npmrc file (without the token).
So now it looks like this
- name: Publish to npm
if: steps.semantic.outputs.new_release_published == 'true'
run: |
yarn install
git checkout upm
echo "//YOURREGISTRYADDRESS/:_authToken=\${NODE_AUTH_TOKEN}" > .npmrc
npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
Then in the Settings -> Secrets part of your GitHub repo, add a secret called NPM_TOKEN and paste in the auth token value from the .npmrc. It's a long series of letters and numbers.
Now this script should properly log in. Apparently the issue is that the default Verdaccio authorization plugin expects it to be used interactively. This line basically creates an .npmrc file on the fly and populates it with the correct info, as if you've already logged in interactively. The file isn't actually created though, and disappears after running, which is a nice touch. It also is pretty secure since it stores the token in the secrets part of the repo. The link above does a better job explaining it, so check it out!

Azure DevOps pipeline - authentication failure when trying to connect to private npm registry

I am trying to use a npm package from a private repository hosted in a different Azure DevOps organisation. I am getting the following error on npm install step:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Bearer authorization_uri=https://login.windows.net/2dfb2f0b-4d21-4268-9559-72926144c918, Basic realm="https://pkgsprodcus1.pkgs.visualstudio.com/", TFS-Federated
My project .npmrc file looks like this:
#{scope}:registry=https://pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/
always-auth=true
strict-ssl=false
I have followed the documentation on setting up the PAT token with Packaging Read & Write permission
I have tried connecting by setting up a service connection which did not work.
I have also tried to by adding the credentials to the project .npmrc file and that does not work either.
.npmrc file with creds:
#{scope}:registry=https://pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/
always-auth=true
strict-ssl=false
//pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/:username=ANYTHING-BUT-EMPTY
//pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/:_password=BASE64-ENCODED-PAT
//pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/:email={EMAIL}
/pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/:always-auth=true
I have regenerated the PAT numerous times with different scopes but none worked. (I am generating the PAT from User Settings -> Security in Azure DevOps)
I am able to connect to the feed from my local machine using the vsts-npm-auth package.
Azure DevOps pipeline - authentication failure when trying to connect to private npm registry
According to the document Set up your client's npmrc, we need set the .npmrc containing the credentials in $home for Linux or Mac systems or $env.HOME for win systems in development machine instead of setting it in your the project .npmrc file.
On your development machine, you will also have a .npmrc in $home for
Linux or Mac systems or $env.HOME for win systems. This .npmrc should
contain credentials for all of the registries that you need to connect
to. The NPM client will look at your project's .npmrc, discover the
registry, and fetch matching credentials from $home/.npmrc or
$env.HOME/.npmrc. Credential acquisition will be discussed in the next
section.
And:
You should have a project specific .npmrc containing only your feed's
registry information that you discovered from the "Connect to Feed"
dialog. There should be no credentials in this file and the file
itself is usually adjacent to your project's package.json.
Besides, if you want use the hosted agent, you could use the npm Authenticate task to certification.
Hope this helps.
In my case, I needed to add an explicit npmAuthenticate step to log-in to the private NPM registry using the pipeline's credentials before the step in which npm install / yarn install was called, like so:
- task: npmAuthenticate#0
inputs:
workingFile: "$(Build.SourcesDirectory)/path/to/my/.npmrc"

TeamCity and NPM login via OAuth token

I'm trying to integrate TeamCity Server (Windows) with my private NPM repo. I have create an OAuth token.
But I can't find any examples how to use the token in regards to NPM login alone or via TeamCity?
SOLVED!
In a PowerShell (run as ADMIN) run this:
npm login --registry=https://registry.npmjs.org/
--scope=#your_npm_handle
(NB. Replace the your_npm_handle in the command above with YOUR private NPM handle!)
Enter your username, password and NPM e-mail when prompted
You should now see a successful login to NPM
Now run:
npm config set always-auth true
If you now run:
npm config edit
you should see something like this / 3 lines of code in the file .npmrc
#your_npm_handle=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=xxxx-xxxx-xxxx-xxxx
always-auth=true
Please remember: To use a placeholder to your AUTH token ID and place the actual AUTH token in an .env file and only ref. to it in the .npmrc file). Replace this: authToken=xxxx-xxxx-xxxx-xxxx with this: authToken=${NPM_TOKEN} and in your .env file add this: NPM_TOKEN=xxxx-xxxx-xxxx-xxxx
Add this .npmrc file in the ROOT of your project.
Commit and publish the .npmrc file to source control (not the .env file!)
TeamCity will now download the .npmrc file together with the rest of your source code and run with success because it will use the NPM config file and thereby be able to access your private NPM repo and download all you private #packages.
Remember to activate F2A to your NPM account + to your NPM AUTH tokens.
Be aware this solution ONLY works on multiple machines as long as none of the machines don't invalidate this single AUTH token. In this case use a separate AUTH token setup for each machine or simply use NPM LOGIN instead each time.
I stumbled upon this while dealing with something similar and i thought sharing a bit, cause the accepted answer is pretty insecure:
a) You should not push your token/keys into a version control. Period. This is a security flaw.
b) You don't need to log in via npm login to retrieve your key. You should log in to npmjs.com where you will see a section called "Access Tokens". There you can create tokens to use for this situation and mark them as read-only as well. (or you can use command line to create tokens as well)
c) Teamcity offers "parameters". You can set up a secret there to use during the build. You can do this at root or project level. Create an "environment" parameter and mark it as read-only and as a password so it is secure.
d) For example if you have a docker build, pass it in as a --build-arg NPM_TOKEN=%env.yourTokenName% as additional parameter, then ${NPM_TOKEN} can be used in your .npmrc file if you set it up in your Dockerfile correctly (ARG NPM_TOKEN)

npm publish azure artifacts

I'm trying to publish a scoped package to a private azure devops artifact feed. I followed the instructions here. I have a project .npmrc with the following entries:
#my-scope:registry=https://pkgs.dev.azure.com/my-org/_packaging/my-feed/npm/registry/
#my-scope:always-auth=true
In my global user .npmrc I have the following entries:
prefix=/usr/local
strict-ssl=false
unsafe-perm=true
//registry.npmjs.org/:_authToken="my-real-token"
//pkgs.dev.azure.com/my-org/_packaging/my-feed/npm/registry/:username=${NPM_USERNAME}
//pkgs.dev.azure.com/my-org/_packaging/my-feed/npm registry/:_password="my-real-base64-token"
//pkgs.dev.azure.com/my-org/_packaging/my-feed/npm/registry/:email=${NPM_EMAIL}
//pkgs.dev.azure.com/my-org/_packaging/my-feed/npm/registry/:always-auth=true
#my-scope:registry=https://pkgs.dev.azure.com/my-org/_packaging/my-feed/npm/registry/
//pkgs.dev.azure.com/my-org/_packaging/my-feed/npm registry/:_authToken="my-real-base64-token"
cafile=${NPM_CERT_LOCATION}
When I try: npm publish I get the following error:
Unable to authenticate, need: Bearer authorization_uri=https://login.windows.net/some-guid, Basic realm="https://pkgsprodcus1.pkgs.visualstudio.com/", TFS-Federated
Based on previous posts I see that I might need to do npm login. Executing npm login gives me this error:
npm verb node v6.9.2
npm verb npm v6.8.0
npm ERR! code E400
npm ERR! 400 Bad Request - PUT https://pkgs.dev.azure.com/my-org/_packaging/my-feed/npm/registry/-/user/org.couchdb.user:my-username
I looked at this and this which seemed to be related. However, neither of them worked.
I've tried: curl and curl -u which gave me the following error:
{"$id":"1","innerException":null,"message":"TF400813: Resource not available for anonymous access. Client authentication required.","typeName":"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server","typeKey":"UnauthorizedRequestException","errorCode":0,"eventId":3000}%
I'v also tried with a proxy and a cert. However, with the same results.
This is a bit old, not sure if you are still stuck, but for Windows you can use this npm package: https://www.npmjs.com/package/vsts-npm-auth:
npm install -g vsts-npm-auth
vsts-npm-auth -config path-to-your\.npmrc
Here is a more complete article from Azure DevOps that walks you through setup, .npmrc and auth and publishing: https://learn.microsoft.com/en-us/azure/devops/artifacts/npm/npmrc?view=azure-devops&tabs=windows:
If you are developing on Linux or Mac, vsts-npm-auth is not supported and we recommend generating a token in the following manner for your $HOME/.npmrc
The Connect to feed dialog box generates an appropriately formatted token that you can place into your .npmrc file with a lifespan of 90 days.
From Azure Artifacts, select Connect to feed.
Select npm.
Select Generate npm credentials. Copy the credentials to add them to your user .npmrc file manually. For Windows this is in %USERPROFILE%.npmrc and can be useful if the above method doesn't work. For Linux it is in $HOME/.npmrc.