diff --git a/commands/publish/README.md b/commands/publish/README.md index d9c67fda4c..7337294241 100644 --- a/commands/publish/README.md +++ b/commands/publish/README.md @@ -26,8 +26,6 @@ During all publish operations, appropriate [lifecycle scripts](#lifecycle-script Check out [Per-Package Configuration](#per-package-configuration) for more details about publishing scoped packages, custom registries, and custom dist-tags. -> If you're using [npm automation access token](https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-access-tokens) please remember to [disable lerna access verification feature](#--no-verify-access). Automation token doesn't grant permissions needed for the verification to be successful. [Click here to read more about this issue](https://github.com/lerna/lerna/issues/2788). - ## Positionals ### bump `from-git` @@ -59,7 +57,7 @@ This is useful when a previous `lerna publish` failed to publish all packages to - [`--legacy-auth`](#--legacy-auth) - [`--no-git-reset`](#--no-git-reset) - [`--no-granular-pathspec`](#--no-granular-pathspec) -- [`--no-verify-access`](#--no-verify-access) +- [`--verify-access`](#--verify-access) - [`--otp`](#--otp) - [`--preid`](#--preid) - [`--pre-dist-tag `](#--pre-dist-tag-tag) @@ -199,15 +197,16 @@ This option makes the most sense configured in lerna.json, as you really don't w The root-level configuration is intentional, as this also covers the [identically-named option in `lerna version`](https://github.com/lerna/lerna/tree/main/commands/version#--no-granular-pathspec). -### `--no-verify-access` +### `--verify-access` -By default, `lerna` will verify the logged-in npm user's access to the packages about to be published. Passing this flag will disable that check. +Historically, `lerna` attempted to fast-fail on authorization/authentication issues by performing some preemptive npm API requests using the given token. These days, however, there are multiple types of tokens that npm supports and they have varying levels of access rights, so there is no one-size fits all solution for this preemptive check and it is more appropriate to allow requests to npm to simply fail with appropriate errors for the given token. For this reason, the legacy `--verify-access` behavior is disabled by default and will likely be removed in a future major version. -If you are using a third-party registry that does not support `npm access ls-packages`, you will need to pass this flag (or set `command.publish.verifyAccess` to `false` in lerna.json). +For now, though, if you pass this flag you can opt into the legacy behavior and `lerna` will preemptively perform this verification before it attempts to publish any packages. -> Please use with caution +You should NOT use this option if: -> For the time being, use this flag/option always when you're handling NPM authorization with the use of [automation access token](https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-access-tokens). [Click here to read more about this issue](https://github.com/lerna/lerna/issues/2788). +1. You are using a third-party registry that does not support `npm access ls-packages` +2. You are using an authentication token without read access, such as a [npm automation access token](https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-access-tokens) ### `--otp` @@ -297,6 +296,10 @@ Useful in [Continuous integration (CI)](https://en.wikipedia.org/wiki/Continuous ## Deprecated Options +### `--no-verify-access` + +The legacy preemptive access verification is now off by default, so `--no-verify-access` is not needed. Requests will fail with appropriate errors when not authorized correctly. To opt-in to the legacy access verification, use [`--verify-access`](#--verify-access). + ### `--skip-npm` Call [`lerna version`](https://github.com/lerna/lerna/tree/main/commands/version#readme) directly, instead. diff --git a/commands/publish/__tests__/get-npm-username.test.js b/commands/publish/__tests__/get-npm-username.test.js index 858b9ecf39..8154f3f985 100644 --- a/commands/publish/__tests__/get-npm-username.test.js +++ b/commands/publish/__tests__/get-npm-username.test.js @@ -68,6 +68,23 @@ describe("getNpmUsername", () => { expect(console.error).toHaveBeenCalledWith("third-party whoami fail"); }); + test("logs failure message when npm returns forbidden response", async () => { + fetch.json.mockImplementationOnce(() => { + const err = new Error("npm profile fail due to insufficient permissions"); + + err.code = "E403"; + + return Promise.reject(err); + }); + + const opts = { registry: "https://registry.npmjs.org/" }; + + await expect(getNpmUsername(opts)).rejects.toThrow( + "Access verification failed. Ensure that your npm access token has both read and write access, or remove the verifyAccess option to skip this verification. Note that npm automation tokens do NOT have read access (https://docs.npmjs.com/creating-and-viewing-access-tokens)." + ); + expect(console.error).toHaveBeenCalledWith("npm profile fail due to insufficient permissions"); + }); + test("allows third-party registries to fail with a stern warning", async () => { fetch.json.mockImplementationOnce(() => { const err = new Error("many third-party registries do not support npm whoami"); diff --git a/commands/publish/__tests__/publish-command.test.js b/commands/publish/__tests__/publish-command.test.js index ef6dd31641..5d4434870c 100644 --- a/commands/publish/__tests__/publish-command.test.js +++ b/commands/publish/__tests__/publish-command.test.js @@ -124,23 +124,8 @@ Map { expect(npmDistTag.remove).not.toHaveBeenCalled(); expect(npmDistTag.add).not.toHaveBeenCalled(); - expect(getNpmUsername).toHaveBeenCalled(); - expect(getNpmUsername).toHaveBeenLastCalledWith( - expect.objectContaining({ registry: "https://registry.npmjs.org/" }) - ); - - expect(verifyNpmPackageAccess).toHaveBeenCalled(); - expect(verifyNpmPackageAccess).toHaveBeenLastCalledWith( - expect.any(Array), - "lerna-test", - expect.objectContaining({ registry: "https://registry.npmjs.org/" }) - ); - - expect(getTwoFactorAuthRequired).toHaveBeenCalled(); - expect(getTwoFactorAuthRequired).toHaveBeenLastCalledWith( - // extra insurance that @lerna/npm-conf is defaulting things correctly - expect.objectContaining({ otp: undefined }) - ); + expect(getNpmUsername).not.toHaveBeenCalled(); + expect(verifyNpmPackageAccess).not.toHaveBeenCalled(); expect(gitCheckout).toHaveBeenCalledWith( // the list of changed files has been asserted many times already @@ -228,12 +213,12 @@ Map { expect(getOneTimePassword).not.toHaveBeenCalled(); }); - it("prompts for OTP when option missing and account-level 2FA enabled", async () => { + it("prompts for OTP when option missing, account-level 2FA enabled, and verify access is true", async () => { const testDir = await initFixture("normal"); getTwoFactorAuthRequired.mockResolvedValueOnce(true); - await lernaPublish(testDir)(); + await lernaPublish(testDir)("--verify-access", true); expect(npmPublish).toHaveBeenCalledWith( expect.objectContaining({ name: "package-1" }), @@ -243,6 +228,22 @@ Map { ); expect(getOneTimePassword).toHaveBeenLastCalledWith("Enter OTP:"); }); + + it("defers OTP prompt when option missing, account-level 2FA enabled, and verify access is not true", async () => { + const testDir = await initFixture("normal"); + + getTwoFactorAuthRequired.mockResolvedValueOnce(true); + + await lernaPublish(testDir)(); + + expect(npmPublish).toHaveBeenCalledWith( + expect.objectContaining({ name: "package-1" }), + "/TEMP_DIR/package-1-MOCKED.tgz", + expect.objectContaining({ otp: undefined }), + expect.objectContaining({ otp: undefined }) + ); + expect(getOneTimePassword).not.toHaveBeenCalled(); + }); }); describe("--legacy-auth", () => { @@ -306,7 +307,74 @@ Map { }); }); + describe("--verify-access", () => { + it("publishes packages after verifying the user's access to each package", async () => { + const testDir = await initFixture("normal"); + + await lernaPublish(testDir)("--verify-access"); + + expect(promptConfirmation).toHaveBeenLastCalledWith("Are you sure you want to publish these packages?"); + expect(packDirectory.registry).toMatchInlineSnapshot(` +Set { + "package-1", + "package-3", + "package-4", + "package-2", +} +`); + expect(npmPublish.registry).toMatchInlineSnapshot(` +Map { + "package-1" => "latest", + "package-3" => "latest", + "package-4" => "latest", + "package-2" => "latest", +} +`); + expect(npmPublish.order()).toEqual([ + "package-1", + "package-3", + "package-4", + "package-2", + // package-5 is private + ]); + expect(npmDistTag.remove).not.toHaveBeenCalled(); + expect(npmDistTag.add).not.toHaveBeenCalled(); + + expect(getNpmUsername).toHaveBeenCalled(); + expect(getNpmUsername).toHaveBeenLastCalledWith( + expect.objectContaining({ registry: "https://registry.npmjs.org/" }) + ); + + expect(verifyNpmPackageAccess).toHaveBeenCalled(); + expect(verifyNpmPackageAccess).toHaveBeenLastCalledWith( + expect.any(Array), + "lerna-test", + expect.objectContaining({ registry: "https://registry.npmjs.org/" }) + ); + + expect(getTwoFactorAuthRequired).toHaveBeenCalled(); + expect(getTwoFactorAuthRequired).toHaveBeenLastCalledWith(expect.objectContaining({ otp: undefined })); + + expect(gitCheckout).toHaveBeenCalledWith( + expect.any(Array), + { granularPathspec: true }, + { cwd: testDir } + ); + }); + }); + describe("--no-verify-access", () => { + it("shows warning that this is the default behavior and that this option is no longer needed", async () => { + const cwd = await initFixture("normal"); + + await lernaPublish(cwd)("--no-verify-access"); + + const logMessages = loggingOutput("warn"); + expect(logMessages).toContain( + "--verify-access=false and --no-verify-access are no longer needed, because the legacy preemptive access verification is now disabled by default. Requests will fail with appropriate errors when not authorized correctly." + ); + }); + it("skips package access verification", async () => { const cwd = await initFixture("normal"); diff --git a/commands/publish/command.js b/commands/publish/command.js index ec2d3e9b0d..2d2273dadc 100644 --- a/commands/publish/command.js +++ b/commands/publish/command.js @@ -102,19 +102,14 @@ exports.builder = (yargs) => { type: "boolean", }, "no-verify-access": { + // proxy for --verify-access describe: "Do not verify package read-write access for current npm user.", type: "boolean", }, "verify-access": { - // proxy for --no-verify-access - hidden: true, + describe: "Verify package read-write access for current npm user.", type: "boolean", }, - // y: { - // describe: "Skip all confirmation prompts.", - // alias: "yes", - // type: "boolean", - // }, }; composeVersionOptions(yargs); diff --git a/commands/publish/index.js b/commands/publish/index.js index 16d12a2c88..f123f352ef 100644 --- a/commands/publish/index.js +++ b/commands/publish/index.js @@ -82,10 +82,11 @@ class PublishCommand extends Command { // inverted boolean options are only respected if prefixed with `--no-`, e.g. `--no-verify-access` this.gitReset = gitReset !== false; - this.verifyAccess = verifyAccess !== false; // consumed by npm-registry-fetch (via libnpmpublish) this.npmSession = crypto.randomBytes(8).toString("hex"); + + this.verifyAccess = verifyAccess; } get userAgent() { @@ -94,6 +95,13 @@ class PublishCommand extends Command { } initialize() { + if (this.options.verifyAccess === false) { + this.logger.warn( + "verify-access", + "--verify-access=false and --no-verify-access are no longer needed, because the legacy preemptive access verification is now disabled by default. Requests will fail with appropriate errors when not authorized correctly." + ); + } + if (this.options.skipNpm) { // TODO: remove in next major release this.logger.warn("deprecated", "Instead of --skip-npm, call `lerna version` directly"); diff --git a/commands/publish/lib/get-npm-username.js b/commands/publish/lib/get-npm-username.js index 9ed75949e6..68e81a95f0 100644 --- a/commands/publish/lib/get-npm-username.js +++ b/commands/publish/lib/get-npm-username.js @@ -54,6 +54,13 @@ function getNpmUsername(options) { opts.log.resume(); if (opts.registry === "https://registry.npmjs.org/") { + if (err.code === "E403") { + throw new ValidationError( + "ENEEDAUTH", + "Access verification failed. Ensure that your npm access token has both read and write access, or remove the verifyAccess option to skip this verification. Note that npm automation tokens do NOT have read access (https://docs.npmjs.com/creating-and-viewing-access-tokens)." + ); + } + throw new ValidationError("EWHOAMI", "Authentication error. Use `npm whoami` to troubleshoot."); }