Usage scenarios

In CI/CD pipelines that publish to npm automatically, most articles on the Internet either feed the account password to the npm CLI or bake the account and password into .npmrc and then run npm publish. This works, but it is not very secure, and there is a risk of compromising your account. This article therefore explains how to publish packages with an access token in a safer way.

The configuration steps

1. Log in to the npm website and open the details page of the package you want to publish, then open its Settings tab (you need to enter your password again). Select "Require two-factor authentication or automation tokens" and click the "Update Package Settings" button to save the settings.

2. At this point the site asks whether to enable 2FA login (this screen is not shown to users who already have 2FA enabled). Agree to enable 2FA, select "Authorization" as the 2FA mode, and click Submit.

3. The screen prompts you to scan a QR code and enter the OTP code in the input box. Install an authenticator app on your phone and scan the code with it; the app then generates an OTP code. Enter this code in the input box on the previous screen and click Submit to enable 2FA (after it is enabled, the page shows several lines of codes for you to save manually; no screenshot of that is included here).

4. Next, click your avatar in the upper-right corner of the npm website, select Access Tokens, and click Generate New Token (you need to enter your password again). Create a token of the Automation type, give it any name, and click Generate Token. The site returns the token to you; save it manually right away, because the full token is not shown again after you leave the page and you would have to regenerate it.

5. After completing the steps above, open the repository of the package to publish, create a .npmrc file in the project root directory, and write the following into it:

    registry=https://registry.npmjs.org/
    //registry.npmjs.org/:always-auth=true
    ; xxxx stands for the token generated in step 4
    //registry.npmjs.org/:_authToken=xxxx

6. That completes the token-based publishing setup. To test it, run npm logout and then npm publish: the package is published without a login password (and without the hassle of entering an OTP code). From now on npm publish is the only command required to publish the package.
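Writing the token itself into a committed .npmrc, as in step 5, leaves the secret in the repository history. As an added example that is not from the original article, the POSIX shell script below writes the CI .npmrc from an NPM_TOKEN environment variable using npm's ${VAR} expansion, so the file never contains the token, and checks a .npmrc for hard-coded credentials before publishing; the NPM_TOKEN variable name and the check's pattern are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: build the CI .npmrc from
# an environment variable instead of committing the token, and refuse to publish
# when a .npmrc still carries a literal credential. Assumes the CI job exports
# NPM_TOKEN as a masked secret (the variable name is an assumption).

# Write a .npmrc that references the token via npm's ${VAR} expansion, so the
# file itself never contains the secret and can safely live in the repository.
write_npmrc() {
  target="$1"
  cat > "$target" <<'EOF'
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
EOF
}

# Exit status 0 if the file contains a hard-coded credential, 1 otherwise.
# Matches _authToken, _auth or _password entries (comment lines excluded) whose
# value does not start with '$', i.e. a literal rather than a ${VAR} reference.
npmrc_has_literal_secret() {
  grep -Eq '^[^;#]*:?(_authToken|_auth|_password)=[^$[:space:]]' "$1"
}

# Pre-publish gate: 0 if the .npmrc is clean, 1 (with a message) if it is not.
check_npmrc() {
  if npmrc_has_literal_secret "$1"; then
    echo "refusing to publish: $1 contains a hard-coded credential" >&2
    return 1
  fi
  return 0
}

# Typical CI usage (token supplied by the CI secret store, never by the repo):
#   write_npmrc .npmrc && check_npmrc .npmrc && npm publish
```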

Extension: other ways to log in to npm

1. The _auth value

1. First generate the _auth value. It is the base64 encoding of a string in the format 'account:password'. Mac users can generate it directly in the console with echo -n 'myuser:mypassword' | openssl base64 (replace myuser and mypassword with your own account and password). Windows users can use an online base64 tool to generate it.

2. Manually create a .npmrc file in the project root directory.

3. Finally, put the following configuration in .npmrc:

    ; set the registry (mirror source)
    registry=https://registry.npmjs.org/
    ; optional: publish packages whose name starts with @test to a private registry
    @test:registry=http://npm.test.net
    ; the _auth value generated in step 1
    _auth=XXXXXXX

2. Account and password

1. Manually create a .npmrc file in the project root directory.

2. Put the following configuration in .npmrc:

    registry=https://registry.npmjs.org/
    //registry.npmjs.org/:always-auth=true
    ; xxxx stands for the user name
    //registry.npmjs.org/:username=xxxx
    ; xxxx stands for the base64-encoded password (npm reads the key _password, not password)
    //registry.npmjs.org/:_password=xxxx