Will Hitchcock

Reputation: 4868

Publish npm packages with 2FA on CircleCI?

I have some Circle workflows that automatically publish npm packages. Is there any way to integrate two factor authentication into that flow?

I imagine that all of the test/build steps would run and then hold before actually publishing and wait for a one time code to be input. Is this possible?

Upvotes: 4

Views: 765

Answers (2)

sgy

Reputation: 3062

It is possible if you are willing to use a few more services. Using a self-hosted HashiCorp Vault, you can enable TOTP and store the secret key given by the npm CLI when you enable 2FA for auth-and-writes.

Once you have that, you can call your Vault server to provide the OTP needed to publish and pass it to the npm publish command with the --otp option.

For more details, you can read this article: "How to deploy npm package with 2FA enabled on write". The article gives an example with Travis, but it should apply to CircleCI without any major changes. The big difference should be how you encrypt your secrets (npm token, Vault token, etc.) within your configuration.

Upvotes: 0
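The flow described in the answer above, written out as a CI publish step. This is an added example, not code from the answer or the linked article. It assumes a Vault TOTP secrets engine mounted at `totp`, a key named `npm-publish` (both hypothetical names), six-digit codes with a 30-second period, and `VAULT_ADDR`, `VAULT_TOKEN` and the npm token supplied as CI secrets.

```shell
#!/bin/sh
# Added example. Assumed names: TOTP mount "totp", key "npm-publish".
TOTP_MOUNT="${TOTP_MOUNT:-totp}"
TOTP_KEY="${TOTP_KEY:-npm-publish}"
TOTP_PERIOD=30      # assumed standard 30-second TOTP window
MIN_REMAINING=5     # do not start a publish with less time than this left

# Seconds left in the TOTP window that contains epoch time $1.
seconds_left() {
  echo $(( TOTP_PERIOD - ($1 % TOTP_PERIOD) ))
}

# Ask Vault for the current code and reject anything that is not six digits,
# so an error page or empty reply never reaches the npm command line.
fetch_otp() {
  code="$(vault read -field=code "${TOTP_MOUNT}/code/${TOTP_KEY}")" || return 1
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s' "$code" ;;
    *) echo "unexpected OTP format from Vault" >&2; return 1 ;;
  esac
}

publish_with_otp() {
  set +x   # keep the one-time code out of xtrace output in the build log
  otp_left="$(seconds_left "$(date +%s)")"
  # A code fetched at the very end of a window can expire before npm sends it.
  if [ "$otp_left" -lt "$MIN_REMAINING" ]; then
    sleep "$otp_left"
  fi
  otp_code="$(fetch_otp)" || return 1
  npm publish --otp="$otp_code"
  otp_status=$?
  unset otp_code
  return "$otp_status"
}

# Runs only when the script is invoked as: ./publish.sh publish
if [ "${1:-}" = "publish" ]; then
  set -eu
  publish_with_otp
fi
```

Scope the Vault token used by the job to read only the `code` path for that one key, so the pipeline can request codes without any access to the rest of Vault.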

sergiohgz

Reputation: 33

I have just made a test of how to publish with 2FA on npmjs, and the steps to publish correctly are the following:

  1. Create an account on npmjs and enable 2FA for auth only (do not enable 2FA for publishing)
  2. Generate a new token and copy it. I did it with the npm login command to authenticate with 2FA
  3. Copy your token to CircleCI environment variables to keep it secret, and remove it from your computer so that it is kept only in CircleCI

I don't know if it is the best process, but it works for me with the recent token invalidation.

EDIT: I leave my example repo here, but the package has been unpublished from npmjs so as not to make noise: https://github.com/sergiohgz/test-publish-2fa-circleci

Upvotes: 1
