
Why do my read-only tokens keep getting deleted from npm's site?

Repro steps:

I create a new read-only token using npm's web portal:

[screenshot]

It is successfully created.

[screenshot]

I then store the token in my command line config (.zshrc in my case):

export NPM_TOKEN=f00ba4ba-2f00-ba4b-a2f0-0ba4ba2f00ba

And reference it in my .npmrc (in my project folder).

This works great. npm whoami works as intended, and I'm able to pull from our private repo.

...for a while...

A little while later, it's just gone. Pulling from our private repo fails with a 404. npm whoami returns a 402. And the token is gone from the npm web interface.

I thought maybe they have a one-hour lifetime, but I can't see anywhere in the documentation where it says they have any expiry time at all.

Is there an npm command that has a side effect of deleting an auth token?

Thanks in advance!

cutmancometh

1 Answer

I figured it out. I must have run npm logout from the command line at some point.

Some context about how npm login and logout work:

When you run npm login it creates a "publish" token and stores it in your .npmrc in your user's home directory.

When you run npm logout it destroys that token: it removes it from npm's auth system and deletes it from the .npmrc in your home folder.

But it's worth digging a little deeper into how npm auth works.

When you do anything from the command line that needs auth permissions from npm, it first looks at the .npmrc in your project directory to see if there's an auth token in there. If there is, it uses that one when checking the npm auth server. Only if there's no auth token in that .npmrc does it check .npmrc in your user's home folder. (I'm sure it's more complex than this; I'm just saying, it checks the project folder before it checks your home folder).

But it does the same thing when you run npm logout. If there's an auth token in .npmrc in your project folder it assumes that's your identity, and invalidates that token.

So, that's what happened to me, I believe.

  1. I referenced the token in .npmrc in my project folder.
  2. I ran npm logout at some point. (I don't remember why I did this, but I must have – I've since replicated this behavior).
  3. When I ran logout, npm used the token in my project folder as my identity, and invalidated the token. It didn't care that it was a "read-only" token and not a "publish" token. Nor did it care that the token had been generated manually via the web portal instead of programmatically via the CLI.

Hope this helps someone.

cutmancometh
How did I not know about this? Thanks for documenting it. This is a really bad usability issue IMO. – Nate May 23 '23 at 22:33
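The lookup order the answer describes (project .npmrc first, then the user's home .npmrc) and the `${NPM_TOKEN}` reference from the question can be checked from the shell before running npm logout. The script below is an added example, not code from the original post or from npm itself: it parses the `_authToken` entries of two constructed .npmrc files, expands a `${VAR}` reference the way the question's setup relies on, reports which file would supply the identity, and refuses to proceed when that identity comes from the project folder. The file names, token values and the simplified precedence (scoped registries and other npm config sources are ignored) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not npm's own code): which .npmrc would supply the auth
# token, following the project-before-home order described in the answer.
# All fixtures below are constructed; no registry is contacted.

# Print the first _authToken value in a .npmrc file (skipping comment lines),
# expanding a ${VAR} reference from the environment; print nothing if none.
npmrc_auth_token() {
    file="$1"
    [ -f "$file" ] || return 0
    raw=$(grep -E '^[^#;]*:_authToken=' "$file" | head -n 1 | sed 's/^[^=]*=//')
    [ -n "$raw" ] || return 0
    case "$raw" in
        '${'*'}')
            # Only accept a plain variable name before handing it to eval.
            var=$(printf '%s' "$raw" | sed 's/^\${\(.*\)}$/\1/')
            case "$var" in
                ''|*[!A-Za-z0-9_]*) return 0 ;;
            esac
            eval "tok=\${$var}"
            printf '%s\n' "$tok"
            ;;
        *)
            printf '%s\n' "$raw"
            ;;
    esac
}

# Report which config file would supply the identity: project, user or none.
# Assumption: simplified version of npm's resolution (no scoped registries,
# no env/CLI config), enough to show the precedence the answer describes.
npm_auth_source() {
    project_dir="$1"
    home_dir="$2"
    if [ -n "$(npmrc_auth_token "$project_dir/.npmrc")" ]; then
        echo project
    elif [ -n "$(npmrc_auth_token "$home_dir/.npmrc")" ]; then
        echo user
    else
        echo none
    fi
}

# Pre-logout guard: fail (exit status 1) when npm logout run in this project
# would revoke the token referenced by the project's .npmrc rather than the
# one npm login stored in the home directory.
check_before_logout() {
    src=$(npm_auth_source "$1" "$2")
    if [ "$src" = project ]; then
        echo "warning: npm logout here would revoke the token referenced by $1/.npmrc" >&2
        return 1
    fi
    return 0
}

# Constructed demo: a temp dir stands in for the project and the home dir.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/project" "$tmp/home"
    printf '//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n' > "$tmp/project/.npmrc"
    printf '//registry.npmjs.org/:_authToken=user-token-placeholder\n' > "$tmp/home/.npmrc"
    NPM_TOKEN=project-token-placeholder
    export NPM_TOKEN
    npm_auth_source "$tmp/project" "$tmp/home"   # project
    check_before_logout "$tmp/project" "$tmp/home" || echo "logout blocked"
    rm -f "$tmp/project/.npmrc"
    npm_auth_source "$tmp/project" "$tmp/home"   # user
    rm -rf "$tmp"
}

demo
```

Run it from a project directory with `check_before_logout "$PWD" "$HOME"` (for example as a wrapper around npm logout) to catch the situation in the answer, where the project .npmrc points at a read-only token and logout would invalidate that token instead of the login session.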