Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
npm-profile
Advanced tools
Provides functions for fetching and updating an npmjs.com profile.
const profile = require('npm-profile')
const result = await profile.get({token})
//...
The API that this implements is documented here:
> profile.adduser(opener, prompter, [opts]) → Promise
Tries to create a user new web based login, if that fails it falls back to using the legacy CouchDB APIs.
opener
Function (url) → Promise, returns a promise that resolves after a browser has been opened for the user at url
.prompter
Function (creds) → Promise, returns a promise that resolves to an object with username
, email
and password
properties.An object with the following properties:
token
String, to be used to authenticate further API callsusername
String, the username the user authenticated asAn error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be 'E'
followed by the HTTP response code, for
example a Forbidden response would be E403
.
> profile.login(opener, prompter, [opts]) → Promise
Tries to login using new web based login, if that fails it falls back to using the legacy CouchDB APIs.
opener
Function (url) → Promise, returns a promise that resolves after a browser has been opened for the user at url
.prompter
Function (creds) → Promise, returns a promise that resolves to an object with username
, and password
properties.An object with the following properties:
token
String, to be used to authenticate further API callsusername
String, the username the user authenticated asAn error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the action was denied because an OTP is required then code
will be set
to EOTP
. This error code can only come from a legacy CouchDB login and so
this should be retried with loginCouch.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be 'E'
followed by the HTTP response code, for
example a Forbidden response would be E403
.
> profile.adduserWeb(opener, [opts]) → Promise
Tries to create a user new web based login, if that fails it falls back to using the legacy CouchDB APIs.
opener
Function (url) → Promise, returns a promise that resolves after a browser has been opened for the user at url
.opts
ObjectAn object with the following properties:
token
String, to be used to authenticate further API callsusername
String, the username the user authenticated asAn error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the registry does not support web-login then an error will be thrown with
its code
property set to ENYI
. You should retry with adduserCouch
.
If you use adduser
then this fallback will be done automatically.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be 'E'
followed by the HTTP response code, for
example a Forbidden response would be E403
.
> profile.loginWeb(opener, [opts]) → Promise
Tries to login using new web based login, if that fails it falls back to using the legacy CouchDB APIs.
opener
Function (url) → Promise, returns a promise that resolves after a browser has been opened for the user at url
.opts
Object (optional)An object with the following properties:
token
String, to be used to authenticate further API callsusername
String, the username the user authenticated asAn error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the registry does not support web-login then an error will be thrown with
its code
property set to ENYI
. You should retry with loginCouch
.
If you use login
then this fallback will be done automatically.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be 'E'
followed by the HTTP response code, for
example a Forbidden response would be E403
.
> profile.adduserCouch(username, email, password, [opts]) → Promise
const {token} = await profile.adduser(username, email, password, {registry})
// `token` can be passed in through `opts` for authentication.
Creates a new user on the server along with a fresh bearer token for future
authentication as this user. This is what you see as an authToken
in an
.npmrc
.
If the user already exists then the npm registry will return an error, but this is registry specific and not guaranteed.
username
Stringemail
Stringpassword
Stringopts
Object (optional)An object with the following properties:
token
String, to be used to authenticate further API callsusername
String, the username the user authenticated asAn error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the action was denied because an OTP is required then code
will be set
to EOTP
.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be 'E'
followed by the HTTP response code, for
example a Forbidden response would be E403
.
> profile.loginCouch(username, password, [opts]) → Promise
let token
try {
{token} = await profile.login(username, password, {registry})
} catch (err) {
if (err.code === 'otp') {
const otp = await getOTPFromSomewhere()
{token} = await profile.login(username, password, {otp})
}
}
// `token` can now be passed in through `opts` for authentication.
Logs you into an existing user. Does not create the user if they do not
already exist. Logging in means generating a new bearer token for use in
future authentication. This is what you use as an authToken
in an .npmrc
.
username
Stringemail
Stringpassword
Stringopts
Object (optional)An object with the following properties:
token
String, to be used to authenticate further API callsusername
String, the username the user authenticated asAn error object indicating what went wrong.
If the object has a code
property set to EOTP
then that indicates that
this account must use two-factor authentication to login. Try again with a
one-time password.
If the object has a code
property set to EAUTHIP
then that indicates that
this account is only allowed to login from certain networks and this ip is
not on one of those networks.
If the error was neither of these then the error object will have a
code
property set to the HTTP response code and a headers
property with
the HTTP headers in the response.
> profile.get([opts]) → Promise
const {name, email} = await profile.get({token})
console.log(`${token} belongs to https://npm.im/~${name}, (mailto:${email})`)
Fetch profile information for the authenticated user.
opts
ObjectAn object that looks like this:
// "*" indicates a field that may not always appear
{
tfa: null |
false |
{"mode": "auth-only", pending: Boolean} |
["recovery", "codes"] |
"otpauth://...",
name: String,
email: String,
email_verified: Boolean,
created: Date,
updated: Date,
cidr_whitelist: null | ["192.168.1.1/32", ...],
fullname: String, // *
homepage: String, // *
freenode: String, // *
twitter: String, // *
github: String // *
}
An error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the action was denied because an OTP is required then code
will be set
to EOTP
.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be the HTTP response code.
> profile.set(profileData, [opts]) → Promise
await profile.set({github: 'great-github-account-name'}, {token})
Update profile information for the authenticated user.
profileData
An object, like that returned from profile.get
, but see
below for caveats relating to password
, tfa
and cidr_whitelist
.opts
Object (optional)password
This is used to change your password and is not visible (for obvious
reasons) through the get()
API. The value should be an object with old
and new
properties, where the former has the user's current password and
the latter has the desired new password. For example
await profile.set({
password: {
old: 'abc123',
new: 'my new (more secure) password'
}
}, {token})
cidr_whitelist
The value for this is an Array. Only valid CIDR ranges are allowed in it.
Be very careful as it's possible to lock yourself out of your account with
this. This is not currently exposed in npm
itself.
await profile.set({
cidr_whitelist: [ '8.8.8.8/32' ]
}, {token})
// ↑ only one of google's dns servers can now access this account.
tfa
Enabling two-factor authentication is a multi-step process.
profile.get
and check the status of tfa
. If pending
is true then
you'll need to disable it with profile.set({tfa: {password, mode: 'disable'}, …)
.profile.set({tfa: {password, mode}}, {registry, token})
password
is required here in the tfa
object,
regardless of how you're authenticating.mode
is either auth-only
which requires an otp
when calling login
or createToken
, or mode
is auth-and-writes
and an otp
will be
required on login, publishing or when granting others access to your
modules.tfa
property set to an otpauth
URL, as
used by Google Authenticator.
You will need to show this to the user for them to add to their
authenticator application. This is typically done as a QRCODE, but you
can also show the value of the secret
key in the otpauth
query string
and they can type or copy paste that in.profile.set
with tfa
set to an array of TWO codes from the user's
authenticator, eg: profile.set(tfa: [otp1, otp2]}, {registry, token})
tfa
property that has an
array of one-time-use recovery codes. These are used to authenticate
later if the second factor is lost and generally should be printed and
put somewhere safe.Disabling two-factor authentication is more straightforward, set the tfa
attribute to an object with a password
property and a mode
of disable
.
await profile.set({tfa: {password, mode: 'disable'}}, {token})
An object reflecting the changes you made, see description for profile.get
.
An error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the action was denied because an OTP is required then code
will be set
to EOTP
.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be the HTTP response code.
> profile.listTokens([opts]) → Promise
const tokens = await profile.listTokens({registry, token})
console.log(`Number of tokens in your accounts: ${tokens.length}`)
Fetch a list of all of the authentication tokens the authenticated user has.
opts
Object (optional)An array of token objects. Each token object has the following properties:
An error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the action was denied because an OTP is required then code
will be set
to EOTP
.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be the HTTP response code.
> profile.removeToken(token|key, opts) → Promise
await profile.removeToken(key, {token})
// token is gone!
Remove a specific authentication token.
token|key
String, either a complete authentication token or the key returned by profile.listTokens
.opts
Object (optional)No value.
An error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the action was denied because an OTP is required then code
will be set
to EOTP
.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be the HTTP response code.
> profile.createToken(password, readonly, cidr_whitelist, [opts]) → Promise
const newToken = await profile.createToken(
password, readonly, cidr_whitelist, {token, otp}
)
// do something with the newToken
Create a new authentication token, possibly with restrictions.
password
Stringreadonly
Booleancidr_whitelist
Arrayopts
Object OptionalThe promise will resolve with an object very much like the one's returned by
profile.listTokens
. The only difference is that token
is not truncated.
{
token: String,
key: String, // sha512 hash of the token UUID
cidr_whitelist: [String],
created: Date,
readonly: Boolean
}
An error object indicating what went wrong.
The headers
property will contain the HTTP headers of the response.
If the action was denied because an OTP is required then code
will be set
to EOTP
.
If the action was denied because it came from an IP address that this action
on this account isn't allowed from then the code
will be set to EAUTHIP
.
Otherwise the code will be the HTTP response code.
The various API functions accept an optional opts
object as a final
argument.
Options are passed to
npm-registry-fetch
options, so
anything provided to this module will affect the behavior of that one as
well.
Of particular note are opts.registry
, and the auth-related options:
opts.creds
Object, passed through to prompter, common values are:
username
String, default value for usernameemail
String, default value for emailopts.username
and opts.password
- used for Basic authopts.otp
String, the two-factor-auth one-time-password (Will prompt for
this if needed and not provided.)opts.hostname
String, the hostname of the current machine, to show the
user during the WebAuth flow. (Defaults to os.hostname()
.)This modules logs by emitting log
events on the global process
object
via proc-log
.
These events look like this:
procLog[loglevel]('feature', 'message part 1', 'part 2', 'part 3', 'etc')
loglevel
can be one of: error
, warn
, notice
, http
, info
, verbose
, and silly
.
feature
is any brief string that describes the component doing the logging.
The remaining arguments are evaluated like console.log
and joined together with spaces.
A real world example of this is:
procLog.http('request', '→', conf.method || 'GET', conf.target)
To handle the log events, you would do something like this:
process.on('log', (level, feature, ...args) => {
console.log(level, feature, ...args)
})
FAQs
Library for updating an npmjs.com profile
We found that npm-profile demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.