fix: Uses the npm-profile package to create tokens with GAT support

Author: owlstronaut

lib/commands/token.js

@@ -1,14 +1,29 @@
 const { log, output } = require('proc-log')
-const { listTokens, createToken, removeToken } = require('npm-profile')
+const { listTokens, createGatToken, removeToken } = require('npm-profile')
 const { otplease } = require('../utils/auth.js')
 const readUserInfo = require('../utils/read-user-info.js')
 const BaseCommand = require('../base-cmd.js')
 
 class Token extends BaseCommand {
   static description = 'Manage your authentication tokens'
   static name = 'token'
-  static usage = ['list', 'revoke <id|token>', 'create [--read-only] [--cidr=list]']
-  static params = ['read-only', 'cidr', 'registry', 'otp']
+  static usage = ['list', 'revoke <id|token>', 'create --name=<name> [--token-description=<desc>] [--packages=<pkg1,pkg2>] [--packages-all] [--scopes=<scope1,scope2>] [--orgs=<org1,org2>] [--packages-and-scopes-permission=<read-only|read-write|no-access>] [--orgs-permission=<read-only|read-write|no-access>] [--expires=<days>] [--cidr=<ip-range>] [--bypass-2fa] [--password=<pass>]']
+  static params = ['name',
+    'token-description',
+    'expires',
+    'packages',
+    'packages-all',
+    'scopes',
+    'orgs',
+    'packages-and-scopes-permission',
+    'orgs-permission',
+    'cidr',
+    'bypass-2fa',
+    'password',
+    'registry',
+    'otp',
+    'read-only',
+  ]
 
   static async completion (opts) {
     const argv = opts.conf.argv.remain
@@ -127,15 +142,72 @@ class Token extends BaseCommand {
     const json = this.npm.config.get('json')
     const parseable = this.npm.config.get('parseable')
     const cidr = this.npm.config.get('cidr')
-    const readonly = this.npm.config.get('read-only')
+    const name = this.npm.config.get('name')
+    const tokenDescription = this.npm.config.get('token-description')
+    const expires = this.npm.config.get('expires')
+    const packages = this.npm.config.get('packages')
+    const packagesAll = this.npm.config.get('packages-all')
+    const scopes = this.npm.config.get('scopes')
+    const orgs = this.npm.config.get('orgs')
+    const packagesAndScopesPermission = this.npm.config.get('packages-and-scopes-permission')
+    const orgsPermission = this.npm.config.get('orgs-permission')
+    const bypassTwoFactor = this.npm.config.get('bypass-2fa')
+    let password = this.npm.config.get('password')
 
     const validCIDR = await this.validateCIDRList(cidr)
-    const password = await readUserInfo.password()
+
+    /* istanbul ignore if - skip testing read input */
+    if (!password) {
+      password = await readUserInfo.password()
+    }
+
+    const tokenData = {
+      name: name,
+      password: password,
+    }
+
+    if (tokenDescription) {
+      tokenData.description = tokenDescription
+    }
+
+    if (packages?.length > 0) {
+      tokenData.packages = packages
+    }
+    if (packagesAll) {
+      tokenData.packages_all = true
+    }
+    if (scopes?.length > 0) {
+      tokenData.scopes = scopes
+    }
+    if (orgs?.length > 0) {
+      tokenData.orgs = orgs
+    }
+
+    if (packagesAndScopesPermission) {
+      tokenData.packages_and_scopes_permission = packagesAndScopesPermission
+    }
+    if (orgsPermission) {
+      tokenData.orgs_permission = orgsPermission
+    }
+
+    // Add expiration in days
+    if (expires) {
+      tokenData.expires = parseInt(expires, 10)
+    }
+
+    // Add optional fields
+    if (validCIDR?.length > 0) {
+      tokenData.cidr_whitelist = validCIDR
+    }
+    if (bypassTwoFactor) {
+      tokenData.bypass_2fa = true
+    }
+
     log.info('token', 'creating')
     const result = await otplease(
       this.npm,
       { ...this.npm.flatOptions },
-      c => createToken(password, readonly, validCIDR, c)
+      c => createGatToken(tokenData, c)
     )
     delete result.key
     delete result.updated
@@ -145,12 +217,15 @@ class Token extends BaseCommand {
       Object.keys(result).forEach(k => output.standard(k + '\t' + result[k]))
     } else {
       const chalk = this.npm.chalk
-      // Identical to list
-      const level = result.readonly ? 'read only' : 'publish'
+      // Display based on access level
+      const level = result.access === 'read-only' || result.readonly ? 'read only' : 'publish'
       output.standard(`Created ${chalk.blue(level)} token ${result.token}`)
       if (result.cidr_whitelist?.length) {
         output.standard(`with IP whitelist: ${chalk.green(result.cidr_whitelist.join(','))}`)
       }
+      if (result.expires) {
+        output.standard(`expires: ${result.expires}`)
+      }
     }
   }
 
@@ -180,7 +255,7 @@ class Token extends BaseCommand {
     for (const cidr of list) {
       if (isCidrV6(cidr)) {
         throw this.invalidCIDRError(
-          `CIDR whitelist can only contain IPv4 addresses${cidr} is IPv6`
+          `CIDR whitelist can only contain IPv4 addresses, ${cidr} is IPv6`
         )
       }
 

tap-snapshots/test/lib/commands/config.js.test.cjs

@@ -23,6 +23,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "before": null,
   "bin-links": true,
   "browser": null,
+  "bypass-2fa": false,
   "ca": null,
   "cache-max": null,
   "cache-min": 0,
@@ -48,6 +49,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "engine-strict": false,
   "expect-result-count": null,
   "expect-results": null,
+  "expires": null,
   "fetch-retries": 2,
   "fetch-retry-factor": 10,
   "fetch-retry-maxtimeout": 60000,
@@ -97,6 +99,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "logs-dir": null,
   "logs-max": 10,
   "long": false,
+  "name": null,
   "maxsockets": 15,
   "message": "%s",
   "node-gyp": "{CWD}/node_modules/node-gyp/bin/node-gyp.js",
@@ -108,13 +111,15 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "omit": [],
   "omit-lockfile-registry-resolved": false,
   "only": null,
+  "orgs": null,
   "optional": null,
   "os": null,
   "otp": null,
   "package": [],
   "package-lock": true,
   "package-lock-only": false,
   "pack-destination": ".",
+  "packages": [],
   "parseable": false,
   "prefer-dedupe": false,
   "prefer-offline": false,
@@ -141,6 +146,11 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "sbom-format": null,
   "sbom-type": "library",
   "scope": "",
+  "scopes": null,
+  "packages-all": false,
+  "packages-and-scopes-permission": null,
+  "orgs-permission": null,
+  "token-description": null,
   "script-shell": null,
   "searchexclude": "",
   "searchlimit": 20,
@@ -187,6 +197,7 @@ auth-type = "web"
 before = null
 bin-links = true
 browser = null
+bypass-2fa = false
 ca = null
 ; cache = "{CACHE}" ; overridden by cli
 cache-max = null
@@ -214,6 +225,7 @@ editor = "{EDITOR}"
 engine-strict = false
 expect-result-count = null
 expect-results = null
+expires = null
 fetch-retries = 2
 fetch-retry-factor = 10
 fetch-retry-maxtimeout = 60000
@@ -266,6 +278,7 @@ logs-max = 10
 ; long = false ; overridden by cli
 maxsockets = 15
 message = "%s"
+name = null
 node-gyp = "{CWD}/node_modules/node-gyp/bin/node-gyp.js"
 node-options = null
 noproxy = [""]
@@ -275,13 +288,19 @@ omit = []
 omit-lockfile-registry-resolved = false
 only = null
 optional = null
+orgs = null
+orgs-permission = null
 os = null
 otp = null
 pack-destination = "."
 package = []
 package-lock = true
 package-lock-only = false
+packages = []
+packages-all = false
+packages-and-scopes-permission = null
 parseable = false
+password = (protected)
 prefer-dedupe = false
 prefer-offline = false
 prefer-online = false
@@ -307,6 +326,7 @@ save-prod = false
 sbom-format = null
 sbom-type = "library"
 scope = ""
+scopes = null
 script-shell = null
 searchexclude = ""
 searchlimit = 20
@@ -321,6 +341,7 @@ strict-ssl = true
 tag = "latest"
 tag-version-prefix = "v"
 timing = false
+token-description = null
 umask = 0
 unicode = false
 update-notifier = true