Support web otp

[bluwy]

Changesets currently only support token-based otp (aka classic otp):

changesets/packages/cli/src/commands/publish/npm-utils.ts

Lines 238 to 252 in 097afd9

	// The first case is no 2fa provided, the second is when the 2fa is wrong (timeout or wrong words)
	if (
	(json.error.code === "EOTP" ||
	(json.error.code === "E401" &&
	json.error.detail.includes("--otp=<code>"))) &&
	!isCI
	) {
	if (twoFactorState.token !== null) {
	// the current otp code must be invalid since it errored
	twoFactorState.token = null;
	}
	// just in case this isn't already true
	twoFactorState.isRequired = Promise.resolve(true);
	return internalPublish(packageJson, opts, twoFactorState);
	}

Web-based otp, which opens the browser to login is not supported, which is required for newer 2fa types like webauthn and passkeys, which is being pushed by npm and at the same time sunsetting TOTP (which I think is stupid).

Anyways, we probably need to copy npm's flow:

https://github.com/npm/cli/blob/7f7223833b9f655ea82039cf389ed8d03fb3b212/lib/utils/auth.js#L6-L33
https://github.com/npm/npm-profile/blob/92b3c147b18d2122b5eee5880d2848625068bd8c/lib/index.js#L80

---

Alternatively, we should figure a flow that doesn't require us to manually implement them, something for next perhaps.

[lexuzieel]

What's the state of this issue? Currently when I'm trying to publish using npx changeset publish I get:

🦋  info This operation requires a one-time password from your authenticator.
🦋  Enter one-time password: ‣  

[IzumiSy]

This took me 4-5 hours until I knew the prompt was coming from changeset.

[lexuzieel]

This took me 4-5 hours until I knew the prompt was coming from changeset.

For the time being I have resorted to publishing using npm run publish in a loop over directories. This also prompts to open the browser to confirm the action since npm has updated their publishing process recently.

For CI there seems to be a way to store the token but I haven’t tried it yet: https://github.com/orgs/community/discussions/179562#discussioncomment-15272186

[tangzijun]

This took me 4-5 hours until I knew the prompt was coming from changeset.

Me too, it's a disaster.

[ahmadawais]

Is there no progress on this? When npm moved to passkey the removed 2FA apps. So we can't get the new one time pass. And can't publish.

[Andarist]

This is on my radar, a release addressing this should come out this week.

[Andarist]

status update: I'm looking into how we could work around the lack of authUrl and doneUrl in the returned error until this lands: npm/cli#8952

[Andarist]

• we can either try to add npm-registry-fetch dep and handle this stuff ourselves (best compat and robustness but adds a dep)
• we can try to forward to npm itself (the CLI output might get messy given changesets and npm stuff would get mixed in a single stream, we won't be able to read the token ourselves so we'd have to limit all publishes to 1 at a time, overall - this would get messy and kinda clunky, i feel, but it's somewhat doable)
• we can only support this with npm 11.9.0 (released today, a nice turnaround from my yesterday's PR: fix(webauth): improve error messages around webauth in non-TTY npm/cli#8952 ). It still requires us to handle some stuff on our end (replicating what npm does internally) but I feel that's worth it - UX-wise. Obvious downside... it requires npm 11.9.0 and we can't easily even distinguish between classic and web otps... so we cant finetune messaging around this for versions earlier than 11.9.0

@bluwy WDYT?

[58bits]

Hi @Andarist - thanks a lot for looking at this.

Not sure if this helps, but my only request would be continued support for printing the auth URL to the console as a fallback for when npm / pnpm cannot open the browser.

For example...

This is a WSL 2 session.