
feat(publish): handle OTP and web-based authentication flows #11019

Merged: zkochan merged 3 commits into main from pr-10834-rebased on Mar 18, 2026

zkochan (Member) commented Mar 18, 2026

Summary

Rebased version of #10834 on current main (which now includes the "stop reading settings from pnpm field" change).

  • Adds OTP handling to pnpm publish with support for classic OTP prompts and web-based authentication (QR code + doneUrl polling)
  • Extracts OTP logic into a dedicated otp.ts module with dependency injection for testability
  • Consolidates shared context for OIDC and OTP flows into utils/shared-context.ts
  • Sends npm-auth-type: web and npm-command: publish headers to signal web auth support to the registry

Test plan

  • Compiles cleanly
  • Lint passes
  • OTP unit tests cover: classic prompt flow, web auth polling, timeout, non-interactive terminal, second challenge error, retry-after header

Supersedes #10834.

🤖 Generated with Claude Code

Add OTP handling to `pnpm publish` with support for:
- Classic OTP prompt (manual code entry)
- Web-based authentication flow with QR code display and doneUrl polling
- `npm-auth-type: web` header to signal web auth support to the registry

Extract OTP logic into a dedicated `otp.ts` module with dependency
injection for testability. Consolidate shared context for OIDC and OTP.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 18, 2026 21:32

Copilot AI (Contributor) left a comment

Pull request overview

Adds OTP challenge handling to pnpm publish (both classic OTP prompt and modern web-based auth with QR + doneUrl polling), consolidating publish/OIDC/OTP dependencies into a shared DI context and updating publish options to advertise web auth support to registries.

Changes:

  • Introduce publishWithOtpHandling() with classic OTP retry + web auth polling flow and dedicated error types.
  • Add DI-driven SHARED_CONTEXT for OIDC + OTP dependencies (fetch/enquirer/publish/process/Date/setTimeout) and update OIDC modules to use it.
  • Update publishPackedPkg to call the OTP wrapper and to send npm-auth-type: web / npm-command: publish headers plus authType/npmCommand options.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| releasing/commands/src/publish/otp.ts | New OTP/web-auth handling module with DI + error types. |
| releasing/commands/src/publish/utils/shared-context.ts | New consolidated shared DI context for OIDC + OTP flows. |
| releasing/commands/src/publish/publishPackedPkg.ts | Route publishing through OTP handler; add web-auth signaling options/headers. |
| releasing/commands/src/publish/oidc/authToken.ts | Update shared-context import path. |
| releasing/commands/src/publish/oidc/idToken.ts | Update shared-context import path. |
| releasing/commands/src/publish/oidc/provenance.ts | Update shared-context import path. |
| releasing/commands/src/publish/oidc/utils/shared-context.ts | Remove old OIDC-only shared context module. |
| releasing/commands/test/publish/otp.test.ts | Add unit tests covering OTP and web-auth flows (polling/timeout/retry-after/etc). |
| releasing/commands/package.json | Add qrcode-terminal and @types/qrcode-terminal deps. |
| pnpm-workspace.yaml | Add catalog entries for qrcode-terminal and its types. |
| pnpm-lock.yaml | Lockfile updates for new dependencies. |
| cspell.json | Add OTP/webauth-related words. |
| .changeset/tangy-pans-pull.md | Document new OTP prompt and QR-based web auth behavior. |
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Comment thread releasing/commands/src/publish/otp.ts Outdated
Comment thread releasing/commands/src/publish/otp.ts Outdated
zkochan and others added 2 commits March 18, 2026 22:37
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@zkochan zkochan added this to the v11.0 milestone Mar 18, 2026
@zkochan zkochan merged commit 88ad21d into main Mar 18, 2026
12 checks passed
@zkochan zkochan deleted the pr-10834-rebased branch March 18, 2026 22:11
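
The doneUrl polling named in the summary and test plan above (polling, timeout, retry-after header, injected fetch/Date/setTimeout) can be sketched as follows. This is an added example, not code from the pull request or from pnpm; the names `pollDoneUrl`, `nextDelayMs`, `PollDeps`, the delay constants, the HTTPS-only rule and the assumed registry contract (202 while pending, 200 with a `token` field) are assumptions of this sketch.

```typescript
// Added illustration, not pnpm's otp.ts. Every name below is hypothetical.
interface PollResponse {
  status: number
  headers: { get(name: string): string | null }
  json(): Promise<unknown>
}

interface PollDeps {
  fetch(url: string): Promise<PollResponse> // injected, so tests need no network
  now(): number // milliseconds, e.g. Date.now
  sleep(ms: number): Promise<void> // e.g. a setTimeout wrapper
}

const DEFAULT_DELAY_MS = 1000 // assumed fallback when Retry-After is absent or invalid
const MAX_DELAY_MS = 30000 // assumed cap so a server cannot stall the client

// Turn a Retry-After header (delta-seconds form) into a bounded delay that
// never sleeps past the overall deadline.
function nextDelayMs(retryAfter: string | null, msLeft: number): number {
  const seconds = Number(retryAfter)
  const valid = retryAfter !== null && isFinite(seconds) && seconds > 0
  const wanted = valid ? seconds * 1000 : DEFAULT_DELAY_MS
  return Math.max(0, Math.min(wanted, MAX_DELAY_MS, msLeft))
}

// Poll doneUrl until the registry hands back a token or timeoutMs elapses.
// Assumed contract: 202 = still pending, 200 = JSON body carrying `token`.
async function pollDoneUrl(doneUrl: string, timeoutMs: number, deps: PollDeps): Promise<string> {
  if (!/^https:\/\//i.test(doneUrl)) {
    throw new Error('refusing to poll a non-HTTPS doneUrl') // policy assumed by this example
  }
  const deadline = deps.now() + timeoutMs
  while (deps.now() < deadline) {
    const res = await deps.fetch(doneUrl)
    if (res.status === 200) {
      const body = (await res.json()) as { token?: unknown } | null
      const token = body === null ? undefined : body.token
      if (typeof token === 'string' && token !== '') return token
      throw new Error('doneUrl returned 200 without a token')
    }
    if (res.status !== 202) {
      throw new Error(`unexpected status ${res.status} from doneUrl`)
    }
    await deps.sleep(nextDelayMs(res.headers.get('retry-after'), deadline - deps.now()))
  }
  throw new Error('web authentication timed out')
}
```

Because the clock and the sleep function are injected, the timeout and Retry-After paths can be exercised with a fake clock and no real waiting.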