
fix(cli): enable web auth for package:init #2415

Open
ehs5 wants to merge 1 commit into npmx-dev:main from ehs5:fix/package-init-web-auth


@ehs5 ehs5 commented Apr 7, 2026

🔗 Linked issue

Fixes #2414

🧭 Context

package:init (Claim Package) never attempted web auth (AKA interactive mode) when requested by the frontend. A special case had been put in place to cause this behaviour in cli/src/server.ts - but this completely blocked users who have only set up 2FA with passkeys from claiming a package. The only other option to proceed was OTP, which is not available to set up as a 2FA method at npmjs.com anymore.

I suspect npm users that have not set up any 2FA also could not complete the "Claim package" operation - though I haven't verified this entirely.

📚 Description

The root cause of the issue was in cli/src/server.ts. In executeOperation(), there was a special case where interactive mode was not executed when the operation was of type "package:init".

I rewrote this so that in case "package:init", packageInit() now takes execOptions as a param instead of just the OTP code, making it run similarly to other operations. The execOptions object contains the necessary params to complete the web auth procedure.

To make this work, packageInit() in cli/src/npm-client.ts now runs execNpm() similarly to the other operations, whereas before it had its own, mostly duplicated, execution of execFileAsync(). To achieve this, an optional cwd param had to be added to the ExecNpmOptions type. This is so that the tempDir path (where package.json is temporarily stored when claiming a package) can be passed down to execFileAsync() for OTP and pty.spawn() for interactive, allowing for running the npm commands in the temp folder.

The code has been successfully run from my local env, allowing my account, which does not have OTP as 2FA, to claim a package.
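
The flow described above, as an added TypeScript sketch that is not the PR's code: one options object carries the auth mode and the working directory to the runner, and the temporary directory holding package.json is removed even when the command fails. `ExecOptions`, `runProbe` and `claimPackage` are hypothetical names, and the child process is the current Node binary rather than npm so the sketch runs offline.

```typescript
import { execFileSync } from "node:child_process";
import { existsSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Hypothetical option shape modelled on the PR description (not the project's type).
interface ExecOptions {
  otp?: string;          // one-time code, when the account uses OTP
  interactive?: boolean; // web auth requested by the frontend
  cwd?: string;          // working directory for the child process
}

interface ProbeResult { cwd: string; hasManifest: boolean; mode: string }
type Runner = (opts: ExecOptions) => ProbeResult;

// Stand-in for the npm invocation: the child reports its cwd and whether it can
// see package.json there. execFileSync takes an argv array (no shell) and a
// per-call cwd, so the parent process never has to chdir().
const PROBE =
  "process.stdout.write(JSON.stringify({cwd:process.cwd()," +
  "hasManifest:require('fs').existsSync('package.json')}))";

function runProbe(opts: ExecOptions): ProbeResult {
  const out = execFileSync(process.execPath, ["-e", PROBE], {
    cwd: opts.cwd,
    encoding: "utf8",
  });
  // A real interactive path would attach a PTY; in this sketch only the label differs.
  return { ...JSON.parse(out), mode: opts.interactive ? "interactive" : "otp" };
}

// Hypothetical claim flow: a private temp dir holds package.json, the same options
// object (plus cwd) reaches the runner for either auth mode, and the directory is
// removed in `finally` whether the command succeeds or throws.
function claimPackage(name: string, opts: ExecOptions, run: Runner = runProbe): ProbeResult {
  const tempDir = mkdtempSync(join(tmpdir(), "claim-")); // random suffix, 0700 on POSIX
  try {
    const manifest = JSON.stringify({ name, version: "0.0.0" });
    writeFileSync(join(tempDir, "package.json"), manifest, { mode: 0o600 });
    return run({ ...opts, cwd: tempDir });
  } finally {
    rmSync(tempDir, { recursive: true, force: true });
  }
}
```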


vercel bot commented Apr 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| npmx.dev | Ready | Preview, Comment | Apr 7, 2026 11:05pm |

2 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs.npmx.dev | Ignored | Preview | Apr 7, 2026 11:05pm |
| npmx-lunaria | Ignored | | Apr 7, 2026 11:05pm |


github-actions bot commented Apr 7, 2026

Hello! Thank you for opening your first PR to npmx, @ehs5! 🚀

Here’s what will happen next:

  1. Our GitHub bots will run to check your changes.
    If they spot any issues you will see some error messages on this PR.
    Don’t hesitate to ask any questions if you’re not sure what these mean!

  2. In a few minutes, you’ll be able to see a preview of your changes on Vercel

  3. One or more of our maintainers will take a look and may ask you to make changes.
    We try to be responsive, but don’t worry if this takes a few days.


codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!


coderabbitai bot commented Apr 7, 2026

📝 Walkthrough


The changes refactor how the package initialisation operation handles npm command-line interface options. The ExecNpmOptions interface gains an optional cwd property for specifying working directory. The packageInit function signature is updated to accept ExecNpmOptions instead of a standalone OTP parameter. The npm client execution paths are modified to propagate the cwd option through both interactive and non-interactive execution methods. The server routing for the package:init operation is updated to pass the full execution options object instead of only the OTP value.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #2414 by enabling web auth for package:init, allowing passkeys-only 2FA users to claim packages as requested. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to fixing the package:init web auth issue: adding cwd parameter, refactoring packageInit to use execOptions, and removing the special-case blocking in server.ts. |
| Description check | ✅ Passed | The pull request description clearly relates to the changeset, explaining the root cause, context, and implementation details of fixing web auth for package:init operations. |


graphieros added the "needs review" label (This PR is waiting for a review from a maintainer) Apr 8, 2026
serhalp self-requested a review April 8, 2026 14:10
serhalp self-assigned this Apr 8, 2026
serhalp added this to the v0.9.0 milestone Apr 8, 2026
github-project-automation bot moved this to Backlog in Releases Apr 8, 2026

Labels

needs review This PR is waiting for a review from a maintainer

Projects

Status: Backlog

Development

Successfully merging this pull request may close these issues.

Claiming a package is not possible with passkeys-only 2FA

3 participants