feat(otp): Adds opts.otpPrompt to provide an OTP on demand

This adds support for an opts.otpPrompt function which will be called
whenever an OTP is needed.  The request will then be retried with the
OTP provided.  If the method throws or fails to provide an OTP value,
then the 401 error is raised.

Author: isaacs

README.md

@@ -418,6 +418,19 @@ This is a one-time password from a two-factor authenticator. It is required for
 certain registry interactions when two-factor auth is enabled for a user
 account.
 
+##### <a name="opts-otpPrompt"></a> `opts.otpPrompt`
+
+* Type: Function
+* Default: null
+
+This is a method which will be called to provide an OTP if the server
+responds with a 401 response indicating that a one-time-password is
+required.
+
+It may return a promise, which must resolve to the OTP value to be used.
+If the method fails to provide an OTP value, then the fetch will fail with
+the auth error that indicated an OTP was needed.
+
 ##### <a name="opts-password"></a> `opts.password`
 
 * Alias: `_password`

index.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const { HttpErrorAuthOTP } = require('./errors.js')
 const checkResponse = require('./check-response.js')
 const getAuth = require('./auth.js')
 const fetch = require('make-fetch-happen')
@@ -98,40 +99,57 @@ function regFetch (uri, /* istanbul ignore next */ opts_ = {}) {
     opts.preferOnline = true
   }
 
-  const doFetch = (body) => fetch(uri, {
-    agent: opts.agent,
-    algorithms: opts.algorithms,
-    body,
-    cache: getCacheMode(opts),
-    cacheManager: opts.cache,
-    ca: opts.ca,
-    cert: opts.cert,
-    headers,
-    integrity: opts.integrity,
-    key: opts.key,
-    localAddress: opts.localAddress,
-    maxSockets: opts.maxSockets,
-    memoize: opts.memoize,
-    method: method,
-    noProxy: opts.noProxy,
-    proxy: opts.httpsProxy || opts.proxy,
-    retry: opts.retry ? opts.retry : {
-      retries: opts.fetchRetries,
-      factor: opts.fetchRetryFactor,
-      minTimeout: opts.fetchRetryMintimeout,
-      maxTimeout: opts.fetchRetryMaxtimeout,
-    },
-    strictSSL: opts.strictSSL,
-    timeout: opts.timeout || 30 * 1000,
-  }).then(res => checkResponse({
-    method,
-    uri,
-    res,
-    registry,
-    startTime,
-    auth,
-    opts,
-  }))
+  const doFetch = async body => {
+    const p = fetch(uri, {
+      agent: opts.agent,
+      algorithms: opts.algorithms,
+      body,
+      cache: getCacheMode(opts),
+      cacheManager: opts.cache,
+      ca: opts.ca,
+      cert: opts.cert,
+      headers,
+      integrity: opts.integrity,
+      key: opts.key,
+      localAddress: opts.localAddress,
+      maxSockets: opts.maxSockets,
+      memoize: opts.memoize,
+      method: method,
+      noProxy: opts.noProxy,
+      proxy: opts.httpsProxy || opts.proxy,
+      retry: opts.retry ? opts.retry : {
+        retries: opts.fetchRetries,
+        factor: opts.fetchRetryFactor,
+        minTimeout: opts.fetchRetryMintimeout,
+        maxTimeout: opts.fetchRetryMaxtimeout,
+      },
+      strictSSL: opts.strictSSL,
+      timeout: opts.timeout || 30 * 1000,
+    }).then(res => checkResponse({
+      method,
+      uri,
+      res,
+      registry,
+      startTime,
+      auth,
+      opts,
+    }))
+
+    if (typeof opts.otpPrompt === 'function') {
+      return p.catch(async er => {
+        if (er instanceof HttpErrorAuthOTP) {
+          // if otp fails to complete, we fail with that failure
+          const otp = await opts.otpPrompt()
+          // if no otp provided, throw the original HTTP error
+          if (!otp)
+            throw er
+          return regFetch(uri, { ...opts, otp })
+        }
+        throw er
+      })
+    } else
+      return p
+  }
 
   return Promise.resolve(body).then(doFetch)
 }

test/errors.js

@@ -4,6 +4,7 @@ const npa = require('npm-package-arg')
 const npmlog = require('npmlog')
 const t = require('tap')
 const tnock = require('./util/tnock.js')
+const { HttpErrorAuthOTP } = require('./errors.js')
 
 const fetch = require('../index.js')
 
@@ -24,7 +25,11 @@ t.test('generic request errors', t => {
   tnock(t, OPTS.registry)
     .get('/ohno/oops')
     .reply(400, 'failwhale!')
-  return fetch('/ohno/oops', OPTS)
+  // verify that the otpPrompt won't save from non-OTP errors
+  const otpPrompt = () => {
+    throw new Error('nope')
+  }
+  return fetch('/ohno/oops', { ...OPTS, otpPrompt })
     .then(
       () => {
         throw new Error('should not have succeeded!')
@@ -128,6 +133,89 @@ t.test('OTP error', t => {
     )
 })
 
+t.test('OTP error with prompt', t => {
+  let OTP = null
+  tnock(t, OPTS.registry)
+    .get('/otplease').times(2)
+    .matchHeader('npm-otp', otp => {
+      if (otp) {
+        OTP = otp[0]
+        t.strictSame(otp, ['12345'], 'got expected otp')
+      }
+      return true
+    })
+    .reply((...args) => {
+      if (OTP === '12345')
+        return [200, { ok: 'this is fine' }, {}]
+      else
+        return [401, { error: 'otp, please' }, { 'www-authenticate': 'otp' }]
+    })
+
+  const otpPrompt = async () => '12345'
+  return fetch('/otplease', { ...OPTS, otpPrompt })
+    .then(res => {
+      t.strictSame(res.status, 200, 'got 200 response')
+      return res.json()
+    }).then(body => {
+      t.strictSame(body, { ok: 'this is fine' }, 'got expected body')
+    })
+})
+
+t.test('OTP error with prompt, expired OTP in settings', t => {
+  let OTP = null
+  tnock(t, OPTS.registry)
+    .get('/otplease').times(2)
+    .matchHeader('npm-otp', otp => {
+      if (otp) {
+        if (!OTP)
+          t.strictSame(otp, ['98765'], 'got invalid otp first')
+        else
+          t.strictSame(otp, ['12345'], 'got expected otp')
+        OTP = otp[0]
+      }
+      return true
+    })
+    .reply((...args) => {
+      if (OTP === '12345')
+        return [200, { ok: 'this is fine' }, {}]
+      else
+        return [401, { error: 'otp, please' }, { 'www-authenticate': 'otp' }]
+    })
+
+  const otpPrompt = async () => '12345'
+  return fetch('/otplease', { ...OPTS, otpPrompt, otp: '98765' })
+    .then(res => {
+      t.strictSame(res.status, 200, 'got 200 response')
+      return res.json()
+    }).then(body => {
+      t.strictSame(body, { ok: 'this is fine' }, 'got expected body')
+    })
+})
+
+t.test('OTP error with prompt that fails', t => {
+  tnock(t, OPTS.registry)
+    .get('/otplease')
+    .reply((...args) => {
+      return [401, { error: 'otp, please' }, { 'www-authenticate': 'otp' }]
+    })
+
+  const otpPrompt = async () => {
+    throw new Error('whoopsie')
+  }
+  return t.rejects(fetch('/otplease', { ...OPTS, otpPrompt }), HttpErrorAuthOTP)
+})
+
+t.test('OTP error with prompt that returns nothing', t => {
+  tnock(t, OPTS.registry)
+    .get('/otplease')
+    .reply((...args) => {
+      return [401, { error: 'otp, please' }, { 'www-authenticate': 'otp' }]
+    })
+
+  const otpPrompt = async () => {}
+  return t.rejects(fetch('/otplease', { ...OPTS, otpPrompt }), HttpErrorAuthOTP)
+})
+
 t.test('OTP error when missing www-authenticate', t => {
   tnock(t, OPTS.registry)
     .get('/otplease')