The standard practice of storing your NPM token in a plain text file isn't just lazy; it's a security disaster waiting to happen. With NPM supply chain attacks becoming a regular event, leaving your NPM token unencrypted is like leaving a public dildo on your front porch. It's an open invitation to get fucked. Hard.

While the whole NPM ecosystem is slave tech that cannot be fixed, let's at least get some basic protection by encrypting access tokens.

Firstly, create a new NPM token and encrypt it with OpenSSL:

```
# The token literal below is written into your shell history; clear it afterwards.
mkdir -p ~/.npm/tokens && chmod 700 ~/.npm/tokens
echo -n 'YOUR_NPM_TOKEN' | openssl enc -aes-256-cbc -a -salt -pbkdf2 -iter 1000000 > ~/.npm/tokens/.npmtoken-your-project.enc
```

Then, create a bash script to publish your NPM package using this encrypted token:

```
#!/bin/bash

cd ~/path/to/your/project/ || exit 1

# Prompt for the passphrase (input is not echoed), then move to a new line
read -r -s -p "Enter passphrase for .npmtoken-your-project.enc: " passphrase
echo

# Decrypt the token. The passphrase is handed to OpenSSL through the
# environment (-pass env:) instead of on the command line (-pass pass:),
# so it never shows up in `ps` output.
export passphrase
npm_token=$(openssl enc -aes-256-cbc -d -a -salt -pbkdf2 -iter 1000000 -pass env:passphrase -in ~/.npm/tokens/.npmtoken-your-project.enc)

# Check that the decryption succeeded and actually produced a token
if [ $? -ne 0 ] || [ -z "$npm_token" ]; then
    echo "Decryption failed. Aborting."
    exit 1
fi
unset passphrase

echo "Token is decrypted."

# Assign the decrypted token to the NPM_TOKEN environment variable
export NPM_TOKEN="$npm_token"

# Make sure that authToken is set to NPM_TOKEN in ~/.npmrc:
# //registry.npmjs.org/:_authToken=${NPM_TOKEN}

# Use the NPM_TOKEN environment variable for npm publish
npm publish --registry https://registry.npmjs.org/

# Check the exit code of npm publish
if [ $? -eq 0 ]; then
    echo "Package published successfully!"
else
    echo "Error: npm publish failed."
    unset NPM_TOKEN
    exit 1
fi

# Clean up the token from the environment
unset NPM_TOKEN

echo "Done."
```

Next, save this script into `~/.local/bin/npm.publish.your-project` and make it executable.

```
chmod +x ~/.local/bin/npm.publish.your-project
```

Now you can publish your NPM package by executing this script, which will prompt you for the passphrase:

```
npm.publish.your-project
```
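The same scheme, folded into functions, as an added example that is not the author's script: the passphrase goes to OpenSSL through an environment variable instead of the command line, the token is read from stdin instead of a shell argument (so it never lands in shell history), the encrypted file is created owner-only, and the plaintext carries a marker so a wrong passphrase is always detected (plain CBC has no integrity check, and the padding check alone can occasionally pass on garbage). `NPM_TOKEN_PASS`, `TOKEN_DIR`, the marker string and the `encrypt`/`publish` subcommands are this example's own choices; it assumes bash and an OpenSSL that supports `-pbkdf2` (1.1.1 or later).

```bash
#!/bin/bash
# Added example: functions around the page's OpenSSL token scheme.
# Assumes bash and openssl 1.1.1+ (for -pbkdf2). Names below are this
# example's own, not part of npm or OpenSSL.

TOKEN_DIR="${TOKEN_DIR:-$HOME/.npm/tokens}"
TOKEN_FILE="${TOKEN_FILE:-$TOKEN_DIR/.npmtoken-your-project.enc}"
MARKER="npm-token-v1:"   # constructed prefix, verified after decryption
CIPHER_OPTS="-aes-256-cbc -a -salt -pbkdf2 -iter 1000000"

# encrypt_token FILE: token on stdin, passphrase in $NPM_TOKEN_PASS.
# -pass env: keeps the passphrase out of `ps`; umask 077 makes the file 0600.
encrypt_token() {
    local out="$1" token
    [ -n "${NPM_TOKEN_PASS:-}" ] || { echo "NPM_TOKEN_PASS is not set" >&2; return 1; }
    export NPM_TOKEN_PASS
    mkdir -p "$(dirname "$out")" && chmod 700 "$(dirname "$out")" || return 1
    token=$(cat)
    [ -n "$token" ] || { echo "refusing to encrypt an empty token" >&2; return 1; }
    ( umask 077 && printf '%s' "$MARKER$token" |
        openssl enc $CIPHER_OPTS -pass env:NPM_TOKEN_PASS -out "$out" )
}

# decrypt_token FILE: prints the token on stdout, or prints nothing and
# fails when the passphrase is wrong, the file is damaged, or the marker
# is missing, so a caller can never publish with an empty or garbage token.
decrypt_token() {
    local in="$1" plain
    export NPM_TOKEN_PASS
    plain=$(openssl enc $CIPHER_OPTS -d -pass env:NPM_TOKEN_PASS -in "$in") || return 1
    case "$plain" in
        "$MARKER"*) printf '%s' "${plain#"$MARKER"}" ;;
        *) echo "decrypted data has no token marker (wrong passphrase?)" >&2; return 1 ;;
    esac
}

# publish_with_token FILE: NPM_TOKEN is set only for the npm process via a
# per-command assignment, so there is nothing left in the shell to unset.
# ~/.npmrc must contain: //registry.npmjs.org/:_authToken=${NPM_TOKEN}
publish_with_token() {
    local token
    token=$(decrypt_token "$1") || { echo "Decryption failed. Aborting." >&2; return 1; }
    NPM_TOKEN="$token" npm publish --registry https://registry.npmjs.org/
}

# CLI: `script encrypt` prompts for the token, `script publish` publishes.
# Runs only when a subcommand is given, so sourcing the file is side-effect free.
if [ $# -gt 0 ]; then
    read -r -s -p "Passphrase for $TOKEN_FILE: " NPM_TOKEN_PASS; echo
    export NPM_TOKEN_PASS
    case "$1" in
        encrypt) read -r -s -p "NPM token: " t; echo
                 printf '%s' "$t" | encrypt_token "$TOKEN_FILE" ;;
        publish) cd ~/path/to/your/project/ && publish_with_token "$TOKEN_FILE" ;;
        *) echo "usage: $0 encrypt|publish" >&2; exit 2 ;;
    esac
fi
```

Save it as `~/.local/bin/npm.publish.your-project` as before; `npm.publish.your-project encrypt` replaces the `echo -n 'YOUR_NPM_TOKEN' | openssl ...` step, and `npm.publish.your-project publish` replaces the publish script. Because the token is only ever passed through an environment assignment scoped to the `npm` process, a failed publish cannot leave it lying around in the calling shell.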

By encrypting your token with OpenSSL, you're not removing the dildo from your porch, but at least you've put a lockbox on it. It's still a target, but now you've made the bastard work for it, which is more than most people can be bothered to do.
