{
"_from": "npm-profile@4.0.4",
"_id": "npm-profile@4.0.4",
"_inBundle": false,
"_integrity": "sha512-Ta8xq8TLMpqssF0H60BXS1A90iMoM6GeKwsmravJ6wYjWwSzcYBTdyWa3DZCYqPutacBMEm7cxiOkiIeCUAHDQ==",
"_location": "/npm/npm-profile",
"_phantomChildren": {},
"_requested": {
"escapedName": "npm-profile",
"fetchSpec": "4.0.4",
"name": "npm-profile",
"raw": "npm-profile@4.0.4",
"rawSpec": "4.0.4",
"registry": true,
"saveSpec": null,
"type": "version"
},
"_requiredBy": [
"#USER",
"/npm",
"/npm/libnpm"
],
"_resolved": "https://registry.npmjs.org/npm-profile/-/npm-profile-4.0.4.tgz",
"_shasum": "28ee94390e936df6d084263ee2061336a6a1581b",
"_shrinkwrap": null,
"_spec": "npm-profile@4.0.4",
"_where": "/Users/darcyclarke/Documents/Repos/npm/cli",
"author": {
"email": "me@re-becca.org",
"name": "Rebecca Turner",
"url": "http://re-becca.org/"
},
"bugs": {
"url": "https://github.com/npm/npm-profile/issues"
},
"bundleDependencies": false,
"dependencies": {
"aproba": "^1.1.2 || 2",
"figgy-pudding": "^3.4.1",
"npm-registry-fetch": "^4.0.0"
},
"deprecated": false,
"description": "Library for updating an npmjs.com profile",
"devDependencies": {},
"files": [
"CHANGELOG.md",
"index.js"
],
"homepage": "https://github.com/npm/npm-profile/tree/latest/lib#readme",
"keywords": [],
"license": "ISC",
"main": "index.js",
"name": "npm-profile",
"optionalDependencies": {},
"publishConfig": {
"tag": "legacy-v4"
},
"readme": "# npm-profile\n\nProvides functions for fetching and updating an npmjs.com profile.\n\n```js\nconst profile = require('npm-profile')\nconst result = await profile.get(registry, {token})\n//...\n```\n\nThe API that this implements is documented here:\n\n* [authentication](https://github.com/npm/registry/blob/master/docs/user/authentication.md)\n* [profile editing](https://github.com/npm/registry/blob/master/docs/user/profile.md) (and two-factor authentication)\n\n## Table of Contents\n\n* [API](#api)\n * Login and Account Creation\n * [`adduser()`](#adduser)\n * [`login()`](#login)\n * [`adduserWeb()`](#adduser-web)\n * [`loginWeb()`](#login-web)\n * [`adduserCouch()`](#adduser-couch)\n * [`loginCouch()`](#login-couch)\n * Profile Data Management\n * [`get()`](#get)\n * [`set()`](#set)\n * Token Management\n * [`listTokens()`](#list-tokens)\n * [`removeToken()`](#remove-token)\n * [`createToken()`](#create-token)\n\n## API\n\n### <a name=\"adduser\"></a> `> profile.adduser(opener, prompter, [opts]) → Promise`\n\nTries to create a user new web based login, if that fails it falls back to\nusing the legacy CouchDB APIs.\n\n* `opener` Function (url) → Promise, returns a promise that resolves after a browser has been opened for the user at `url`.\n* `prompter` Function (creds) → Promise, returns a promise that resolves to an object with `username`, `email` and `password` properties.\n* [`opts`](#opts) Object (optional) plus extra keys:\n * `creds` Object, passed through to prompter, common values are:\n * `username` String, default value for username\n * `email` String, default value for email\n\n#### **Promise Value**\n\nAn object with the following properties:\n\n* `token` String, to be used to authenticate further API calls\n* `username` String, the username the user authenticated as\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the action was 
denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be `'E'` followed by the HTTP response code, for\nexample a Forbidden response would be `E403`.\n\n### <a name=\"login\"></a> `> profile.login(opener, prompter, [opts]) → Promise`\n\nTries to login using new web based login, if that fails it falls back to\nusing the legacy CouchDB APIs.\n\n* `opener` Function (url) → Promise, returns a promise that resolves after a browser has been opened for the user at `url`.\n* `prompter` Function (creds) → Promise, returns a promise that resolves to an object with `username`, and `password` properties.\n* [`opts`](#opts) Object (optional) plus extra keys:\n * `creds` Object, passed through to prompter, common values are:\n * `name` String, default value for username\n\n#### **Promise Value**\n\nAn object with the following properties:\n\n* `token` String, to be used to authenticate further API calls\n* `username` String, the username the user authenticated as\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the action was denied because an OTP is required then `code` will be set\nto `EOTP`. 
This error code can only come from a legacy CouchDB login and so\nthis should be retried with loginCouch.\n\nIf the action was denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be `'E'` followed by the HTTP response code, for\nexample a Forbidden response would be `E403`.\n\n### <a name=\"adduser-web\"></a> `> profile.adduserWeb(opener, [opts]) → Promise`\n\nTries to create a user new web based login, if that fails it falls back to\nusing the legacy CouchDB APIs.\n\n* `opener` Function (url) → Promise, returns a promise that resolves after a browser has been opened for the user at `url`.\n* [`opts`](#opts) Object\n\n#### **Promise Value**\n\nAn object with the following properties:\n\n* `token` String, to be used to authenticate further API calls\n* `username` String, the username the user authenticated as\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the registry does not support web-login then an error will be thrown with\nits `code` property set to `ENYI` . 
You should retry with `adduserCouch`.\nIf you use `adduser` then this fallback will be done automatically.\n\nIf the action was denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be `'E'` followed by the HTTP response code, for\nexample a Forbidden response would be `E403`.\n\n### <a name=\"login-web\"></a> `> profile.loginWeb(opener, [opts]) → Promise`\n\nTries to login using new web based login, if that fails it falls back to\nusing the legacy CouchDB APIs.\n\n* `opener` Function (url) → Promise, returns a promise that resolves after a browser has been opened for the user at `url`.\n* [`opts`](#opts) Object (optional)\n\n#### **Promise Value**\n\nAn object with the following properties:\n\n* `token` String, to be used to authenticate further API calls\n* `username` String, the username the user authenticated as\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the registry does not support web-login then an error will be thrown with\nits `code` property set to `ENYI`. You should retry with `loginCouch`.\nIf you use `login` then this fallback will be done automatically.\n\nIf the action was denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be `'E'` followed by the HTTP response code, for\nexample a Forbidden response would be `E403`.\n\n### <a name=\"adduser-couch\"></a> `> profile.adduserCouch(username, email, password, [opts]) → Promise`\n\n```js\nconst {token} = await profile.adduserCouch(username, email, password, {registry})\n// `token` can be passed in through `opts` for authentication.\n```\n\nCreates a new user on the server along with a fresh bearer token for future\nauthentication as this user. 
This is what you see as an `authToken` in an\n`.npmrc`.\n\nIf the user already exists then the npm registry will return an error, but\nthis is registry specific and not guaranteed.\n\n* `username` String\n* `email` String\n* `password` String\n* [`opts`](#opts) Object (optional)\n\n#### **Promise Value**\n\nAn object with the following properties:\n\n* `token` String, to be used to authenticate further API calls\n* `username` String, the username the user authenticated as\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the action was denied because an OTP is required then `code` will be set\nto `EOTP`.\n\nIf the action was denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be `'E'` followed by the HTTP response code, for\nexample a Forbidden response would be `E403`.\n\n### <a name=\"login-couch\"></a> `> profile.loginCouch(username, password, [opts]) → Promise`\n\n```js\nlet token\ntry {\n  ({token} = await profile.loginCouch(username, password, {registry}))\n} catch (err) {\n  // EOTP means the account requires a one-time password: retry with one\n  if (err.code === 'EOTP') {\n    const otp = await getOTPFromSomewhere()\n    ;({token} = await profile.loginCouch(username, password, {otp}))\n  } else {\n    throw err\n  }\n}\n// `token` can now be passed in through `opts` for authentication.\n```\n\nLogs you into an existing user. Does not create the user if they do not\nalready exist. Logging in means generating a new bearer token for use in\nfuture authentication. 
This is what you use as an `authToken` in an `.npmrc`.\n\n* `username` String\n* `email` String\n* `password` String\n* [`opts`](#opts) Object (optional)\n\n#### **Promise Value**\n\nAn object with the following properties:\n\n* `token` String, to be used to authenticate further API calls\n* `username` String, the username the user authenticated as\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nIf the object has a `code` property set to `EOTP` then that indicates that\nthis account must use two-factor authentication to login. Try again with a\none-time password.\n\nIf the object has a `code` property set to `EAUTHIP` then that indicates that\nthis account is only allowed to login from certain networks and this ip is\nnot on one of those networks.\n\nIf the error was neither of these then the error object will have a\n`code` property set to the HTTP response code and a `headers` property with\nthe HTTP headers in the response.\n\n### <a name=\"get\"></a> `> profile.get([opts]) → Promise`\n\n```js\nconst {name, email} = await profile.get({token})\nconsole.log(`${token} belongs to https://npm.im/~${name}, (mailto:${email})`)\n```\n\nFetch profile information for the authenticated user.\n\n* [`opts`](#opts) Object\n\n#### **Promise Value**\n\nAn object that looks like this:\n\n```js\n// \"*\" indicates a field that may not always appear\n{\n tfa: null |\n false |\n {\"mode\": \"auth-only\", pending: Boolean} |\n [\"recovery\", \"codes\"] |\n \"otpauth://...\",\n name: String,\n email: String,\n email_verified: Boolean,\n created: Date,\n updated: Date,\n cidr_whitelist: null | [\"192.168.1.1/32\", ...],\n fullname: String, // *\n homepage: String, // *\n freenode: String, // *\n twitter: String, // *\n github: String // *\n}\n```\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the action was denied because an OTP is required then 
`code` will be set\nto `EOTP`.\n\nIf the action was denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be the HTTP response code.\n\n### <a name=\"set\"></a> `> profile.set(profileData, [opts]) → Promise`\n\n```js\nawait profile.set({github: 'great-github-account-name'}, {token})\n```\n\nUpdate profile information for the authenticated user.\n\n* `profileData` An object, like that returned from `profile.get`, but see\n below for caveats relating to `password`, `tfa` and `cidr_whitelist`.\n* [`opts`](#opts) Object (optional)\n\n#### **SETTING `password`**\n\nThis is used to change your password and is not visible (for obvious\nreasons) through the `get()` API. The value should be an object with `old`\nand `new` properties, where the former has the user's current password and\nthe latter has the desired new password. For example\n\n```js\nawait profile.set({\n password: {\n old: 'abc123',\n new: 'my new (more secure) password'\n }\n}, {token})\n```\n\n#### **SETTING `cidr_whitelist`**\n\nThe value for this is an Array. Only valid CIDR ranges are allowed in it.\nBe very careful as it's possible to lock yourself out of your account with\nthis. This is not currently exposed in `npm` itself.\n\n```js\nawait profile.set({\n cidr_whitelist: [ '8.8.8.8/32' ]\n}, {token})\n// ↑ only one of google's dns servers can now access this account.\n```\n\n#### **SETTING `tfa`**\n\nEnabling two-factor authentication is a multi-step process.\n\n1. Call `profile.get` and check the status of `tfa`. If `pending` is true then\n you'll need to disable it with `profile.set({tfa: {password, mode: 'disable'}, …)`.\n2. 
`profile.set({tfa: {password, mode}}, {registry, token})`\n * Note that the user's `password` is required here in the `tfa` object,\n regardless of how you're authenticating.\n * `mode` is either `auth-only` which requires an `otp` when calling `login`\n or `createToken`, or `mode` is `auth-and-writes` and an `otp` will be\n required on login, publishing or when granting others access to your\n modules.\n * Be aware that this set call may require otp as part of the auth object.\n If otp is needed it will be indicated through a rejection in the usual\n way.\n3. If tfa was already enabled then you're just switching modes and a\n successful response means that you're done. If the tfa property is empty\n and tfa _wasn't_ enabled then it means they were in a pending state.\n4. The response will have a `tfa` property set to an `otpauth` URL, as\n [used by Google Authenticator](https://github.com/google/google-authenticator/wiki/Key-Uri-Format).\n You will need to show this to the user for them to add to their\n authenticator application. This is typically done as a QR code, but you\n can also show the value of the `secret` key in the `otpauth` query string\n and they can type or copy paste that in.\n5. To complete setting up two factor auth you need to make a second call to\n `profile.set` with `tfa` set to an array of TWO codes from the user's\n authenticator, e.g.: `profile.set({tfa: [otp1, otp2]}, {registry, token})`\n6. On success you'll get a result object with a `tfa` property that has an\n array of one-time-use recovery codes. 
These are used to authenticate\n later if the second factor is lost and generally should be printed and\n put somewhere safe.\n\nDisabling two-factor authentication is more straightforward, set the `tfa`\nattribute to an object with a `password` property and a `mode` of `disable`.\n\n```js\nawait profile.set({tfa: {password, mode: 'disable'}}, {token})\n```\n\n#### **Promise Value**\n\nAn object reflecting the changes you made, see description for `profile.get`.\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the action was denied because an OTP is required then `code` will be set\nto `EOTP`.\n\nIf the action was denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be the HTTP response code.\n\n### <a name=\"list-tokens\"></a> `> profile.listTokens([opts]) → Promise`\n\n```js\nconst tokens = await profile.listTokens({registry, token})\nconsole.log(`Number of tokens in your accounts: ${tokens.length}`)\n```\n\nFetch a list of all of the authentication tokens the authenticated user has.\n\n* [`opts`](#opts) Object (optional)\n\n#### **Promise Value**\n\nAn array of token objects. Each token object has the following properties:\n\n* key — A sha512 that can be used to remove this token.\n* token — The first six characters of the token UUID. This should be used\n by the user to identify which token this is.\n* created — The date and time the token was created\n* readonly — If true, this token can only be used to download private modules. 
Critically, it CAN NOT be used to publish.\n* cidr_whitelist — An array of CIDR ranges that this token is allowed to be used from.\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the action was denied because an OTP is required then `code` will be set\nto `EOTP`.\n\nIf the action was denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be the HTTP response code.\n\n### <a name=\"remove-token\"></a> `> profile.removeToken(token|key, opts) → Promise`\n\n```js\nawait profile.removeToken(key, {token})\n// token is gone!\n```\n\nRemove a specific authentication token.\n\n* `token|key` String, either a complete authentication token or the key returned by `profile.listTokens`.\n* [`opts`](#opts) Object (optional)\n\n#### **Promise Value**\n\nNo value.\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the action was denied because an OTP is required then `code` will be set\nto `EOTP`.\n\nIf the action was denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be the HTTP response code.\n\n### <a name=\"create-token\"></a> `> profile.createToken(password, readonly, cidr_whitelist, [opts]) → Promise`\n\n```js\nconst newToken = await profile.createToken(\n password, readonly, cidr_whitelist, {token, otp}\n)\n// do something with the newToken\n```\n\nCreate a new authentication token, possibly with restrictions.\n\n* `password` String\n* `readonly` Boolean\n* `cidr_whitelist` Array\n* [`opts`](#opts) Object Optional\n\n#### **Promise Value**\n\nThe promise will resolve with an object very much like the ones returned by\n`profile.listTokens`. 
The only difference is that `token` is not truncated.\n\n```js\n{\n token: String,\n key: String, // sha512 hash of the token UUID\n cidr_whitelist: [String],\n created: Date,\n readonly: Boolean\n}\n```\n\n#### **Promise Rejection**\n\nAn error object indicating what went wrong.\n\nThe `headers` property will contain the HTTP headers of the response.\n\nIf the action was denied because an OTP is required then `code` will be set\nto `EOTP`.\n\nIf the action was denied because it came from an IP address that this action\non this account isn't allowed from then the `code` will be set to `EAUTHIP`.\n\nOtherwise the code will be the HTTP response code.\n\n### <a name=\"opts\"></a> options objects\n\nThe various API functions accept an optional `opts` object as a final\nargument. This opts object can either be a regular Object, or a\n[`figgy-pudding`](https://npm.im/figgy-pudding) options object instance.\n\nUnless otherwise noted, the options accepted are the same as the\n[`npm-registry-fetch`\noptions](https://www.npmjs.com/package/npm-registry-fetch#fetch-opts).\n\nOf particular note are `opts.registry`, and the auth-related options:\n\n* `opts.token` - used for Bearer auth\n* `opts.username` and `opts.password` - used for Basic auth\n* `opts.otp` - the 2fa OTP token\n\n## <a name=\"logging\"></a> Logging\n\nThis module logs by emitting `log` events on the global `process` object.\nThese events look like this:\n\n```js\nprocess.emit('log', 'loglevel', 'feature', 'message part 1', 'part 2', 'part 3', 'etc')\n```\n\n`loglevel` can be one of: `error`, `warn`, `notice`, `http`, `timing`, `info`, `verbose`, and `silly`.\n\n`feature` is any brief string that describes the component doing the logging.\n\nThe remaining arguments are evaluated like `console.log` and joined together with spaces.\n\nA real world example of this is:\n\n```js\n process.emit('log', 'http', 'request', '→', conf.method || 'GET', conf.target)\n```\n\nTo handle the log events, you would do something 
like this:\n\n```js\nconst log = require('npmlog')\nprocess.on('log', function (level) {\n return log[level].apply(log, [].slice.call(arguments, 1))\n})\n```\n",
"readmeFilename": "README.md",
"repository": {
"type": "git",
"url": "git+https://github.com/npm/npm-profile.git"
},
"version": "4.0.4"
}