fix: Uses the npm-profile package to create tokens with GAT support

Author: owlstronaut

lib/commands/token.js

@@ -1,14 +1,25 @@
 const { log, output } = require('proc-log')
-const { listTokens, createToken, removeToken } = require('npm-profile')
+const { listTokens, createGatToken, removeToken } = require('npm-profile')
 const { otplease } = require('../utils/auth.js')
 const readUserInfo = require('../utils/read-user-info.js')
 const BaseCommand = require('../base-cmd.js')
 
 class Token extends BaseCommand {
   static description = 'Manage your authentication tokens'
   static name = 'token'
-  static usage = ['list', 'revoke <id|token>', 'create [--read-only] [--cidr=list]']
-  static params = ['read-only', 'cidr', 'registry', 'otp']
+  static usage = ['list', 'revoke <id|token>', 'create --name=<name> --access=<read-only|read-write> [--expires=<YYYY-MM-DD>] [--packages=<pkg1,pkg2>] [--scopes=<scope1,scope2>] [--orgs=<org1,org2>] [--cidr=<ip-range>] [--bypass-2fa]']
+  static params = ['name',
+    'expires',
+    'access',
+    'packages',
+    'scopes',
+    'orgs',
+    'cidr',
+    'bypass-2fa',
+    'registry',
+    'otp',
+    'read-only',
+  ]
 
   static async completion (opts) {
     const argv = opts.conf.argv.remain
@@ -127,15 +138,66 @@ class Token extends BaseCommand {
     const json = this.npm.config.get('json')
     const parseable = this.npm.config.get('parseable')
     const cidr = this.npm.config.get('cidr')
-    const readonly = this.npm.config.get('read-only')
+    const name = this.npm.config.get('name')
+    const expires = this.npm.config.get('expires')
+    const access = this.npm.config.get('access')
+    const packages = this.npm.config.get('packages')
+    const scopes = this.npm.config.get('scopes')
+    const orgs = this.npm.config.get('orgs')
+    const bypassTwoFactor = this.npm.config.get('bypass-2fa')
+
+    // Validate required parameters
+    if (!name) {
+      throw this.usageError('--name is required for token creation')
+    }
+    if (!access) {
+      throw this.usageError('--access is required (use "read-only" or "read-write")')
+    }
+    if (!['read-only', 'read-write'].includes(access)) {
+      throw this.usageError('--access must be either "read-only" or "read-write"')
+    }
 
     const validCIDR = await this.validateCIDRList(cidr)
+
+    // Prompt for password (required by backend for token creation)
     const password = await readUserInfo.password()
+
+    // Build GAT token data structure matching backend expectations
+    const tokenData = {
+      token_type: 'granular',
+      name: name,
+      access: access,
+      password: password,
+    }
+
+    // Add packages, scopes, and orgs as separate arrays (not nested objects)
+    if (packages?.length > 0) {
+      tokenData.packages = packages
+    }
+    if (scopes?.length > 0) {
+      tokenData.scopes = scopes
+    }
+    if (orgs?.length > 0) {
+      tokenData.orgs = orgs
+    }
+    if (expires) {
+      tokenData.expires = 10 // Hardcoding for now. Backend expects # of days as an integer
+    }
+
+    // Add optional fields
+    if (validCIDR?.length > 0) {
+      tokenData.cidr_whitelist = validCIDR
+    }
+    if (bypassTwoFactor) {
+      tokenData.bypass_2fa = true
+    }
+
     log.info('token', 'creating')
+    log.silly('token', 'request body:', JSON.stringify(tokenData, null, 2))
     const result = await otplease(
       this.npm,
       { ...this.npm.flatOptions },
-      c => createToken(password, readonly, validCIDR, c)
+      c => createGatToken(tokenData, c)
     )
     delete result.key
     delete result.updated
@@ -145,12 +207,15 @@ class Token extends BaseCommand {
       Object.keys(result).forEach(k => output.standard(k + '\t' + result[k]))
     } else {
       const chalk = this.npm.chalk
-      // Identical to list
-      const level = result.readonly ? 'read only' : 'publish'
+      // Display based on access level
+      const level = result.access === 'read-only' || result.readonly ? 'read only' : 'publish'
       output.standard(`Created ${chalk.blue(level)} token ${result.token}`)
       if (result.cidr_whitelist?.length) {
         output.standard(`with IP whitelist: ${chalk.green(result.cidr_whitelist.join(','))}`)
       }
+      if (result.expires) {
+        output.standard(`expires: ${result.expires}`)
+      }
     }
   }
 
@@ -180,7 +245,7 @@ class Token extends BaseCommand {
     for (const cidr of list) {
       if (isCidrV6(cidr)) {
         throw this.invalidCIDRError(
-          `CIDR whitelist can only contain IPv4 addresses${cidr} is IPv6`
+          `CIDR whitelist can only contain IPv4 addresses, ${cidr} is IPv6`
         )
       }
 

tap-snapshots/test/lib/commands/config.js.test.cjs

@@ -23,6 +23,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "before": null,
   "bin-links": true,
   "browser": null,
+  "bypass-2fa": false,
   "ca": null,
   "cache-max": null,
   "cache-min": 0,
@@ -48,6 +49,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "engine-strict": false,
   "expect-result-count": null,
   "expect-results": null,
+  "expires": null,
   "fetch-retries": 2,
   "fetch-retry-factor": 10,
   "fetch-retry-maxtimeout": 60000,
@@ -97,6 +99,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "logs-dir": null,
   "logs-max": 10,
   "long": false,
+  "name": null,
   "maxsockets": 15,
   "message": "%s",
   "node-gyp": "{CWD}/node_modules/node-gyp/bin/node-gyp.js",
@@ -108,13 +111,15 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "omit": [],
   "omit-lockfile-registry-resolved": false,
   "only": null,
+  "orgs": null,
   "optional": null,
   "os": null,
   "otp": null,
   "package": [],
   "package-lock": true,
   "package-lock-only": false,
   "pack-destination": ".",
+  "packages": [],
   "parseable": false,
   "prefer-dedupe": false,
   "prefer-offline": false,
@@ -141,6 +146,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "sbom-format": null,
   "sbom-type": "library",
   "scope": "",
+  "scopes": null,
   "script-shell": null,
   "searchexclude": "",
   "searchlimit": 20,
@@ -187,6 +193,7 @@ auth-type = "web"
 before = null
 bin-links = true
 browser = null
+bypass-2fa = false
 ca = null
 ; cache = "{CACHE}" ; overridden by cli
 cache-max = null
@@ -214,6 +221,7 @@ editor = "{EDITOR}"
 engine-strict = false
 expect-result-count = null
 expect-results = null
+expires = null
 fetch-retries = 2
 fetch-retry-factor = 10
 fetch-retry-maxtimeout = 60000
@@ -266,6 +274,7 @@ logs-max = 10
 ; long = false ; overridden by cli
 maxsockets = 15
 message = "%s"
+name = null
 node-gyp = "{CWD}/node_modules/node-gyp/bin/node-gyp.js"
 node-options = null
 noproxy = [""]
@@ -275,12 +284,14 @@ omit = []
 omit-lockfile-registry-resolved = false
 only = null
 optional = null
+orgs = null
 os = null
 otp = null
 pack-destination = "."
 package = []
 package-lock = true
 package-lock-only = false
+packages = []
 parseable = false
 prefer-dedupe = false
 prefer-offline = false
@@ -307,6 +318,7 @@ save-prod = false
 sbom-format = null
 sbom-type = "library"
 scope = ""
+scopes = null
 script-shell = null
 searchexclude = ""
 searchlimit = 20