feat!: Adds Granular Access Token (GAT) support to npm token command

BREAKING CHANGE: The `npm token create` command now requires the `--name` and `--access` parameters for creating tokens. The `--read-only` flag has been deprecated in favor of the more flexible `--access` parameter which accepts `read-only` or `read-write`. Additional parameters such as `--expires`, `--packages`, `--scopes`, `--orgs`, and `--bypass-2fa` have been added to support GAT features.

Author: owlstronaut

lib/commands/token.js

@@ -1,14 +1,24 @@
 const { log, output } = require('proc-log')
 const { listTokens, createToken, removeToken } = require('npm-profile')
 const { otplease } = require('../utils/auth.js')
-const readUserInfo = require('../utils/read-user-info.js')
 const BaseCommand = require('../base-cmd.js')
 
 class Token extends BaseCommand {
   static description = 'Manage your authentication tokens'
   static name = 'token'
-  static usage = ['list', 'revoke <id|token>', 'create [--read-only] [--cidr=list]']
-  static params = ['read-only', 'cidr', 'registry', 'otp']
+  static usage = ['list', 'revoke <id|token>', 'create --name=<name> --access=<read-only|read-write> [--expires=<YYYY-MM-DD>] [--packages=<pkg1,pkg2>] [--scopes=<scope1,scope2>] [--orgs=<org1,org2>] [--cidr=<ip-range>] [--bypass-2fa]']
+  static params = ['name',
+    'expires',
+    'access',
+    'packages',
+    'scopes',
+    'orgs',
+    'cidr',
+    'bypass-2fa',
+    'registry',
+    'otp',
+    'read-only',
+  ]
 
   static async completion (opts) {
     const argv = opts.conf.argv.remain
@@ -127,15 +137,91 @@ class Token extends BaseCommand {
     const json = this.npm.config.get('json')
     const parseable = this.npm.config.get('parseable')
     const cidr = this.npm.config.get('cidr')
-    const readonly = this.npm.config.get('read-only')
+    const name = this.npm.config.get('name')
+    const expires = this.npm.config.get('expires')
+    const access = this.npm.config.get('access')
+    const packages = this.npm.config.get('packages')
+    const scopes = this.npm.config.get('scopes')
+    const orgs = this.npm.config.get('orgs')
+    const bypassTwoFactor = this.npm.config.get('bypass-2fa')
+
+    // Validate required parameters
+    if (!name) {
+      throw this.usageError('--name is required for token creation')
+    }
+    if (!access) {
+      throw this.usageError('--access is required (use "read-only" or "read-write")')
+    }
+    if (!['read-only', 'read-write'].includes(access)) {
+      throw this.usageError('--access must be either "read-only" or "read-write"')
+    }
 
     const validCIDR = await this.validateCIDRList(cidr)
-    const password = await readUserInfo.password()
+    // Build GAT token data structure
+    const tokenData = {
+      token_type: 'granular',
+      token_name: name,
+    }
+
+    // Convert access to permission action (read-only -> read, read-write -> write)
+    const permissionAction = access === 'read-only' ? 'read' : 'write'
+
+    // Build scopes array (combines packages, scopes, and orgs)
+    const scopesArray = []
+    if (packages?.length > 0) {
+      packages.forEach(pkg => {
+        scopesArray.push({ type: 'package', name: pkg })
+      })
+    }
+    if (scopes?.length > 0) {
+      scopes.forEach(scope => {
+        scopesArray.push({ type: 'package', name: scope })
+      })
+    }
+    if (orgs?.length > 0) {
+      orgs.forEach(org => {
+        scopesArray.push({ type: 'org', name: org })
+      })
+    }
+    tokenData.scopes = scopesArray
+
+    // Build permissions array based on what types are present
+    const permissionsArray = []
+    const hasPackageScope = packages?.length > 0 || scopes?.length > 0
+    const hasOrgScope = orgs?.length > 0
+
+    if (hasPackageScope) {
+      permissionsArray.push({ name: 'package', action: permissionAction })
+    }
+    if (hasOrgScope) {
+      permissionsArray.push({ name: 'org', action: permissionAction })
+    }
+    tokenData.permissions = permissionsArray
+
+    // Add expiration in days (default to 7 days if not provided)
+    if (expires) {
+      const expiresDate = new Date(expires)
+      const now = new Date()
+      const diffDays = Math.ceil((expiresDate - now) / (1000 * 60 * 60 * 24))
+      tokenData.expirationInDays = Math.max(1, diffDays) // minimum 1 day
+    } else {
+      tokenData.expirationInDays = 7
+    }
+
+    // Add optional fields
+    if (validCIDR?.length > 0) {
+      tokenData.cidr_whitelist = validCIDR
+    }
+    if (bypassTwoFactor) {
+      tokenData.bypass_2fa = true
+    }
+
     log.info('token', 'creating')
+    log.silly('token', 'request body:', JSON.stringify(tokenData, null, 2))
     const result = await otplease(
       this.npm,
       { ...this.npm.flatOptions },
-      c => createToken(password, readonly, validCIDR, c)
+      c => createToken(tokenData, c)
     )
     delete result.key
     delete result.updated
@@ -145,12 +231,15 @@ class Token extends BaseCommand {
       Object.keys(result).forEach(k => output.standard(k + '\t' + result[k]))
     } else {
       const chalk = this.npm.chalk
-      // Identical to list
-      const level = result.readonly ? 'read only' : 'publish'
+      // Display based on access level
+      const level = result.access === 'read-only' || result.readonly ? 'read only' : 'publish'
       output.standard(`Created ${chalk.blue(level)} token ${result.token}`)
       if (result.cidr_whitelist?.length) {
         output.standard(`with IP whitelist: ${chalk.green(result.cidr_whitelist.join(','))}`)
       }
+      if (result.expires) {
+        output.standard(`expires: ${result.expires}`)
+      }
     }
   }
 
@@ -180,7 +269,7 @@ class Token extends BaseCommand {
     for (const cidr of list) {
       if (isCidrV6(cidr)) {
         throw this.invalidCIDRError(
-          `CIDR whitelist can only contain IPv4 addresses${cidr} is IPv6`
+          `CIDR whitelist can only contain IPv4 addresses, ${cidr} is IPv6`
         )
       }
 

tap-snapshots/test/lib/commands/config.js.test.cjs

@@ -23,6 +23,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "before": null,
   "bin-links": true,
   "browser": null,
+  "bypass-2fa": false,
   "ca": null,
   "cache-max": null,
   "cache-min": 0,
@@ -48,6 +49,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "engine-strict": false,
   "expect-result-count": null,
   "expect-results": null,
+  "expires": null,
   "fetch-retries": 2,
   "fetch-retry-factor": 10,
   "fetch-retry-maxtimeout": 60000,
@@ -97,6 +99,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "logs-dir": null,
   "logs-max": 10,
   "long": false,
+  "name": null,
   "maxsockets": 15,
   "message": "%s",
   "node-gyp": "{CWD}/node_modules/node-gyp/bin/node-gyp.js",
@@ -108,13 +111,15 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "omit": [],
   "omit-lockfile-registry-resolved": false,
   "only": null,
+  "orgs": null,
   "optional": null,
   "os": null,
   "otp": null,
   "package": [],
   "package-lock": true,
   "package-lock-only": false,
   "pack-destination": ".",
+  "packages": [],
   "parseable": false,
   "prefer-dedupe": false,
   "prefer-offline": false,
@@ -141,6 +146,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "sbom-format": null,
   "sbom-type": "library",
   "scope": "",
+  "scopes": null,
   "script-shell": null,
   "searchexclude": "",
   "searchlimit": 20,
@@ -187,6 +193,7 @@ auth-type = "web"
 before = null
 bin-links = true
 browser = null
+bypass-2fa = false
 ca = null
 ; cache = "{CACHE}" ; overridden by cli
 cache-max = null
@@ -214,6 +221,7 @@ editor = "{EDITOR}"
 engine-strict = false
 expect-result-count = null
 expect-results = null
+expires = null
 fetch-retries = 2
 fetch-retry-factor = 10
 fetch-retry-maxtimeout = 60000
@@ -266,6 +274,7 @@ logs-max = 10
 ; long = false ; overridden by cli
 maxsockets = 15
 message = "%s"
+name = null
 node-gyp = "{CWD}/node_modules/node-gyp/bin/node-gyp.js"
 node-options = null
 noproxy = [""]
@@ -275,12 +284,14 @@ omit = []
 omit-lockfile-registry-resolved = false
 only = null
 optional = null
+orgs = null
 os = null
 otp = null
 pack-destination = "."
 package = []
 package-lock = true
 package-lock-only = false
+packages = []
 parseable = false
 prefer-dedupe = false
 prefer-offline = false
@@ -307,6 +318,7 @@ save-prod = false
 sbom-format = null
 sbom-type = "library"
 scope = ""
+scopes = null
 script-shell = null
 searchexclude = ""
 searchlimit = 20