Google has promised to take some of the pain – or at least some of the risk – out of publishing to npm, with the open sourcing of its Wombat Dressing Room npm registry proxy.
The cloud giant’s Benjamin Coe said it had been using Wombat Dressing Room to manage Google Cloud client libraries “for over a year now in our fully automated library release process.”
The aim is to better automate the process of publishing to npm, and maintain good security practices. One good security practice is of course 2FA. Unfortunately, says Coe, “It’s difficult to automate the step of entering a code off a cellphone. As a result, folks often opt to turn off 2FA in their automation.” Which of course is not a good practice.
“With Wombat Dressing Room, rather than an individual configuring two factor authentication in an authenticator app, 2FA is managed by a shared proxy server. Publications are then directed at the Wombat Dressing Room proxy,” he continues.
Or, as the services GitHub page puts it, “You publish to Wombat Dressing Room, and it enforces additional security rules, before redirecting to registry.npmjs.org….Publishes are made from a single npm account with 2FA enabled (a bot account).” In addition, “Publishes can be made using the npm CLI, by making Wombat Dressing Room the default registry.”
Unsurprisingly, using the service requires an npm account, and even less surprisingly, a Google Cloud Platform account to deploy to and a GitHub OAuth Application to perform authentication and authorization.
The Wombat Dressing Room proxy can provide per-package publication tokens, which “are tied to a single GitHub repository, which the user generating the token must have push permissions for.”
That way, writes Coe, “If a per-package publication token is leaked, an attacker can only hijack the single package that the token is associated with.”
The service can also generate tokens with a 24 hour lifespan. Alternatively, users can opt for GitHub releases as 2FA, where “a package can only be published to npm if a GitHub release with a corresponding tag is found on GitHub.”
You can find full details of how to set up the service here.