When automating the publishing of an NPM package, 2FA can get in the way, as you can’t really automate entering a 2FA auth code off a cellphone. Enter Wombat Dressing Room from Google:
With Wombat Dressing Room, rather than an individual configuring two factor authentication in an authenticator app, 2FA is managed by a shared proxy server..
- You publish to Wombat Dressing Room, and it enforces additional security rules, before redirecting to
- Publishes are made from a single npm account with 2FA enabled (a bot account).
- Publishes can be made using the npm CLI, by making Wombat Dressing Room the default registry (
npm config set registry https://external-project.appspot.com).
The Wombat Dressing Room is deployed to Google App Engine. They’ve been using it themselves internally for over a year, in case you were wondering if it is “production ready”.