
RFC: Verified Account Linking

Open djsauble opened this issue 6 years ago • 13 comments

What / Why

Add a verified way to link your npm account with other accounts that you own.

OSS works because of its web of trust. When anyone can masquerade as anyone else, this web of trust is weakened. We need a way for someone linking their (for example) GitHub or Twitter account to prove ownership of those linked accounts.

See the RFC for more details.

djsauble avatar Nov 26 '19 16:11 djsauble

Would this be queryable from the outside, i.e., if i know someone's github, i could trivially determine which npm account is linked to it?

ljharb avatar Nov 26 '19 18:11 ljharb

Potentially, yes! The registry will store that information. This RFC outlines a CLI-based interface for interacting with that information, which doesn't preclude making it available via a general-purpose API.

djsauble avatar Nov 26 '19 18:11 djsauble

Would these all just be OAuth handshakes? I know I've come across similar features on other platforms. If I make an account on npm, and want to link my github, I have to log into github to prove I own that account. Which is an OAuth flow right? Can we still accomplish this from the CLI?

mikemimik avatar Jan 21 '20 16:01 mikemimik

The CLI can provide you a URL you need to visit to complete the OAuth flow, which is a standard way to complete the OAuth dance from the CLI.

ljharb avatar Jan 21 '20 16:01 ljharb

@djsauble have you looked into something like how keybase verifies identity? https://keybase.io/docs/proof_integration_guide

ThisIsMissEm avatar Feb 14 '20 16:02 ThisIsMissEm

This has already been implemented for GitHub and Twitter.

nickserv avatar Jan 02 '23 12:01 nickserv

@nickmccurdy is this queryable via the api? also, can i link an npm org to a github org?

ljharb avatar Jan 02 '23 19:01 ljharb

is this queryable via the api?

Yes: https://registry.npmjs.org/-/npm/v1/user

also, can i link an npm org to a github org?

I can't confirm this since I'm not in any npm orgs, but I'm assuming no, since this is documented as an account level feature.

nickserv avatar Jan 02 '23 20:01 nickserv

I'm not sure the RFC can be considered completed if it doesn't work for orgs?

ljharb avatar Jan 02 '23 22:01 ljharb

You could at least verify based on who published the package though, right?

nickserv avatar Jan 03 '23 03:01 nickserv

if it was based on publishes it’d be in package.json; this is a momentary setting that isn’t connected to publishes.

ljharb avatar Jan 03 '23 04:01 ljharb

I mean you could programmatically find the publishing user and then look up their profile via the api.

nickserv avatar Jan 04 '23 05:01 nickserv

true - although unfortunately the packument only preserves the npm username at the time of publish, not the github account they were linked with at the time, and i'm not sure the github api can tell me what historical permissions an account had

ljharb avatar Jan 04 '23 06:01 ljharb
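The cross-check nickserv and ljharb describe above (publisher from the packument, then that user's linked account from their profile), as an added example that is not part of the RFC or this thread. The packument and profile objects are constructed samples; the `github` field on a profile is assumed to follow the shape `npm profile get` prints, and the example takes the profile lookups as given rather than calling the registry.

```javascript
// Constructed packument excerpt in the registry's shape. Each version records
// the npm account that published it under `_npmUser` (username only, as the
// thread notes; no linked GitHub account is stored at publish time).
const packument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.2.0" },
  versions: {
    "1.0.0": { version: "1.0.0", _npmUser: { name: "alice", email: "alice@example.test" } },
    "1.1.0": { version: "1.1.0", _npmUser: { name: "alice", email: "alice@example.test" } },
    "1.2.0": { version: "1.2.0", _npmUser: { name: "release-bot", email: "bot@example.test" } },
  },
};

// Constructed profile responses keyed by npm username (assumed shape: the
// `github` field is the account verified through account linking, or empty).
const profiles = {
  alice: { name: "alice", github: "alice-gh", twitter: "" },
  "release-bot": { name: "release-bot", github: "", twitter: "" },
};

// Map each published version to the npm username that published it.
function publishersByVersion(doc) {
  return Object.fromEntries(
    Object.entries(doc.versions).map(([v, meta]) => [v, meta._npmUser?.name ?? null])
  );
}

// Flag versions whose publisher has no verified GitHub link, or whose linked
// GitHub account is not among the maintainers you expect. Caveat from the
// thread: the profile reflects the link as it is *now*, not at publish time,
// so a clean result only says the current link looks right.
function auditLinkedPublishers(doc, profileLookup, expectedGithub) {
  const findings = [];
  for (const [version, user] of Object.entries(publishersByVersion(doc))) {
    const github = (user && profileLookup[user]?.github) || null;
    if (!github) {
      findings.push({ version, user, reason: "no verified GitHub link on publisher profile" });
    } else if (!expectedGithub.has(github)) {
      findings.push({ version, user, github, reason: "publisher linked to unexpected GitHub account" });
    }
  }
  return findings;
}

// Usage: expect every version to come from an account linked to alice-gh.
console.log(auditLinkedPublishers(packument, profiles, new Set(["alice-gh"])));
```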