Npm login alias leads to unintended account creations

So obviously npm login is an alias to adduser, which creates or verifies username entered, but I would argue that these are distinct.

Login should be for an existing user, not for registry user creation.

Though it may be about semantics, I believe login is a distinct action where only an existing member of the system can be authenticated and authorized, as opposed to adding a user to a system which can then login. So I don’t understand why these are bound by the same command.

I believe this causes confusion and leads to plenty of unintended, unused accounts. This also contradicts any web registration process I’ve ever encountered for any service. You always have to create/register an account before being able to log in, at times even with prompts when a username doesn’t exist.

This scenario actually happened to me back in March because I was fiddling around with new setup scripts and forgot to add the --registry flag on the actual attempt to log in to a private registry. I contacted support via email about this (said they would pass this to the Product Team for future improvement) in order to have that account deleted as I have intention in using this.

Current Behavior

npm login will create a new account if entering credentials that are non-existent on npmjs.org

Expected Behavior

npm login to do one of the following:

  • report account does not exist and exit
  • ask to register new account
  • have a flag (e.g. --create) to create account in the eventuality that it doesn’t exist

Creating/registering a new account with a non-existing username/email should not be the default.

Steps to Reproduce

npm login
Username: nonExistentUsername
Password: 
Email: (this IS public) nonExistentUsername@email.com
Logged in as nonExistentUsername on https://registry.npmjs.org/.

Environment

  • OS: macOS Catalina 10.15.7
  • Node: v14.17.1
  • npm: 6.14.13

Last Thoughts

Maybe someone has some insight as to why this is the case and the reasoning behind it.

Sure, it can speed up account creation, but who does that rather than going to the website? And maybe there is a use case for this, but it shouldn’t be the default for login to be an alias to adduser, rather it should be a command that could call adduser.

1 Like

Think you are missing the fact that this is meant to add a user to your credential file - in that sense the wording login is not correct. In that context addUser is not correct either as you are discussing a potential createUser. To give you a better perspective, using npmjs.com as well as other private registries, you maybe log in once a year, the only real times you are using those commands are when you want to transpose your login details into per-repository .npmrc settings.

Are you familiar with other registries? There’s no consensus or standards, they are designed to handle the ecosystem of said programming language and in that sense and context it is mostly the developer-users of that programming language that decide what is required or useful. In node terms, package management and distribution is divided: npm, yarn, pnpm have (somewhat) divergent features while using the npmjs.com registry as http default.

Don’t know how much this helps you right now but you can hard-code more than your login credentials to a per-project/folder .npmrc file and that way you would never hit the account creation or duplication scenario
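An added example, not part of the thread or of npm itself: a pre-login guard for setup scripts that reads the project's .npmrc and refuses to proceed when the login would fall through to the public registry, the situation described in the original post. The function names and the https://npm.example.internal/ URL are hypothetical, and only the project-level .npmrc is inspected (user-level config and environment overrides are not considered).

```shell
#!/bin/sh
# Added example: guard to run before `npm login` in a setup script.
# Assumption: only <project>/.npmrc is consulted; names below are hypothetical.
PUBLIC_REGISTRY="https://registry.npmjs.org/"

# Print the registry= value from <dir>/.npmrc, or the public default.
# Comment lines (; or #) and scoped lines (@scope:registry=) do not match.
# Assumption: if several registry= lines exist, the last one is taken.
project_registry() {
    npmrc="$1/.npmrc"
    reg=""
    if [ -f "$npmrc" ]; then
        reg=$(sed -n 's/^[[:space:]]*registry[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$npmrc" | tail -n 1)
    fi
    printf '%s\n' "${reg:-$PUBLIC_REGISTRY}"
}

# Make URLs comparable: exactly one trailing slash.
normalize() { printf '%s\n' "${1%/}/"; }

# check_login_target <project_dir> <expected_registry>
# 0: project points at the expected registry (URL printed on stdout)
# 1: project points at some other non-public registry
# 2: login would go to the public registry (missing or default config)
check_login_target() {
    actual=$(normalize "$(project_registry "$1")")
    expected=$(normalize "$2")
    if [ "$actual" = "$(normalize "$PUBLIC_REGISTRY")" ]; then
        echo "refusing: login would target $actual" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "refusing: .npmrc registry is $actual, expected $expected" >&2
        return 1
    fi
    printf '%s\n' "$actual"
}

# Usage in a setup script (placeholder URL):
#   reg=$(check_login_target . https://npm.example.internal/) \
#       && npm login --registry="$reg"
```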

@bretonics did you indeed confirm that the user that gets created/prompted in the command line by the npm CLI is actually a user you can login with to npmjs.org?

Ohh, totally. I confirmed it back when I noticed it earlier this year (could log in and saw account creation date, and had support confirm account was created and asked for its deletion).

I also retried it before making this post (well was hoping to put in an issue in the repo instead, but instructions led me here) with an email I knew I hadn’t used, and sure enough, new account created. Got email confirmation, logged in, and saw account creation date was just a few minutes since.

1 Like

Got it. That’s… unfortunate. Hope the team works out a better workflow.