What is Optic?
Optic is an ecosystem composed of:
- Mobile application: The mobile app securely stores npm secrets, generates OTPs, and sends push notifications.
- GitHub action: The action creates and publishes new GitHub and npm releases. While publishing npm releases it can request a One Time Password (OTP) from the mobile app.
- GitHub app: The GitHub App is a helper that creates the pull requests and releases on GitHub. This application should be installed on the repositories (or the organization) where you want to use the action.
- Backend server: The backend server manages app subscriptions and generates Optic tokens.
Why Optic?
Updates to packages have been made easier by tools like GitHub's Dependabot and Actions, but releasing them manually with 2FA enabled can still be a pain.
Did you know that npm has recently enforced 2FA for the top 500 packages?
With tens of thousands of packages released every month, wouldn't it be great if there was a way to completely automate the release process?
Optic does exactly that!
Optic enables you to automate the release process of your npm packages, apps and actions without compromising security. The Optic mobile app helps you to securely generate OTP tokens on the fly for 2FA protected npm accounts. It allows you to do all that directly from the deployment pipeline at the click of a button!
How Optic works
In a nutshell, Optic automates the build and versioning process and the publishing of npm packages, without compromising security. Publishing an npm package requires you to authenticate with a publish token issued by npm; the npm CLI uses this token when publishing. If you have two-factor authentication (2FA) enabled, a One Time Password (OTP) is also required at publish time.
Features in Optic
- Auto publish npm packages using 2FA
- Push notifications for OTP approvals
- Multiple repo owners/collaborators supported
- Privacy first! Your npm secret token never leaves your device
- Mobile app with slick UI and biometric authentication
- Completely open source with self hosting support
Architecture
Optic uses a Fastify server as the backend. The Firebase Firestore database stores app subscriptions and necessary user information. The mobile app is built using React Native and uses secure storage for storing npm tokens.
The Optic GitHub action triggers the release process. You can also set up Optic on your own servers; the instructions are in the repository README.
Motivation
Why do I need this when I can create npm automation tokens?
Although you can generate an automation token that bypasses two-factor authentication when publishing, Optic lets you keep using the publish token and request an OTP on the fly while publishing. The action calls the Optic service, which requests the OTP from your phone; the release proceeds only after you approve it.
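To make the mechanism described under "How Optic works" and in the answer above concrete, here is an added example modelling the flow in Python. It is not Optic's own code (the page does not reproduce any): the device holds the npm 2FA secret and derives a standard RFC 6238 TOTP code (HMAC-SHA1, 30-second step, 6 digits, which is what authenticator apps produce) only when the user approves the request, and the CI side builds the `npm publish --otp` command only from an approved, well-formed code. The `Device`, `release` and `publish_argv` names, the approval callback and the sample secret are constructed for illustration; `--otp` is the real npm CLI flag.

```python
# Added example (not Optic's own code): a minimal model of the flow the post
# describes. TOTP is RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); the Device and
# release names, the approval callback and the sample secret are constructed.
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, List, Optional

# Constructed sample: base32 of the RFC 6238 reference secret "12345678901234567890".
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamically truncated HMAC-SHA1 of the big-endian 8-byte counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, timestamp: Optional[int] = None,
         period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the current time step."""
    secret = base64.b32decode(secret_b32.strip().replace(" ", ""), casefold=True)
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // period, digits)


class Device:
    """The phone: keeps the 2FA secret and only ever hands out derived codes."""

    def __init__(self, secret_b32: str, approve: Callable[[str], bool]):
        self._secret_b32 = secret_b32  # never returned by any method
        self._approve = approve        # the user's tap / biometric prompt, as a callback

    def handle_otp_request(self, package: str, now: Optional[int] = None) -> Optional[str]:
        if not self._approve(package):
            return None                # user declined: nothing leaves the device
        return totp(self._secret_b32, now)


def publish_argv(package_dir: str, otp: Optional[str]) -> List[str]:
    """Build the npm CLI command the pipeline would run once an OTP is in hand.
    Refuse to build one without a well-formed code rather than fall back to
    publishing without 2FA."""
    if otp is None or not (otp.isdigit() and len(otp) == 6):
        raise PermissionError("release blocked: no approved OTP")
    return ["npm", "publish", package_dir, "--otp", otp]


def release(device: Device, package: str, package_dir: str = ".",
            now: Optional[int] = None) -> Optional[List[str]]:
    """The CI side: request a code from the device and proceed only if one comes back."""
    otp = device.handle_otp_request(package, now)
    if otp is None:
        return None
    return publish_argv(package_dir, otp)


if __name__ == "__main__":
    approved_phone = Device(SAMPLE_SECRET_B32, approve=lambda pkg: True)
    declined_phone = Device(SAMPLE_SECRET_B32, approve=lambda pkg: False)
    # Fixed timestamp 59 s is the first RFC 6238 test vector; the code is 287082.
    print(release(approved_phone, "my-package", now=59))  # ['npm', 'publish', '.', '--otp', '287082']
    print(release(declined_phone, "my-package", now=59))  # None
```

The point of the model is where the secret lives: the CI job never sees it, only a six-digit code that is valid for one time step, and a declined or missing approval leaves the job with nothing to publish with.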
Optic without npm?
Optic is a versatile tool that works with different release pipelines. It can also be used for releases with Python/pip, Rust/cargo or any other combination!
All you need to do is configure the Optic GitHub action with the correct parameters for your release pipeline.
Wrapping up
Web application attacks are increasingly becoming stepping stones to more complex attacks. There is no time like the present to improve the security of your npm account.
As the industry moves towards Zero-Trust Authentication, 2FA is a very important part of that strategy. Optic provides an easy and secure way to automate npm releases and eliminates the hassle of manually publishing packages. It requires minimal server and database resources and offers many other features.
The NearForm team is constantly working on improving the application and adding new features.