This repo: #68

Another repo: node-casbin/mongoose-adapter#45

Currently, Casbin.js is a self-made authorization mechanism called Authorizer, which is much different with Casbin's enforcer.

Now we decided to remove all those stuff and let Casbin.js just be a wrapper of Node-Casbin. Node-Casbin can run both on browser and Node.js. For browser use, it has been used in Casbin online editor: https://github.com/casbin/casbin-editor

But Node-Casbin may need to be adjusted like adding Sync functions, to facilitate the use of frontend.

Hi, when I add Casbin.js to my react project I get the error below. To use Casbin.js I need to downgrade Casbin.js to a version that is not tied to babel-loader 8.2.2, but this cannot be the long term solution. Can you advise how to proceed?

The react-scripts package provided by Create React App requires a dependency:

"babel-loader": "8.1.0"

Don't try to install it manually: your package manager does it automatically.
However, a different version of babel-loader was detected higher up in the tree:

/Users/kavindapelpola/src/atos-ams/packages/ams/ui/node_modules/babel-loader (version: 8.2.2)

The problem is that CasbinJsGetPermissionForUser on backend reeturns this:

{
    "m": "[request_definition]\nr = sub, dom, obj, act\n[policy_definition]\np = sub, dom, obj, act\n[role_definition]\ng = _, _, _\n[policy_effect]\ne = some(where (p.eft == allow))\n[matchers]\nm = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act\n",
    "p": [
        [
            "p",
            "admin",
            "default",
            "users",
            "read"
        ],
        [
            "p",
            "admin",
            "default",
            "users",
            "write"
        ]
    ]
}

My policies are

p, admin, default, users, read
p, admin, default, users, write

g, demo1, admin, default

My model is:

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

On frontend side ( react with casbin.js )
I'm doing this:

const authorizer = new casbinjs.Authorizer("manual");
/* other code... */
authorizer.setPermission(responseFromCasbinJsGetPermissionForUser);

 let can = await authorizer.can('read', 'users'); // -> Return FALSE, which is wrong

Why is not working?

          > I got solution for above mentioned issue

pls provide the solution here

Originally posted by @vasanth123 in #273 (comment)

The link to the example react app appears to be broken.

I tried using casbin.js in my Angular project but it seems casbin is dependent on some core node.js modules, path stream and fs to be more specific. Angular 12 uses webpack 5 which does not allow core node.js modules to be included in a web app. I tried some workarounds but finally gave up since I found out that casbin.js does not support RBAC with domains as mentioned here #31.

I currently working on react typescript application and using casbin.js package, but when I started to react server I getting the following error. Please Help Me

Module parse failed: Unexpected token (158:32)
File was processed with these loaders:

• ./node_modules/babel-loader/lib/index.js
  You may need an additional loader to handle the result of these loaders.
  | async buildIncrementalRoleLinks(rm, op, sec, ptype, rules) {
  | if (sec === 'g') {

  await this.model.get(sec)?.get(ptype)?.buildIncrementalRoleLinks(rm, op, rules);

| }
| } // buildRoleLinks initializes the roles in RBAC.

Now we see that the casbin.js asks the server explicitly
GET /permissions/[email protected]
it allows the attacker to exploit casbin issues to break into the system.

I propose to rename the casbin_subject to subject

Node-Casbin is only for backend Node.js applications. It can run on frontend but some functionalities like file read/write, DB access will certainly be disabled. So we need a new library for front-end only. It should be:

1. Can communicate with backend servers (e.g, via Node-Casbin), sync policies into browser.
2. Enforce the policy locally inside a browser.
3. Add some friendly functions especially for web, like isButtonAllowedToBeClicked().

See:

• #2
• #12

I use casbin.js in my frontend project.

I follow the docs: https://casbin.org/docs/en/frontend#advanced-usage. It occur error when I initialize casbinjs.Authorizer.
code:

    const authorizer = new casbinjs.Authorizer(
        'auto', // mode
        { 'http_address' }
    );

error:

Uncaught TypeError: casbinjs.Authorizer is not a constructor

When calling casbinJsGetPermissionForUser, all policy rules appear to be returned. Based on reading the code, my understanding is that this is not intended--rather, only rules applicable to the subject should be returned.

Can you clarify the expected behavior or whether I'm just doing it wrong? Here are test results:

const model = 
`
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
# Role: platform:ids:admin is allowed to everything.
m = (g(r.sub, p.sub) && keyMatch2(r.obj, p.obj)) || g(r.sub, 'platform:admin')
`;

const policy =
`
p, alice, data1, read
p, bob, data2, write


g, root, platform:admin
`;
const enforcer = await newEnforcer(newModelFromString(model), new StringAdapter(policy));

const perms = await casbinJsGetPermissionForUser(enforcer, 'bob');
console.log(JSON.parse(perms))

Expected result:

{
  m: '[request_definition]\n' +
    'r = sub, obj, act\n' +
    '[policy_definition]\n' +
    'p = sub, obj, act\n' +
    '[role_definition]\n' +
    'g = _, _\n' +
    '[policy_effect]\n' +
    'e = some(where (p.eft == allow))\n' +
    '[matchers]\n' +
    "m = (g(r.sub, p.sub) && keyMatch2(r.obj, p.obj)) || g(r.sub, 'platform:admin')",
  p: [
    [ 'p', 'bob', 'data2', 'write' ]
  ]
}

Actual result (note the alice rule):

{
  m: '[request_definition]\n' +
    'r = sub, obj, act\n' +
    '[policy_definition]\n' +
    'p = sub, obj, act\n' +
    '[role_definition]\n' +
    'g = _, _\n' +
    '[policy_effect]\n' +
    'e = some(where (p.eft == allow))\n' +
    '[matchers]\n' +
    "m = (g(r.sub, p.sub) && keyMatch2(r.obj, p.obj)) || g(r.sub, 'platform:admin')",
  p: [
    [ 'p', 'alice', 'data1', 'read' ],
    [ 'p', 'bob', 'data2', 'write' ]
  ]
}

Hi

would it be possible to add an authorization header (e.g. Bearer token) for the auto mode and therefore having the user attribute optional?

Alex

I'm using it on Next.js as port of a backend Casbin service. But its gives me this error.
Maybe it is from the Webpack settings?

Hello. According to my comment from docs it really will be helpful to implements CasbinJsGetPermissionForUser for .NET because of needs to use dynamic auth on the frontend.
Idk it should be a derived library or a part of the existing one, but I think the first variant is better.

Is there contributors can do this?
@hsluoyz

Hey everyone,

I'm checking out casbin because I'm considering to use it for a project. What especially caught my interest, is the new casbin.js because no other go authorization framework seems to provide anything similar. While I was playing around with it, I noticed limitations of CasbinJsGetPermissionForUser, which I would like to discuss:

(I hope this is the right repository to discuss, otherwise feel free to move the issue around)

deny permissions

CasbinJsGetPermissionForUser(...) cannot be used with any allow/deny models because the .eft information is completely stripped, i.e. any deny permission becomes an allow permission.

Standard rbac_with_deny_model.conf and rbac_with_deny_policy.csv make CasbinJsGetPermissionForUser(e, "alice") return

{"read":["data1","data2"],"write":["data2","data2"]}

Not only is data2 duplicated, but the second time it's actually a deny rule and here it shows up as a allow rule.

Idea

This might be solvable by more or less directly serializing the permissions as they are returned from e.GetImplicitPermissionsForUser(user). Otherwise I'm afraid with whatever we come up, will miss information for other model configurations because of the generic nature of casbin.

This would probably mean that casbin.js would need to have access to the model definition to know how to interpret the permissions?
If that wasn't the case, we wouldn't need the model configuration on the server side either ...

role inheritance

CasbinJsGetPermissionForUser(...) does not handle permissions for subroles.

Standard rbac_with_resource_roles_model.conf and rbac_with_resource_roles_policy.csv make CasbinJsGetPermissionForUser(e, "alice") return

{"read":["data1"],"write":["data_group"]}

So e.Enforce("alice", "data2", "write") will be true on the backend, but false on the frontend because because subroles are missing from the response and so unknown to the frontend.

Idea

For this very specific use case I added this to the loop:

                subRoles, err := e.GetUsersForRole(role)
		if err != nil {
			continue
		}
		for j := 0; j < len(subRoles); j++ {
			permission[action] = append(permission[action], subRoles[j])
		}

and it works. But it only handles one level of subroles (does casbin on the server side handle nested resource role permission deeper than one level?) and it seems to be very specific to this use case.

To make this a bit more abstract:
all roles of the user and the roles of resources that the user has permissions for should be known to the frontend.

Can this be done in a generic way at all and especially without leaking possibly sensitive information to the frontend?

Conclusion

CasbinJsGetPermissionForUser (and the format it returns) is in my humble opinion too limited. The structure of the response should be adjusted to be more generic and casbin.js should be adjusted to reflect a new structure.
If possible the data returned should be extended with resource roles.

I think it's rather easy to come up with a solution that works for a specific use case, but doing it in a generic way that's "upstreamable" might be rather hard. I'd be happy to hear your thoughts what can be done with reasonable effort as someone who is new to the project and then I'd be happy to work on that and upstream it.

Best regards,
Dominik

P.S.: I'm also in your Gitter channel and happy to answer questions or discuss there too

"Domain tenant" is useful in multi-group scenario. However, the API does not support multi-tenant at this stage, like lack of grouping policy, "can" function doesn't support "domain" param.
So I wonder whether the project plans to increase support for domain, or needs some PR support？

This is a demo for multi-tenant domain.

const casbin = require('casbin');
const data = {
    m: `
        [request_definition]
        r = sub, dom, obj, act
        [policy_definition]
        p = sub, dom, obj, act
        [role_definition]
        g = _, _, _
        g2 = _, _, _
        [policy_effect]
        e = some(where (p.eft == allow))
        [matchers]
        m = g(r.sub, p.sub, r.dom) && g2(r.obj, p.obj, r.dom) && r.dom == p.dom && r.act == p.act
    `,
    p: [
        ['p', 'admin', 'domain1', 'data1', 'read'],
        ['p', 'admin', 'domain1', 'data1', 'write'],
        ['p', 'admin', 'domain2', 'data2', 'read'],
        ['p', 'admin', 'domain2', 'data2', 'write'],
        ['p', 'data_group_admin', 'domain2', 'data_group', 'write'],
    ],
    g: [
        ['g', 'alice', 'admin', 'domain1'],
        ['g', 'alice', 'data_group_admin', 'domain2'],
        ['g2', 'data1', 'data_group', 'domain1'],
        ['g2', 'data2', 'data_group', 'domain2'],
    ],
};

const model = casbin.newModelFromString(data.m);
const enforcer = await casbin.newEnforcer(model);

const policies = data.p;
policies.forEach(async (policy) => {
    const policyResult = await enforcer.addNamedPolicy(...policy);
    console.log(`policy: ${policy.join(',')}, policyResult: ${policyResult}`);
});

const roles = data.g;
roles.forEach(async (role) => {
    const roleResult = await enforcer.addNamedGroupingPolicy(...role);
    console.log(`role: ${role.join(',')}, roleResult: ${roleResult}`);
})

const result = await enforcer.enforce('alice', 'domain1', 'data1', 'read');
console.log(`casbin result: ${result}`);

Recently, I will package a Vue plug-in library that simply uses casbin. The design and use will refer to the implementation method of Vue router. We need a more concise, convenient and user-friendly parameter transmission method. I hope to listen to your opinions. These are some simple designs, which will be supplemented later

`import Vue from 'vue'
import { VueCasbin } from 'vue-casbin-v2.x'

Vue.use(VueCasbin, { })

new Vue({
methods: {
async vcasbin () {
//todo
}
},
template: '<button @click="vcasbin">Execute use vue-casbin-v2.x'
})`

All our recent CIs failed like: https://github.com/casbin/casbin.js/pull/122/checks?check_run_id=3120761219

We need to changed to use YARN official registry: https://registry.yarnpkg.com

Our latest v0.1.2 has been reported to have bugs when importing:

We should stop such things happening again.

So, I just updated my Casbin.js version from 0.4.0 to 1.0.1 and I've run into the following error:

TS2305: Module '"/node_modules/casbin.js/lib"' has no exported member 'Authorizer'.

It seems that the Authorizer class is not being exported anymore. I looked into the docs (here in Github and in the Casbin website), and both still cites the Authorizer on how to use the lib.

Was the Authorizer removal by design or is this a bug?

Steps to reproduce the error

1. Simply install any version of Casbin after the version 0.4.0;
2. Try to import Authorizer, as noted in the docs:

	import { Authorizer } from 'casbin.js';

or

	import * as casbinjs from 'casbin.js';

	const authorizer = new casbinjs.Authorizer("manual")

Environment

I was able to reproduce this error in two different scenarios:

1. Using React with CRA
2. Using React with Vite

This error also persisted from the version 1.0.0-beta.1, from what I tested.

Error on updating latest version(0.1.0) of casbin.js
https://github.com/casbin-js/examples/tree/master/react

package.json

{
  "name": "app",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@testing-library/jest-dom": "^4.2.4",
    "@testing-library/react": "^9.3.2",
    "@testing-library/user-event": "^7.1.2",
    "casbin.js": "^0.1.0",
    "react": "^16.13.1",
    "react-dom": "^16.13.1",
    "react-scripts": "3.4.1"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": "react-app"
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

I'm trying to integrate casbin.js for a ReactJS app that needs to have roles but it seems that this library can't support roles. (I've tested with permissions and it works)

I've tried using golang (using CasbinJsGetPermissionForUser to retrieve data) and C# (with CasbinJsGetPermissionForUser defined as a custom function) as backend to test if was my implementation issue or not.

I've used the default RBAC model.conf file and both MSSQL database and default csv file for policies

I'm using the latest version of both casbin.js and node-casbin as dependencies.

Now I ask, is this a missing feature or a bug?
Thanks in advance.

Hello
I am trying to get casbin.js (0.3.2) working in ReactJS. I added the code as described in the example:

const getAuthorizer = async () => {
        const auth = new Authorizer(
            'auto', // mode
            { endpoint: url.href });
        await auth.setUser(enforce.user);
        const perms = await auth.can(enforce.action, enforce.resource)
        setPermissions(perms)
        return auth

    }

The response from the API:

The result is an error: Uncaught (in promise) TypeError: can't access property "toString", args[2] is undefined

What am I missing?

Thanks
Bohdan

In this doc we told users to install Casbin.js via

npm install casbin.js

But node reported an error:

Error: Cannot find module 'casbin'

I used the command

npm install casbin

then the code worked properly.
So I wonder if this is a bug, or just a mistake in our docs.

See more details at: #70

Hello

in

Therefore, the use of this library fails with: Unexpected token o in JSON at position 1

Solution:
Either set the Axios responseType to text or remove the json.Parse() completely.

Alex

Hello

I am trying to get casbin.js working in ReactJS. I added the code as described in the example:

const authorizer = new Authorizer('auto', {
      endpoint: '/api/casbin'
});
authorizer.setUser(userID);
    authorizer.can('admin', 'account_123').then(() => {
      console.log('it works');
    });

The response from the API:

The result is an error: Unhandled Rejection (Error): Enforcer not initialized

What am I missing?

Thanks
Alex

When I use Authorizer.can() in manual mode it returns a Boolean while when using Authorizer.can() in auto mode it returns an Array containing whether or not the user has access.

Also would be great to have a sample response from the API that is needed to use this in auto mode.

Hi everyone,

it would be great if you can also support Angular.

Best regards,
Thomas

https://github.com/casbin/casbin-core is archived, is there any replace package can use?

Hi, is there a timeline for this ?

The node-casbin enforcer's enforce is async, yet you call it as if it was sync in both the readme of this project and the example project linked.

It is not trivial to use an async enforcer together with React rendering, probably makes sense to not make it look simpler than it is.

I am using basic_model.conf and basic_policy.csv as follows.

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

p, alice, data1, read
p, bob, data2, write

Backend service is defined as follows.

app.get('/api/casbin', async (req, res) => {
        // Get the user identity from URL.
        const user = String(req.query["casbin_subject"]);
        console.log(user)
        const enforcer = await newEnforcer('/path/to/basic_model.conf', '/path/to/basic_policy.csv');
        const ne = await casbinJsGetPermissionForUser(enforcer,user)
        // Return the response to the client-side.
        await res.status(200).json({
            message: 'ok',
            data: ne
        })
    })

In my react application, I uses

  async componentDidMount () {
    const authorizer = new casbinjs.Authorizer('auto', {endpoint: 'http://localhost:3000/api/casbin'});
    await authorizer.setUser("alice");
    let me = await authorizer.can("read", "data1")
    console.log(me) // this gives false which is incorrect
}

For user alice can read data1 according to the model. However, authorizer.can("read", "data1") returns false which is incorrect.

Casbin.js is one of GSoC 2020 projects for Casbin community. See the Main Page for more details.
Refer to Casbin.js documentation for usage instructions and star our origin repo.

This report illustrates Casbin.js features and our current challenges (by Aug. 2020). This reports also serves as the final evaluation report for GSoC 2020.

Features

Casbin.js was built from zero during the past three months. The purpose of Casbin.js is to extend the existed access control management functionalities of Casbin to the frontend webpages. In our picture, Casbin.js can unify authorization management at the client sides, while avoid the potential security risks like the divulge of access data.

Currently, Casbin.js can be perfected integrated with a server-side Casbin core and provides some foolproof interfaces for enforcing the permission of the client-side visitors.

Casbin.js have supported the following modes by now:

1. Manual. User can specify the permissions manually with files and objects when the authorizer is activated.
2. Auto. This is the core modes of Casbin.js. Casbin.js will monitor the changes of the frontend user's identity and sync the permission with a predefined backend service.
3. (Experimental) Cookies. To maintain the permission of the frontend user via cookies.

Casbin.js is now perfectly support diverse access control models that Casbin originally supports, including the ACL, RBAC and ABAC.

Casbin.js support dynamic environment. If you are using React or Vue, you can install Casbin.js with npm or yarn. Casbin.js can also be used directly in the browser by referring its bundled version.

To avoid unnecessary syncing, Casbin.js is equipped with a built-in cache system.

Challenges

Casbin.js is a new-born baby, and it still faces a series of challenges.

One of the most tough challenges is the implementation of a simple version of enforcer with no sacrifice on the available features. Temporarily Casbin.js uses part of the functionalities of Node-Casbin in the enforcer in order to support ABAC. However, this requires the integration with Node-Casbin, which greatly increases the size of Casbin.js and brings up with lots of redundancy. I am currently working on developing a "small" enforcer that suitable for the frontend.

Another tough problem is to minimize the cost of describing a user's permission. Originally, for ACL and RBAC, a dedicatedly designed object is enough for profiling what a user can do. However, advanced model like ABAC and ABAC with custom rules require a more flexible and robust data structure.

Contribution

Main Event

I develop Casbin.js from zero during the GSoC coding period. At the beginning, my mentors and I have a heated discussion on the features of Casbin.js. Most of the ideas and the architecture follow my proposal. Originally, Casbin.js was designed to support ACL and RBAC. However, earlier this month, I have a strong debate with my mentors and we finally determine to move Casbin.js to support ABAC and ABACaccess control model.

Start of Casbin.js architecture: #4 (Authorizer, message synchronization)

Permission handlers and basic APIs: #5

Support as a UMD module: #6

Add cookie mode: #7

Local storage cache: #9

Breaking change: Support for ABAC and other AC models: #11

I wrote a demo in React, which shows the basic methodology of Casbin.js:
https://github.com/casbin-js/examples/tree/master/react

I provided the necessary API for backend service in both go Casbin and Node-Casbin. I'll add the API to the Casbin of other languages later on.

casbin/casbin#557

casbin/node-casbin#179

casbin/node-casbin#186

I also try to create something named CSS controller in the native HTML environment. The CSS controller can monitor and manipulate the styles according to the user's permission. I slow it down temporarily because I think it's not really useful. See https://github.com/kingiw/casbin.js/commits/cssctl for more details.

Others

DynamoDB Adapter

I write an adapter for DynamoDB for jCasbin. See the gist for more details.

Casbin Forum

I made some contributions to casbin-forum. My major work is to unify the access-control management modules using RBAC+ABAC model with Casbin. Temporarily I've done the work on the server sides and waiting for the updates of Casbin. See https://github.com/casbin/casbin-forum/pull/65/files. Also, as the experiments, I will use Casbin.js in the Casbin forum client side.

Casbin Documentation

I participated in the development and maintenance of our official website of Casbin. Including the following two parts:

1. Fix a severe bug of the annotations of translated docs. See casbin/casbin-website#95.
2. Work on the Chinese translation for some parts of the documentation.

After GSoC

I will continue developing Casbin.js after the end of GSoC. Fixing the challenges mentioned above will be my major work.

Some of the features raised in my proposal were not implemented: to integrate Casbin.js with modern frontend framework and provide easily used interfaces. I believe this feature is not a must for Casbin.js, so I didn't prioritize that. I will do this task after fixing the biggest challenges of Casbin.js.

Acknowledgement

I wish to express my heartfelt appreciation to my mentor and the creator of Casbin @hsluoyz, as well as Casbin member @nodece and @GopherJ. They all give me lots of assistance, guidance and inspiration during the past three months.

Help me please to understand how casbin.js client side library will behave if access related data will be live on backend side... Do all authorizer.can("read", "data1") calls will make request for a server or it is somehow caching the data or load all data related to app on initialization step? Because i guess it would decrease UX if every time will knock backend when need to interact with interface

See:

• #2
• #12

Finally, this middleware will be tested and used on our own forum: https://github.com/casbin/casbin-forum

Using yarn install in react example (cabinjs ^0.1.0)
I get this warning when installing for first time
casbin.js > [email protected]: Critical security vulnerability fixed in v0.21.1.
any plans for updating the dependency?

I'd like to use the keymatching I use on my backend on the frontend. An example policy using keyMatch would looks like

p, admin, *, GET
p, admin, *, POST

with a corresponding model.conf

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && keyMatch(r.obj, p.obj) && r.act == p.act

The returned permissions from the casbin backend for admin looks like

{
  'GET': ['*'],
  'POST': ['*']
}

Then on the frontend using keyMatch would allow

authorizer.setUser('admin')
console.log(authorizer.can('GET', '/users/1') // true
console.log(authorizer.can('POST', '/posts')) //true

Ideally we want to have all the badges that Node-Casbin has: https://github.com/casbin/node-casbin#node-casbin

Hi.
Long story short, I need to update my project's react-scripts from v4 to v5.
The issue is that the casbin.js package throws an atrocious list of errors saying that lots of modules that webpack exported in v4 no longer are exported in v5 and breaks everything.

In particular, fs, buffer, stream (from csv-parser dependency in your casbin package), path (from casbin's picomatch package dependency).

There are any plans to support react-scripts 5 or should I consider to try ways to fix this issue myself?

Thanks in advance.

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Invalid npm token.

The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two Factor Authentication for your account, set its level to "Authorization only" in your account settings. semantic-release cannot publish with the default "
Authorization and writes" level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.

Good luck with your project ✨

Your semantic-release bot 📦🚀