Bug Report: 2FA Authentication Loop and Broken UI Elements on npmjs.com

[SyedArbaazHussain]

Select Topic Area

Bug

Body

1. Incident Summary

I am reporting a critical failure in the npm login and web authentication flow. While credentials are accepted, the Two-Factor Authentication (2FA) step fails to process to passkeys, resulting in a page refresh loop or no changes at all. This is a part of many UI bugs where UI on the login, support, and settings pages are non-responsive, indicating a significant front-end issue and possibly backend issues.

2. Technical Symptoms

2FA Failure: Submitting a request to use security key results in a page refresh or unresponsive behaviour rather than authentication. This behavior is identical when attempting to use backup recovery codes.

UI Regressions: Critical buttons and forms across the "Sign In," "Support," and various other pages are completely unresponsive to user clicks from frontend or backend bugs.

CLI Impact: Because the browser-based 2FA handshake never completes, the CLI process hangs indefinitely.

3. Environment Details

Browsers: Chrome , Microsoft Edge

Operating System: Windows 11

4. Steps to Reproduce (CLI Flow)

• Initiate npm login from the terminal.
• Follow the generated link to the browser-based login portal.
• Enter username and password (results in intermittent success or indefinite loading).
• The page renders: "Click the button below when you are ready to authenticate."

Result: Clicking the button fails to trigger the passkey window or redirect; the CLI never receives the authentication token.

5. Steps to Reproduce (Website Flow)

• Navigate to npmjs.com and click "Sign In."
• Enter username and password (successful).
• The page renders: "Click the button below when you are ready to authenticate."
• Click the authentication button (fails to respond).
• Click "Use a recovery code or request a reset." (The page renders, but the submission fails).

Result: The UI fails to redirect, a page refresh occurs, and the session is never established.

6. Troubleshooting Attempted

Cleared browser cache and tested via Incognito/Private modes.

Tested across multiple browsers (Chrome and Edge), with UI and 2FA issues persisting in both environments.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[kovalllllll]

Connect Before Clicking: Ensure your hardware security key is physically connected and recognized before you click the button; the browser may simply ignore the click if it detects no compatible device.

Reset the Environment: Try using an Incognito window or creating a completely fresh Chrome profile to verify that your current session isn't in a "restricted state" or corrupted.

Check for Policy Blocks: Verify that the WebAuthn API is not being actively blocked by specific browser extensions or strict Enterprise/Group policies on your Windows machine.

Debug via Console: Press F12 to open the Developer Tools and check the Console tab for red WebAuthn error messages immediately after clicking the button to see exactly why the request failed.

[Qrzy]

It's not just 2FA, the whole account-related part of the website is broken and I believe it comes from the fact some JS (may be critical for that) fails to load due to CORS:

For that reason I am not able to navigate to my profile nor (once there by finding some direct URls) create a token or connect trusted publisher for a package, buttons are simply doing nothing, access/expiration controls do nothing, either.

[SyedArbaazHussain]

It's not just 2FA, the whole account-related part of the website is broken and I believe it comes from the fact some JS (may be critical for that) fails to load due to CORS: For that reason I am not able to navigate to my profile nor (once there by finding some direct URls) create a token or connect trusted publisher for a package, buttons are simply doing nothing, access/expiration controls do nothing, either.

Strangely it worked in mobile for me, the UI bugs were not there, except the security key 2FA process. I used the backup code to login and then disabled 2FA until this gets fixed.

[noyon-360]

The original reporter and others found this effective workaround:

1. Switch to a mobile browser (phone or tablet) where the UI loads correctly.
2. Go to npmjs.com, sign in with your username/password.
3. When prompted for 2FA, select "Use a recovery code" and enter one of your backup codes (you should have saved these when enabling 2FA).
4. Once logged in, go to account settings and temporarily disable 2FA.
5. You can then log in normally on desktop/CLI without 2FA interruptions until the bug is fixed.

Additional troubleshooting steps (if the above doesn't work):

1. Open browser Dev Tools (F12) → Console tab, reproduce the issue, and look for CORS or WebAuthn errors — this can confirm the JS loading failure.
2. Try a fresh browser profile, disable extensions (e.g., ad blockers), or test on another network/device.
3. If you can access settings later, try disabling then re-enabling 2FA (as suggested in similar past reports).

[SyedArbaazHussain]

The original reporter and others found this effective workaround:

1. Switch to a mobile browser (phone or tablet) where the UI loads correctly.
2. Go to npmjs.com, sign in with your username/password.
3. When prompted for 2FA, select "Use a recovery code" and enter one of your backup codes (you should have saved these when enabling 2FA).
4. Once logged in, go to account settings and temporarily disable 2FA.
5. You can then log in normally on desktop/CLI without 2FA interruptions until the bug is fixed.

Additional troubleshooting steps (if the above doesn't work):

1. Open browser Dev Tools (F12) → Console tab, reproduce the issue, and look for CORS or WebAuthn errors — this can confirm the JS loading failure.
2. Try a fresh browser profile, disable extensions (e.g., ad blockers), or test on another network/device.
3. If you can access settings later, try disabling then re-enabling 2FA (as suggested in similar past reports).

Beware though, the recovery codes are not reusable(according to my testing though), once used recovery codes to login cannot be used to login again, so you might have just 5 attempts due to 5 recovery codes.

Can anyone else also check whether its was right finding??