I had a look at NPM tokens (generate, revoke), but it wasn’t helpful.
We are taking a look at the security aspects of using npm tokens and would like to have more description from Sonatype on the following points which are not described in the official documentation.
- What is the time to live of an npm token once generated against NX3?
- For user accounts in LDAP, if the password changes in LDAP, is the token invalidated?
- How can the NX3 administrator list all current npm tokens?
- How can the NX3 administrators revoke some or all npm tokens?
We ran some tests, and it seems the npm token stays valid for a user even when their password has been updated (LDAP account in our test).
Thank you for your support.