[FEATURE] Split authentication from .npmrc to separate file

[nmschulte]

Split authentication aspect of .npmrc to a separate file. This will allow per-project npm configuration, for example of the registry and always-auth values, to be source controlled and not impacted by specific authentication requirements of an (e.g. development) environment. That is: configuring registry authentication is separate from other configuration; authentication can be configured system-wide/globally ("prefix"; $PREFIX/etc/npmrc), configured at the user-level ("userconfig"; $HOME/.npmrc), configured per-project ($PWD/.npmrc), or configured on the CLI or via environment variables, without modifying a source-controlled file.

Previous requests:
circa 2014, re: _auth: npm/npm#4905
circa 2017, re: _authToken: npm/npm#17812

Particularly, npm/npm#17812 has a very good rationale and breakdown of the situation, including examples of other projects/situations where this is common practice. More importantly, the author and commenters of that issue have expressed interest in implementing this capability.

Possibly related, indicating that authentication cannot be configured by environment variables (and perhaps then also via CLI): #290

[zypA13510]

If I'm not mistaken, what you said can already be done. Just as you said,

authentication can be configured system-wide/globally ("prefix"; $PREFIX/etc/npmrc), configured at the user-level ("userconfig"; $HOME/.npmrc)

My current setup works like this: every token goes into ~/.npmrc, and in the repository, I commit my .npmrc file including @myscope:registry, but not including _authtoken. And it worked for me.

Not sure if it works with settings other than registry though.

[nmschulte]

@zypA13510, the difference between what is requested and what currently exists is a matter of "centralized" vs "decentralized" (w/re: project/package) configuration.

What exists allows splitting authentication from the rest of the project configuration, but only in a single centralized location: the user-wide $HOME/.npmrc, for all projects. This does not allow, for example, different authentications per project for the same registry.

What is requested is a new file, i.e. sibling to .npmrc, in decentralized locations: in project-wide ./.npmrc, for any project.

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is preproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is preproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.