Open
Description
Copy-pasting my issue from npm/npm#4711 :
Login and password are stored and transferred over the wire in plain text.
It might be fine, but it's too easy to send them to the wrong place:
$ npm adduser
$ npm publish --reg http://localhost:12345/
$ nc -l 12345
POST /_session HTTP/1.1
host: localhost:1234
accept: application/json
content-type: application/json
content-length: 27
Connection: keep-alive
{"name":"foo","password":"bar"}
Whoops.
The add-auth option is especially dangerous, because npm install whatever --registry http://localhost:12345/ --add-auth=true will send your credentials even on install.
A web browser will never send your password to a different domain, so npm's behaviour is unexpected and might open a few social engineering possibilities.
Ideally, the fix would be to lock the "_auth" string to the "repository" it belongs to, and drop it if the repository changes for whatever reason.
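The binding the issue proposes, as an added example that is not npm's code or the reporter's: a saved credential is tied to the origin of the registry it was created for, and a request bound anywhere else gets no credential at all. The function names, the use of a Basic header, and the sample values are assumptions.

```javascript
// Added illustration of the proposed fix (not npm's implementation).
// Names such as bindAuth/authHeaderFor and the sample values are assumed.

// Reduce a registry URL to its origin (scheme + host + port) so that
// http://localhost:12345/ and http://localhost:12345/foo share a binding
// while http://localhost:12345 and http://localhost:1234 do not.
function registryOrigin(registryUrl) {
  return new URL(registryUrl).origin;
}

// Store the credential together with the origin it belongs to.
function bindAuth(registryUrl, username, password) {
  const token = Buffer.from(`${username}:${password}`).toString('base64');
  return { registry: registryOrigin(registryUrl), _auth: token };
}

// Behaviour described in the issue: one global "_auth" is attached to
// every request, whatever --registry was given on the command line.
function legacyAuthHeaderFor(bound) {
  return { Authorization: `Basic ${bound._auth}` };
}

// Proposed behaviour: attach "_auth" only when the request targets the
// origin it was issued for; an unparseable or foreign target gets nothing.
function authHeaderFor(bound, targetUrl) {
  let origin;
  try {
    origin = registryOrigin(targetUrl);
  } catch {
    return {};
  }
  if (origin !== bound.registry) return {};
  return { Authorization: `Basic ${bound._auth}` };
}

// Constructed sample: the login was done against the public registry, then
// a publish is pointed at a registry on localhost, as in the issue.
const bound = bindAuth('https://registry.npmjs.org/', 'foo', 'bar');
const stray = 'http://localhost:12345/_session';

console.log('legacy:', legacyAuthHeaderFor(bound));      // credential leaks
console.log('bound: ', authHeaderFor(bound, stray));     // {}
```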