Conversation

danez
Contributor

@danez danez commented Mar 22, 2017

Problem

The current behaviour is that for scoped packages (@<scope>/<pkgName>) yarn always sends authentication to the registry. This was introduced in #1146 in order to support private packages on npmjs.org.
When a user is logged in on the cli to npmjs.org and has configured a different private registry, which in most cases is a proxy to npmjs.org, yarn still sends the npmjs.org auth data to the private registry, making the private registry fail as it does not know anything about npmjs.org credentials.

Summary

The technical reason this happens is that because of the changes in #1146 the flag 'always-auth' is set to true for scoped packages (which is actually fine I think), but the method to retrieve the authToken/credentials has a fallback to npmjs.org auth data.
https://github.com/yarnpkg/yarn/blob/master/src/registries/npm-registry.js#L175
The fix was simply to remove all fallbacks from getAuth().
IMHO the fallback to npmjs.org credentials should never happen, as yarn should never ever send credentials from npmjs.org to any other API besides npmjs.org.
The fallback to '' is most probably in there for old npm clients which were storing credentials without a registry scope in the config. I couldn't find where --registry was added but it was already available in 1.4.

By looking at it I saw that it still supports insecure plaintext basic auth, which is a feature from npm <= 1.4, so I took the risk and removed it. Neither npm >= 2 nor yarn saves basic auth data anymore, and npm 2 was released in 2014. (_token is also dropped in npm@5.)

Test plan

I could add some unit tests for npm-registry, though the critical part would be integration tests.
But I'll wait for initial feedback before writing tests.

Fixes #2953 #2151
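To make the behaviour described above concrete, here is an added example (not yarn's own source, and not code from this PR) that models two versions of the credential lookup: the pre-fix variant that falls back to the npmjs.org token when the configured registry has none, and a strict variant that only ever returns credentials scoped to the exact registry being contacted. Scoped packages are treated as always-auth, as the description says. Host names, tokens and the `.npmrc`-style key layout (`//<host>/<path>:_authToken`) are constructed for the example; `findCrossRegistryLeaks` is a hypothetical defender-side check, not a yarn command.

```javascript
'use strict';
// Added example, not yarn's code: models the getAuth() fallback discussed in
// the PR. All hosts, tokens and config entries below are constructed.

const NPM_REGISTRY = 'https://registry.npmjs.org/';

// Constructed .npmrc-style entries, keyed the way npm stores per-registry tokens.
const sampleConfig = {
  '//registry.npmjs.org/:_authToken': 'npm-token-CONSTRUCTED',
  '//npm.corp.example/:_authToken': 'corp-token-CONSTRUCTED',
};

// Normalise a registry URL to the "//host/path/" prefix used in config keys.
function registryKey(registryUrl) {
  const u = new URL(registryUrl);
  const path = u.pathname.endsWith('/') ? u.pathname : `${u.pathname}/`;
  return `//${u.host}${path}`;
}

function isScoped(pkgName) {
  return pkgName.startsWith('@') && pkgName.includes('/');
}

// Pre-fix behaviour as described in the PR: if the registry has no token of its
// own, fall back to the npmjs.org token, so that token is sent to another host.
function getAuthWithFallback(config, registryUrl) {
  const own = config[`${registryKey(registryUrl)}:_authToken`];
  if (own) return `Bearer ${own}`;
  const npm = config[`${registryKey(NPM_REGISTRY)}:_authToken`];
  return npm ? `Bearer ${npm}` : '';
}

// Hardened lookup: credentials are only those scoped to the exact registry.
// No credentials for this registry means no Authorization header at all.
function getAuthStrict(config, registryUrl) {
  const own = config[`${registryKey(registryUrl)}:_authToken`];
  return own ? `Bearer ${own}` : '';
}

// Build request headers for fetching pkgName from registryUrl. Scoped packages
// are always-auth, as in the PR; with the strict lookup that means "send this
// registry's credentials if it has some", never "borrow another host's".
function buildHeaders(config, registryUrl, pkgName, { strict = true, alwaysAuth = false } = {}) {
  const headers = { accept: 'application/json' };
  if (!(alwaysAuth || isScoped(pkgName))) return headers;
  const auth = strict
    ? getAuthStrict(config, registryUrl)
    : getAuthWithFallback(config, registryUrl);
  if (auth) headers.authorization = auth;
  return headers;
}

// Hypothetical defender-side check: which configured registries would, under
// the fallback behaviour, receive a token that belongs to npmjs.org?
function findCrossRegistryLeaks(config, registryUrls) {
  const npmToken = config[`${registryKey(NPM_REGISTRY)}:_authToken`];
  if (!npmToken) return [];
  return registryUrls.filter(
    (url) =>
      registryKey(url) !== registryKey(NPM_REGISTRY) &&
      getAuthWithFallback(config, url) === `Bearer ${npmToken}`,
  );
}

// Stand-alone demo: a corporate proxy with no credentials of its own.
const proxy = 'https://nexus.corp.example/repository/npm-proxy/';
console.log('fallback:', buildHeaders(sampleConfig, proxy, '@acme/widget', { strict: false }));
console.log('strict:  ', buildHeaders(sampleConfig, proxy, '@acme/widget'));
console.log('leaks:   ', findCrossRegistryLeaks(sampleConfig, [NPM_REGISTRY, 'https://npm.corp.example/', proxy]));
```

Running it shows the fallback variant attaching the npmjs.org bearer token to a request bound for the corporate proxy, while the strict variant sends no Authorization header there and still sends the corporate token to `npm.corp.example`, which is the behaviour the PR argues for.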

@danez danez changed the title from "Remove fallback to global and npm auth" to "Remove fallback npmjs.org auth data / Remove insecure basic auth" Mar 22, 2017
@danez
Contributor Author

danez commented Mar 23, 2017

The tests are failing because of timeouts.

@arcanis
Member

arcanis commented Apr 10, 2017

> When a user is logged in on the cli to npmjs.org and has configured a different registry, which in most cases is a proxy to npmjs.org, yarn still sends the npmjs.org auth data to the registry, making the proxy-registry fail as it does not know anything about npmjs.org credentials.

That doesn't look like a wrong behavior to me. Shouldn't users logout instead if they don't wish to be authenticated to the registry? Wouldn't this patch prevent people from setting up authentication-protected registries?

@danez
Contributor Author

danez commented Apr 10, 2017

This patch simply removes the fallback to npmjs.org credentials. Currently yarn would send my npmjs.org credentials (which I configured to be able to publish to npmjs.org) to the private repository that some of my work repositories have set.
But the private repositories (at least all I've seen) have their own user management (usually LDAP etc.). So the npmjs.org credentials will not work, and therefore the requests to the private repo fail for scoped packages (which have always-auth enabled always).
And I do not want to logout of npmjs.org just to be able to use my private repository :)

@bestander
Member

That sounds reasonable although I don't understand the full impact of the change.
Some examples and e2e tests will help for sure.

@danez
Contributor Author

danez commented Jun 14, 2017

Fixed by #3231

@danez danez closed this Jun 14, 2017
@danez danez deleted the auth branch June 14, 2017 11:46
Linked issue: npm auth token used on private repo for scoped packages