[FEATURE] registry-scoped certfile and keyfile options

[jenseng]

What

Add support for registry-scoped certfile and keyfile options, e.g.

{
  "//my.registry.example/npm/:certfile": "~/.secret/stuff.crt",
  "//my.registry.example/npm/:keyfile": "~/.secret/stuff.key"
}

Why

1. Currently you can only set a cert and key at the top level, which means it could be used in connections against any registry. If your options are coming from @npmcli/config, then there's not a good way to control this. Ideally a client certificate would only be presented to the registry that actually needs it, and you should be able to use different ones depending on the registry.
2. The current cert and key options are the actual contents of the cert/key, rather than paths to them. If your options are coming from @npmcli/config, and the cert/key are auto-generated elsewhere, you need to then keep your use .npmrc in sync with that process or specify them as env vars. Both options potentially weaken security (e.g. could be accidentally checked in, .npmrc might be readable by other users, key could be extracted from /proc/<pid>/environ, etc.).

Current Workarounds

• Specify npm_config_cert and npm_config_key env vars:
  1. You also have to specify some (possibly bogus) credentials due to [BUG] ENEEDAUTH when authenticating against a registry via mTLS cli#4765.
  2. If your registry validates the explicit credentials (in addition to mTLS) this may not work
  3. Security concerns (see Why section)
• Dynamically generate a temp .npmrc with the desired settings and use it via npm_config_userconfig:
  1. You also have to specify some (possibly bogus) credentials due to [BUG] ENEEDAUTH when authenticating against a registry via mTLS cli#4765.
  2. If your registry validates the explicit credentials (in addition to mTLS) this may not work
  3. Security concerns (see Why section)
• Spin up a local mTLS proxy to your registry and use it via HTTP_PROXY (or other env/config)
  1. May still require you to specify some (bogus) credentials due to [BUG] ENEEDAUTH when authenticating against a registry via mTLS cli#4765.
• Monkey-patch npm-registry-fetch to inject the key/cert as necessary
  1. May still require you to specify some (bogus) credentials, or monkey-patch @npmcli/config as well 😅

All the workarounds are problematic, and get even more complicated in dual-publishing scenarios. For example, you might want to scope the (bogus) credentials, but that can't be done via env vars due to this bug.

Notes

1. I'd be happy to put together PRs around this if the idea is acceptable. A corresponding change would likely also be needed to getCredentialsByURI/etc. in @npmcli/config
2. This feature is related to [FEATURE] Raise ENEEDAUTH error if doing a write to something other than login #38 and [BUG] ENEEDAUTH when authenticating against a registry via mTLS cli#4765 in the sense that these could be considered new authN-related options, i.e. custom registry authN could solely be done via mTLS, in which case we shouldn't throw ENEEDAUTH if these are set but token/credentials are not.