Revert "Migrate npm handler to OIDCRegistry"

[kbukum1]

We are reverting the change because the OIDC audience behaviour seems to changed. We need to test in original to find out the cause.

Reverts #91

[Copilot]

Pull request overview

Reverts the prior migration of the NPM registry handler to OIDCRegistry, returning NPM OIDC handling to a simpler host-keyed credential map approach to help investigate changed OIDC audience behavior.

Changes:

• Replaced NPM’s OIDCRegistry usage with a map[host]*oidc.OIDCCredential and inline token injection logic.
• Updated OIDC handling tests to expect host-only registration log lines for NPM.
• Removed the test covering multiple NPM OIDC credentials on the same host with different URL paths.

Show a summary per file

File	Description
internal/handlers/npm_registry.go	Reverts NPM OIDC auth flow from OIDCRegistry back to a host-keyed credential map with inline token/header handling.
internal/handlers/oidc_handling_test.go	Adjusts NPM OIDC registration log expectations and removes the same-host/different-paths NPM OIDC test.

Copilot's findings

Comments suppressed due to low confidence (2)

internal/handlers/npm_registry.go:92

• OIDC credentials are stored keyed by host, but HandleRequest looks them up with reqHost directly. Because this is a case-sensitive map lookup, requests whose URL hostname differs in case (or other normalizable forms) from the config host will miss OIDC auth. Normalize the key consistently (e.g., lower-case/IDNA) on both insert and lookup, or use helpers.CheckHost/AreHostnamesEqual-based matching instead of direct indexing.

	// Try OIDC credentials first
	h.mutex.RLock()
	oidcCred, hasOIDC := h.oidcCredentials[reqHost]
	h.mutex.RUnlock()

internal/handlers/npm_registry.go:105

• This OIDC auth block duplicates logic that already exists in oidc.TryAuthOIDCRequestWithPrefix (including Cloudsmith header selection and consistent error logging). Reusing the shared helper would reduce drift across handlers and avoid needing to special-case providers by string comparison here.

	if hasOIDC {
		token, err := oidc.GetOrRefreshOIDCToken(oidcCred, req.Context())
		if err != nil {
			logging.RequestLogf(ctx, "* failed to get token via OIDC for %s: %v", reqHost, err)
			// Fall through to try static credentials
		} else {
			if oidcCred.Provider() == "cloudsmith" {
				logging.RequestLogf(ctx, "* authenticating npm registry request with OIDC API key (host: %s)", reqHost)
				req.Header.Set("X-Api-Key", token)
			} else {
				logging.RequestLogf(ctx, "* authenticating npm registry request with OIDC token (host: %s)", reqHost)
				req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
			}

• Files reviewed: 2/2 changed files
• Comments generated: 2