From eb8f7af3c102834856604c1be664b00ca0fe8ef2 Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Sun, 23 Feb 2020 21:40:58 -0800
Subject: [PATCH] fix: remove referer header and opts.refer

Re: https://github.com/npm/cli/issues/930

BREAKING CHANGE: Removes the 'opts.refer' option and the HTTP Referer
header (unless explicitly added to the 'headers' option, of course).

PR-URL: https://github.com/npm/npm-registry-fetch/pull/25
Credit: @isaacs
Close: #25
Reviewed-by: @mikemimik
---
 README.md     |  8 --------
 index.js      | 14 +++++++++-----
 test/index.js | 24 ++++++++++++++++++++++--
 3 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index da72282..31a10a7 100644
--- a/README.md
+++ b/README.md
@@ -501,14 +501,6 @@ using
 If the request URI already has a query string, it will be merged with
 `opts.query`, preferring `opts.query` values.
 
-##### <a name="opts-refer"></a> `opts.refer`
-
-* Type: String
-* Default: null
-
-Value to use for the `Referer` header. The npm CLI itself uses this to serialize
-the npm command line using the given request.
-
 ##### <a name="opts-registry"></a> `opts.registry`
 
 * Type: URL
diff --git a/index.js b/index.js
index 2942db2..8e05f41 100644
--- a/index.js
+++ b/index.js
@@ -113,7 +113,6 @@ function regFetch (uri, /* istanbul ignore next */ opts_ = {}) {
     method: method,
     noProxy: opts.noProxy,
     proxy: opts.httpsProxy || opts.proxy,
-    referer: opts.refer,
     retry: opts.retry ? opts.retry : {
       retries: opts.fetchRetries,
       factor: opts.fetchRetryFactor,
@@ -176,12 +175,17 @@ function getCacheMode (opts) {
 function getHeaders (registry, uri, opts) {
   const headers = Object.assign({
     'npm-in-ci': !!opts.isFromCI,
-    'npm-scope': opts.projectScope,
-    'npm-session': opts.npmSession,
-    'user-agent': opts.userAgent,
-    referer: opts.refer
+    'user-agent': opts.userAgent
   }, opts.headers || {})
 
+  if (opts.projectScope) {
+    headers['npm-scope'] = opts.projectScope
+  }
+
+  if (opts.npmSession) {
+    headers['npm-session'] = opts.npmSession
+  }
+
   const auth = getAuth(registry, opts)
   // If a tarball is hosted on a different place than the manifest, only send
   // credentials on `alwaysAuth`
diff --git a/test/index.js b/test/index.js
index e618c3a..5ad6917 100644
--- a/test/index.js
+++ b/test/index.js
@@ -497,6 +497,26 @@ test('npm-in-ci header with forced CI=false', t => {
 // TODO
 // * npm-session
 // * npm-scope
-// * referer (opts.refer)
 // * user-agent
-test('miscellaneous headers')
+test('miscellaneous headers', t => {
+  tnock(t, OPTS.registry)
+    .matchHeader('npm-session', session =>
+      t.strictSame(session, ['foobarbaz'], 'session set from options'))
+    .matchHeader('npm-scope', scope =>
+      t.strictSame(scope, ['@foo'], 'scope set from options'))
+    .matchHeader('user-agent', ua =>
+      t.strictSame(ua, ['agent of use'], 'UA set from options'))
+    .matchHeader('npm-in-ci', ci =>
+      t.strictSame(ci, ['false'], 'CI set from options'))
+    .get('/hello')
+    .reply(200, { hello: 'world' })
+
+  return fetch('/hello', {
+    ...OPTS,
+    npmSession: 'foobarbaz',
+    projectScope: '@foo',
+    userAgent: 'agent of use'
+  }).then(res => {
+    t.equal(res.status, 200, 'got successful response')
+  })
+})