elizagamedev / mujmap

Bridge for synchronizing email and tags between JMAP and notmuch
GNU General Public License v3.0

Add support for HTTP Bearer authentication #40

Closed robn closed 2 years ago

robn commented 2 years ago

Reorganises the auth and session setup code to support multiple auth schemes and server discovery of available schemes, and then adds Bearer support in addition to Basic.

When Bearer is selected, it just uses the configured password command as the token as normal. I thought about making this a separate config option but I'm not sure there's a lot of point really. If I was starting fresh maybe I'd call it credential_command but eh.

Closes #39.

robn commented 2 years ago

You can test this against Fastmail right now by creating an API token at https://beta.fastmail.com/settings/security/tokens, and then in your mujmap config setting session_url to https://betaapi.fastmail.com/jmap/session. (You won't have to change session_url once Fastmail launch this; discovery will be updated to match then).

nickwynja commented 2 years ago

I tried with password_command = "echo 'fmu1-my-long-token'" and was receiving the following error:

error: Could not sync mail: Could not open remote session: Could not open session at https://betaapi.fastmail.com/jmap/session: Bad Header: invalid header 'Authorization: Bearer -n fmu1-my-long-token
'

It took a little while but I noticed the linebreak that snuck in. printf 'fmu1-my-long-token' worked. I think a nice enhancement here would be to strip newlines since it seems common enough that people will just echo their token and expect it to work.

robn commented 2 years ago

@nickwynja hah, same thing happened to me, and I hadn't quite decided what to do with it. I think I will fix it in the password_command handler; it's technically wrong for Basic auth too, but the use of base64 there papers over it. I'll do a separate PR for that soon.
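The trailing-newline problem discussed above, as an added example that is not part of this thread or of mujmap's code: a Rust sketch that reads a credential from a command, strips the line ending `echo` appends, and refuses to build a `Bearer` header from a value that still contains control characters. The function names and the token value are hypothetical.

```rust
use std::process::Command;

// Added example, not mujmap's implementation; names are hypothetical.

/// Runs `command` through `sh -c` and returns its stdout with trailing
/// CR/LF removed. Only the end is trimmed: whitespace elsewhere is kept
/// so a malformed credential is reported instead of silently altered.
fn read_credential(command: &str) -> Result<String, String> {
    let out = Command::new("sh")
        .arg("-c")
        .arg(command)
        .output()
        .map_err(|e| format!("could not run command: {}", e))?;
    if !out.status.success() {
        return Err(format!("command failed: {}", out.status));
    }
    let text = String::from_utf8(out.stdout)
        .map_err(|_| "command output is not valid UTF-8".to_string())?;
    Ok(text
        .trim_end_matches(|c: char| c == '\r' || c == '\n')
        .to_string())
}

/// Builds the Authorization header value. Control characters (including
/// an embedded newline) are rejected rather than sent, since they are
/// not valid in a header value.
fn bearer_header(token: &str) -> Result<String, String> {
    if token.is_empty() {
        return Err("credential is empty".to_string());
    }
    if let Some(c) = token.chars().find(|c| c.is_control()) {
        return Err(format!("credential contains control character {:?}", c));
    }
    Ok(format!("Bearer {}", token))
}

fn main() {
    // Constructed commands: echo adds a newline, printf does not, and
    // the last one emits a newline in the middle of the value.
    let commands = ["echo 'example-token'", "printf 'example-token'", "printf 'a\\nb'"];
    for cmd in commands {
        let header = read_credential(cmd).and_then(|t| bearer_header(&t));
        println!("{:?} -> {:?}", cmd, header);
    }
}
```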

robn commented 2 years ago

@nickwynja #41 fyi, but it's of little consequence - your workaround is just fine!

elizagamedev commented 2 years ago

Hmm, from the article:

You may also notice that the autodiscovery information for Fastmail’s API endpoint will change. You’ll soon be pointed to api.fastmail.com via DNS autodiscovery, and GET-ing https://api.fastmail.com/.well-known/jmap will get your session resource.

Is this why I'm getting 401 errors now with basic auth following the SRV record of fastmail.com? This blog article is only two days old, so it's quite an abrupt breakage. I'm more than happy that non-basic auth schemes are available now, but I would have preferred more warning.

(Also, thanks for the blog link, I'll be following its updates closely from now on)

robn commented 2 years ago

I'm actually on leave until next week, so I don't know for sure. I was surprised to see it go out today as well (I was just hacking on this on my vacation for something to do :confused:).