ninenines / cowlib

Support library for manipulating Web protocols.
ISC License

ignore unknown authentication parameters in the Basic authentication scheme #116

Closed sstrollo closed 2 years ago

sstrollo commented 3 years ago

I received the following WWW-Authenticate header (while using gun towards AWS's ECR):

Basic realm="https://123456789012.dkr.ecr.eu-north-1.amazonaws.com/",service="ecr.amazonaws.com"

which made cow_http_hd:parse_www_authenticate/1 crash on a function clause. First I thought the header was wrong, but if I understand https://www.rfc-editor.org/rfc/rfc7617.html#section-2 right, it is permitted to include other authentication parameters in the response (although only charset has a defined meaning).

I made the attached fix, which basically throws away all authentication parameters other than "realm" for the Basic scheme. Perhaps one would like to return the other params, but I don't see a backwards compatible way of doing so (maybe returning {basic,Realm} when there are no other parameters and {basic, Realm, Params} when there are would be more "future proof" - but also more work for the client...)
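
The RFC 7617 behaviour discussed in the comment above, as an added example that is not cowlib's code and not part of this pull request: a small Python parser for a single Basic challenge that follows the RFC 7235 auth-param grammar (token or quoted-string values, optional whitespace around `=`, comma-separated list), requires `realm`, keeps unknown parameters instead of failing on them (RFC 7617 section 2 says recipients must ignore unknown parameters), and rejects a `charset` other than UTF-8 (the only value RFC 7617 section 2.1 allows). The function names, the return shape (realm plus a dict of the other parameters, along the lines of the `{basic, Realm, Params}` idea in the comment), and the sample inputs other than the ECR header quoted above are this example's own assumptions.

```python
"""Added example: parse a Basic challenge from a WWW-Authenticate value.

Illustration only, not cowlib's cow_http_hd:parse_www_authenticate/1.
The ECR header below is the one quoted in the issue; the other inputs in
rejects()/the __main__ block are constructed for this example.
"""
import re

# token and quoted-string as in RFC 7230 section 3.2.6; optional
# whitespace (BWS) around "=" as in RFC 7235 section 2.1.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
_SCHEME_RE = re.compile(rf"\s*(?P<scheme>{_TOKEN})(?:\s+|$)")
# One auth-param, swallowing surrounding list separators (empty list
# elements such as ", ," are legal in the #rule and are skipped).
_PARAM_RE = re.compile(
    rf"[\s,]*(?P<name>{_TOKEN})\s*=\s*(?P<value>{_QUOTED_STRING}|{_TOKEN})[\s,]*"
)

# Header value quoted in the issue (response from AWS ECR).
ECR_CHALLENGE = ('Basic realm="https://123456789012.dkr.ecr.eu-north-1.amazonaws.com/",'
                 'service="ecr.amazonaws.com"')


class ChallengeError(ValueError):
    """Raised when the challenge is malformed or violates RFC 7617."""


def _unquote(raw):
    # Strip the surrounding DQUOTEs and resolve quoted-pairs (\x -> x).
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_basic_challenge(header_value):
    """Parse one Basic challenge from a WWW-Authenticate field value.

    Returns (realm, other_params): other_params maps the lower-cased name
    of every auth-param except realm to its unescaped value. Unknown
    parameters are retained rather than rejected; charset is checked
    because RFC 7617 section 2.1 allows only "UTF-8" (case-insensitive).
    """
    m = _SCHEME_RE.match(header_value)
    if m is None or m.group("scheme").lower() != "basic":
        raise ChallengeError("not a Basic challenge")

    params = {}
    pos = m.end()
    while pos < len(header_value):
        pm = _PARAM_RE.match(header_value, pos)
        if pm is None:
            raise ChallengeError(
                f"malformed auth-param at offset {pos}: {header_value[pos:]!r}")
        name = pm.group("name").lower()        # param names are case-insensitive
        if name in params:                     # RFC 7235 s2.1: no duplicate names
            raise ChallengeError(f"duplicate auth-param {name!r}")
        params[name] = _unquote(pm.group("value"))
        pos = pm.end()

    if "realm" not in params:
        raise ChallengeError("Basic challenge without the required realm")
    realm = params.pop("realm")

    charset = params.get("charset")
    if charset is not None and charset.lower() != "utf-8":
        raise ChallengeError(f"charset {charset!r} is not allowed for Basic")
    return realm, params


def rejects(header_value):
    """True if parse_basic_challenge refuses header_value (helper for checks)."""
    try:
        parse_basic_challenge(header_value)
    except ChallengeError:
        return True
    return False


if __name__ == "__main__":
    realm, extra = parse_basic_challenge(ECR_CHALLENGE)
    print("realm:", realm)
    print("other params (ignored by the scheme, returned for the caller):", extra)
    for bad in ("Basic", 'Basic service="x"', 'Basic realm="x", charset="latin1"'):
        print(repr(bad), "rejected" if rejects(bad) else "accepted")
```

The practitioner's point is the split between the two failure classes: a header that is syntactically valid but carries parameters the scheme does not define must not take the client down (a crash on a function clause turns a permitted server response into a client-side failure), while a header that is actually malformed, duplicates a name, or sets a charset the RFC forbids is still refused.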

essen commented 3 years ago

This was written before RFC7617 so I guess that explains the discrepancy. I don't think we need to return the other params, at least not according to the RFC. Even the charset doesn't seem super useful to have.

sstrollo commented 3 years ago

> This was written before RFC7617 so I guess that explains the discrepancy.

👍

> I don't think we need to return the other params, at least not according to the RFC. Even the charset doesn't seem super useful to have.

I agree.

sstrollo commented 3 years ago

Now without the redundant www_auth_scheme/2 clause.

essen commented 2 years ago

Merged, thanks!