Basic Auth without web form for remote services, or 'get back something like remote.php' #34733
Description
While working on an update to an ancient app of mine - OPDS Catalog - I seem to be hitting something of a brick wall which can only be circumvented in a hackish and very much unsupported/undocumented way: NC insists on using its web form whenever authentication is required without offering the option of having the client present a Basic Auth request. The only endpoint which seems to still request Basic Auth when required is remote.php as used by DAV:
https://github.com/nextcloud/server/blob/47da08fe850b374d30ef68c55775600747bbd35c/remote.php
This piece of code has a number of DAV-related endpoints hardcoded but also offers the option of using a user-provided endpoint by setting a preference for the core app named remote_XXX pointing at a piece of code implementing the endpoint:
Line 115 in 47da08f
e.g. core | remote_mozilla_sync | mozilla_sync/appinfo/remote.php
While most NC apps do not require Basic Auth for their operation some decidedly do, OPDS Catalog being one of them. The (1.x) OPDS standard does not specify authentication options so this is left up to implementers. Some OPDS client apps do not support any authentication options but those which do support it nearly invariably support Basic Auth only. These clients do not work when confronted with the NC login web form since they expect either an OPDS feed (i.e. an XML document starting with a <feed> tag) or 401 request for authentication.
As far as I know NC does currently not offer any officially sanctioned way to have apps use Basic Auth only - or am I wrong? It does support app passwords but it does not send bare 401 replies when requests without Basic Auth come in, instead redirecting to the login web form. What I'd like to see is an option to disable the web form so that a bare 401 is sent back, triggering an authentication request on the client.