Allow basic-auth for programmatic access #3720

Open
wants to merge 3 commits into
base: main

@Seros Seros commented Nov 1, 2022

Summary

Allow basic-auth for a more feasible way to authenticate for a wide range of web apps

Related issues

Fixes #3687

User Explanation

Check if basic-auth headers are available and if so use them to authenticate your app in a programmatic way, using pomerium as default user name and the JWT as password.

Checklist

  • reference any related issues
  • updated docs
  • updated unit tests
  • updated UPGRADING.md
  • add appropriate tag (improvement / bug / etc)
  • ready for review

@Seros Seros requested a review from a team as a code owner November 1, 2022 17:57
@CLAassistant

CLAassistant commented Nov 1, 2022

CLA assistant check
All committers have signed the CLA.

@calebdoxsey
Contributor

The challenge with this is that other applications may be expecting to use Basic Auth for themselves and we'd be intercepting it. So this is a potentially breaking change.

For the Authorization header we had Authorization: Pomerium and Authorization: Bearer Pomerium- to help prevent that from happening. Is there a way we could do something similar for Basic Auth?

@Seros
Author

Seros commented Nov 2, 2022

Thanks for your comment! I see your point about the interception but I think this has already been worked around. As this checks for the specific username pomerium it should only interfere in such cases which probably are edge cases if people configure their apps to use the same name. So in most cases the apps should not have problems using their configured basic auth IMO. In case you don't agree we have to investigate for a different solution which then will probably not be as portable as allowing basic auth.
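
The header classification discussed in this thread, as an added Go example that is not part of the PR or Pomerium's own code: it claims `Pomerium <jwt>`, `Bearer Pomerium-<jwt>` and Basic credentials with the user name `pomerium`, and leaves every other header for the upstream application. The names `extractProxyToken` and `basicHeader` are hypothetical, and the token value is a constructed placeholder.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// basicHeader builds "Basic base64(user:pass)" as an HTTP client would (RFC 7617).
func basicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// extractProxyToken is a hypothetical helper, not Pomerium's code. ok=false means
// the header belongs to the upstream application and is forwarded untouched.
func extractProxyToken(header string) (token string, ok bool) {
	parts := strings.SplitN(strings.TrimSpace(header), " ", 2)
	if len(parts) != 2 {
		return "", false
	}
	scheme, value := strings.ToLower(parts[0]), strings.TrimSpace(parts[1])
	switch scheme {
	case "pomerium": // Authorization: Pomerium <jwt>
		return value, value != ""
	case "bearer": // Authorization: Bearer Pomerium-<jwt>
		if strings.HasPrefix(value, "Pomerium-") && len(value) > len("Pomerium-") {
			return strings.TrimPrefix(value, "Pomerium-"), true
		}
	case "basic": // Authorization: Basic base64("pomerium:<jwt>")
		raw, err := base64.StdEncoding.DecodeString(value)
		if err != nil {
			return "", false
		}
		creds := strings.SplitN(string(raw), ":", 2)
		// An upstream account itself named "pomerium" is claimed too (the collision case).
		if len(creds) == 2 && creds[0] == "pomerium" && creds[1] != "" {
			return creds[1], true
		}
	}
	return "", false
}

func main() {
	jwt := "eyJ.constructed.jwt" // constructed placeholder, not a real JWT
	for _, h := range []string{"Pomerium " + jwt, basicHeader("pomerium", jwt), basicHeader("alice", "app-pw")} {
		tok, ok := extractProxyToken(h)
		fmt.Printf("%-50s proxy=%v token=%q\n", h, ok, tok)
	}
}
```

A Basic header for any other user name returns `ok=false`, so the application's own Basic Auth passes through; the proxy cannot tell its reserved user apart from an upstream account with the same name.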

@coveralls

coveralls commented Nov 2, 2022

Coverage Status

Coverage increased (+0.05%) to 66.394% when pulling 6a75cfa on Seros:allow-basic-auth into bb5c80b on pomerium:main.

@Seros
Copy link
Author

Seros commented Nov 23, 2022

Hey,
just wanted to ask if there is anything else you need from my side or if we can continue with this PR being merged?

@desimone desimone self-requested a review November 23, 2022 16:24
@calebdoxsey calebdoxsey removed their request for review September 7, 2023 15:27
Successfully merging this pull request may close these issues.

Allow Basic Auth to be used for programmatic access
4 participants