I raised a similar issue on GitHub yesterday, but this is more fundamental and so merits a larger discussion.
Fundamentally, what is the intended implementation of request / response authorization in Vapor? This would include Basic and Digest auth, as well as more esoteric authentication like Kerberos (I think). As far as I can tell, the current BasicAuthenticator doesn't implement this pattern, leaving it to the route to perform the proper response. This doesn't seem correct, and in attempting to implement Digest auth I've found it's not adequate for stateful request / response authorization. All of the documentation I've seen seems to assume requests made with all the proper credentials and no necessary response -> request -> response chain. Am I missing something?