do not treat Basic authentication as a token, but just skip it

restapi/index.php

@@ -3071,7 +3071,12 @@ class RestapiAuthMiddleware implements MiddlewareInterface { /* {{{ */
     }
 
     /**
-     * Example middleware invokable class
+     * Auth middleware invokable class
+     *
+     * This methods checks for an api token in the Authorization header or
+     * a valid session in the cookie `mydms_session`.
+     * It does not support Basic authentication. It actually treats that
+     * as a wrong api token and authentication fails.
      *
      * @param  \Psr\Http\Message\ServerRequestInterface $request  PSR7 request
      * @param  \Psr\Http\Server\RequestHandlerInterface $handler
@@ -3133,6 +3138,8 @@ class RestapiAuthMiddleware implements MiddlewareInterface { /* {{{ */
             $userobj = null;
 //            $logger->log(var_export($environment, true), PEAR_LOG_DEBUG);
             if(!empty($environment['HTTP_AUTHORIZATION']) && !empty($settings->_apiKey) && !empty($settings->_apiUserId)) {
+                /* We cannot handle Basic authentication, so skip it */
+                if (substr($environment['HTTP_AUTHORIZATION'], 0, 6) != 'Basic ') {
                 $logger->log("Authorization key: ".$environment['HTTP_AUTHORIZATION'], PEAR_LOG_DEBUG);
                 if($settings->_apiKey == $environment['HTTP_AUTHORIZATION']) {
                     if(!($userobj = $dms->getUser($settings->_apiUserId))) {
@@ -3160,6 +3167,9 @@ class RestapiAuthMiddleware implements MiddlewareInterface { /* {{{ */
                     return $response;
                 }
                 $logger->log("Login with apikey as '".$userobj->getLogin()."' successful", PEAR_LOG_INFO);
+                } else {
+                  $logger->log("Login with Basic auth cannot be handled by AuthMiddleware", PEAR_LOG_INFO);
+                }
             } else {
                 $logger->log("Checking for valid session", PEAR_LOG_INFO);
                 require_once("../inc/inc.ClassSession.php");