fix(bootstrap): normalize auth header sources and harden Basic credential extraction in handleAuthHeaders#60885

Draft
joshtrichards wants to merge 1 commit into master from jtr/cleanup-Auth-header-handling

Conversation

@joshtrichards
Member

@joshtrichards joshtrichards commented May 31, 2026

  • Resolves: #

Summary

Rewrites OC::handleAuthHeaders() to consolidate the previously two-pass auth header normalization into a single, clearly-prioritized approach, and hardens Basic credential extraction.

What changed

Before: Two separate concerns were handled sequentially:

  1. Copy HTTP_XAUTHORIZATION to HTTP_AUTHORIZATION if the latter was missing (FastCGI workaround)
  2. Loop over HTTP_AUTHORIZATION and REDIRECT_HTTP_AUTHORIZATION to extract PHP Basic auth credentials

After: A single pass with an explicit priority chain:

HTTP_AUTHORIZATION ?? REDIRECT_HTTP_AUTHORIZATION ?? HTTP_XAUTHORIZATION

The resolved value is normalized into HTTP_AUTHORIZATION, then Basic credentials are extracted once if present.

Additional improvements

  • Use base64_decode(..., true) (strict mode) to reject malformed Base64 instead of silently mangling it
  • Replace preg_match + count with stripos + str_contains for cleaner, more readable logic
  • Add early returns instead of deeply nested conditions
  • Add a doc block explaining the context (early bootstrap, no IRequest, web server requirements)

Behavioral notes

  • REDIRECT_HTTP_AUTHORIZATION now takes priority over HTTP_XAUTHORIZATION when HTTP_AUTHORIZATION is absent. Previously HTTP_XAUTHORIZATION was copied first and thus took priority... mostly. But then REDIRECT_HTTP_AUTHORIZATION was consulted for setting the PHP_AUTH_* values. The new order is more semantically correct (REDIRECT_* is an Apache-native redirect; HTTP_XAUTHORIZATION is a FastCGI-specific workaround).
  • The Basic scheme prefix is now matched with exactly one space (Basic ), per RFC 7617 §2. Non-conformant clients sending Basic\t or multiple spaces will no longer have credentials extracted (they were silently accepted before). Also better matches what we do elsewhere anyhow.

TODO

  • ...

Checklist

AI (if applicable)

  • The content of this PR was partly or fully generated using AI
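The normalization described in this PR, as an added illustrative example that is not the PR's own code (the patch itself is not shown on this page, so the logic is reconstructed from the description alone): the function name normalizeAuthHeaders and the explicit leading-whitespace check on the credential token are assumptions.

```php
<?php
declare(strict_types=1);
// Illustrative re-implementation of the behaviour described in the PR text.
// Not the project's code: the patch is not shown on this page, so the logic is
// reconstructed from the description and the function name is assumed.
function normalizeAuthHeaders(array $server): array
{
    // Priority chain: native header, then Apache's REDIRECT_* copy, then the
    // FastCGI-specific X- workaround.
    $auth = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? $server['HTTP_XAUTHORIZATION']
        ?? null;
    if ($auth === null || $auth === '') {
        return $server;
    }
    $server['HTTP_AUTHORIZATION'] = $auth;
    // RFC 7617 §2: scheme token, exactly one SP, then the Base64 token.
    // "Basic\t..." therefore does not match at all.
    if (stripos($auth, 'Basic ') !== 0) {
        return $server;
    }
    $token = substr($auth, 6);
    // Extra leading whitespace ("Basic  ...") is rejected explicitly, since strict
    // base64_decode() still skips whitespace (assumed way of enforcing the rule).
    if ($token === '' || ctype_space($token[0])) {
        return $server;
    }
    // Strict mode: bytes outside the Base64 alphabet return false instead of
    // being silently dropped and yielding a mangled user:pass pair.
    $decoded = base64_decode($token, true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return $server;
    }
    // The password may itself contain ':', so split on the first one only.
    [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']] = explode(':', $decoded, 2);
    return $server;
}

// Constructed sample inputs exercising each branch.
$cases = [
    'fastcgi'   => ['HTTP_XAUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cret')],
    'priority'  => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('bob:pw'),
                    'HTTP_XAUTHORIZATION' => 'Basic ' . base64_encode('carol:pw')],
    'tab'       => ['HTTP_AUTHORIZATION' => "Basic\t" . base64_encode('dave:pw')],
    'badbase64' => ['HTTP_AUTHORIZATION' => 'Basic not*valid*base64'],
];
foreach ($cases as $name => $in) {
    $user = normalizeAuthHeaders($in)['PHP_AUTH_USER'] ?? '(none)';
    printf("%-10s user=%s\n", $name, $user);
}
```

The 'priority' case shows REDIRECT_HTTP_AUTHORIZATION winning over HTTP_XAUTHORIZATION, while the 'tab' and 'badbase64' cases leave PHP_AUTH_USER unset.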

…ders()

Signed-off-by: Josh <josh.t.richards@gmail.com>
@joshtrichards joshtrichards changed the title fix: align and cleanup auth header normalization in OC::handleAuthHeaders fix(bootstrap): normalize auth header sources and harden Basic credential extraction in OC::handleAuthHeaders May 31, 2026
@joshtrichards joshtrichards changed the title fix(bootstrap): normalize auth header sources and harden Basic credential extraction in OC::handleAuthHeaders fix(bootstrap): normalize auth header sources and harden Basic credential extraction in handleAuthHeaders May 31, 2026
