UsernamePasswordHttpBasic disabled since .htaccess strips "Basic"
The Token\UsernamePasswordHttpBasic requires the "Authentication" header to begin with "Basic". That's fine since this very token is only meant to deal with basic auth requests.
Unfortunately the .htaccess file which gets installed contains the following line:
SetEnvIfNoCase Authorization "Basic ([a-zA-Z0-9\+/=]+)" REMOTE_AUTHORIZATION=$1
This means: Whenever the "Authorization Basic" header is set, it gets passed to the REMOTE_AUTHORIZATION environment variable by stripping the "Basic" string.