Application Passwords triggers 401 on REST API requests when using Basic Auth #224

@rmccue

Description

Steps to reproduce:

  1. Enable and configure the Basic Auth functionality for an environment
  2. Create an Application Password (this triggers WP_Application_Passwords::is_in_use() to return true by setting the using_application_passwords network setting)
  3. Send a REST API request to the environment with your Basic Auth setting set

Publicly-accessible API endpoints should be accessible; instead, they return a 401.

This is increased priority: when sending REST API requests from the browser, the 401 returned by Application Passwords causes the browser's internal auth cache to be reset, which requires users to log in again repeatedly.

Basic Auth should take priority here as it's site-wide, but this will mean that Application Passwords can't actually be used in combination. I think that's an acceptable compromise, as regular Require Login can be used in those cases instead, but we should ensure it's documented.

Acceptance criteria:

  • Sending a request with Basic Auth headers to a public REST API endpoint (e.g. /wp-json/) should return a 200 response
  • Documentation should indicate Basic Auth is not compatible with Application Passwords
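One way to implement the compromise described in this issue (site-wide Basic Auth wins, Application Passwords are switched off while it is configured), as an added example that is not part of this issue or of the project's own code. The constant `SITE_WIDE_BASIC_AUTH` used to detect that Basic Auth is enabled is a hypothetical placeholder; replace it with the environment's real configuration check.

```php
<?php
/**
 * Plugin Name: Prefer site-wide Basic Auth over Application Passwords
 *
 * Added example, not project code. Assumes the environment exposes the
 * hypothetical constant SITE_WIDE_BASIC_AUTH when site-wide HTTP Basic Auth
 * is configured.
 *
 * Why the 401 happens: once an Application Password exists
 * (WP_Application_Passwords::is_in_use() returns true), core's
 * wp_validate_application_password(), hooked to 'determine_current_user',
 * reads PHP_AUTH_USER / PHP_AUTH_PW on REST requests and tries to validate
 * them as an Application Password. The site-wide Basic Auth credentials are
 * not one, so validation fails and the recorded error is surfaced through
 * 'rest_authentication_errors', turning a public request into a 401.
 */

/**
 * Whether the environment's site-wide Basic Auth is active.
 */
function site_basic_auth_is_active(): bool {
	return defined( 'SITE_WIDE_BASIC_AUTH' ) && SITE_WIDE_BASIC_AUTH;
}

/**
 * Report Application Passwords as unavailable while site-wide Basic Auth is on.
 *
 * wp_validate_application_password() calls wp_is_application_passwords_available()
 * before touching the Authorization header and returns early when it is false,
 * so the Basic credentials are never interpreted as an Application Password and
 * no authentication error is recorded for the REST layer to turn into a 401.
 * The same function also drives wp_is_application_passwords_available_for_user(),
 * which hides the Application Passwords UI on profile pages, so the documented
 * incompatibility is visible to users as well.
 */
add_filter( 'wp_is_application_passwords_available', function ( bool $available ): bool {
	if ( site_basic_auth_is_active() ) {
		return false;
	}
	return $available;
} );
```

With this in place a request carrying the site-wide Basic Auth header to a public endpoint such as /wp-json/ is treated as anonymous by Application Passwords and returns 200, which is the first acceptance criterion above.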

    Labels

must have (Must be done, high priority)