lfs: disable all authentication except Basic for HTTP(S) connections I ran into a problem pushing to an old Apache server- the normal outgoing traffic occurred, the Batch API request and response occurred, and then things suddenly halted. 5 minutes later, a 500 was returned, and the server log had a timeout reading 32K from `self._req.bodyfh` in hgweb.request.sendresponse(). Watching in WireShark, the Batch API got a 401, retried properly, then proceeded to PUT the blob (without authentication headers). This got a 401, but the client never retried with authentication. Worse, the blob was sent over the wire in the failed attempt. This kills digests for both the Batch API and the Transfer API. While in theory we could have the Batch API provide external URLs to a place that supports Basic Authentication, the LFS spec actually calls out using Basic Authentication[1]. It's not clear to me if they've been able to shoehorn in other methods. But let's keep it simple until somebody needs it. If we only had to support python2, we could just not add the handler for digest authentication. However in python3, AbstractBasicAuthHandler raises ValueError if it sees a scheme other than Basic. So we need to intercept all other schemes before it gets to that point. # no-check-commit because of urllib2.OpenerDirector foo_bar calling conventions [1] https://github.com/git-lfs/git-lfs/blob/master/docs/api/authentication.md

{
    // Enforcing
    "eqeqeq"        : true,     // true: Require triple equals (===) for comparison
    "forin"         : true,     // true: Require filtering for..in loops with obj.hasOwnProperty()
    "freeze"        : true,     // true: prohibits overwriting prototypes of native objects such as Array, Date etc.
    "nonbsp"        : true,     // true: Prohibit "non-breaking whitespace" characters.
    "undef"         : true,     // true: Require all non-global variables to be declared (prevents global leaks)

    // Environments
    "browser"       : true      // Web Browser (window, document, etc)
}