fix: allow Basic auth realm values without quotes #25

Closed
nichtsfrei wants to merge 1 commit into clowdhaus:main from nichtsfrei:loosen-basic-auth-requirement


Conversation

@nichtsfrei

Some clients send the `WWW-Authenticate` header in the form:

`< Www-Authenticate: Basic realm=Reducated`

instead of the standard:

`< Www-Authenticate: Basic realm="Reducated"`

To ensure compatibility, loosen the parsing regex to accept realm values that are not wrapped in quotes when processing the authentication header.

@bryantbiggs
Member

I don't know about this change - this very clearly states that it's a quoted string https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/WWW-Authenticate#realm

The string realm followed by = and a quoted string describing a protected area, for example realm="staging environment". A realm allows a server to partition the areas it protects (if supported by a scheme that allows such partitioning). Some clients show this value to the user to inform them about which particular credentials are required — though most browsers stopped doing so to counter phishing. The only reliably supported character set for this value is us-ascii. If no realm is specified, clients often display a formatted hostname instead.

as well as here https://datatracker.ietf.org/doc/html/rfc2617

The authentication parameter realm is defined for all authentication
schemes:

 realm       = "realm" "=" realm-value
 realm-value = quoted-string

@nichtsfrei
Author

nichtsfrei commented Nov 27, 2025

You're absolutely right. Unfortunately, one of our customers is hosting a Docker registry that violates this specific rule, and I thought it might be a small enough change that it would be okay to loosen it up.
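As an added example (not code from this PR or from the repository), the following Python parser implements both the RFC 2617 quoted-string grammar quoted above and the loosened bare-token form the PR description asks for, so the two behaviours can be compared on the `Reducated` header. The function name and the `strict` flag are assumptions, not the project's own API.

```python
import re
from typing import Optional

# quoted-string per RFC 2617 / RFC 7230: "..." with backslash-escaped chars
QUOTED = r'"(?P<q>(?:[^"\\]|\\.)*)"'
# token per RFC 7230: one or more tchar (no spaces, quotes or commas)
TOKEN = r"(?P<t>[!#$%&'*+\-.^_`|~0-9A-Za-z]+)"

# Strict form: realm MUST be a quoted-string (what the RFC grammar requires).
STRICT_REALM = re.compile(r"(?:^|[\s,])realm\s*=\s*" + QUOTED, re.IGNORECASE)
# Loosened form: additionally accept a bare token, as sent by the
# non-conforming registry described in the PR.
LOOSE_REALM = re.compile(
    r"(?:^|[\s,])realm\s*=\s*(?:" + QUOTED + "|" + TOKEN + ")", re.IGNORECASE
)


def parse_basic_realm(header: str, strict: bool = True) -> Optional[str]:
    """Return the realm of a Basic challenge, or None if it is absent,
    malformed, or the scheme is not Basic. `strict` is a hypothetical flag:
    True = RFC grammar only, False = RFC grammar plus bare token."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    m = (STRICT_REALM if strict else LOOSE_REALM).search(params)
    if m is None:
        return None
    groups = m.groupdict()
    if groups.get("q") is not None:
        # undo quoted-pair escaping: \" -> ", \\ -> \
        return re.sub(r"\\(.)", r"\1", groups["q"])
    return groups.get("t")


if __name__ == "__main__":
    # constructed sample challenges; "Reducated" is the value from the PR
    for hdr in ('Basic realm="Reducated"', "Basic realm=Reducated"):
        print(repr(hdr), "strict:", parse_basic_realm(hdr),
              "loose:", parse_basic_realm(hdr, strict=False))
```

Note that a bare token stops at the first space or comma, so `realm=staging environment` yields only `staging`; that truncation is the practical reason the RFC requires the quoted form.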

@nichtsfrei nichtsfrei closed this Nov 28, 2025