HTTP/HTTPS proxy authentication (Basic, RFC 7617)

[bluet]

Goal

Add HTTP Basic auth (RFC 7617) to the HTTP/HTTPS/CONNECT negotiators so the broker can find/check/use HTTP proxies that require credentials via the Proxy-Authorization header.

Why this is in scope

Many HTTP proxies (commercial residential rotation services, corporate gateways, paid lists) require HTTP Basic auth via Proxy-Authorization: Basic <base64(user:pass)>. proxybroker currently has no way to send this header in CONNECT requests or HTTP forwarding, so credentialed HTTP proxies fail at the first request. Limits the find/check/serve mission.

Scope

• _CONNECT_request(host, port, username=None, password=None, **kwargs): when credentials present, add Proxy-Authorization: Basic <b64> header.
• HttpNgtr / HttpsNgtr / Connect80Ngtr / Connect25Ngtr: accept and forward credentials.
• Proxy constructor accepts username/password, threaded through to negotiator.
• Provider parsing: support user:pass@host:port form for HTTP entries.
• Tests: CONNECT request bytes contain Proxy-Authorization when creds set; missing when not set; base64 encoding correct; URL-unsafe chars (@, : in password) escaped.

Acceptance criteria

1. Proxy('host', 8080, username='u', password='p') against an HTTP proxy requiring Basic auth succeeds.
2. Without credentials, the same proxy returns 407 Proxy Authentication Required and the negotiator surfaces it as a domain-specific error (not generic BadStatusError).
3. CONNECT byte-level test: Proxy-Authorization: Basic dTpw\r\n appears in the encoded request when username='u', password='p'.

Out of scope

• Digest auth (RFC 7616) — far rarer for proxies; separate ticket.
• NTLM/Negotiate (RFC 4559) — Windows-domain-specific; separate ticket.
• SOCKS5 username/password auth — separate ticket (different protocol, RFC 1929).

Estimated effort

~1-2 hours including tests. ~30 lines of code.