
The parser for the “Basic” scheme is not RFC-compliant. #121

@issuefiler

Description


RFC 9110 defines the field value of the Authorization header as:

```
Authorization = credentials
credentials   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
```

which, according to RFC 5234 — ABNF, means there can be one or more spaces between the auth-scheme and token68.

```
3.6.  Variable Repetition:  *Rule

   The operator "*" preceding an element indicates repetition.  The full
   form is:

         <a>*<b>element

   where <a> and <b> are optional decimal values, indicating at least
   <a> and at most <b> occurrences of the element.

   Default values are 0 and infinity so that *<element> allows any
   number, including zero; 1*<element> requires at least one;
   3*3<element> allows exactly 3; and 1*2<element> allows one or two.
```

```javascript
// Parsing authorization header.
// (basicSchemeRegExp is defined elsewhere in the project; this is a class method.)
parseAuthorization(header) {
  if (basicSchemeRegExp.test(header)) {
    // Splits on exactly one space: with "Basic  <token>" tokens[1] is "",
    // because the element between the first two spaces is empty.
    let tokens = header.split(" ");
    return tokens[1];
  }
}
```

Your parser assumes the 1*SP part to be a single space, and fails to parse the valid credentials

```
Basic              QWxhZGRpbjpvcGVuIHNlc2FtZQ==
```

erroneously returning "".
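For comparison, an added example (not the project's code, and not from the issue author) of a Basic-scheme parser that honours the `1*SP` rule from RFC 9110 and the `userid ":" password` form from RFC 7617, shown beside the single-space `split` pattern the issue describes. The names `naiveParse`, `parseBasicCredentials`, `TOKEN68` and `SAMPLE` are this example's own.

```javascript
// Added example: RFC 9110 / RFC 7617 compliant parsing of the Basic scheme.
// Not the project's code; all identifiers here are the example's own.

// token68 from RFC 9110: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const TOKEN68 = /^[A-Za-z0-9._~+\/-]+=*$/;

// The pattern quoted in the issue: split on a single space and take index 1.
// With "Basic    <token>" this returns "" (the empty element between the
// first two spaces), which is the bug being reported.
function naiveParse(header) {
  return header.split(" ")[1];
}

// Returns { user, password } for a well-formed Basic credential, or null for
// anything else, so the caller can answer 401 rather than crash or compare
// against an empty user name.
function parseBasicCredentials(header) {
  if (typeof header !== "string") return null;
  // auth-scheme is case-insensitive; the separator is one or more SP,
  // hence " +" rather than a single literal space.
  const m = /^Basic +([^ ]+)$/i.exec(header);
  if (m === null || !TOKEN68.test(m[1])) return null;

  // Node's base64 decoder is lenient (it silently skips invalid input), so
  // the token68 check above is what actually enforces the wire format.
  const decoded = Buffer.from(m[1], "base64").toString("utf8");

  // userid may not contain ":", so split at the first colon only; the
  // password itself may contain further colons.
  const colon = decoded.indexOf(":");
  if (colon < 0) return null;
  return { user: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
}

// Constructed sample: RFC 7617's Aladdin example, padded with the run of
// spaces from the issue that the single-space split cannot handle.
const SAMPLE = "Basic              QWxhZGRpbjpvcGVuIHNlc2FtZQ==";

console.log(JSON.stringify(naiveParse(SAMPLE)));   // ""
console.log(parseBasicCredentials(SAMPLE));        // { user: 'Aladdin', password: 'open sesame' }
```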
