http-auth
The parser for the "Basic" scheme is not RFC-compliant.
RFC 9110 defines the field value of the Authorization header as:
Authorization = credentials
credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
which, according to RFC 5234 (ABNF), means there can be one or more spaces between the auth-scheme and token68.
3.6. Variable Repetition: *Rule
The operator "*" preceding an element indicates repetition. The full form is:
<a>*<b>element
where <a> and <b> are optional decimal values, indicating at least <a> and at most <b> occurrences of the element.
Default values are 0 and infinity so that *<element> allows any number, including zero; 1*<element> requires at least one; 3*3<element> allows exactly 3; and 1*2<element> allows one or two.
https://github.com/gevorg/http-auth/blob/05bb4d7612a16002ef37804be5886690251357d8/src/auth/basic.js#L64-L70
Your parser assumes the 1*SP part to be a single space, and fails to parse the valid credentials
Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
erroneously returning "".
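An added example, not code from the http-auth project, of a "Basic" credentials parser that follows the ABNF quoted above: it accepts one or more SP between the auth-scheme and token68, validates the token68 alphabet, treats the scheme name as case-insensitive, and splits the decoded user-pass on the first colon. The single-space parser next to it is a constructed reconstruction of the kind of defect the report describes, included only for contrast; it is not http-auth's code. The example assumes Node.js (for Buffer) and that the HTTP layer has already stripped surrounding whitespace from the header value, as Node's http module does.

```javascript
// Added example, not code from the http-auth project: an RFC 9110 "Basic" credentials parser.
// Grammar being implemented (RFC 9110 credentials rule and RFC 7617 user-pass):
//   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
//   token68     = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
//   user-pass   = userid ":" password      (userid contains no ":")
// Assumes Node.js (Buffer) and that the HTTP layer already stripped the field value's surrounding OWS.
const TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;

function parseBasicCredentials(headerValue) {
  if (typeof headerValue !== 'string') return null;
  // The auth-scheme ends at the first SP (0x20); a tab is not SP and does not qualify.
  const sp = headerValue.indexOf(' ');
  if (sp === -1) return null;                                           // "Basic" with nothing after it
  if (headerValue.slice(0, sp).toLowerCase() !== 'basic') return null;  // scheme is case-insensitive
  // 1*SP: skip every space after the scheme, however many there are.
  const token = headerValue.slice(sp).replace(/^ +/, '');
  if (!TOKEN68.test(token)) return null;                                // rejects empty token, embedded spaces
  const decoded = Buffer.from(token, 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  if (colon === -1) return null;                                        // user-pass must contain ":"
  return { user: decoded.slice(0, colon), pass: decoded.slice(colon + 1) };
}

// Constructed for contrast only (not http-auth's code): a parser that splits on a single space.
// With two or more spaces, parts[1] is "" and the credentials are lost, which is the class of
// defect the report describes.
function parseBasicSingleSpace(headerValue) {
  const parts = headerValue.split(' ');
  if (parts.length < 2 || parts[0] !== 'Basic') return null;
  const decoded = Buffer.from(parts[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  return colon === -1 ? null : { user: decoded.slice(0, colon), pass: decoded.slice(colon + 1) };
}

// Constructed inputs: the RFC 7617 example credentials ("Aladdin:open sesame"), once with a
// single space and once with three spaces between the scheme and the token68.
const ONE_SP   = 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==';
const THREE_SP = 'Basic   QWxhZGRpbjpvcGVuIHNlc2FtZQ==';

console.log(parseBasicCredentials(ONE_SP));    // { user: 'Aladdin', pass: 'open sesame' }
console.log(parseBasicCredentials(THREE_SP));  // same result: 1*SP is honoured
console.log(parseBasicSingleSpace(THREE_SP));  // null: the credentials are dropped
```

Node's base64 decoder is lenient (it ignores characters outside the alphabet), so the TOKEN68 check before decoding is what actually enforces the grammar; without it, a value with an embedded space or other junk would still decode to something rather than being rejected.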