Auth Code check falls back to server var rather than raw header

[iansltx]

Fixed this elsewhere in #604. More a note to self to come back and clean this up as well.

[alexbilbie]

What action needs to be taken here @iansltx ?

[iansltx]

Same as what I did in 604: using the header directly (base64-decoding the Authorization header, checking to see whether it's Basic, etc.) rather than relying on the server var that you get for free in standard SAPIs but not necessarily elsewhere, even if elsewhere implements PSR-7.