There should be an auth backend that enforces an initial 401 reply. This would be useful to off-load generation of those initial replies from other backends such as the URL auth backend. This works by: ``` If (!user || !password) { return failed; } else { return no match; } ```