We have a staging server set up that uses HTTP Basic authentication for access which is independent of the user functionality on the site. Once the stage is accessed, I log in with some credentials (which do not use HTTP Basic) and I can proceed to do user things.
There's a few calls on the site that use a Bearer token for accessing some API functionality so each user is assigned their token and it's used properly to access the API if necessary. This works everywhere except Safari.
When I check the Authorization header and output the token in other browsers, it's in the proper Authorization: Bearer <token> format and the call succeeds. The same code running in Safari shows that the Authorization header was passed correctly in the request, but a debug output of the header shows it receiving Authorization: Basic <basic credentials> and, when resolved, will resolve to the credentials used to access the stage.
Why? Is there a setting in Safari that's doing this or is it a bug in Safari?