Type: Bug | Resolution: Not a Bug | Priority: Major | Version: 2.10 GA
Any value passed as xxxx in the Authorization header, i.e.
Authorization: Basic xxxx
authorizes the request even if the string is not valid base64, as long as it starts with the correct credentials. For example:
Valid request:
curl -k "https://basicauth-3scale-apicast-staging.amp210.apps-crc.testing:443/" -H "Authorization: Basic MTVjZmFlNjU6ZGZkNDMxZjEyMDhlYzllMmVmYzM4ODI2ZmJjYjk3ZjU"
This request uses "wrong" credentials, but auth succeeds:
curl -k "https://basicauth-3scale-apicast-staging.amp210.apps-crc.testing:443/" -H "Authorization: Basic MTVjZmFlNjU6ZGZkNDMxZjEyMDhlYzllMmVmYzM4ODI2ZmJjYjk3ZjU==foo"
This request uses wrong credentials in valid base64, and auth fails as expected:
curl -k "https://basicauth-3scale-apicast-staging.amp210.apps-crc.testing:443/" -H "Authorization: Basic MTVjZmFlNjU6ZGZkNDMxZjEyMDhlYzllMmVmYzM4ODI2ZmJjYjk3ZjUwYXNk"
I believe what is happening is that here the method decode_base64 is ignoring invalid input and accepting the string, parsing the valid part of the input into the password. According to this, it should return nil if str is not well formed.
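To make the three requests above reproducible offline, here is an added Python example (not APIcast's or nginx's own code): a lenient decoder emulating the behaviour described in the report (everything from the first '=' onwards is ignored and missing padding is tolerated) beside a strict decoder that accepts a token only if it re-encodes to exactly what was sent. The expected username and password are the ones decoded from the report's own tokens; the header strings are the ones from the curl commands.

```python
import base64
import binascii
import hmac
import re
from typing import Callable, Dict, Optional

# Credentials decoded from the report's "valid request" token.
EXPECTED_USER = "15cfae65"
EXPECTED_PASS = "dfd431f1208ec9e2efc38826fbcb97f5"
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*$")

def lenient_decode(token: str) -> Optional[bytes]:
    """Emulates the reported behaviour: stop at the first '=' and ignore the rest."""
    body = token.split("=", 1)[0]
    if not _B64_ALPHABET.match(body) or len(body) % 4 == 1:
        return None
    padded = body + "=" * (-len(body) % 4)  # tolerate missing padding
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None

def strict_decode(token: str) -> Optional[bytes]:
    """Round-trip check: the decoded bytes must re-encode to the token that was sent
    (padding may be omitted, but nothing may follow it)."""
    raw = lenient_decode(token)
    if raw is None:
        return None
    canonical = base64.b64encode(raw).decode("ascii")
    return raw if token in (canonical, canonical.rstrip("=")) else None

def check_basic_auth(header: str, decode: Callable[[str], Optional[bytes]]) -> bool:
    """True only when the header carries exactly the expected user:password."""
    scheme, _, token = header.partition(" ")
    raw = decode(token.strip()) if scheme.lower() == "basic" and token else None
    if raw is None:
        return False
    try:
        user, _, password = raw.decode("utf-8").partition(":")
    except UnicodeDecodeError:
        return False
    ok_user = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    ok_pass = hmac.compare_digest(password.encode(), EXPECTED_PASS.encode())
    return ok_user and ok_pass

# The three Authorization header values from the curl commands in the report.
REQUESTS = {
    "valid": "Basic MTVjZmFlNjU6ZGZkNDMxZjEyMDhlYzllMmVmYzM4ODI2ZmJjYjk3ZjU",
    "trailing_junk": "Basic MTVjZmFlNjU6ZGZkNDMxZjEyMDhlYzllMmVmYzM4ODI2ZmJjYjk3ZjU==foo",
    "wrong_password": "Basic MTVjZmFlNjU6ZGZkNDMxZjEyMDhlYzllMmVmYzM4ODI2ZmJjYjk3ZjUwYXNk",
}

def classify(decode: Callable[[str], Optional[bytes]]) -> Dict[str, bool]:
    """Auth outcome of each request under the given decoder."""
    return {name: check_basic_auth(hdr, decode) for name, hdr in REQUESTS.items()}
```

Under lenient_decode the trailing-junk request is accepted, as the report observes; under strict_decode only the first request passes.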