*     .build();
 * ```
 *
 * The proxy authenticator may implement preemptive authentication, reactive authentication, or
 * both.
 *
 * Applications may configure OkHttp with an authenticator for origin servers, or proxy servers,
 * or both.
 *
 * ## Authentication Retries
 *
 * If your authentication may be flaky and requires retries you should apply some policy

 * limitations under the License.
 */
package okhttp3.internal

import java.net.Authenticator
import java.net.PasswordAuthentication

class RecordingAuthenticator(
  private val authentication: PasswordAuthentication? =
    PasswordAuthentication(
      "username",
      "password".toCharArray(),
    ),
) : Authenticator() {
  val calls = mutableListOf<String>()

A single HTTP call may require follow-up requests to be made to handle authentication challenges, redirects, and HTTP-layer timeouts. In such cases multiple connections, requests, and responses may be attempted. Follow-ups are another reason a single call may trigger multiple events of the same type.

 *
 * ### Server Authentication
 *
 * This is the most common form of TLS authentication: clients verify that servers are trusted and
 * that they own the hostnames that they represent. Server authentication is required.
 *
 * To perform server authentication:
 *
 *  * The server's handshake certificates must have a [held certificate][HeldCertificate] (a

 *
 *  * A DNS lookup failed
 *  * The configuration is incapable of carrying the request, such as when the client is configured
 *    to use `H2_PRIOR_KNOWLEDGE` but the URL's scheme is `https:`.
 *  * Preemptive proxy authentication failed.
 *
 * Planning failures are not necessarily fatal. For example, even if we can't DNS lookup the first
 * proxy in a list, looking up a subsequent one may succeed.
 */

    }
    for (i in 0 until methodCount) {
      val candidateMethod: Int = fromSource.readByte() and 0xff
      if (candidateMethod == METHOD_NO_AUTHENTICATION_REQUIRED) {
        selectedMethod = candidateMethod
      }
    }
    when (selectedMethod) {
      METHOD_NO_AUTHENTICATION_REQUIRED -> {
        fromSink.writeByte(VERSION_5)
        fromSink.writeByte(selectedMethod)
        fromSink.emit()
      }

 *
 * As policy, implementations of this interface are responsible for selecting which cookies to
 * accept and which to reject. A reasonable policy is to reject all cookies, though that may
 * interfere with session-based authentication schemes that require cookies.
 *
 * As persistence, implementations of this interface must also provide storage of cookies. Simple
 * implementations may store cookies in memory; sophisticated ones may use the file system or

    }
    ```

 *  New: `MediaType.parameter()` gets a parameter like `boundary` from a media type like
    `multipart/mixed; boundary="abc"`.

 *  New: `Authenticator.JAVA_NET_AUTHENTICATOR` forwards authentication requests to
    `java.net.Authenticator`. This obsoletes `JavaNetAuthenticator` in the `okhttp-urlconnection`
    module.

 *  New: `CertificatePinner` now offers an API for inspecting the configured pins.

 *  **Proxy authenticators are now asked for preemptive authentication.** OkHttp will now request
    authentication credentials before creating TLS tunnels through HTTP proxies (HTTP `CONNECT`).
    Authenticators should identify preemptive authentications by the presence of a challenge whose
    scheme is "OkHttp-Preemptive".

In limited situations OkHttp will retry a route if connecting fails:

 * When making an HTTPS connection through an HTTP proxy, the proxy may issue an authentication challenge. OkHttp will call the proxy [authenticator](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-authenticator/) and try again.