return
	}
	if err := m.authToken(cReq.Token); err != nil {
		writeErr(fmt.Errorf("auth token: %w", err))
		return
	}

	if debugPrint {
		fmt.Printf("handler: Got Connect Req %+v\n", cReq)
	}
	writeErr(remote.handleIncoming(ctx, conn, cReq))
}

// AuthFn should provide an authentication string for the given aud.
type AuthFn func() string

// ValidateAuthFn should check authentication for the given aud.

				CipherSuites:     fips.TLSCiphers(),
				CurvePreferences: fips.TLSCurveIDs(),
			}),
		Local:        local,
		Hosts:        hosts,
		AuthToken:    validateStorageRequestToken,
		AuthFn:       newCachedAuthToken(),
		BlockConnect: globalGridStart,
		// Record incoming and outgoing bytes.
		Incoming:  globalConnStats.incInternodeInputBytes,
		Outgoing:  globalConnStats.incInternodeOutputBytes,

	remoteHost := hosts[1]
	local, err := NewManager(context.Background(), ManagerOptions{
		Dialer: ConnectWS(dialer.DialContext,
			dummyNewToken,
			nil),
		Local:        localHost,
		Hosts:        hosts,
		AuthFn:       dummyNewToken,
		AuthToken:    dummyTokenValidate,
		BlockConnect: connReady,
	})
	errFatal(err)

	// 1: Echo
	errFatal(local.RegisterSingleHandler(handlerTest, func(payload []byte) ([]byte, *RemoteErr) {

	}
}

// ConnectWS returns a function that dials a websocket connection to the given address.
// Route and auth are added to the connection.
func ConnectWS(dial ContextDialer, auth AuthFn, tls *tls.Config) func(ctx context.Context, remote string) (net.Conn, error) {
	return ConnectWSWithRoutePath(dial, auth, tls, RoutePath)
}

// ValidateTokenFn must validate the token and return an error if it is invalid.

	// outQueue is the output queue
	outQueue chan []byte

	// Client or serverside.
	side ws.State

	// Dialer for outgoing connections.
	dial   ConnDialer
	authFn AuthFn

	handleMsgWg sync.WaitGroup

	// connChange will be signaled whenever State has been updated, or at regular intervals.
	// Holding the lock allows safe reads of State, and guarantees that changes will be detected.

	for i, host := range hosts {
		manager, err := NewManager(ctx, ManagerOptions{
			Dialer: ConnectWS(dialer.DialContext,
				dummyNewToken,
				nil),
			Local:        host,
			Hosts:        hosts,
			AuthFn:       dummyNewToken,
			AuthToken:    dummyTokenValidate,
			BlockConnect: ready,
			RoutePath:    RoutePath,
		})
		if err != nil {
			return nil, err
		}
		m := mux.NewRouter()

	Op() Op
}

type connectReq struct {
	ID    [16]byte
	Host  string
	Time  time.Time
	Token string
}

// addToken will add the token to the connect request.
func (c *connectReq) addToken(fn AuthFn) {
	c.Token = fn()
}

func (connectReq) Op() Op {
	return OpConnect
}

type connectResp struct {
	ID             [16]byte
	Accepted       bool
	RejectedReason string
}

				Body:   nopCloser,
			},
			authT: authTypePostPolicy,
		},
	}

	// .. Tests all request auth type.
	for i, testc := range testCases {
		authT := getRequestAuthType(testc.req)
		if authT != testc.authT {
			t.Errorf("Test %d: Expected %d, got %d", i+1, testc.authT, authT)
		}
	}
}

// Test all s3 supported auth types.
func TestS3SupportedAuthType(t *testing.T) {

		return authTypeAnonymous
	}
	return authTypeUnknown
}

func validateAdminSignature(ctx context.Context, r *http.Request, region string) (auth.Credentials, bool, APIErrorCode) {
	var cred auth.Credentials
	var owner bool
	s3Err := ErrAccessDenied
	if _, ok := r.Header[xhttp.AmzContentSha256]; ok &&
		getRequestAuthType(r) == authTypeSigned {

# HTTP Basic Auth

For the simplest cases, you can use HTTP Basic Auth.

In HTTP Basic Auth, the application expects a header that contains a username and a password.

If it doesn't receive it, it returns an HTTP 401 "Unauthorized" error.

And returns a header `WWW-Authenticate` with a value of `Basic`, and an optional `realm` parameter.

That tells the browser to show the integrated prompt for a username and password.