Rant of the day: Chrome and HTTP Authentication

by Viktor Hansson on 17 August 2015, 19:25

Tags: rotd, http auth

I'm developing a REST API right now and am at the stage where I need to implement user authentication to restrict endpoints that mutate data. This is the exact same thing one of my main tasks at work is, but in that product we have OAuth and some other fancy stuff which I don't plan on implementing here.

Anyways, for the API I thought at first I would use Digest auth, but never having used it I had no idea how it worked. A few minutes later I had a hello world API using Digest auth via the library flask-httpauth. What was extremely weird, however, was that sometimes it worked, but most of the time it just returned 401 regardless of how correct the login data was. I tried it first using Postman. No luck. Then using curl. No luck. Then using Chrome. Some luck. It worked one time. Then I opened the API in an incognito tab and it completely stopped working.
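To make the Digest mechanics concrete, here is an added example (not code from the post or from flask-httpauth) that computes the RFC 2617 response hash (assuming no `qop`, and a constructed user table) and shows that the server must still remember the nonce it issued: a correct password presented with a nonce the server never handed out, or no longer tracks, is rejected just like a wrong password. That the post's intermittent 401s stem from nonce tracking is an assumption, not something the post establishes.

```python
import hashlib
import hmac
import secrets


def _h(s: str) -> str:
    """MD5 hex digest, the hash RFC 2617 Digest uses."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce):
    """Client side: response = H(HA1 ':' nonce ':' HA2) with no qop."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Minimal server-side verifier with an in-memory nonce table."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password (constructed data)
        self.issued_nonces = set()  # nonces this server instance handed out

    def challenge(self):
        """Produce a fresh nonce for a WWW-Authenticate: Digest challenge."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        """Return True only for a known nonce and a matching response hash."""
        if nonce not in self.issued_nonces:
            return False  # unknown/forgotten nonce -> 401 even with a valid password
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, password, self.realm, method, uri, nonce)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = DigestServer("api", {"alice": "s3cret"})
    nonce = server.challenge()
    resp = digest_response("alice", "s3cret", "api", "GET", "/items", nonce)
    print("same server:", server.verify("alice", "GET", "/items", nonce, resp))
    # A restarted process (new instance) has no record of the nonce.
    fresh = DigestServer("api", {"alice": "s3cret"})
    print("restarted server:", fresh.verify("alice", "GET", "/items", nonce, resp))
```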

So I thought, hey fuck that shit, just use Basic auth over HTTPS, almost or completely as secure. And then I ran into the same problem I've had at work. Despite HTTP auth being completely stateless, i.e. the Authorization header must be provided with every request, Chrome thinks it's a good idea to store this information and send it automatically. I can surely see the merit in that, since you don't have to provide it for every page load. The problem, however, is that it's impossible to clear this information. Clear the cookies. No luck. Clear the history. No luck. The only (unreliable) way is to exit Chrome, and to even suggest this as a solution is definitive proof that you're a complete idiot. There is one other way which is somewhat more convenient: use an incognito window. The problem, however, is that this is information that should be erasable on demand, without jumping through hoops. And as usual the devs just flip everyone the finger and say "low priority". From 2011 to the present day.