When a request like the following is sent, the end user gets a 400 status response with the message "Username mismatch":
The problem is that the user was authenticated as the anonymous user, because the credentials were only in the payload and not in the Basic Auth header. Since the anonymous username != the payload username, we return 400.
The trouble is that this is hard to diagnose without debug logging and a better understanding of which usernames are being compared.
For example, the end user may also send a Basic Auth header whose username authenticates successfully, but the encoded payload values are encoded incorrectly. The result is the same 400, and the user is left wondering where the problem lies.
This can be improved with a simple logging adjustment:
- log at WARN the authenticated username and the payload username when they do not match
- log at DEBUG the decoded usernames before the match is attempted
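The following is an added illustration of that logging adjustment; it is not code from the project this issue belongs to. It assumes (these are assumptions, not facts from the issue) that credentials are read only from a Basic Auth header, that a request without one runs as a principal named "anonymous", and that the payload carries the username as a base64 string. The end-user response is left exactly as the issue describes (400 "Username mismatch"); what changes is that the log now says which two names were compared and why they differed.

```python
import base64
import binascii
import logging

log = logging.getLogger("auth")

ANONYMOUS = "anonymous"  # assumed name of the fallback principal


def authenticate(headers):
    """Return the authenticated username.

    Assumption: credentials are only read from the Basic Auth header;
    a request without a valid one runs as ANONYMOUS.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return ANONYMOUS
    try:
        raw = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        log.debug("Basic Auth header is not valid base64; treating request as %s", ANONYMOUS)
        return ANONYMOUS
    username, _, _password = raw.partition(":")
    return username


def payload_username(payload):
    """Decode the base64 username from the request body (assumed encoding).

    Returns None when the value is missing or not decodable, so the caller
    can log that cause instead of a bare mismatch.
    """
    try:
        return base64.b64decode(payload["username"], validate=True).decode("utf-8")
    except (KeyError, binascii.Error, UnicodeDecodeError):
        return None


def diagnose(headers, payload):
    """Compare both usernames and emit the DEBUG/WARN lines proposed above.

    Returns (cause, authenticated, requested) where cause is one of
    "match", "no-basic-auth", "undecodable-payload" or "mismatch".
    """
    authenticated = authenticate(headers)
    requested = payload_username(payload)
    # DEBUG: both decoded names before the comparison, so a bad encoding on
    # either side is visible in the log rather than hidden behind "mismatch".
    log.debug("username check: authenticated=%r payload=%r", authenticated, requested)
    if requested is None:
        log.warning("payload username is missing or not valid base64 "
                    "(request authenticated as %r)", authenticated)
        return "undecodable-payload", authenticated, requested
    if authenticated != requested:
        # WARN: name both sides; the most common cause in the issue is that
        # credentials were only in the payload, so no Basic Auth header was sent.
        log.warning("username mismatch: authenticated as %r but payload names %r%s",
                    authenticated, requested,
                    " (no Basic Auth header sent)" if authenticated == ANONYMOUS else "")
        return ("no-basic-auth" if authenticated == ANONYMOUS else "mismatch"), authenticated, requested
    return "match", authenticated, requested


def check_request(headers, payload):
    """End-user result, unchanged from the behaviour described in the issue."""
    cause, _, _ = diagnose(headers, payload)
    return (200, "OK") if cause == "match" else (400, "Username mismatch")


def basic_header(user, password):
    """Build a Basic Auth header for a constructed sample request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


# Constructed sample payload: base64 of "alice".
SAMPLE_PAYLOAD = {"username": base64.b64encode(b"alice").decode()}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    print(check_request({}, SAMPLE_PAYLOAD))                          # creds only in payload
    print(check_request(basic_header("alice", "pw"), SAMPLE_PAYLOAD))  # happy path
    print(check_request(basic_header("alice", "pw"), {"username": "YWxpY2U"}))  # bad base64 in payload
```

Running the script shows the point of the change: all three failing cases still return the same 400 to the client, but the WARN line now names the two usernames that were compared (or says the payload value did not decode), and the DEBUG line shows the decoded values before the comparison.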