    Fix some bad assumptions for web API auth backends.

    Review Request #6077 — Created July 7, 2014 and submitted — Latest diff uploaded

    Information

    Djblets
    release-0.8.x
    faaa074...

    The web API auth backend support made a couple bad assumptions that
    made it hard to write additional backends.

    If the Basic Auth backend was first, and it encountered something that
    wasn't a Basic Auth authorization header, it would log failures, even
    though it wasn't the target backend. We now perform the realm check
    first before trying to parse it.

    The base WebAPIAuthBackend class itself was assuming in some places that
    backends would want a username and a password. Working around that
    assumption meant overriding login_with_credentials(). Now, that function
    no longer cares about the specific contents of credentials, and farms
    out to the Django auth backends and to a new validate_credentials() for
    any specifics, making it easier to override.

    Along with this, we now log all credential information passed to the
    API, being careful to mask any sensitive information.

    Tested this with a new auth backend that didn't deal in usernames and
    passwords, and also didn't replace the Basic Auth backend. No longer saw
    extra log messages, and didn't have to replace login_with_credentials().
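The two behaviours the description calls out, checking that a header is meant for this backend before parsing it and masking sensitive values before logging, shown as an added stand-alone example. This is not Djblets code: `get_basic_credentials`, `mask_credentials`, `SENSITIVE_KEY_RE` and the logger name are hypothetical, and the "realm check" is assumed here to be a comparison on the scheme token of the Authorization header.

```python
import base64
import binascii
import logging
import re

logger = logging.getLogger("webapi.auth.example")  # hypothetical logger name

# Assumed pattern for credential keys whose values must never reach the logs.
SENSITIVE_KEY_RE = re.compile(r"pass|secret|token|key", re.IGNORECASE)


def mask_credentials(credentials):
    """Return a copy of credentials that is safe to write to a log."""
    return {
        key: "************" if SENSITIVE_KEY_RE.search(key) else value
        for key, value in credentials.items()
    }


def get_basic_credentials(header):
    """Parse an Authorization header value for HTTP Basic auth.

    Returns None without logging when the header belongs to another
    scheme, so a backend further down the list can claim it.
    """
    scheme, _, encoded = header.strip().partition(" ")

    # Check the scheme first: a foreign header is not a failure here.
    if scheme.lower() != "basic":
        return None

    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
        username, sep, password = raw.decode("utf-8").partition(":")
        if not sep:
            raise ValueError("missing ':' separator")
    except (binascii.Error, ValueError) as e:
        # Only a malformed Basic header is worth a warning, and the raw
        # header value is never included in the message.
        logger.warning("Malformed Basic auth header: %s", e)
        return None

    credentials = {"username": username, "password": password}
    logger.info("API login attempt with credentials %r",
                mask_credentials(credentials))
    return credentials
```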