🔗 Related Issues

Follows #17619 (request handlers) and #17623 (response handlers); Phase 3 of the BiDi Protocol API Design.

💥 What does this PR do?

Adds the callback-based authentication handler API to driver.network, aligned with the Authentication Handling section of the cross-binding BiDi API design:

def handle_authentication(auth):
    auth.provide_credentials("username", "password")
    # or: auth.cancel()

handler_id = driver.network.add_authentication_handler(
    ["https://secure-api.example.com/**"], handle_authentication)
driver.network.remove_authentication_handler(handler_id)
driver.network.clear_authentication_handlers()

• Handlers receive an AuthenticationRequest (url, realm, scheme, challenges) at the authRequired phase and may call provide_credentials(username, password) or cancel(). Reconciliation issues exactly one network.continueWithAuth per challenge (cancel > provide_credentials > browser default), so purely observational handlers never stall the page
• URL patterns are the same glob strings as request/response handlers; the callable-first overload (add_authentication_handler(handler)) matches everything
• clear_request_handlers now preserves authentication handlers alongside response handlers (and resubscribes both registries after the event-handler sweep)
• The credentials-only add_auth_handler(username, password) is unchanged; its docstring cross-references the new API and warns against mixing the two on one challenge

This also fixes a latent wire-level bug the new browser tests exposed: glob_to_url_pattern emitted wildcard characters inside UrlPatternPattern properties (e.g. "pathname": "/*"), which browsers reject with invalid argument: Forbidden characters — the spec says pattern properties match literally. Wildcard-bearing components are now omitted (omitted properties match anything) and Python-side glob matching narrows the results. Phases 1–2 never hit this in practice because their browser tests only used **/... globs, which skip browser-side filtering entirely.

🔧 Implementation Notes

• Same structure as Phases 1–2: the implementation lives in py/private/_network_handlers.py (AuthenticationRequest, AuthHandlerRegistry reusing _BaseHandlerRegistry) with thin glue in py/private/bidi_enhancements_manifest.py
• Browser tests that successfully authenticate are marked needs_fresh_driver: success warms the browser's HTTP auth cache for the origin, which suppresses authRequired challenges in later tests (this also applied to the pre-existing legacy test_continue_with_auth)
• Verified locally: unit tests, plus the full Chrome and Firefox BiDi browser suites (Firefox supports continueWithAuth, so no xfail_firefox needed)

🤖 AI assistance

• AI assisted (complete below)
  • Tool(s): Claude Code
  • What was generated: implementation, tests, and this PR description, pair-programmed with the author
  • I reviewed all AI output and can explain the change

💡 Additional Considerations

• High-risk area touched: wire-level BiDi network semantics (network.continueWithAuth, network.addIntercept UrlPattern translation)
• Java/Ruby/JS/.NET parity for the cross-binding design remains follow-up work (Python is leading)
• Phase 4 (extra headers) builds on this PR's registry-preservation logic and will follow separately

🔄 Types of changes

• New feature (non-breaking change which adds functionality and tests!)
• Bug fix (backwards compatible)