Grandstream bug? Lack of digest authentication fails

Status
Not open for further replies.

IAmBecumDeath

New Member
Nov 3, 2023
First, I've forwarded this to Grandstream directly, but I have no idea how good their support is. I want to see if anyone can confirm my diagnostics and tell me if other Grandstream phones have a different authentication flow for phonebook.xml.
If Grandstream does not fix their firmware fairly quickly, how hard is it to enable basic HTTP auth, and how much of a security issue is it if using HTTPS?

Example log files of the 4 tests. (I have replaced IP addresses with 1.2.3.4, the username with web_auth_user and the MAC address with macaddress in the logs.)

log 1 cfg provisioning.alwaysAuthenticateBeforeChallenge off (works)

1.2.3.4 - - [03/Jun/2024:21:33:09 +0000] "GET /app/provision/cfgmacaddress.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"
1.2.3.4 - - [03/Jun/2024:21:33:10 +0000] "GET /app/provision/cfgmacaddress HTTP/1.1" 200 63958 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"

log 2 cfg provisioning.alwaysAuthenticateBeforeChallenge on (does not work)

1.2.3.4 - web_auth_user [03/Jun/2024:21:39:16 +0000] "GET /app/provision/cfgmacaddress.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"
1.2.3.4 - web_auth_user [03/Jun/2024:21:39:16 +0000] "GET /app/provision/cfgmacaddress HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"

log 3 phonebook provision test from laptop (works)

1.2.3.4 - - [03/Jun/2024:21:32:26 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"
1.2.3.4 - - [03/Jun/2024:21:32:26 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"

log 4 phonebook provision from phone (does not work, always authenticate option not possible to disable)

1.2.3.4 - web_auth_user [03/Jun/2024:21:42:07 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"
1.2.3.4 - web_auth_user [03/Jun/2024:21:47:07 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW WP825 SW 1.0.11.60 DevId macaddress"

In log 2 and log 4, you'll see two 401 Unauthorized responses for two different config filename possibilities. You'll also see the 3rd column in both is web_auth_user. This is the username set in "phonebook.download.username". My understanding is this 3rd column is the basic HTTP auth username.

In log 1 and 3, both requests begin with 401, get resent using digest authentication and on the second line end with a successful 200 status. Neither line has a username in column 3. My understanding is this indicates HTTP digest authentication.

I don't believe I'm missing any settings available to end users. I am not sure if basic HTTP auth is possible or advised. However, I know that it's not possible to download the phonebook.xml on FusionPBX with the WP825 using HTTP auth enabled out of the box.
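
A small triage script for access logs like the four above, added here as an example and not part of the original post: it splits each client's requests into sessions and labels whether a 401 challenge was followed by a 200, or whether requests that already carried a username were rejected. The regex, the 30-second session gap, the label names and the shortened sample lines are assumptions; it follows the post's reading that a populated third field means the client sent Basic credentials.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip, ident, remote user, [time], "request", status, size, referer, UA
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample modelled on the post's logs (same placeholders, shortened User-Agent).
SAMPLE = """\
1.2.3.4 - - [03/Jun/2024:21:33:09 +0000] "GET /app/provision/cfgmacaddress.xml HTTP/1.1" 401 23 "-" "Grandstream WP825"
1.2.3.4 - - [03/Jun/2024:21:33:10 +0000] "GET /app/provision/cfgmacaddress HTTP/1.1" 200 63958 "-" "Grandstream WP825"
1.2.3.4 - web_auth_user [03/Jun/2024:21:39:16 +0000] "GET /app/provision/cfgmacaddress.xml HTTP/1.1" 401 23 "-" "Grandstream WP825"
1.2.3.4 - web_auth_user [03/Jun/2024:21:39:16 +0000] "GET /app/provision/cfgmacaddress HTTP/1.1" 401 23 "-" "Grandstream WP825"
1.2.3.4 - web_auth_user [03/Jun/2024:21:42:07 +0000] "GET /app/provision/macaddress/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream WP825"
"""

def sessions(text, gap=timedelta(seconds=30)):
    """Yield time-ordered request lists per (ip, user agent), split on idle gaps."""
    by_client = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            by_client[(m["ip"], m["ua"])].append((ts, m["user"], int(m["status"]), m["path"]))
    for reqs in by_client.values():
        reqs.sort(key=lambda r: r[0])
        cur = [reqs[0]]
        for r in reqs[1:]:
            if r[0] - cur[-1][0] > gap:
                yield cur
                cur = []
            cur.append(r)
        yield cur

def label(session):
    """Name the auth outcome of one session from its statuses and remote-user field."""
    statuses = [s for _, _, s, _ in session]
    sent_user = any(u != "-" for _, u, s, _ in session if s == 401)
    if statuses[0] == 401 and statuses[-1] == 200:
        return "challenge-then-success"
    if all(s == 401 for s in statuses):
        return "credentials-rejected" if sent_user else "challenge-unanswered"
    return "other"

def classify(text):
    """Return (first requested path, label) for every session in the log text."""
    return [(s[0][3], label(s)) for s in sessions(text)]
```
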