Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1. Also (or instead), implement RFC 7617 which allows a server to indicate it does support UTF-8.
The RFC that covers Basic authentication says that the authentication header contains base 64 encoded TEXT . The TEXT format needs to be read under the HTTP specification  which says:
The TEXT rule is only used for descriptive field contents and values
that are not intended to be interpreted by the message parser. Words
of *TEXT MAY contain characters from character sets other than ISO-
8859-1  only when encoded according to the rules of RFC 2047
RFC 2047 describes an encoding method that embeds the encoded string in "=?" and "?=". But it appears no implementation of HTTP is doing this. Certainly no browser is doing this.