deislabs / bindle

Bindle: Object Storage for Collections

Bindle server auth: support requiring auth for all request types

vdice opened this issue · comments

Currently, GET requests to a bindle server with auth configured (say, basic HTTP or OIDC) appear to always be served, meaning anonymous auth is still possible for these request types.

I think it would be useful to allow configuration in the server to restrict all request types (including GETs) to requiring auth creds per the auth strategy the server is running with. Assuming we want to maintain the default of anonymous GETs, perhaps this would be an opt-in configuration/toggle.

@thomastaylor312 or is it already possible today to configure a bindle server to mandate that all requests be authenticated?

Not with how it is currently set up. We'll need to add a new Authorization implementation that checks if the user is authenticated. Should be a fairly simple code add, but then we need to add yet another branch to the match statement of doom in the server CLI code.
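The two behaviours discussed in this thread, modelled as an added example (not code from the issue or from bindle): the current default that serves anonymous GETs, and the proposed opt-in that requires an authenticated caller for every request. All type and function names below (`Policy`, `Caller`, `Method`, `anonymous_surface`) are hypothetical and are not bindle's API.

```rust
// Added illustration; every name here is hypothetical, not bindle's API.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Method { Get, Post, Put, Delete }

pub const ALL_METHODS: [Method; 4] =
    [Method::Get, Method::Post, Method::Put, Method::Delete];

/// Who the authentication layer (basic HTTP, OIDC, ...) says is calling.
#[derive(Clone, Debug, PartialEq)]
pub enum Caller { Anonymous, Authenticated(String) }

/// The two authorization behaviours discussed in the issue.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Policy {
    /// Current default: GETs are served without credentials.
    AnonymousGet,
    /// Proposed opt-in: every request type needs an authenticated caller.
    RequireAuthenticated,
}

impl Policy {
    /// Decide whether `caller` may issue a request with `method`.
    pub fn authorize(self, caller: &Caller, method: Method) -> Result<(), &'static str> {
        match (self, caller, method) {
            // Any authenticated caller passes under both policies.
            (_, Caller::Authenticated(_), _) => Ok(()),
            // Only the default policy lets an anonymous GET through.
            (Policy::AnonymousGet, Caller::Anonymous, Method::Get) => Ok(()),
            (_, Caller::Anonymous, _) => Err("authentication required"),
        }
    }

    /// Audit helper: methods this policy serves to a caller with no credentials.
    pub fn anonymous_surface(self) -> Vec<Method> {
        ALL_METHODS.iter().copied()
            .filter(|m| self.authorize(&Caller::Anonymous, *m).is_ok())
            .collect()
    }
}

fn main() {
    for policy in [Policy::AnonymousGet, Policy::RequireAuthenticated] {
        println!("{:?}: anonymous callers can use {:?}", policy, policy.anonymous_surface());
    }
}
```

Asserting that `anonymous_surface()` is empty for the strict policy is the kind of regression check that keeps a later change from reopening anonymous reads.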