Sorry, I did not have time to make a correct post, so I preferred to delay it.
I guess the first part is to define what authentication should cover at the general transport level: should the authentication be generic (i.e. one solution for each and every client) or a more refined solution?
At the moment for HTTP you have one login/password solution; this does cover some security, but since there is no HTTPS it's plain text, so not very secure.
Second point is that you only have one combination, meaning if you have a security problem or want to revoke one client, you need to impact all clients.
If going to a new solution, a per-client token solution would be the best.
Like: a client generates a unique id and sends an authentication request; XBMC displays a dialog to accept it or not the first time, then returns a token derived from it. And until revoked, no more asking on the XBMC side.
One problem about client tracking is that, for me, using the socket to identify the client is far from perfect, since it needs to restart the authentication scheme on every connection. And from a mobile point of view this could happen a lot: on most phones wifi goes off when the screen is off, for example (and it's good for battery usage).
The per-client token solution could cover this too; you could perhaps add an ip related to the currently generated token, and ask for a new challenge of the authentication, meaning the client needs to send the previously sent unique id (but without asking on the XBMC screen, of course). If a client is compromised down to its source code, so that the generated token and the unique id can be obtained, then there will never be a way to secure things, so this covers 99% of security.
The token thing could then be enhanced a little, with the need for the client to send a name with the first challenge so XBMC could do a proper listing, and then the user could activate/revoke some permissions at token level.
Like access to media for streaming.
Add a default set of permissions and you have something not too bad, I think.
As discussed in the PR, at protocol level encryption / tampering avoidance sounds more important than authentication if it's already handled at application level.
Having dual authentication would not bring additional security (if handling the application-level authentication also for file access, like with a header for HTTP).
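The per-client token flow described in this post (first challenge with id and name, accept dialog, token derived from the id, silent re-challenge on later connections, per-token permissions with a default set, per-client revocation), as an added example that is not XBMC's code or the poster's: the XBMC-side registry is modelled in Python, and the class, method names, the HMAC derivation, the optional ip binding flag and the default permission set are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed default permission set; the post only says "a default set of permissions".
DEFAULT_PERMISSIONS = frozenset({"control", "read_library"})


class TokenRegistry:
    """XBMC-side view of the per-client token scheme (hypothetical names)."""
    def __init__(self, bind_ip=True):
        self.secret = secrets.token_bytes(32)  # stays on the XBMC side, never sent to clients
        self.bind_ip = bind_ip                 # the post says "perhaps" tie a token to an ip
        self.pending = {}                      # client_id -> name, waiting for the accept dialog
        self.clients = {}                      # client_id -> record of an accepted client

    def derive_token(self, client_id, nonce):
        # Token derived from the client's unique id plus a per-approval nonce (assumed HMAC
        # construction): XBMC re-derives it to check, and a re-approval yields a fresh token.
        return hmac.new(self.secret, f"{client_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def request(self, client_id, name):
        """First challenge: unique id + name. 'known' if already accepted, else 'pending'."""
        if client_id in self.clients:
            return "known"
        self.pending[client_id] = name
        return "pending"

    def accept(self, client_id, ip):
        """User pressed accept on the dialog; the token goes back to the client once."""
        name = self.pending.pop(client_id)
        nonce = secrets.token_hex(16)
        self.clients[client_id] = {"name": name, "nonce": nonce, "ip": ip,
                                   "permissions": set(DEFAULT_PERMISSIONS)}
        return self.derive_token(client_id, nonce)

    def reject(self, client_id):
        self.pending.pop(client_id, None)

    def authenticate(self, client_id, token, ip):
        """Re-challenge on every new socket: id + token, no dialog, constant-time compare."""
        rec = self.clients.get(client_id)
        if rec is None or (self.bind_ip and rec["ip"] != ip):
            return False
        return hmac.compare_digest(self.derive_token(client_id, rec["nonce"]), token)

    def revoke(self, client_id):
        self.clients.pop(client_id, None)  # only this client loses access

    def set_permission(self, client_id, perm, allowed):
        perms = self.clients[client_id]["permissions"]
        perms.add(perm) if allowed else perms.discard(perm)

    def allowed(self, client_id, token, ip, perm):
        return self.authenticate(client_id, token, ip) and perm in self.clients[client_id]["permissions"]

    def listing(self):
        """What the user reviews when activating/revoking permissions per client."""
        return [(cid, r["name"], sorted(r["permissions"])) for cid, r in self.clients.items()]
```

Note that with `bind_ip=True` a phone whose address changes after wifi reconnects has to be re-accepted, which is the trade-off behind the post's "perhaps".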