While testing .htaccess auth on centos 7 using apache 2.4, something odd happened.
We have the following in the httpd.conf;
Require all denied
We have the .htpasswd above the root of the web site and the .htaccess in one of the sub directories.
All was working as it should, being prompted for auth when trying to connecting using curl or browser.
We removed the .htaccess and were still prompted.
Then we removed the .htpasswd file and that seemed to change the behavior.
This makes no sense since the path of the .htpasswd is above the root of the site and the path is in .htaccess.
So, then we replace the files and then things work as expected, prompted when there is an .htaccess and not when it is removed.