Basic Authentication for subset of Grav instance?

I recently took over managing a small static site for a volunteer org running on a rather limited PHP host. I would like to upgrade it to something more modern than trivial PHP and static HTML. Grav appears to run on the provided PHP, but I have a requirement to link up to an Apache Basic Authentication external provider. It currently works fine for static HTML files located in a subdirectory and protected through .htaccess. However, going to a CMS that creates a virtual directory tree through mod_rewrite doesn't trigger the default .htaccess behavior.

Is there any way to delegate authentication to the external provider such that only one section of the Grav site requires Basic Auth to reach?

(Note: Please don't suggest trying to recreate the authentication information within Grav. The host specifically forbids this. I have to delegate authentication to their provider without copying any usernames or passwords into my instance(s).)

I think it should be possible to create a 'basic auth' plugin for the login plugin. One doesn't exist currently, but i've seen them for other platforms such as WordPress, and I think they function by adding browser basic auth headers when required. So it should be possible to create :)

That might be possible. I'd need Grav to read the basic auth headers, and return 401 on the secure pages, to trigger the default basic authentication dialogs, when not present. What I'm worried about is the authorization piece, though. With static HTML, Apache handles authorization through .htaccess path (for directories) and by Files directives in those .htaccess files. It's easy enough to set an Authorization: header, but how do I actually get the Apache AuthProviderBasic to read it, and get a pass/fail reply back from it, from within PHP?

A good place to start is with this simple wordpress plugin: https://wordpress.org/plugins/wp-basic-auth/

Or this Joomla one: https://github.com/joomlatools/joomla-basicauth/blob/master/basicauth.php