Pass headers back to client from auth plugin

Fix for external auth wrapper handler. Written by introducing
a broken unit test. Whenever the auth plugin returns a request
as not authorized, we must pass back any headers set by the
plugin.

Signed-off-by: Alex Ellis <alexellis2@gmail.com>

gateway/handlers/external_auth.go

@@ -34,6 +34,7 @@ func MakeExternalAuthHandler(next http.HandlerFunc, upstreamTimeout time.Duratio
 			return
 		}
 
+		copyHeaders(w.Header(), &res.Header)
 		w.WriteHeader(res.StatusCode)
 	}
 }

gateway/handlers/external_auth_test.go

@@ -84,6 +84,45 @@ func Test_External_Auth_Wrapper_WithoutRequiredHeaderFailsAuth(t *testing.T) {
 	}
 }
 
+func Test_External_Auth_Wrapper_WithoutRequiredHeaderFailsAuth_ProxiesServerHeaders(t *testing.T) {
+	wantToken := "secret-key"
+	wantRealm := `Basic realm="Restricted"`
+	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Header.Get("X-Token") == wantToken {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+
+		w.Header().Set("Www-Authenticate", wantRealm)
+		w.WriteHeader(http.StatusUnauthorized)
+	}))
+	defer s.Close()
+
+	next := func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNotImplemented)
+	}
+
+	passBody := false
+	handler := MakeExternalAuthHandler(next, time.Second*5, s.URL, passBody)
+
+	req := httptest.NewRequest(http.MethodGet, s.URL, nil)
+
+	// use an invalid token
+	req.Header.Set("X-Token", "invalid-key")
+
+	rr := httptest.NewRecorder()
+	handler(rr, req)
+	want := http.StatusUnauthorized
+	if rr.Code != want {
+		t.Errorf("Status incorrect, want: %d, but got %d", want, rr.Code)
+	}
+
+	got := rr.Header().Get("Www-Authenticate")
+	if got != wantRealm {
+		t.Errorf("Www-Authenticate header, want: %s, but got %s, %q", wantRealm, got, rr.Header())
+	}
+}
+
 func Test_External_Auth_Wrapper_WithRequiredHeaderPassesValidAuth(t *testing.T) {
 	wantToken := "secret-key"
 	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {