basicauth: Don't remove Authorization header on good auth (fixes #1508)

caddyhttp/basicauth/basicauth.go

@@ -62,13 +62,8 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
 			// by this point, authentication was successful
 			isAuthenticated = true
 
-			// remove credentials from request to avoid leaking upstream
-			r.Header.Del("Authorization")
-
-			// let upstream middleware (e.g. fastcgi and cgi) know about authenticated
-			// user; this replaces the request with a wrapped instance
-			r = r.WithContext(context.WithValue(r.Context(),
-				caddy.CtxKey("remote_user"), username))
+			// let upstream middleware (e.g. fastcgi and cgi) know about authenticated user
+			r = r.WithContext(context.WithValue(r.Context(), caddy.CtxKey("remote_user"), username))
 		}
 	}
 

caddyhttp/basicauth/basicauth_test.go

@@ -92,8 +92,9 @@ func TestBasicAuth(t *testing.T) {
 					t.Errorf("Test %d: response should have a 'Www-Authenticate' header", i)
 				}
 			} else {
-				if got, want := req.Header.Get("Authorization"), ""; got != want {
-					t.Errorf("Test %d: Expected Authorization header to be stripped from request after successful authentication, but is: %s", i, got)
+				if req.Header.Get("Authorization") == "" {
+					// see issue #1508: https://github.com/mholt/caddy/issues/1508
+					t.Errorf("Test %d: Expected Authorization header to be retained after successful auth, but was empty", i)
 				}
 			}
 		}