Buffer API failure responses in memory

internal/api/api.go

 package api
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -187,8 +188,24 @@ func (api *API) PreAuthorizeHandler(next HandleFunc, suffix string) http.Handler
 			helper.Fail500(w, r, err)
 			return
 		}
+		if httpResponse != nil {
+			defer func() {
+				httpResponse.Body.Close()
+			}()
+		}
 
 		if httpResponse.StatusCode != http.StatusOK {
+			// NGINX response buffering is disabled on this path (with
+			// X-Accel-Buffering: no) but we still want to free up the Unicorn worker
+			// that generated httpResponse as fast as possible. To do this we buffer
+			// the entire response body in memory before sending it on.
+			responseBody := &bytes.Buffer{}
+			_, err := io.Copy(responseBody, httpResponse.Body)
+			if err != nil {
+				helper.Fail500(w, r, err)
+			}
+			httpResponse.Body.Close() // Free up the Unicorn worker
+
 			for k, v := range httpResponse.Header {
 				// Accomodate broken clients that do case-sensitive header lookup
 				if k == "Www-Authenticate" {
@@ -198,14 +215,12 @@ func (api *API) PreAuthorizeHandler(next HandleFunc, suffix string) http.Handler
 				}
 			}
 			w.WriteHeader(httpResponse.StatusCode)
-			io.Copy(w, httpResponse.Body)
-			httpResponse.Body.Close()
+			io.Copy(w, responseBody)
 
 			return
 		}
-		// Close the body immediately, rather than waiting for the next handler
-		// to complete
-		httpResponse.Body.Close()
+
+		httpResponse.Body.Close() // Free up the Unicorn worker
 
 		// Negotiate authentication (Kerberos) may need to return a WWW-Authenticate
 		// header to the client even in case of success as per RFC4559.