auth: don't send client's headers back

Create fresh http.Header object filled with the only header:
"Content-Type: application/grpc".

auth/authenticator.go

@@ -103,9 +103,12 @@ func (l *L402Authenticator) FreshChallengeHeader(r *http.Request,
 		log.Errorf("Error serializing L402: %v", err)
 	}
 
+	header := http.Header{
+		"Content-Type": []string{"application/grpc"},
+	}
+
 	str := fmt.Sprintf("macaroon=\"%s\", invoice=\"%s\"",
 		base64.StdEncoding.EncodeToString(macBytes), paymentRequest)
-	header := r.Header
 
 	// Old loop software (via ClientInterceptor code of aperture) looks
 	// for "LSAT" in the first instance of WWW-Authenticate header, so

auth/mock_authenticator.go

@@ -34,7 +34,10 @@ func (a MockAuthenticator) Accept(header *http.Header, _ string) bool {
 func (a MockAuthenticator) FreshChallengeHeader(r *http.Request,
 	_ string, _ int64) (http.Header, error) {
 
-	header := r.Header
+	header := http.Header{
+		"Content-Type": []string{"application/grpc"},
+	}
+
 	str := "macaroon=\"AGIAJEemVQUTEyNCR0exk7ek9" +
 		"0Cg==\", invoice=\"lnbc1500n1pw5kjhmpp5fu6xhthlt2vucm" +
 		"zkx6c7wtlh2r625r30cyjsfqhu8rsx4xpz5lwqdpa2fjkzep6yptk" +
@@ -44,5 +47,6 @@ func (a MockAuthenticator) FreshChallengeHeader(r *http.Request,
 		"y3ngqjcym5a\""
 	header.Set("WWW-Authenticate", lsatAuthScheme+" "+str)
 	header.Add("WWW-Authenticate", l402AuthScheme+" "+str)
+
 	return header, nil
 }

proxy/proxy.go

@@ -398,8 +398,6 @@ func addCorsHeaders(header http.Header) {
 func (p *Proxy) handlePaymentRequired(w http.ResponseWriter, r *http.Request,
 	serviceName string, servicePrice int64) {
 
-	addCorsHeaders(r.Header)
-
 	header, err := p.authenticator.FreshChallengeHeader(
 		r, serviceName, servicePrice,
 	)
@@ -412,6 +410,8 @@ func (p *Proxy) handlePaymentRequired(w http.ResponseWriter, r *http.Request,
 		return
 	}
 
+	addCorsHeaders(header)
+
 	for name, value := range header {
 		w.Header().Set(name, value[0])
 		for i := 1; i < len(value); i++ {