Fix/http proxy auth #4259

Open
hugeagi wants to merge 113 commits into SagerNet:testing from hugeagi:fix/http-proxy-auth

hugeagi commented Jun 30, 2026

Bugs Fixed

  1. HTTP 407 challenge flow closed connection too early
  • Impact: clients using challenge auth (no initial Proxy-Authorization) could receive 407 but then lose the same TCP connection before sending a second authenticated request.
  • Fixed in:
    • protocol/http/inbound.go
    • protocol/mixed/inbound.go
  • Behavior now:
    • Retry only when error is exactly http: authentication failed, no Proxy-Authorization header.
    • Retry only once.
    • Keep connection open for a bounded wait window, then timeout.
    • Clear read deadline after the one retry attempt.
  2. Tests could hide a failure path (silent early return)
  • Impact: in two auth-retry tests, a write failure could return early and skip assertions.
  • Fixed in:
    • test/http_test.go
  • Behavior now:
    • write errors are asserted with require.NoError, so failures are explicit.

How To Reproduce (Before Fix)

  1. Challenge auth via proxy (expected to fail pre-fix due to connection closure):
       curl --proxy https://<host>:443 --proxy-anyauth --proxy-user '<user>:<pass>' https://www.google.com -v
  2. Preemptive auth (often succeeds even when challenge path is broken):
       curl --proxy https://<host>:443 --proxy-user '<user>:<pass>' https://www.google.com -v

How To Verify Fixed

  1. Run focused HTTP auth regression tests from test module:
       cd test
       go test -v -tags "$(cat ../release/DEFAULT_BUILD_TAGS_OTHERS)" -run 'TestHTTPProxyAuthRetryAfter407|TestHTTPProxyAuthRetryOnlyOnce|TestHTTPProxyAuthRetryTimeout' .
  2. Expected:
  • TestHTTPProxyAuthRetryAfter407: first CONNECT gets 407, second CONNECT on same socket with valid auth gets 200.
  • TestHTTPProxyAuthRetryOnlyOnce: second unauthenticated retry still 407, third authenticated attempt after retry budget is exhausted does not proceed on same connection.
  • TestHTTPProxyAuthRetryTimeout: authenticated attempt after timeout window fails as expected.

Notes

  • Preemptive-only success is not sufficient proof; challenge flow behavior is the regression target.
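
The challenge behaviour listed under "Behavior now" in the description above (retry only for a missing header, retry once, bounded wait, deadline cleared afterwards), as an added Go example; it is not code from this pull request or from the project. The names `serveProxyAuth` and `exchange`, the sample credential `user:pass`, the 250 ms wait window and the in-memory `net.Pipe` socket are assumptions.

```go
package main
import (
	"bufio"
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"time"
)

const cred = "Basic dXNlcjpwYXNz" // constructed sample: base64("user:pass")
const authHdr = "Proxy-Authorization: " + cred + "\r\n"

// serveProxyAuth (hypothetical) permits one retry, only after a 407 for a missing header.
func serveProxyAuth(conn net.Conn) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	for attempt, got := 0, ""; attempt < 2 && got == ""; attempt++ {
		req, err := http.ReadRequest(r)
		if err != nil {
			return // malformed request, peer closed, or wait window expired
		}
		conn.SetReadDeadline(time.Time{}) // clear the challenge deadline
		got = req.Header.Get("Proxy-Authorization")
		if subtle.ConstantTimeCompare([]byte(got), []byte(cred)) == 1 {
			fmt.Fprint(conn, "HTTP/1.1 200 Connection established\r\n\r\n")
			return // a real proxy would start relaying here
		}
		fmt.Fprint(conn, "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\nContent-Length: 0\r\n\r\n")
		conn.SetReadDeadline(time.Now().Add(250 * time.Millisecond)) // assumed wait window
	}
}

// exchange sends one CONNECT per hdrs entry ("" = no auth header); 0 = socket closed.
func exchange(hdrs []string, pause time.Duration) []int {
	client, server := net.Pipe()
	defer client.Close()
	go serveProxyAuth(server)
	r, codes := bufio.NewReader(client), make([]int, len(hdrs))
	for i, hdr := range hdrs {
		time.Sleep(pause) // pause before each send, to exercise the wait window
		fmt.Fprintf(client, "CONNECT example.com:443 HTTP/1.1\r\n%s\r\n", hdr) // fails once closed
		if resp, err := http.ReadResponse(r, nil); err == nil {
			codes[i] = resp.StatusCode
		}
	}
	return codes
}

func main() { fmt.Println(exchange([]string{"", authHdr}, 0)) }
```

A request carrying wrong credentials gets 407 and the socket is closed, because only a missing header earns the retry.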

nekohasekai and others added 30 commits June 20, 2026 22:23
The URL test history update hook and the Clash mode update hook were
single-slot: the API service's attached service overwrote the hook set
by the daemon, so clients stopped receiving group updates. Replace both
with multicast hook lists.

Also share a single URL test history storage via context: Clash API
looked it up under a key nobody registered and fell back to its own
empty storage, so dashboards showed no delay once an API service was
configured. Selector changes now notify through the shared storage,
covering selections made from any API surface.