From 047fea3c75866880e50544dfb4ebd79fb98bb894 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo <lukasz@raczylo.com>
Date: Tue, 19 May 2026 13:48:13 +0100
Subject: [PATCH] refactor(oidcgate): drop unreachable lowercase prefix; add
 multi-value mirror test

---
 cmd/oidcgate/success.go      |  2 +-
 cmd/oidcgate/success_test.go | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/cmd/oidcgate/success.go b/cmd/oidcgate/success.go
index 4b78cec..a4b0859 100644
--- a/cmd/oidcgate/success.go
+++ b/cmd/oidcgate/success.go
@@ -34,7 +34,7 @@ func newSuccessHandler() http.Handler {
 }
 
 func shouldMirror(name string) bool {
-	if strings.HasPrefix(name, "X-") || strings.HasPrefix(name, "x-") {
+	if strings.HasPrefix(name, "X-") {
 		return true
 	}
 	canonical := http.CanonicalHeaderKey(name)
diff --git a/cmd/oidcgate/success_test.go b/cmd/oidcgate/success_test.go
index 30bbe43..8d67d2f 100644
--- a/cmd/oidcgate/success_test.go
+++ b/cmd/oidcgate/success_test.go
@@ -55,3 +55,16 @@ func TestSuccessHandler_EmptyBody(t *testing.T) {
 		t.Fatalf("body: want empty, got %q", body)
 	}
 }
+
+func TestSuccessHandler_MultiValueHeader(t *testing.T) {
+	h := newSuccessHandler()
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/x", nil)
+	req.Header.Add("X-Role", "admin")
+	req.Header.Add("X-Role", "editor")
+	h.ServeHTTP(rec, req)
+	got := rec.Header()["X-Role"]
+	if len(got) != 2 || got[0] != "admin" || got[1] != "editor" {
+		t.Errorf("X-Role multi-value: want [admin editor], got %v", got)
+	}
+}