integration: unauthorized response Content-Type (#4956)

Modify the request 'Accept' header to behave more like a web browser,
and add an assertion to verify that Pomerium serves an HTML response for
the unauthorized error page.

integration/authorization_test.go

@@ -15,6 +15,9 @@ func TestAuthorization(t *testing.T) {
 	ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second*30)
 	defer clearTimeout()
 
+	withBrowserAcceptHeader := flows.WithRequestHeader("Accept",
+		"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7")
+
 	accessType := []string{"direct", "api"}
 	for _, at := range accessType {
 		t.Run(at, func(t *testing.T) {
@@ -45,7 +48,7 @@ func TestAuthorization(t *testing.T) {
 				t.Run("allowed", func(t *testing.T) {
 					client := getClient(t)
 					res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
-						withAPI, flows.WithEmail("user1@dogs.test"))
+						withAPI, flows.WithEmail("user1@dogs.test"), withBrowserAcceptHeader)
 					if assert.NoError(t, err) {
 						assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for dogs.test")
 					}
@@ -53,9 +56,10 @@ func TestAuthorization(t *testing.T) {
 				t.Run("not allowed", func(t *testing.T) {
 					client := getClient(t)
 					res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
-						withAPI, flows.WithEmail("user1@cats.test"))
+						withAPI, flows.WithEmail("user1@cats.test"), withBrowserAcceptHeader)
 					if assert.NoError(t, err) {
 						assertDeniedAccess(t, res, "expected Forbidden for cats.test, but got: %d", res.StatusCode)
+						assert.Contains(t, res.Header.Get("Content-Type"), "text/html")
 					}
 				})
 			})