Honor RoundTripper contract in middleware; validate incoming X-Request-Id

BearerAuth, BasicAuth and DefaultHeaders mutated the caller's request, which
violates the RoundTripper contract and risks races on shared/retried requests;
clone before writing headers (matching RequestID). Validate the incoming
X-Request-Id (length and character set) before propagating it to logs and the
response header, preventing log forging and header splitting from a
client-controlled value.

middleware/auth.go

@@ -15,6 +15,9 @@ func BearerAuth(tokenFunc func(ctx context.Context) (string, error)) Middleware
 			if err != nil {
 				return nil, err
 			}
+			// RoundTrippers must not mutate the caller's request; clone before
+			// setting headers (req.Clone is shallow + a header copy).
+			req = req.Clone(req.Context())
 			req.Header.Set("Authorization", "Bearer "+token)
 			return next.RoundTrip(req)
 		})
@@ -26,6 +29,7 @@ func BearerAuth(tokenFunc func(ctx context.Context) (string, error)) Middleware
 func BasicAuth(username, password string) Middleware {
 	return func(next http.RoundTripper) http.RoundTripper {
 		return RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
+			req = req.Clone(req.Context())
 			req.SetBasicAuth(username, password)
 			return next.RoundTrip(req)
 		})

middleware/headers.go

@@ -7,10 +7,17 @@ import "net/http"
 func DefaultHeaders(headers http.Header) Middleware {
 	return func(next http.RoundTripper) http.RoundTripper {
 		return RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
+			// Clone lazily on the first header we actually add, so that
+			// RoundTrippers never mutate the caller's request.
+			cloned := false
 			for key, values := range headers {
 				if req.Header.Get(key) != "" {
 					continue
 				}
+				if !cloned {
+					req = req.Clone(req.Context())
+					cloned = true
+				}
 				for _, v := range values {
 					req.Header.Add(key, v)
 				}