lua-nginx-module
ngx.header['WWW-Authenticate'] should allow table for multiple values
In ngx_http_lua_headers_out.c the 'WWW-Authenticate' header handler is set to ngx_http_set_builtin_header:
```c
{ ngx_string("WWW-Authenticate"),
             offsetof(ngx_http_headers_out_t, www_authenticate),
             ngx_http_set_builtin_header },
```
But from the RFC https://datatracker.ietf.org/doc/html/rfc7235#section-4.1:
> User agents are advised to take special care in parsing the field value, as it might contain more than one challenge, and each challenge can contain a comma-separated list of authentication parameters. Furthermore, the header field itself can occur multiple times.
So I believe the above code should be:
```c
{ ngx_string("WWW-Authenticate"),
             offsetof(ngx_http_headers_out_t, www_authenticate),
             ngx_http_set_builtin_multi_header },
```
In theory clients should support multiple challenges in a single header, but unfortunately we're seeing some clients that only work with multiple separate WWW-Authenticate headers.
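
The parsing problem the quoted RFC text describes, as an added example that is not part of the original issue or of lua-nginx-module: a Python parser that decides which commas separate challenges and which separate auth-params, and returns the same result for one combined field and for separate fields. The header values are constructed samples, and all function names are this example's own.

```python
import re

# RFC 7230 token and quoted-string; RFC 7235 auth-param and token68.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED})")
CHALLENGE = re.compile(rf"({TOKEN})(?:\s+(.+))?")
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def split_list(value):
    """Split a field value on commas that lie outside quoted-strings."""
    parts = re.findall(rf'(?:{QUOTED}|[^,"])+', value)
    return [p.strip() for p in parts if p.strip()]


def unquote(v):
    """Strip the quotes and backslash escapes from a quoted-string."""
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v


def parse_challenges(field_values):
    """Parse WWW-Authenticate field values (one per header line) into
    a list of (scheme, params) challenges."""
    challenges = []
    for value in field_values:
        for item in split_list(value):
            param = PARAM.fullmatch(item)
            if param and challenges:
                # "name=value" after a comma belongs to the current challenge.
                challenges[-1][1][param.group(1).lower()] = unquote(param.group(2))
                continue
            m = CHALLENGE.fullmatch(item)
            if not m:
                raise ValueError(f"malformed challenge: {item!r}")
            scheme, rest, params = m.group(1), (m.group(2) or "").strip(), {}
            first = PARAM.fullmatch(rest)
            if first:
                params[first.group(1).lower()] = unquote(first.group(2))
            elif TOKEN68.fullmatch(rest):
                params["token68"] = rest
            elif rest:
                raise ValueError(f"malformed challenge: {item!r}")
            challenges.append((scheme, params))
    return challenges


# Constructed sample: the same three challenges, sent two ways.
COMBINED = ['Negotiate, Basic realm="corp, internal", charset="UTF-8", Bearer realm=api']
SEPARATE = ['Negotiate', 'Basic realm="corp, internal", charset="UTF-8"', 'Bearer realm=api']
```

A client that splits the combined value on every comma gets five fragments instead of three challenges, which is one way the single-header form breaks in practice.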