add file: URL option to ACL onfail: syntax

Author: korc

README.md

@@ -279,6 +279,7 @@ Several options support retrieving a value from request. The syntax is as follow
     - `host:<hostname>` to apply only for particular virtual hosts (req with `Host: hostname`)
     - `GET`, `POST`, etc. to filter by HTTP methods
     - `onfail:<URL>` redirect to URL when auth fails. can use `@param@` placeholders to solve into url-escaped values from request (ex: `@req:host@`)
+      - use `file:` URL to serve file instead of redirection
   - `:` separates alternate roles (OR operation)
   - `+` makes all specified roles to be required (AND operation)
     - can be used to implement multi-factor auth

auth.go

@@ -765,9 +765,14 @@ func (ah *AuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 		next.ServeHTTP(w, authenticatedRequest)
 	} else if errRedirect, ok := err.(ErrNeedAuthRedirected); ok {
-		w.Header().Set("Location", errRedirect.RedirectTo)
-		w.WriteHeader(http.StatusFound)
-		w.Write([]byte(err.Error()))
+		if strings.HasPrefix(errRedirect.RedirectTo, "file:") {
+			w.Header().Set("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate")
+			http.ServeFile(w, r, errRedirect.RedirectTo[5:])
+		} else {
+			w.Header().Set("Location", errRedirect.RedirectTo)
+			w.WriteHeader(http.StatusFound)
+			w.Write([]byte(err.Error()))
+		}
 	} else {
 		logf(r, logLevelInfo, "auth failed: %s", err)
 		for k := range ah.Auths {