fix: handle multiple X-Maas-Subscription header values from Authorino

When clients send x-maas-subscription header (even empty string),
Authorino appends its injected value, resulting in multiple header values.
Gin's GetHeader() returns only the first value, which could be the client's
empty/incorrect value instead of Authorino's validated subscription.

This fix iterates header values in reverse order and takes the last
non-empty value, ensuring we use Authorino's injected subscription
when available.

Fixes:
- test_empty_subscription_header_value: now correctly auto-selects subscription
- test_api_key_ignores_subscription_header: now correctly uses API key's bound subscription

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: jrhyness

maas-api/internal/handlers/models.go

@@ -187,7 +187,17 @@ func (h *ModelsHandler) ListLLMs(c *gin.Context) {
 	// Extract x-maas-subscription header.
 	// For API keys: Authorino injects this from auth.metadata.apiKeyValidation.subscription
 	// For user tokens: This header is not present (Authorino doesn't inject it)
-	requestedSubscription := strings.TrimSpace(c.GetHeader("x-maas-subscription"))
+	// Note: If client sends x-maas-subscription header, there may be multiple values.
+	// Authorino appends its value, so we take the last non-empty value.
+	requestedSubscription := ""
+	headerValues := c.Request.Header.Values("X-Maas-Subscription")
+	for i := len(headerValues) - 1; i >= 0; i-- {
+		trimmed := strings.TrimSpace(headerValues[i])
+		if trimmed != "" {
+			requestedSubscription = trimmed
+			break
+		}
+	}
 	isAPIKeyRequest := strings.HasPrefix(authHeader, "Bearer sk-oai-")
 
 	// Fail closed: API keys without a bound subscription must be rejected