URL auth: override status code and send custom headers
Currently we're hardcoded to 401, if the backend refuses authentication. 403 might also be desireable or 30x with a location header.
This needs two things:
- capability to set a custom status (including message)
- capability to send headers that will be forwarded to the client
The latter can also be used to set cookies, so is useful by itself.
To upload designs, you'll need to enable LFS. More information