Address review: reuse SendWithAuthAsync and add proxy test matrix

- Move proxy pre-auth logic into SendWithAuthAsync by handling the
  isProxyAuth case in the preAuthenticate block, instead of duplicating
  SetBasicAuthToken in SendWithProxyAuthAsync. Now SendWithProxyAuthAsync
  simply passes preAuthenticate: GlobalHttpSettings.SocketsHttpHandler.ProxyPreAuthenticate.
- Guard the PreAuthCredentials cache logic with !isProxyAuth since proxy
  pre-auth doesn't use the per-pool credential cache.
- Add parameterized test ProxyAuth_ProxyAndRequestProtocolCombinations_SentProactively
  covering 4 proxy/request protocol combinations:
  HTTP proxy + HTTP request, HTTP proxy + HTTPS request (CONNECT tunnel),
  HTTPS proxy + HTTP request, HTTPS proxy + HTTPS request (CONNECT tunnel).
- Fix existing ProxyAuth_ExplicitWebProxyCredentials_SentProactively to
  stay within RemoteExecutor's 3-arg limit by encoding credentials in the
  proxy URI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ptarjan

src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.cs

@@ -212,29 +212,44 @@ private static ValueTask<HttpResponseMessage> InnerSendAsync(HttpRequestMessage
 
         private static async ValueTask<HttpResponseMessage> SendWithAuthAsync(HttpRequestMessage request, Uri authUri, bool async, ICredentials credentials, bool preAuthenticate, bool isProxyAuth, bool doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
         {
-            // If preauth is enabled and this isn't proxy auth, try to get a basic credential from the
-            // preauth credentials cache, and if successful, set an auth header for it onto the request.
+            // If preauth is enabled, try to set a Basic auth header proactively on the first request.
             // Currently we only support preauth for Basic.
             NetworkCredential? preAuthCredential = null;
             Uri? preAuthCredentialUri = null;
             if (preAuthenticate)
             {
-                Debug.Assert(pool.PreAuthCredentials != null);
-                (Uri uriPrefix, NetworkCredential credential)? preAuthCredentialPair;
-                lock (pool.PreAuthCredentials)
+                if (isProxyAuth)
                 {
-                    // Just look for basic credentials.  If in the future we support preauth
-                    // for other schemes, this will need to search in order of precedence.
-                    Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, NegotiateScheme) == null);
-                    Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, NtlmScheme) == null);
-                    Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, DigestScheme) == null);
-                    preAuthCredentialPair = pool.PreAuthCredentials.GetCredential(authUri, BasicScheme);
+                    // For proxy pre-authentication, get Basic credentials directly from the
+                    // supplied proxy credentials. This is needed for proxies that don't send 407
+                    // challenges but instead drop or reject unauthenticated connections.
+                    NetworkCredential? credential = credentials.GetCredential(authUri, BasicScheme);
+                    if (credential != null && credential != CredentialCache.DefaultNetworkCredentials)
+                    {
+                        preAuthCredential = credential;
+                        SetBasicAuthToken(request, credential, isProxyAuth: true);
+                    }
                 }
-
-                if (preAuthCredentialPair != null)
+                else
                 {
-                    (preAuthCredentialUri, preAuthCredential) = preAuthCredentialPair.Value;
-                    SetBasicAuthToken(request, preAuthCredential, isProxyAuth);
+                    // For request pre-authentication, look up credentials from the preauth cache.
+                    Debug.Assert(pool.PreAuthCredentials != null);
+                    (Uri uriPrefix, NetworkCredential credential)? preAuthCredentialPair;
+                    lock (pool.PreAuthCredentials)
+                    {
+                        // Just look for basic credentials.  If in the future we support preauth
+                        // for other schemes, this will need to search in order of precedence.
+                        Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, NegotiateScheme) == null);
+                        Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, NtlmScheme) == null);
+                        Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, DigestScheme) == null);
+                        preAuthCredentialPair = pool.PreAuthCredentials.GetCredential(authUri, BasicScheme);
+                    }
+
+                    if (preAuthCredentialPair != null)
+                    {
+                        (preAuthCredentialUri, preAuthCredential) = preAuthCredentialPair.Value;
+                        SetBasicAuthToken(request, preAuthCredential, isProxyAuth);
+                    }
                 }
             }
 
@@ -299,7 +314,7 @@ await TrySetDigestAuthToken(request, challenge.Credential, digestResponse, isPro
                         SetBasicAuthToken(request, challenge.Credential, isProxyAuth);
                         response = await InnerSendAsync(request, async, isProxyAuth, doRequestAuth, pool, cancellationToken).ConfigureAwait(false);
 
-                        if (preAuthenticate)
+                        if (preAuthenticate && !isProxyAuth)
                         {
                             switch (response.StatusCode)
                             {
@@ -359,19 +374,7 @@ await TrySetDigestAuthToken(request, challenge.Credential, digestResponse, isPro
 
         public static ValueTask<HttpResponseMessage> SendWithProxyAuthAsync(HttpRequestMessage request, Uri proxyUri, bool async, ICredentials proxyCredentials, bool doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
         {
-            // When enabled via AppContext switch or environment variable, send Basic auth proactively
-            // on the first request. This is needed for proxies that don't send 407 challenges but instead
-            // drop or reject unauthenticated connections (e.g., some HTTPS CONNECT tunnel proxies).
-            if (GlobalHttpSettings.SocketsHttpHandler.ProxyPreAuthenticate)
-            {
-                NetworkCredential? credential = proxyCredentials.GetCredential(proxyUri, BasicScheme);
-                if (credential != null && credential != CredentialCache.DefaultNetworkCredentials)
-                {
-                    SetBasicAuthToken(request, credential, isProxyAuth: true);
-                }
-            }
-
-            return SendWithAuthAsync(request, proxyUri, async, proxyCredentials, preAuthenticate: false, isProxyAuth: true, doRequestAuth, pool, cancellationToken);
+            return SendWithAuthAsync(request, proxyUri, async, proxyCredentials, preAuthenticate: GlobalHttpSettings.SocketsHttpHandler.ProxyPreAuthenticate, isProxyAuth: true, doRequestAuth, pool, cancellationToken);
         }
 
         public static ValueTask<HttpResponseMessage> SendWithRequestAuthAsync(HttpRequestMessage request, bool async, ICredentials credentials, bool preAuthenticate, HttpConnectionPool pool, CancellationToken cancellationToken)

src/libraries/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.ProactiveProxyAuth.cs

@@ -278,24 +278,125 @@ await LoopbackServer.CreateServerAsync(async (proxyServer, proxyUri) =>
                     await connection.SendResponseAsync(HttpStatusCode.OK).ConfigureAwait(false);
                 });
 
-                await RemoteExecutor.Invoke(async (proxyUriString, username, password, useVersionString) =>
+                // Encode proxy URI with embedded credentials so we stay within RemoteExecutor's 3-arg limit
+                string proxyUriWithCreds = $"http://{ExpectedUsername}:{ExpectedPassword}@{proxyUri.Host}:{proxyUri.Port}";
+
+                await RemoteExecutor.Invoke(async (proxyUriString, useVersionString) =>
                 {
+                    var proxyUriParsed = new Uri(proxyUriString);
                     using HttpClientHandler handler = CreateHttpClientHandler(useVersionString);
-                    handler.Proxy = new WebProxy(new Uri(proxyUriString))
+                    handler.Proxy = new WebProxy(new Uri($"http://{proxyUriParsed.Host}:{proxyUriParsed.Port}"))
                     {
-                        Credentials = new NetworkCredential(username, password)
+                        Credentials = new NetworkCredential(
+                            proxyUriParsed.UserInfo.Split(':')[0],
+                            proxyUriParsed.UserInfo.Split(':')[1])
                     };
 
                     using HttpClient client = CreateHttpClient(handler, useVersionString);
                     using HttpResponseMessage response = await client.GetAsync("http://destination.test/");
 
                     Assert.Equal(HttpStatusCode.OK, response.StatusCode);
-                }, proxyUri.ToString(), ExpectedUsername, ExpectedPassword, UseVersion.ToString(),
+                }, proxyUriWithCreds, UseVersion.ToString(),
                    new RemoteInvokeOptions { StartInfo = psi }).DisposeAsync();
 
                 await serverTask;
             });
         }
+
+        /// <summary>
+        /// Tests proactive proxy auth across 4 proxy/request protocol combinations:
+        /// HTTP proxy + HTTP request, HTTP proxy + HTTPS request (CONNECT tunnel),
+        /// HTTPS proxy + HTTP request, HTTPS proxy + HTTPS request (CONNECT tunnel).
+        /// Verifies that the Proxy-Authorization header is present on the first request to the proxy.
+        /// </summary>
+        [ConditionalTheory(typeof(RemoteExecutor), nameof(RemoteExecutor.IsSupported))]
+        [InlineData(false, false)] // HTTP proxy + HTTP request
+        [InlineData(false, true)]  // HTTP proxy + HTTPS request (CONNECT tunnel)
+        [InlineData(true, false)]  // HTTPS proxy + HTTP request
+        [InlineData(true, true)]   // HTTPS proxy + HTTPS request (CONNECT tunnel)
+        public async Task ProxyAuth_ProxyAndRequestProtocolCombinations_SentProactively(bool proxyUseSsl, bool requestUseSsl)
+        {
+            const string ExpectedUsername = "matrixuser";
+            const string ExpectedPassword = "matrixpass";
+            string expectedToken = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{ExpectedUsername}:{ExpectedPassword}"));
+
+            var proxyOptions = new LoopbackServer.Options { UseSsl = proxyUseSsl };
+
+            await LoopbackServer.CreateServerAsync(async (proxyServer, proxyUri) =>
+            {
+                var psi = new ProcessStartInfo();
+                psi.Environment.Add(ProxyPreAuthEnvVar, "1");
+
+                Task serverTask = proxyServer.AcceptConnectionAsync(async connection =>
+                {
+                    // Read the first request sent to the proxy
+                    List<string> lines = await connection.ReadRequestHeaderAsync().ConfigureAwait(false);
+
+                    // Verify the Proxy-Authorization header is present on the first request
+                    string? authHeader = null;
+                    foreach (string line in lines)
+                    {
+                        if (line.StartsWith("Proxy-Authorization:", StringComparison.OrdinalIgnoreCase))
+                        {
+                            authHeader = line;
+                            break;
+                        }
+                    }
+
+                    Assert.NotNull(authHeader);
+                    Assert.Contains("Basic", authHeader);
+                    Assert.Contains(expectedToken, authHeader);
+
+                    if (requestUseSsl)
+                    {
+                        // For HTTPS request, the proxy received a CONNECT request.
+                        // Verify it's a CONNECT method.
+                        Assert.StartsWith("CONNECT", lines[0]);
+
+                        // Send 200 to establish the tunnel
+                        await connection.SendResponseAsync(HttpStatusCode.OK).ConfigureAwait(false);
+
+                        // Now the client will negotiate TLS through the tunnel.
+                        // Wrap the connection's stream in SSL to act as the destination server.
+                        var sslConnection = await LoopbackServer.Connection.CreateAsync(
+                            null, connection.Stream, new LoopbackServer.Options { UseSsl = true });
+                        await sslConnection.ReadRequestHeaderAndSendResponseAsync(HttpStatusCode.OK).ConfigureAwait(false);
+                    }
+                    else
+                    {
+                        // For HTTP request, the proxy received a plain GET request.
+                        Assert.StartsWith("GET", lines[0]);
+                        await connection.SendResponseAsync(HttpStatusCode.OK).ConfigureAwait(false);
+                    }
+                });
+
+                string requestScheme = requestUseSsl ? "https" : "http";
+
+                // Encode proxy URI with embedded credentials so we stay within RemoteExecutor's 3-arg limit
+                string proxyScheme = proxyUseSsl ? "https" : "http";
+                string proxyUriWithCreds = $"{proxyScheme}://{ExpectedUsername}:{ExpectedPassword}@{proxyUri.Host}:{proxyUri.Port}";
+
+                await RemoteExecutor.Invoke(async (proxyUriString, reqScheme, useVersionString) =>
+                {
+                    var proxyUriParsed = new Uri(proxyUriString);
+                    using HttpClientHandler handler = CreateHttpClientHandler(useVersionString);
+                    handler.Proxy = new WebProxy(new Uri($"{proxyUriParsed.Scheme}://{proxyUriParsed.Host}:{proxyUriParsed.Port}"))
+                    {
+                        Credentials = new NetworkCredential(
+                            proxyUriParsed.UserInfo.Split(':')[0],
+                            proxyUriParsed.UserInfo.Split(':')[1])
+                    };
+
+                    using HttpClient client = CreateHttpClient(handler, useVersionString);
+                    using HttpResponseMessage response = await client.GetAsync($"{reqScheme}://destination.test/");
+
+                    Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+                }, proxyUriWithCreds, requestScheme, UseVersion.ToString(),
+                   new RemoteInvokeOptions { StartInfo = psi }).DisposeAsync();
+
+                await serverTask;
+            }, proxyOptions);
+        }
     }
 
     public sealed class ProactiveProxyAuthTest_Http11 : ProactiveProxyAuthTest