Skip token injection when token exchange active

[jhrozek]

When token exchange middleware is configured, it handles its own Authorization header injection. The oauth-token-injection middleware was being added anyway, potentially overwriting the exchanged token with the original OAuth token.

Add hasTokenExchangeMiddleware() to detect when token exchange is present and skip adding the redundant token injection middleware. Also fix the middleware name in proxy.go to use the MiddlewareType constant for consistent detection.

In practical terms what this enables is easier testing with:

  thv run \
    --token-exchange-audience 'backend' \
    --token-exchange-client-id blablabla \
    --token-exchange-client-secret foobar \
    --token-exchange-scopes 'backend-api:read' \
    --token-exchange-url https://blah \
    --remote-auth-bearer-token-file $(pwd)/token.auth \

What the fix enables is to read the token using the remote-auth

[codecov]

Codecov Report

❌ Patch coverage is 83.33333% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 64.78%. Comparing base (0e4480b) to head (1b27415).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/transport/http.go	83.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3385      +/-   ##
==========================================
- Coverage   64.90%   64.78%   -0.13%     
==========================================
  Files         375      375              
  Lines       36599    36631      +32     
==========================================
- Hits        23755    23731      -24     
- Misses      10980    11027      +47     
- Partials     1864     1873       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.