Also use more specific test assertions where security headers are expected. And run the unit tests for the login package in parallel.
Also extract some helpers from auth_handler.go so they can be shared with the new handler.