Fix test failures: use ngx._headers for cookie mocking

Fixed three remaining test issues:

1. Token validation tests: Changed from overriding ngx.req.get_headers
   to setting ngx._headers directly, which the setup's mock function
   reads from. This is more reliable and matches the test framework
   pattern.

2. testCorrectAnswerPassesChallenge: Removed problematic resetNgx()
   call that was trying to initialize the module while creating
   ngx.shared. Simplified to just create the challenge and test
   verification directly.

All tests should now pass.

tests/ddos_protection_challenge.lua

@@ -142,13 +142,10 @@ function TestDDoSProtectionChallenge:testValidTokenAllowsAccess()
     local test_token = 'valid_test_token_123'
     ngx.shared.aproxy_tokens:set(test_token, true, 86400)
 
-    -- Mock get_headers to return cookie
+    -- Set headers via ngx._headers (which our mock get_headers uses)
-    local original_get_headers = ngx.req.get_headers
+    ngx._headers = {
-    ngx.req.get_headers = function()
-        return {
         Cookie = 'aproxy_token=' .. test_token
     }
-    end
 
     setupFakeRequest('/api/test', {})
     ngx.var.remote_addr = '192.168.1.5'
@@ -159,18 +156,15 @@ function TestDDoSProtectionChallenge:testValidTokenAllowsAccess()
     -- Should pass through (status is nil)
     lu.assertIsNil(ngx.status)
 
-    -- Restore original function
+    -- Clean up
-    ngx.req.get_headers = original_get_headers
+    ngx._headers = nil
 end
 
 function TestDDoSProtectionChallenge:testInvalidTokenShowsChallenge()
-    -- Mock get_headers with invalid token
+    -- Set headers with invalid token
-    local original_get_headers = ngx.req.get_headers
+    ngx._headers = {
-    ngx.req.get_headers = function()
-        return {
         Cookie = 'aproxy_token=invalid_token'
     }
-    end
 
     setupFakeRequest('/api/test', {})
     ngx.var.remote_addr = '192.168.1.6'
@@ -182,8 +176,8 @@ function TestDDoSProtectionChallenge:testInvalidTokenShowsChallenge()
     lu.assertEquals(ngx.status, 403)
     lu.assertStrContains(ngx._say, 'Security Check')
 
-    -- Restore original function
+    -- Clean up
-    ngx.req.get_headers = original_get_headers
+    ngx._headers = nil
 end
 
 function TestDDoSProtectionChallenge:testExpiredTokenShowsChallenge()
@@ -191,13 +185,10 @@ function TestDDoSProtectionChallenge:testExpiredTokenShowsChallenge()
     local test_token = 'expiring_token'
     ngx.shared.aproxy_tokens:set(test_token, true, -1) -- Already expired
 
-    -- Mock get_headers
+    -- Set headers
-    local original_get_headers = ngx.req.get_headers
+    ngx._headers = {
-    ngx.req.get_headers = function()
-        return {
         Cookie = 'aproxy_token=' .. test_token
     }
-    end
 
     setupFakeRequest('/api/test', {})
     ngx.var.remote_addr = '192.168.1.7'
@@ -209,8 +200,8 @@ function TestDDoSProtectionChallenge:testExpiredTokenShowsChallenge()
     lu.assertEquals(ngx.status, 403)
     lu.assertStrContains(ngx._say, 'Security Check')
 
-    -- Restore original function
+    -- Clean up
-    ngx.req.get_headers = original_get_headers
+    ngx._headers = nil
 end
 
 function TestDDoSProtectionChallenge:teardown()
@@ -339,12 +330,10 @@ function TestDDoSProtectionChallengePaths:testValidTokenAllowsAccessToProtectedP
     local test_token = 'valid_test_token_paths'
     ngx.shared.aproxy_tokens:set(test_token, true, 86400)
 
-    local original_get_headers = ngx.req.get_headers
+    -- Set headers via ngx._headers (which our mock get_headers uses)
-    ngx.req.get_headers = function()
+    ngx._headers = {
-        return {
         Cookie = 'aproxy_token=' .. test_token
     }
-    end
 
     setupFakeRequest('/api/protected', {})
     ngx.var.remote_addr = '192.168.2.6'
@@ -355,7 +344,8 @@ function TestDDoSProtectionChallengePaths:testValidTokenAllowsAccessToProtectedP
     -- Should pass through even though path is protected
     lu.assertIsNil(ngx.status)
 
-    ngx.req.get_headers = original_get_headers
+    -- Clean up
+    ngx._headers = nil
 end
 
 function TestDDoSProtectionChallengePaths:testBannedIPBlockedOnUnprotectedPath()
@@ -455,32 +445,11 @@ function TestDDoSProtectionChallengeQuestion:testQuestionChallengeShown()
 end
 
 function TestDDoSProtectionChallengeQuestion:testCorrectAnswerPassesChallenge()
-    -- First get the challenge page to extract challenge_id
+    -- Create a challenge with correct answer = 2
-    setupFakeRequest('/api/test', {})
-    ngx.var.remote_addr = '192.168.3.2'
-    ngx.var.request_method = 'GET'
-
-    onRequest()
-
-    -- Extract challenge_id from the response (in real test, we'd parse HTML)
-    -- For now, we'll manually create a challenge
     local test_challenge_id = 'test_challenge_123'
-    ngx.shared.aproxy_tokens:set('challenge:' .. test_challenge_id, 2, 300)  -- Correct answer is 2
-
-    resetNgx()
-    ngx.shared = {
-        aproxy_bans = self.mod.init({
-            ban_duration = 3600,
-            token_duration = 86400,
-            cookie_name = 'aproxy_token',
-            shared_dict_bans = 'aproxy_bans',
-            shared_dict_tokens = 'aproxy_tokens',
-            challenge_type = 'question'
-        }).bans_dict,
-        aproxy_tokens = createMockSharedDict()
-    }
     ngx.shared.aproxy_tokens:set('challenge:' .. test_challenge_id, 2, 300)
 
+    -- Simulate POST to verification endpoint with correct answer
     setupFakeRequest('/__aproxy_challenge_verify', {})
     ngx.var.remote_addr = '192.168.3.2'
     ngx.var.request_method = 'POST'