fix: Authorization Header 400 Bad Request #3512


Open. Wants to merge 7 commits into base: main

Conversation

melmathari (Author) wrote:

Fixed: Wrong Error Code for Missing Authorization Header

Before, if the Authorization header was missing, the app returned a 400 Bad Request.
That just means something went wrong, but it didn’t clearly say the user wasn't logged in.

Now, the app checks if the Authorization header is missing or invalid.
If it is, it returns 401 Unauthorized, which correctly tells the user they need to log in.

Improvements

  • If the Authorization header is missing, the response is now 401 Unauthorized
  • If multiple headers are missing, including Authorization, the response is still 401 Unauthorized
  • If the Authorization header is present but invalid (decoding error), the response is 401 Unauthorized

Compliance

This fix follows RFC 7235, which says:

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the resource.

🧪 Tests

To confirm nothing else broke, I ran:

sbt "zioHttpJVM / Test / testOnly endpoint"

All tests passed ✅

It only changes how Authorization header issues are handled. Everything else stays the same.

/claim #3235
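A test suite for the contract the description lists, written here as an added example rather than code from this PR or from zio-http. It reuses the `Endpoint` / `HeaderCodec.authorization` / `toRoutes` / `runZIO` calls from the spec posted later in this thread, covers all three listed cases plus a control case with a well-formed header, and assumes that `HeaderCodec.accept`, `Request#addHeader(name, value)` and `Status.Ok` exist with those names; the header values are constructed samples, not real credentials.

```scala
package zio.http.endpoint

import zio._
import zio.test._

import zio.http._
import zio.http.codec._

// Added example, not part of this PR. It checks the behaviour the PR
// description promises: an endpoint that requires the Authorization header
// answers 401 when the header is missing (alone or together with other
// required headers) or cannot be decoded, and a well-formed header reaches
// the handler. Assumed names (not shown elsewhere in the thread):
// HeaderCodec.accept, Request#addHeader(name, value), Status.Ok.
object AuthorizationContractSpec extends ZIOSpecDefault {

  // Endpoint that requires only the Authorization header.
  private val authOnly =
    Endpoint(Method.GET / "auth-only")
      .header(HeaderCodec.authorization)
      .out[Unit]
      .implement(_ => ZIO.unit)
      .toRoutes

  // Endpoint that requires Authorization plus a second header, for the
  // "multiple headers missing, including Authorization" case.
  private val authAndAccept =
    Endpoint(Method.GET / "auth-and-accept")
      .header(HeaderCodec.authorization)
      .header(HeaderCodec.accept)
      .out[Unit]
      .implement(_ => ZIO.unit)
      .toRoutes

  // Constructed sample values; neither is a real credential.
  private val wellFormed = "Bearer constructed-sample-token"
  // A single word with no scheme and no separator is assumed to fail
  // Authorization header decoding.
  private val malformed = "notavalidcredential"

  override def spec =
    suite("Authorization header contract")(
      test("missing Authorization -> 401") {
        val req = Request(method = Method.GET, url = url"/auth-only")
        authOnly.runZIO(req).map(r => assertTrue(r.status == Status.Unauthorized))
      },
      test("missing Authorization and Accept -> still 401, not 400") {
        val req = Request(method = Method.GET, url = url"/auth-and-accept")
        authAndAccept.runZIO(req).map(r => assertTrue(r.status == Status.Unauthorized))
      },
      test("undecodable Authorization -> 401") {
        val req = Request(method = Method.GET, url = url"/auth-only")
          .addHeader("Authorization", malformed)
        authOnly.runZIO(req).map(r => assertTrue(r.status == Status.Unauthorized))
      },
      test("well-formed Authorization reaches the handler -> 200") {
        val req = Request(method = Method.GET, url = url"/auth-only")
          .addHeader("Authorization", wellFormed)
        authOnly.runZIO(req).map(r => assertTrue(r.status == Status.Ok))
      }
    )
}
```

The control case matters for review: a change that maps every decoding failure to 401 should not also swallow valid headers, so the last test pins the success path while the first three pin the failure path.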


netlify bot commented May 25, 2025

Deploy Preview for zio-http failed. Why did it fail?

  • 🔨 Latest commit: 5952e5e
  • 🔍 Latest deploy log: https://app.netlify.com/projects/zio-http/deploys/6835b44109d1510008136fdf

@melmathari (Author) posted a screenshot (image not captured).

@melmathari melmathari changed the title HeaderCodec Authorization Fix HeaderCodec Authorization May 26, 2025
@melmathari melmathari changed the title Fix HeaderCodec Authorization fix: Authorization Header 400 Bad Request May 26, 2025
melmathari (Author) commented May 26, 2025

Netlify deploy failed, and the docs site wasn't touched in this PR. Can we skip Netlify deploys for PRs? @jdegoes

melmathari (Author) commented:

@jdegoes No idea why we're having this test fail; I've addressed the re-ordering of http.method.

[error] --- /home/runner/work/zio-http/zio-http/zio-http/jvm/src/test/scala/zio/http/endpoint/AuthorizationHeaderSpec.scala
[error] +++
[error] @@ -3,9 +3,9 @@
[error] import zio._
[error] import zio.test._
[error]
[error] +import zio.http.Method._
[error] import zio.http._
[error] import zio.http.codec._
[error] -import zio.http.Method._
[error]
[error] object AuthorizationHeaderSpec extends ZIOSpecDefault {
[error] override def spec =
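Review bot: This hunk is the scalafix import-ordering diff, not a compile error: the `+`/`-` lines show that `import zio.http.Method._` must move from after `import zio.http.codec._` to before `import zio.http._`, and the file in the repository still has the old order, which is what produces `ScalafixFailed: TestError` under `zioHttpJVM / Test / scalafix`. Applying exactly the ordering in the `+` line (or running the project's scalafix task locally before pushing) clears it. Since the spec posted below qualifies every use as `Method.GET`, the wildcard `Method._` import is unused; dropping it removes the ordering problem altogether.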
[error] (zioHttpJVM / Test / scalafix) scalafix.sbt.ScalafixFailed: TestError
[error] Total time: 34 s, completed May 26, 2025, 12:50:37 AM

Error: Process completed with exit code 1.

```scala
package zio.http.endpoint

import zio._
import zio.test._

import zio.http.Method._
import zio.http._
import zio.http.codec._

object AuthorizationHeaderSpec extends ZIOSpecDefault {
  override def spec =
    suite("AuthorizationHeaderSpec")(
      test("should respond with 401 Unauthorized when required authorization header is missing") {
        // Endpoint that requires the Authorization header.
        val endpoint = Endpoint(Method.GET / "test")
          .header(HeaderCodec.authorization)
          .out[Unit]
        val route    = endpoint.implement(_ => ZIO.unit)
        // Request without any Authorization header.
        val request  =
          Request(method = Method.GET, url = url"/test")
        for {
          response <- route.toRoutes.runZIO(request)
        } yield assertTrue(Status.Unauthorized == response.status)
      }
    )
}
```

melmathari (Author) commented:

@kyri-petrou Appreciate it if you can review this; I'm not sure I have to do anything with the failed website build?

melmathari (Author) commented:

@kyri-petrou is anything needed from my end? Thanks! Looking forward to contributing more to ZIO.

melmathari (Author) commented:

Hey guys, can I do anything else on this PR to avoid failing redirect rules?
