Authentication breaks, if you combine `Http`s with different ways to authenticate

[987Nabil]

Describe the bug Combining two apps with different auth middlewares leads to unexpected 401 returns.

To Reproduce This happens in version 2.0.0-RC10 Let's assume we have have 3 Http instances, one without auth, one with basic auth and one with oauth. We use the zio-http defined auth middleware. Let's start a server like this

Server.start(8080, noAuthApp ++ basicAuthApp ++ oauthApp)

The endpoints of the first apps two behave correctly, but the last one always returns 401, independent of the auth headers content. If you change the order, everything after the first authenticated Http will return 401.

You can find a reproducer here

When we build the server like this

Server.make(Server.port(8080), Server.app(noAuthApp) ++ Server.app(basicAuthApp) ++ Server.app(oauthApp))

it is even worse. Now all endpoints return always 401.

Expected behaviour The routes of a Http are authenticated based on the middleware added to them, even when combined with others

[987Nabil]

I think we should just make sure, that this is not the case anymore in the next release. Since Middleware is in a heavy change process, I suggest to only test if this error is gone after the changes are done.

[jdegoes]

It looks like middleware can fail and that these failures are not adequately handled by ++.

[julioselva]

Hi @987Nabil. Did you find any workaround?

[987Nabil]

No, I didn't

[jdegoes]

Closed in favor of #1871, which describes the underlying cause.

[tusharmath]

How about changing the routing a bit?

Http.collectHttp[Request] {
  case _ -> !! / "web" => basicAuthApp
  case _ -> !! / "api" => oauthApp
  case _               => noAuthApp
}

Alternatively, we can also do something like:

basicAuthApp.prefix(!! / "web") ++ oauthApp.prefix(!! / "api") ++ noAuthApp

[987Nabil]

@tusharmath I think even if what you say works, my example still reflects unexpected behaviour and the "right way" is not easy to discover.