zio
fix: Authorization Header 400 Bad Request
Fixed: Wrong Error Code for Missing Authorization Header
Before, if the Authorization header was missing, the app returned a 400 Bad Request.
That just means something went wrong, but it didn’t clearly say the user wasn't logged in.
Now, the app checks if the Authorization header is missing or invalid.
If it is, it returns 401 Unauthorized, which correctly tells the user they need to log in.
Improvements
- [x] If the
Authorizationheader is missing, the response is now 401 Unauthorized - [x] If multiple headers are missing, including
Authorization, the response is still 401 Unauthorized - [x] If the
Authorizationheader is present but invalid (decoding error), the response is 401 Unauthorized
Compliance
This fix follows RFC 7235, which says:
The 401 (Unauthorized) status code indicates that the request has not been applied because it lackz valid authentication credentials for the resourrce.
🧪 Tests
To confirm nothing else broke, I ran:
sbt "zioHttpJVM / Test / testOnly endpoint"
All tests passed ✅
It only changes how Authorization header issues are handled. Everything else stays the same.
/claim #3235
Deploy Preview for zio-http failed. Why did it fail? →
| Name | Link |
|---|---|
| Latest commit | 5952e5e5fb54417d77fdef0f14fc7aaa46710798 |
| Latest deploy log | https://app.netlify.com/projects/zio-http/deploys/6835b44109d1510008136fdf |
![netlify[bot] avatar](https://avatars.githubusercontent.com/in/13473?v=4 "Published by a pub.dev verified publisher"){kind=small}
Netlify deploy failed?, and the docs site wasn’t touched in this PR. Can we skip Netlify deploys for PRs? @jdegoes
@jdegoes No idea why we're having this test fail, i've addressed the re-ordering of http.method..
[error] --- /home/runner/work/zio-http/zio-http/zio-http/jvm/src/test/scala/zio/http/endpoint/AuthorizationHeaderSpec.scala
[error] +++
[error] +import zio.http.Method._
[error] import zio.http._
[error] import zio.http.codec._
[error] -import zio.http.Method._
[error]
[error] object AuthorizationHeaderSpec extends ZIOSpecDefault {
[error] override def spec =
[error] (zioHttpJVM / Test / scalafix) scalafix.sbt.ScalafixFailed: TestError
[error] Total time: 34 s, completed May 26, 2025, 12:50:37 AM
Error: Process completed with exit code 1.
`package zio.http.endpoint
import zio._ import zio.test._
import zio.http.Method._ import zio.http._ import zio.http.codec._
object AuthorizationHeaderSpec extends ZIOSpecDefault { override def spec = suite("AuthorizationHeaderSpec")( test("should respond with 401 Unauthorized when required authorization header is missing") { val endpoint = Endpoint(Method.GET / "test") .header(HeaderCodec.authorization) .out[Unit] val route = endpoint.implement(_ => ZIO.unit) val request = Request(method = Method.GET, url = url"/test") for { response <- route.toRoutes.runZIO(request) } yield assertTrue(Status.Unauthorized == response.status) }, ) } `
@kyri-petrou Appreciate if you can review this, i'm not sure I have to do anything with the failed website build?
@kyri-petrou is anything needed from my end? Thanks! Looking forward to contributing more to ZIO.
Hey guys, can I do anything else on this PR to avoid failing redirect rules?