
Fixed the auth header missing error to 401 from 400 #3614

Closed
Skyiesac wants to merge 2 commits into zio:main from Skyiesac:auth3235

@Skyiesac

This PR fixes a bug where missing Authorization headers in declarative endpoint syntax were incorrectly returning HTTP 400 (Bad Request) instead of the RFC-compliant HTTP 401 (Unauthorized) status code.

Closes #3235
/claim #3235

@CLAassistant

CLAassistant commented Aug 10, 2025

All committers have signed the CLA.

@netlify

netlify bot commented Aug 10, 2025

Deploy Preview for zio-http ready!

Name Link
🔨 Latest commit f31eeb1
🔍 Latest deploy log https://app.netlify.com/projects/zio-http/deploys/68b1db78aac7c000088f6fdb
😎 Deploy Preview https://deploy-preview-3614--zio-http.netlify.app

@Skyiesac
Author

Hey @jdegoes @987Nabil @kyri-petrou @vigoo,
Could you review this PR when you get a chance? If everything looks good, kindly merge it.

@987Nabil
Contributor

987Nabil commented Mar 5, 2026

Thanks for the contribution and for raising this issue! We've implemented a different approach for this:

Instead of hardcoding 401, the auth failure response status is now configurable via .unauthorizedStatus(Status), defaulting to 404 (Not Found) for security reasons.

The default was changed to 404 because returning 401 reveals that the resource exists — for example, GitHub returns 404 instead of 401 when you try to access a repo you're not part of. Users who want RFC-compliant 401 can opt in:

endpoint.auth(AuthType.Bearer).unauthorizedStatus(Status.Unauthorized)

The OpenAPI spec generation also reflects the configured status automatically.

This will be included in the next release. Thanks again for bringing attention to this issue!
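
The trade-off described in the comment above, as an added example that is not part of the thread and not zio-http code: a small Python model of a handler whose auth-failure status is configurable, with a check for whether an anonymous client can tell a protected route from a missing one. The route table, token, and the names `handle` and `reveals_existence` are constructed for illustration.

```python
"""Model of a configurable auth-failure status (illustrative, not zio-http)."""
import hmac
from dataclasses import dataclass

# Constructed sample data: the route and the token are hypothetical.
PROTECTED_ROUTES = {"/repos/acme/private": "secret repo"}
VALID_TOKEN = "constructed-test-token"


@dataclass(frozen=True)
class Response:
    status: int
    headers: tuple = ()
    body: str = ""


def handle(path, headers, unauthorized_status=404):
    """Answer a GET; unauthorized_status models the configurable setting."""
    if path not in PROTECTED_ROUTES:
        return Response(404)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if scheme.lower() == "bearer" and hmac.compare_digest(
        token.encode(), VALID_TOKEN.encode()
    ):
        return Response(200, body=PROTECTED_ROUTES[path])
    # RFC 9110 requires a WWW-Authenticate challenge on 401. On any other
    # status the header would itself reveal that the route is protected.
    challenge = (("WWW-Authenticate", "Bearer"),) if unauthorized_status == 401 else ()
    return Response(unauthorized_status, challenge)


def reveals_existence(unauthorized_status):
    """True if an unauthenticated client can tell protected from missing."""
    protected = handle("/repos/acme/private", {}, unauthorized_status)
    missing = handle("/repos/acme/does-not-exist", {}, unauthorized_status)
    # Compare the whole response: status, headers and body all count.
    return protected != missing


if __name__ == "__main__":
    for status in (400, 401, 404):
        print(status, "reveals existence:", reveals_existence(status))
```

The same comparison works as a regression test against a real deployment: request a known protected path and a random path without credentials and assert that the two responses are identical.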

Development

Successfully merging this pull request may close these issues.

Missing Authorization header is reported as 400 instead of 401
