
Return 401 for missing/malformed Authorization header#3948

Open
buildingvibes wants to merge 2 commits into zio:main from buildingvibes:fix/auth-401

Conversation

@buildingvibes

Summary

Fixes #3235. When an endpoint requires authentication via .header(HeaderCodec.authorization) or .auth(AuthType.Bearer), a request without a valid Authorization header now returns 401 Unauthorized instead of 400 Bad Request, per RFC 7235 Section 3.1.

Changes

Endpoint.scala

  • Added isAuthorizationError helper that detects when a codec error is related to the Authorization header (handles MissingHeader, MissingHeaders, MalformedHeader, and DecodingErrorHeader)
  • Added a case in the catchAllCause error handler that returns 401 with WWW-Authenticate header for auth-related errors

AuthType.scala

  • Added wwwAuthenticateHeader method that generates the appropriate WWW-Authenticate challenge value (e.g., Bearer realm="restricted")

Tests

  • Missing Authorization header → 401 Unauthorized with WWW-Authenticate header
  • Malformed Authorization header → 401 Unauthorized
  • Missing non-auth header → 400 Bad Request (regression guard)

RFC Compliance

  • RFC 7235 §3.1: "The server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header field"
  • RFC 6750 §3.1: Malformed/invalid Authorization headers should also receive 401

When an endpoint requires authentication and the Authorization header
is missing or malformed, return 401 Unauthorized with a WWW-Authenticate
header per RFC 7235 Section 3.1, instead of the generic 400 Bad Request.

Handles MissingHeader, MissingHeaders, MalformedHeader, and
DecodingErrorHeader cases for the Authorization header specifically.

Fixes zio#3235
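As an added illustration of the status-code mapping this PR describes (it is not zio-http's own code, and it is written in Python rather than the project's Scala), here is a hypothetical required-header check that separates Authorization failures from other missing headers. The header names, the realm value and the bearer-token pattern are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for an endpoint's required-header declaration.
# Authorization is handled separately from the other required headers.
REQUIRED_HEADERS = ("Authorization", "X-Request-Id")

# Shape of "Bearer" credentials per RFC 6750: scheme, whitespace, b64token.
BEARER_RE = re.compile(r"^Bearer\s+[A-Za-z0-9\-._~+/]+=*$")


@dataclass
class Response:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)


def www_authenticate(realm: str = "restricted") -> str:
    """Challenge value a 401 MUST carry (RFC 7235 s.3.1); Bearer scheme here."""
    return f'Bearer realm="{realm}"'


def classify(headers: dict) -> Response:
    """Map header-validation failures to status codes.

    Authorization missing or malformed  -> 401 with WWW-Authenticate
    any other required header missing   -> 400 (not an auth challenge)
    everything present and well-formed  -> 200
    """
    # Header names are case-insensitive, so normalise before lookups.
    lower = {k.lower(): v for k, v in headers.items()}
    auth = lower.get("authorization")
    if auth is None or not BEARER_RE.match(auth):
        # The auth-related cases (missing or malformed Authorization) get 401.
        return Response(401, "Unauthorized", {"WWW-Authenticate": www_authenticate()})
    for name in REQUIRED_HEADERS:
        if name.lower() not in lower:
            # A non-auth header problem stays a plain client error (regression guard).
            return Response(400, "Bad Request")
    return Response(200, "OK")
```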
@netlify

netlify bot commented Feb 10, 2026

Deploy Preview for zio-http ready!

Latest commit: e775af9
Latest deploy log: https://app.netlify.com/projects/zio-http/deploys/698aea388cfd160008e508f0
Deploy Preview: https://deploy-preview-3948--zio-http.netlify.app

@CLAassistant

CLAassistant commented Feb 10, 2026

CLA assistant check
All committers have signed the CLA.

@buildingvibes
Author

recheck

@buildingvibes
Author

Hi! Just checking in - all CI checks are passing (40+ jobs across Scala 2.12/2.13/3.3 on multiple JVMs), CLA is signed, and the implementation follows the existing patterns for error handling in Endpoint.scala. This fixes #3235 where missing/malformed Authorization headers return 400 instead of the correct 401. Happy to address any feedback!


Development

Successfully merging this pull request may close these issues.

Missing Authorization header is reported as 400 instead of 401