Make Endpoint respond with a 401 status code if the Authorization header is missing

[notxcain]

/claim #3235

[notxcain]

Let me know if this should be reported the same way as any other missing header.

[987Nabil]

The specs say, that we have to return acceptable auth methods.
And we have that data from the Endpoint API

The server generating a 401 response MUST send
a WWW-Authenticate header field (Section 4.1) containing at least one
challenge applicable to the target resource.

[notxcain]

@987Nabil the AuthType has quite limited information, please see the implementation draft. Any piece of advice here?

[987Nabil]

Most things are optional and can be omitted. Digest nonce is generated anyway.
Basic Digest and OAuth need a realm. We can add this to AuthType in the same fashion like ScopedAuth.
In case there is no realm, we could return no header or a default value. I tend to a default value. Like "default" or "restricted"

[notxcain]

I suspect JSClientSpec / HTTP / Get with User Agent and AuthSpec / Auth with context and endpoint client with path parameter are flaky, or at least I can't reproduce it locally with the same JVM and Scala versions.

[notxcain]

Hi @987Nabil — could you please take a look at the PR? The suspected tests are indeed flaky, the tests were green before I merged master. And now it failed again.

[notxcain]

Hey @jdegoes — could you please take a look at this?

[Omar8345]

@notxcain @jdegoes is this still ongoing?

[notxcain]

@Omar8345 I did no get any response from the maintainers so I don't really know.

[987Nabil]

Sorry for the late review. I hope you can still work on this :)

[987Nabil]

The specs say, that we have to return acceptable auth methods.
And we have that data from the Endpoint API

The server generating a 401 response MUST send
a WWW-Authenticate header field (Section 4.1) containing at least one
challenge applicable to the target resource.

[987Nabil]

@notxcain I think errors of decoding the header should also lead to 401

[netlify]

❌ Deploy Preview for zio-http failed. Why did it fail? →

Name	Link
🔨 Latest commit	142b508
🔍 Latest deploy log	https://app.netlify.com/projects/zio-http/deploys/68551a965a24ed0008e7ea03

[notxcain]

I think errors of decoding the header should also lead to 401

@987Nabil I only have this link to support my choice, but I believe a malformed (or violating schema) value of a header falls into Bad Request and has different semantics.

[notxcain]

Hi @987Nabil — please see check my comment.

[987Nabil]

I think errors of decoding the header should also lead to 401

@987Nabil I only have this link to support my choice, but I believe a malformed (or violating schema) value of a header falls into Bad Request and has different semantics.

The link says explicitly that malformed is 401 🤔

The access token provided is expired, revoked, malformed, or
invalid for other reasons. The resource SHOULD respond with
the HTTP 401 (Unauthorized) status code. The client MAY
request a new access token and retry the protected resource
request.