HeaderCodec Authorization
zio/zio-http#3512

Fixed: Wrong Error Code for Missing Authorization Header

Before, if the Authorization header was missing, the app returned a 400 Bad Request.
That just means something went wrong, but it didn’t clearly say the user wasn’t logged in.

Now, the app checks if the Authorization header is missing or invalid.
If it is, it returns 401 Unauthorized, which correctly tells the user they need to log in.

Improvements

  • If the Authorization header is missing, the response is now 401 Unauthorized
  • If multiple headers are missing, including Authorization, the response is still 401 Unauthorized
  • If the Authorization header is present but invalid (decoding error), the response is 401 Unauthorized

Compliance

This fix follows RFC 7235, which says:

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the resource.

🧪 Tests

To confirm nothing else broke, I ran:

sbt "zioHttpJVM / Test / testOnly endpoint"

All tests passed ✅

It only changes how Authorization header issues are handled. Everything else stays the same.

/claim #3235
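
The status selection listed under Improvements, as an added example that is not part of the pull request or zio-http's own code. `HeaderError`, `decodeBasic` and `statusFor` are hypothetical names, the Basic scheme is an assumption, and the sample requests are constructed.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.util.Base64
import scala.util.Try

// Hypothetical model of header decoding failures (not zio-http's types).
sealed trait HeaderError { def name: String }
final case class Missing(name: String) extends HeaderError
final case class Malformed(name: String, reason: String) extends HeaderError

object AuthStatusDemo {
  // Decode a Basic credential; an absent or undecodable value becomes an error.
  def decodeBasic(raw: Option[String]): Either[HeaderError, (String, String)] =
    raw match {
      case None => Left(Missing("authorization"))
      case Some(v) =>
        v.trim.split("\\s+", 2) match {
          case Array(scheme, token) if scheme.equalsIgnoreCase("Basic") =>
            Try(new String(Base64.getDecoder.decode(token), UTF_8)).toOption
              .map(_.split(":", 2))
              .collect { case Array(user, pass) => (user, pass) }
              .toRight(Malformed("authorization", "bad base64 or no ':' separator"))
          case _ => Left(Malformed("authorization", "unsupported or incomplete scheme"))
        }
    }

  // Any Authorization problem takes precedence over other header errors.
  def statusFor(errors: List[HeaderError]): Int =
    if (errors.isEmpty) 200
    else if (errors.exists(_.name.equalsIgnoreCase("authorization"))) 401
    else 400

  def main(args: Array[String]): Unit = {
    // Constructed samples: (Authorization header value, errors from other headers)
    val samples: List[(Option[String], List[HeaderError])] = List(
      (None, Nil),                                                  // missing
      (None, List(Missing("x-request-id"))),                        // several missing
      (Some("Basic !!!not-base64"), Nil),                           // decoding error
      (Some("Basic dXNlcjpwYXNz"), List(Missing("x-request-id"))),  // auth fine, other missing
      (Some("Basic dXNlcjpwYXNz"), Nil)                             // everything decodes
    )
    samples.foreach { case (auth, others) =>
      val errors = decodeBasic(auth).swap.toOption.toList ++ others
      println(s"$auth -> ${statusFor(errors)}")
    }
  }
}
```

RFC 7235 also requires a 401 response to carry a WWW-Authenticate challenge, which this sketch does not model.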

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted May 25, 2025
Last updated May 25, 2025

Contributors

No-Code Venture

@nocodeventure-nl

100%

Sponsors

ZIO

@ZIO

$100