We have two custom directives responsible for authentication and authorization of users. When something is wrong, the directives reject the request with two custom rejections (UnauthorizedRejection and ForbiddenRejection). We do have a custom rejection handler which maps those two rejections to StatusCodes.Unauthorized and StatusCodes.Forbidden respectively.
In our tests, everything works perfectly: when we wrap a route with our directives and send an unauthenticated or unauthorized request, we can properly assert that the status code is either Unauthorized or Forbidden.
When we wrap the routes in our main API with one of our directives, we end up having a StatusCodes.MethodNotAllowed in place of the expected Unauthorized or Forbidden status codes.
I think it’s related to how akka-http handles route evaluation using the ~ operator.
After having been rejected by a route the request will continue to flow through the routing structure and possibly find another route that can complete it. If there are more rejections all of them will be picked up and collected.
My question is, is there a way to stop the request from flowing through the routing structure after some specific rejections are encountered? Or to customize the default rejection handler to send the proper status codes when the rejection list contains either a ForbiddenRejection or an UnauthorizedRejection?
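
Both options asked about above, sketched as an added example that is not the poster's code. It assumes the two rejections are case objects, uses a hypothetical `authenticated` directive as a stand-in for the real one, and uses a made-up `items` route.

```scala
import akka.http.scaladsl.model.StatusCodes
import akka.http.scaladsl.server.{Directive0, Rejection, RejectionHandler, Route}
import akka.http.scaladsl.server.Directives._

// Assumed shapes for the two custom rejections named in the post.
case object UnauthorizedRejection extends Rejection
case object ForbiddenRejection extends Rejection

object AuthRejections {
  // Handles only the auth rejections; anything else is left untouched.
  val authOnly: RejectionHandler =
    RejectionHandler.newBuilder()
      .handle { case UnauthorizedRejection => complete(StatusCodes.Unauthorized) }
      .handle { case ForbiddenRejection => complete(StatusCodes.Forbidden) }
      .result()

  // Builder cases are tried in registration order, each against the whole
  // list of collected rejections. With the auth cases ahead of the default
  // handler, a MethodRejection collected from a sibling route cannot win.
  val authFirst: RejectionHandler = authOnly.withFallback(RejectionHandler.default)

  // Hypothetical stand-in for the post's authentication directive.
  def authenticated: Directive0 =
    optionalHeaderValueByName("Authorization").flatMap {
      case Some(_) => pass
      case None    => reject(UnauthorizedRejection)
    }

  // Option A: keep collecting rejections, but give auth rejections priority
  // in the handler installed around the whole API.
  val api: Route =
    handleRejections(authFirst) {
      path("items") { get { authenticated { complete("list") } } } ~
      path("items") { post { authenticated { complete("created") } } }
    }

  // Option B: stop the flow. The auth rejection is turned into a response
  // inside the directive, so `~` never tries the next alternative.
  def authenticatedSealed: Directive0 = handleRejections(authOnly) & authenticated

  val apiSealed: Route =
    path("items") { get { authenticatedSealed { complete("list") } } } ~
    path("items") { post { authenticatedSealed { complete("created") } } }
}
```

With option A, the order of `withFallback` matters: chaining the default handler ahead of the auth cases lets its `MethodRejection` case answer first, which produces the 405 described in the post.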