BUG - JWT auth challenge bypassed in nested endpoint routers #319

Open
artipo opened this issue Oct 28, 2021 · 0 comments

artipo commented Oct 28, 2021

Hi, I was trying the new EndpointRouter routing and I think I have found a bug.

It occurs when you try to put a sub router under JWT authentication.
The code speaks for itself.

```fsharp
let sub =
    router {
        get "/" (text "not secured") // accessible without authentication
    }

let privateEndpoints =
    router {
        pipe_through (Auth.requireAuthentication JWT)
        forward "/sub" sub
        get "/" (text "secured") // NOT accessible without authentication
    }

let appEndpoints =
    router {
        forward "/api" privateEndpoints
        get "/" (text "public") // accessible without authentication
    }

let app =
    application {
        use_jwt_authentication "secret" "issuer"
        use_endpoint_router appEndpoints
        url "http://0.0.0.0:8085/"
        listen_local 8085 ignore
    }
```

I'm using .NET 5.0 via the CLI and Saturn 0.15.

I think it's a bug because if the old routers are used everything works correctly (route "/api/sub" becomes NOT accessible without authentication).

Here's a small project that includes the code above.
jwt_auth.zip

Feel free to ask for more info; thank you in advance.
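
As an added example (not part of the original report or of the Saturn code base), a small Python check that requests the three routes from the report without an `Authorization` header and lists every route whose status differs from what the router layout intends. The 401 challenge status is an assumption, and `ReportedBehaviour` is a constructed stand-in that answers the way the report describes so the check runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Route -> status expected when no Authorization header is sent.
# Paths are from the report; 401 as the challenge status is an assumption.
EXPECTED = {"/": 200, "/api": 401, "/api/sub": 401}
# Ignore proxy environment variables so local probes stay local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, path):
    """Return the HTTP status of a GET sent without credentials."""
    try:
        with OPENER.open(base_url + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, expected=EXPECTED):
    """Return {path: (expected, actual)} for every route that deviates."""
    seen = {path: (want, probe(base_url, path)) for path, want in expected.items()}
    return {path: pair for path, pair in seen.items() if pair[0] != pair[1]}

class ReportedBehaviour(BaseHTTPRequestHandler):
    """Constructed stand-in that answers the way the report describes."""
    OPEN = {"/", "/api/sub"}  # /api/sub is the route that skips the challenge

    def do_GET(self):
        self.send_response(200 if self.path in self.OPEN else 401)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def audit_stub():
    """Run the audit against the stand-in on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), ReportedBehaviour)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    # For the real app from the report, call audit("http://localhost:8085").
    print(audit_stub())
```

An empty dict from `audit` means every route answered as expected; kept as a regression test, the same check catches a forwarded sub router that stops inheriting the parent's `pipe_through`.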
