spiral-project / ihatemoney

A simple shared budget manager web application
https://ihatemoney.org

Werkzeug 2.3 incompatibility: AttributeError: 'NoneType' object has no attribute 'lower' #1272

Open jomo opened 10 months ago

jomo commented 10 months ago

I set up an ihatemoney instance using the latest ihatemoney/ihatemoney Docker container as described in https://ihatemoney.readthedocs.io/en/latest/installation.html#with-docker.

After scanning the invite QR code using the MoneyBuster app, the server returned a server error.

ERROR [ihatemoney.run] Exception on /api/projects/example [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 489, in wrapper
    resp = resource(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
  File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 604, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/src/ihatemoney/api/common.py", line 26, in wrapper
    if auth and project_id and auth.username.lower() == project_id:

The problem is this line:

https://github.com/spiral-project/ihatemoney/blob/76e8b3baf0b52d098c1287f01ebf30cdeeb6ecc5/ihatemoney/api/common.py#L21-L26

From https://flask.palletsprojects.com/en/3.0.x/api/#flask.Request.authorization:

Changed in version 2.3: Authorization is no longer a dict.

In the current version of the application, request.authorization returns the Bearer xxxxxxx value, making it truthy but leaving username undefined.

almet commented 10 months ago

What's weird is that we're specifically asking for Werkzeug version to be < 2.3 in pyproject.toml

https://github.com/spiral-project/ihatemoney/blob/76e8b3baf0b52d098c1287f01ebf30cdeeb6ecc5/pyproject.toml#L40-L43

I'm not sure why Docker doesn't follow these rules.

zorun commented 10 months ago

We ask for Werkzeug < 3, so it's consistent to end up with 2.3; this was the whole point of #1244. I guess we need more tests...

Annoying, I had included this seemingly minor update in the stable-6.1 branch. We will need to make one more bugfix release!

almet commented 10 months ago

Sorry for the noise, you're correct. I probably read whatever I wanted to read. Pfiuuu.

zorun commented 10 months ago

I have reverted the Flask/Werkzeug update in stable-6.1 and made a new backport release 6.1.3; hopefully there should be no more regression there!

It means we have more time to figure this out. But please add a test for this regression :)
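Added example, not part of the thread and not ihatemoney's or Werkzeug's code: the failure reported in the issue and a guarded check that can back a regression test, using only the standard library. `ParsedAuth`, `parse_authorization` and both `is_basic_for_project*` functions are hypothetical names; `ParsedAuth` is a stand-in modelled on the behaviour described above (truthy for a Bearer header, with no username).

```python
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass
class ParsedAuth:
    """Stand-in (assumption) for the parsed header object: for a non-Basic
    scheme it is still truthy, but username and password are None."""
    type: str
    username: Optional[str] = None
    password: Optional[str] = None
    token: Optional[str] = None


def parse_authorization(header: Optional[str]) -> Optional[ParsedAuth]:
    """Parse an Authorization header value; None if absent or malformed."""
    if not header or " " not in header.strip():
        return None
    scheme, _, value = header.strip().partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme != "basic":
        return ParsedAuth(type=scheme, token=value)
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return ParsedAuth("basic", user, password) if sep else None


def is_basic_for_project_unsafe(auth, project_id) -> bool:
    # Same shape as the check in the traceback: assumes that a truthy
    # auth object always carries a username.
    return bool(auth and project_id and auth.username.lower() == project_id)


def is_basic_for_project(auth, project_id) -> bool:
    # Guarded check: only Basic credentials with a username can match;
    # anything else (e.g. Bearer) falls through to the token code path.
    if not auth or not project_id:
        return False
    if auth.type != "basic" or auth.username is None:
        return False
    return auth.username.lower() == project_id
```

With a constructed `Bearer` header the unsafe check raises the `AttributeError` from the issue title, while the guarded check returns `False` so the request can continue to token validation.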