aiohttp client and JWT authorization header problem

[nceresole]

I'm having problems setting the "Authorization" header in aiohttp.

I need to make a request to an authenticated API using JWT but when I add the token manually to the header, aiohttp returns the following errors:

ValueError: [TypeError("'URL' object is not iterable"), TypeError('vars() argument must have __dict__ attribute')]

The JWT token I have to send in the header is quite long so I guess there is some limitation for the size because if I modify it to use a shorter (and fake) one, the request is sent even though the "Authorization" header is omitted. I guess this has to do with the following warning in the documentation:

Note: Authorization header will be removed if you get redirected to a different host or protocol.

I couldn't find anything in the docs or the repo to backup these facts so I don't know how to proceed. The following code was used to make the request:

try:
    # Using fake URL and headers as an example
    url = "https://myapi.com/get-data"
    headers = {"Authorization": "Bearer eyJ0eXniOiJ2V1QiLCJhcGciOiJS4zI1NiJ9..."}
    async with self.session.get(url, headers=headers) as response:
        await response.read()
    return response
except aiohttp.ClientConnectionError as e:
    message = f"Connection error: {e}"
    raise RequestErrorException(url=url, detail=message)
except Exception as e:
    message = f"Data error: {e}"
    raise RequestErrorException(url=url, detail=message)

And here is the traceback:

api        | Traceback (most recent call last):
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/fastapi/encoders.py", line 137, in jsonable_encoder
api        |     data = dict(obj)
api        | TypeError: 'URL' object is not iterable
api        | 
api        | During handling of the above exception, another exception occurred:
api        | 
api        | Traceback (most recent call last):
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/fastapi/encoders.py", line 141, in jsonable_encoder
api        |     data = vars(obj)
api        | TypeError: vars() argument must have __dict__ attribute
api        | 
api        | During handling of the above exception, another exception occurred:
api        | 
api        | Traceback (most recent call last):
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/uvicorn/protocols/http/h11_impl.py", line 373, in run_asgi
api        |     result = await app(self.scope, self.receive, self.send)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/uvicorn/middleware/proxy_headers.py", line 75, in __call__
api        |     return await self.app(scope, receive, send)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/fastapi/applications.py", line 208, in __call__
api        |     await super().__call__(scope, receive, send)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/starlette/applications.py", line 112, in __call__
api        |     await self.middleware_stack(scope, receive, send)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/starlette/middleware/errors.py", line 181, in __call__
api        |     raise exc
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/starlette/middleware/errors.py", line 159, in __call__
api        |     await self.app(scope, receive, _send)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/starlette/exceptions.py", line 82, in __call__
api        |     raise exc
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/starlette/exceptions.py", line 71, in __call__
api        |     await self.app(scope, receive, sender)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/starlette/routing.py", line 656, in __call__
api        |     await route.handle(scope, receive, send)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/starlette/routing.py", line 259, in handle
api        |     await self.app(scope, receive, send)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/starlette/routing.py", line 61, in app
api        |     response = await func(request)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/fastapi/routing.py", line 234, in app
api        |     response_data = await serialize_response(
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/fastapi/routing.py", line 148, in serialize_response
api        |     return jsonable_encoder(response_content)
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/fastapi/encoders.py", line 145, in jsonable_encoder
api        |     return jsonable_encoder(
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/fastapi/encoders.py", line 93, in jsonable_encoder
api        |     encoded_value = jsonable_encoder(
api        |   File "/opt/pysetup/.venv/lib/python3.9/site-packages/fastapi/encoders.py", line 144, in jsonable_encoder
api        |     raise ValueError(errors)
api        | ValueError: [TypeError("'URL' object is not iterable"), TypeError('vars() argument must have __dict__ attribute')]

[Dreamsorcerer]

Every line of your traceback comes from fastapi...

I doubt anybody here is likely to be able to help when the traceback doesn't seem to have anything to do with aiohttp, except that somewhere the URL object has ended up in the fastapi code.

[nceresole]

You are absolutely right but I just added it to give a little more context as I don't know how to proceed with the debugging.

Is it possible that there is a limit to the size of the headers? I didn't find any information about it in the documentation but I guess this has something to do with it because if I use a shorter token, the request works even though it omits the "Authorization" header.

Will try to do this outside of FastAPI to see if there is more information.

[nceresole]

Regarding the "silly mistake", that's the only way I found to keep the context of the response (because we're using a wrapper that we made around aiohttp) when sending it to our FastAPI endpoints (thats where we process the response and return whatever we want to return).

Something similar to this: https://stackoverflow.com/questions/68693855/aiohttp-getting-response-object-out-of-context-manager

[Dreamsorcerer]

Regarding the "silly mistake", that's the only way I found to keep the context of the response (because we're using a wrapper that we made around aiohttp) when sending it to our FastAPI endpoints (thats where we process the response and return whatever we want to return).

I was just guessing that you were returning it in an endpoint handler, as there is not enough information. Still, that looks like very bad practice, and I'd rewrite the code to not pass a Response object around.

I suspect this is related to the exception you are seeing, but it's impossible to tell. Without any kind of exception/error in the code you've shared or from aiohttp, we have nothing to look at, it's just blind guessing. You've shared a snippet of code and then an exception that comes from some other code.

To figure out if the full header is getting sent, you could just look at what is actually being received. e.g. Just run netcat with nc -l 8010 and send the request to localhost:8010 or something similar and check the output.

[nceresole]

Thank you very much for your time and help and I understand what you are trying to point out.

I suspect this is related to the exception you are seeing, but it's impossible to tell.

Indeed it was. I didn't add information regarding how we handle requests because I thought it was unrelated since most of the code works for other endpoints. Outside of FastAPI I am not getting any exceptions so I assume it is working as expected on the aiohttp side.

To figure out if the full header is getting sent, you could just look at what is actually being received. e.g. Just run netcat with nc -l 8010 and send the request to localhost:8010 or something similar and check the output.

The "Authorization" header is missing so the endpoint that I'm trying to hit always return a 401. This may be related to #4568, #5783, #5943.

Do I have to wait until v4 to bypass this behaviour? Thanks again for your help!

[Dreamsorcerer]

I think there's a solution at the end of that 2nd thread: #5783 (comment)