Add 400 response when boundary is missing

[Kludex]

• Closes Send 400 on missing boundary #1588
• Related to multipart/form-data subpart without name causes internal error #1303 (I've not included it on this PR for now...)
• Replaces Add 400 response on MultiParser exceptions #1593 (monologue about possible solutions from there is important)

Behavior of this PR:

• Custom exception in case "app" not in scope.
• HTTPException(status_code=400) in case "app" in scope.

Changes:

• Move HTTPException to http_exception.py to avoid circular import.
• Add custom exception MultiPartException on missing boundary.
• Handle MultiPartException on form() with the behavior mentioned above.

Alternatives/thoughts related to this PR:

• Check Add 400 response on MultiParser exceptions #1593 - my thoughts are listed there in a timely manner...
• The handling of MultiPartException can also be on an upper level:
  

  starlette/starlette/routing.py

  Lines 250 to 261 in 830f348

  	async def handle(self, scope: Scope, receive: Receive, send: Send) -> None:
  	if self.methods and scope["method"] not in self.methods:
  	headers = {"Allow": ", ".join(self.methods)}
  	if "app" in scope:
  	raise HTTPException(status_code=405, headers=headers)
  	else:
  	response = PlainTextResponse(
  	"Method Not Allowed", status_code=405, headers=headers
  	)
  	await response(scope, receive, send)
  	else:
  	await self.app(scope, receive, send)

  
  This alternative would avoid creating the http_exception.py... 🤔

[Kludex]

I need to add a test for this.

[tomchristie]

Didn't realise you could do this at a module level. 😎

[adriangb]

What's the plan to remove all of this deprecation code? I get why we need it, but it'd be nice to know when we're going to remove it so that:

1. We can put it in the code for our knowledge down the road.
2. We can put it in the error message.

I suppose this depends on #1623 , but I think we should make an executive decision (maybe @tomchristie ?) on when / if the deprecation shim is ever going to be removed.

Personally, I feel like 3 minor releases or 1 year, whichever comes first, sounds reasonable?

[Kludex]

I was more into 6 months and 3 minors... But any number is good for me... I'd just like to have a number 👍 But let's mention those stuff on that discussion.

For here, there's no plan yet. The plan should be defined on that discussion. If this is merged, it's just common sense i.e. in some arbitrary time we just remove it...

[adriangb]

This is an interesting change.

Overall the change (returning a proper exception to the client instead of a 500) makes absolute sense.

Unfortunately you ended up needing to do a bunch of surgery to the codebase to make it happen because raising an HTTPexception from within a Request requires that Request reference HTTPException, but ExceptionMiddleware was in the same module as HTTPException, which caused circular references. This makes the diff super ugly and huge relative to the small straightforward feature.

But I think that's okay: we are paying the price to fix an issue that already existed in our codebase that might have caused us issues down the road some other time. And personally I think moving the middleware into middlewares/ really cleans things up nicely.

I'm approving this, I do however want 1 more approver and some consensus on the deprecation policy because this is a breaking change for our downstream dependencies.

[Kludex]

[...] I do however want 1 more approver [...]

Yep 👍

Thanks for the review! 🙏

[tomchristie]

Some questions which could be addressed, but they're not blockers so will leave this in your hands at this point @Kludex.

Really nice switch around with moving the middleware. 👍

[tomchristie]

Didn't realise you could do this at a module level. 😎

[tomchristie]

👍 Yup - much better to have this here.

Have confirmed to myself that the class here and the class when it was in exceptions.py are identical.

[tomchristie]

Do we need to have the switch here? Can we just always coerce to an HTTPException here instead? Are we already using this pattern, and if so, where?

[adriangb]

https://github.com/encode/starlette/blob/master/starlette/routing.py#L253-L258

[Kludex]

Yep, we use the pattern in the code, as @adriangb pointed out.

Always coerce to an HTTPException is an option. I opted to not do it because we only use HTTPExceptions when we are in Starlette (as application) e.g. "app" in self.scope.

[adriangb]

Realistically, I think we could remove that pattern everywhere. IMO it's not worth supporting (nice) usage of Starlette's Request object outside of a Starlette app. If someone wants to do that, they can handle the HTTPException.

[Kludex]

If someone wants to do that, they can handle the HTTPException.

You have a point, but I think that's another discussion.

I really don't think it's a burden to maintain that, but I wonder if someone really uses that code outside Starlette (app)... 🤔

[tomchristie]

I'd personally probably nudge towards the simpler pytest.raises(KeyError, match="boundary") case here, just because it's more obviously readable to me.

The parameterised expectation is neat, but also more complex to understand.

Just my personal perspective tho, happy to go either way.

[Kludex]

The idea was to avoid the creation of two very similar tests. Do you think is clear if I create two tests instead?

[adriangb]

I think your way or combining an exception and non-exception test into 1 is the cleanest I've seen for that pattern, but if it's
only 2 tests and not 10 I also think making it more explicit would be nice

[Kludex]

I'm going to merge this.

Some things left unanswered:

• Deprecation policy, how do we proceed?
• Should we check if someone is using parts of Starlette without the Starlette application itself? i.e. if "app" in scope:.