400 Error when sending data to endpoint

[sjosegarcia]

So I followed the guide on setting up OAuth on my server. For some reason when I try to send data to this endpoint I get a 400 - Bad Request {"detail":"There was an error parsing the body"}. I have also tried with the swaggerUI authorize button.

The data:
{"username": email, "password": password}
When I print out the response headers:
{username: test@test.com, password: password, content-type: text/plain; charset=utf-8}

The code:

@login_router.post("/token", response_model=Token)
async def login_for_access_token(
    form_data: OAuth2PasswordRequestForm = Depends()
) -> dict:
    user = await authenticate_user(form_data.username, form_data.password)
    if not user:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect email or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    access_token_expires = timedelta(minutes=float(str(ACCESS_TOKEN_EXPIRE_MINUTES)))
    access_token = create_access_token(
        data={"sub": user.email, "scopes": form_data.scopes},
        expires_delta=access_token_expires,
    )
    return {"access_token": access_token, "token_type": "bearer"}

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
oauth2_scheme = OAuth2PasswordBearer(
    tokenUrl=f"{config.API_V1_STR}/token",
    scopes={"me": "Read information about the current user."},
)


def verify_password(plain_text_password: str, hashed_password: str) -> bool:
    """
    This function will verify the plain text password with the stored hash
    :param plain_text_password: The plain text password
    :param hashed_password: The hash password stored in the data
    :return: bool
    """
    return bool(pwd_context.verify(plain_text_password, hashed_password))


def get_password_hash(password: str) -> str:
    """
    This function will return the hash of a plain text password
    :param password: The password in plain text
    :return: Hash string
    """
    return str(pwd_context.hash(password))


async def get_user(email: str) -> Optional[UserInDB]:
    user = await get_user_by_email(email)
    if user:
        return UserInDB(**user.dict())
    return None


async def authenticate_user(email: str, password: str) -> Optional[UserInDB]:
    user = await get_user(email)
    if not user:
        return None
    if not verify_password(password, user.password):
        return None
    return user


def create_access_token(*, data: dict, expires_delta: timedelta = None) -> bytes:
    to_encode = data.copy()
    if expires_delta:
        expire = datetime.utcnow() + expires_delta
    else:
        expire = datetime.utcnow() + timedelta(minutes=15)
    to_encode.update({"exp": expire})
    encoded_jwt = jwt.encode(
        to_encode, str(PASSWORD_SECRET_KEY), algorithm=str(PASSWORD_ALGORITHM)
    )
    return encoded_jwt


async def get_current_user(
    security_scopes: SecurityScopes, token: str = Depends(oauth2_scheme)
) -> User:
    if security_scopes.scopes:
        authenticate_value = f'Bearer scope="{security_scopes.scope_str}"'
    else:
        authenticate_value = "Bearer"
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(
            token, str(PASSWORD_SECRET_KEY), algorithms=[PASSWORD_ALGORITHM]
        )
        email = payload.get("sub")
        if email is None:
            raise credentials_exception
        token_scopes = payload.get("scopes", [])
        token_data = TokenData(scopes=token_scopes, email=email)
    except (PyJWTError, ValidationError):
        raise credentials_exception
    user = await get_user(email=token_data.email)
    if user is None:
        raise credentials_exception
    for scope in security_scopes.scopes:
        if scope not in token_data.scopes:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail="Not enough permissions",
                headers={"WWW-Authenticate": authenticate_value},
            )
    return user


async def get_current_active_user(
    current_user: User = Security(get_current_user, scopes=["me"])
) -> User:
    if current_user.is_active:
        raise HTTPException(status_code=400, detail="Inactive user")
    return current_user

[Kludex]

You're probably trying to send the data through the body. You should be using the form-data fields. Let me know if this solved.

[sjosegarcia]

You're probably trying to send the data through the body. You should be using the form-data fields. Let me know if this solved.

I tried sending it with the form-data flag in the header, and I still got a 400 error. It's weird because I am also getting the error in when I try to process it in /docs endpoint.

[tomarv2]

@Kludex your setup looks nearly same as mine, I have been using it for a while now and it works, if you want to do a comparison, I have attached the gists here:

security.py: https://gist.github.com/tomarv2/37d48bf2d061df2ec542bab057e25d5e

/token function: https://gist.github.com/tomarv2/215ab907d304c1834dfa6f581393cdf7

[sjosegarcia]

@tomarv2 Yeah almost the same.
So I tried with these commands:
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d '{"username":"test@test.com","password":"something"}' http://localhost:8080/api/v1/token
curl -X POST -H 'Content-Type: application/json' -d '{"username":"test@test.com","password":"something"}' http://localhost:8080/api/v1/token
curl -X POST -H 'Content-Type: multipart/form-data' -d '{"username":"test@test.com","password":"something"}' http://localhost:8080/api/v1/token

I kept getting the same response.

[tomarv2]

@sjosegarcia so my endpoint looks like this: localhost:3000/token its not v1

[sjosegarcia]

@tomarv2 I was trying to hit my endpoint. I know my endpoint works since it sends a response back. But there is something in the request body that I am not getting correct.

[sjosegarcia]

Found the issue... so no one else goes through this headache please remember to install python-multipart = ">=0.0.5".

[Kludex]

I think there was a MR that makes this error more explicit. I don't remember if it was already merged on the recent versions or if it will be at some point. (In the day of this message we are at 0.58.1)

[rbracco]

This is still a problem, I just tripped over this today. I was handling requests on two nearly identical servers from the same frontend code. One was working and one was returning "400 Bad Request".

Thank you so much @sjosegarcia you are a hero. I never would've gotten out of this myself and you saved me hours of frustration.

[sherlocked27]

Thank you so much @sjosegarcia, I was debugging this for hours, you are a hero.

[tiangolo]

Thanks for the help here everyone! 👏 🙇

Thanks for reporting back and closing the issue 👍

[amzwrk]

@sjosegarcia Thank you! I literally spent the last 3 hours trying to solve this to no avail. I can't express how thankful I am! Sincerely Thank you!

!pip install python-multipart==0.0.5