[litestar] AnnotedValue partition error

[0asys]

How do you use Sentry?

Sentry Saas (sentry.io)

Version

2.39.0

Steps to Reproduce

1. Enable litestar sentry sdk integration
2. Throw error and is catched by the sentry sdk
3. JWT authentication breaks

Error in JWT autentication, after an exception thrown and catched by the litestar sentry sdk integration:

Traceback (most recent call last):
  File "litestar/middleware/_internal/exceptions/middleware.py", line 158, in __call__
    await self.app(scope, receive, capture_response_started)
  File "litestar/_asgi/asgi_router.py", line 100, in __call__
    await asgi_app(scope, receive, send)
  File "litestar/middleware/authentication.py", line 87, in __call__
    auth_result = await self.authenticate_request(ASGIConnection(scope))
  File "litestar/security/jwt/middleware.py", line 267, in authenticate_request
    encoded_token = auth_header.partition(" ")[-1]
AttributeError: 'AnnotatedValue' object has no attribute 'partition'

I suspect the sentry sdk replaces some values AnnotatedValue and this leads to an error in the JWT auth of the litestar framework here:

https://github.com/litestar-org/litestar/blob/a733629e86a302a957d8ebb58df30ba4cf3ecf3d/litestar/security/jwt/middleware.py#L268

        auth_header = connection.headers.get(self.auth_header) or connection.cookies.get(self.auth_cookie_key)
        if not auth_header:
            raise NotAuthorizedException("No JWT token found in request header or cookies")
        encoded_token = auth_header.partition(" ")[-1]
        return await self.authenticate_token(encoded_token=encoded_token, connection=connection)

The litestar framework suggests this is a bug that has to be fixed in sentry sdk:
litestar-org/litestar#3853

Expected Result

Sentry SDK integration does not break JWT authentication middleware.
No exception for an AnnotatedValue is thrown.

Actual Result

Sentry SDK for litestar breaks the JWT authentication middleware.

[linear]

PY-1871

[alexander-alderman-webb]

Hi @0asys,

Thank you for the report. I am able to reproduce your issue quite easily just following documentation pages from litestar. For reference, I have the setup below, and encounter the problem when running

curl -X POST http://127.0.0.1:8000/login \
-H "Content-Type: application/json" \
-d '{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "email": "user@example.com",
  "name": "Alex"
}' -i

and then using the printed token I run the following twice:

curl -X GET "http://127.0.0.1:8000/some-path" -b "password=Bearer <token>"

There is possibly some caching involved, so only the second fails for me with the error you described. In any case we should not mutate the cookies since this clearly breaks users of litestar.

import sentry_sdk
from sentry_sdk.integrations.litestar import LitestarIntegration

import logging
from os import environ
from typing import Any
from uuid import UUID

from pydantic import BaseModel, EmailStr

from litestar import Litestar, get, post, Request, Response
from litestar.connection import ASGIConnection
from litestar.openapi.config import OpenAPIConfig
from litestar.security.jwt import JWTCookieAuth, Token

import uvicorn

sentry_sdk.init(
    dsn="...",
    integrations=[LitestarIntegration()],
    send_default_pii=True,
    debug=True,
    traces_sample_rate=1.0,
)

class User(BaseModel):
    id: UUID
    name: str
    email: EmailStr

MOCK_DB: dict[str, User] = {}

async def retrieve_user_handler(token: Token, connection: "ASGIConnection[Any, Any, Any, Any]") -> User | None:
    return MOCK_DB.get(token.sub)

jwt_auth = JWTCookieAuth[User](
    retrieve_user_handler=retrieve_user_handler,
    token_secret=environ.get("JWT_SECRET", "secret"),
    exclude=["/login", "/schema"],
    key="password"
)

@post("/login")
async def login_handler(data: User) -> Response[User]:
    MOCK_DB[str(data.id)] = data
    # you can do whatever you want to update the response instance here
    # e.g. response.set_cookie(...)
    logging.error("value")
    return jwt_auth.login(identifier=str(data.id), token_extras={"email": data.email}, response_body=data)


# We also have some other routes, for example:
@get("/some-path")
async def some_route_handler(request: "Request[User, Token, Any]") -> Any:    
    logging.error("error")


openapi_config = OpenAPIConfig(
    title="My API",
    version="1.0.0",
)

app = Litestar(
    route_handlers=[login_handler, some_route_handler],
    on_app_init=[jwt_auth.on_app_init],
    openapi_config=openapi_config,
)

if __name__ == "__main__":
    uvicorn.run('sample_app:app', host="127.0.0.1", log_level="info", reload=True)