Werkzeug 2.3 incompatibility: AttributeError: 'NoneType' object has no attribute 'lower'

[jomo]

I set up an ihatemoney instance using the latest ihatemoney/ihatemoney Docker container as described in https://ihatemoney.readthedocs.io/en/latest/installation.html#with-docker.

After scanning the invite QR code using the MoneyBuster app, the server returned a server error.

ERROR [ihatemoney.run] Exception on /api/projects/example [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 489, in wrapper
    resp = resource(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
  File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 604, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/src/ihatemoney/api/common.py", line 26, in wrapper
    if auth and project_id and auth.username.lower() == project_id:

---

The problem is this line:

ihatemoney/ihatemoney/api/common.py

Lines 21 to 26 in 76e8b3b

	def wrapper(*args, **kwargs):
	auth = request.authorization
	project_id = kwargs.get("project_id").lower()
	# Use Basic Auth
	if auth and project_id and auth.username.lower() == project_id:

From https://flask.palletsprojects.com/en/3.0.x/api/#flask.Request.authorization:

Changed in version 2.3: Authorization is no longer a dict.

In the current version of the application request.authorization returns the Bearer xxxxxxx value, making it truthy but leaving username undefined.

[almet]

What's weird is that we're specifically asking for Werkzeug version to be < 2.3 in pyproject.toml

ihatemoney/pyproject.toml

Lines 40 to 43 in 76e8b3b

	"Flask-WTF>=0.14.3,<2",
	"WTForms>=2.3.1,<3.2",
	"Flask>=2,<3",
	"Werkzeug>=2,<3",

I'm not sure why Docker doesn't follow these rules.

[zorun]

We ask for Werkzeug < 3, so it's consistent to end up with 2.3, this was the whole point of #1244. I guess we need more tests...

Annoying, I had included this seemingly minor update in the stable-6.1 branch. We will need to make one more bugfix release!

[almet]

Sorry for the noise, you're correct. I probably read whatever I wanted to read. Pfiuuu.

[zorun]

I have reverted the Flask/Werkzeug update in stable-6.1 and made a new backport release 6.1.3, hopefully there should be no more regression there!

It means we have more time to figure this out. But please add a test for this regression :)