fix(bedrock): don't raise KeyError when signing requests lacking a connection header#1741
Open
sean-kim05 wants to merge 1 commit into
Open
Conversation
…nnection header `get_auth_headers` stripped the `connection` header before SigV4 signing via `del headers["connection"]`, which raises `KeyError` when the request has no Connection header. HTTP/2 forbids the Connection header entirely, and custom transports may omit it, so `request.headers` can legitimately lack it — signing then crashes before the request is ever sent. Filter the header out instead of deleting it, matching the sibling `aws/_auth.py` implementation so both auth paths strip `connection` the same safe way.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AnthropicBedrock's SigV4 signer raisesKeyError: 'connection'when the outgoing request has noConnectionheader.get_auth_headersinsrc/anthropic/lib/bedrock/_auth.pystrips the connection header before signing (it may be altered by proxies, so it must not be part of the signature) via:httpx.Headers.__delitem__raisesKeyErrorwhen the key is absent. A request can legitimately lack aConnectionheader:Connectionheader is not used in HTTP/2, so a client created withhttp2=Trueproduces requests without it.In those cases signing crashes before the request is ever sent.
Fix
Filter the header out instead of deleting it, so an absent header is a no-op. This mirrors the sibling
aws/_auth.pyimplementation, which already stripsconnectionthis way — now both AWS auth paths handle it identically:Testing
Added two tests in
tests/lib/test_bedrock.py:test_get_auth_headers_without_connection_header— signing succeeds when noconnectionheader is present (fails withKeyErrorbefore this fix).test_get_auth_headers_strips_connection_header— regression guard thatconnectionis still excluded fromSignedHeaders.Verified RED (
KeyError: 'connection'at_auth.py:60) → GREEN. Fulltest_bedrock.py+test_aws_auth.py+test_aws.pypass (113 tests);./scripts/lintclean (ruff + pyright + mypy).