Jump to solution
Verify

starlette Authentication middleware IndexError on instance method (Fix)

Fixed
Spec
Package
starlette
Fixed In
0.17.1
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.28
#1334 ai auth Idempotency Violation Updated: 2026-02-13
Issue #1334

The Fix

Upgrade to version 0.17.1 or later.

Based on closed Kludex/starlette issue #1334 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit
@@ -40,7 +40,9 @@ def decorator(func: typing.Callable) -> typing.Callable: *args: typing.Any, **kwargs: typing.Any ) -> None: - websocket = kwargs.get("websocket", args[idx] if args else None) + websocket = kwargs.get( + "websocket", args[idx] if idx < len(args) else None
repro.py
import typing from fastapi import APIRouter, FastAPI from starlette.authentication import AuthCredentials, AuthenticationBackend, requires, SimpleUser, BaseUser from starlette.requests import HTTPConnection, Request from starlette.middleware.authentication import AuthenticationMiddleware class AuthBackend(AuthenticationBackend): async def authenticate(self, conn: HTTPConnection) -> typing.Optional[typing.Tuple["AuthCredentials", "BaseUser"]]: return AuthCredentials(["TheScope"]), SimpleUser("TheUser)") app = FastAPI() app.add_middleware(AuthenticationMiddleware, backend=AuthBackend()) class Main: @requires("TheScope") def some_route(self, request: Request): return {'hello': 'world'} main = Main() router = APIRouter() router.add_api_route('/', main.some_route, methods=['GET']) app.include_router(router) # Finally, call GET '/'
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.17.1 or later.\nWhen NOT to use: This fix is not applicable if the authentication logic does not use args and kwargs.\n\n

Why This Fix Works in Production

  • Trigger: ERROR:uvicorn.error:Exception in ASGI application
  • Mechanism: IndexError occurs due to accessing an index in args that is out of range
  • Why the fix works: Adds a length check for authentication args to prevent IndexError when both args and kwargs are specified. (first fixed release: 0.17.1).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • IndexError occurs due to accessing an index in args that is out of range
  • Surfaces as: ERROR:uvicorn.error:Exception in ASGI application

Proof / Evidence

  • GitHub issue: #1334
  • Fix PR: https://github.com/kludex/starlette/pull/1335
  • First fixed release: 0.17.1
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.28

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“> It is not easily possible to create a reproduction example due to our custom wrapper around FastAPI. Implementing this fix does fix the problem…”
@Kludex · 2021-11-15 · repro detail · source
“This example reproduces the problem we run into. It uses fastapi = "0.70.0". GET of the endpoint reproduces the problem.”
@LarsStegman · 2021-11-15 · source

Failure Signature (Search String)

  • ERROR:uvicorn.error:Exception in ASGI application

Error Message

Stack trace
error.txt
Error Message ------------- ERROR:uvicorn.error:Exception in ASGI application Traceback (most recent call last): File "C:\Users\<path-to-virtual-env>\lib\site-packages\uvicorn\protocols\http\h11_impl.py", line 394, in run_asgi result = await app(self.scope, self.receive, self.send) File "C:\Users\<path-to-virtual-env>\lib\site-packages\uvicorn\middleware\proxy_headers.py", line 45, in __call__ return await self.app(scope, receive, send) File "C:\Users\<path-to-virtual-env>\lib\site-packages\allseas_api\api.py", line 63, in __call__ await self._fast_api.__call__(scope, receive, send) File "C:\Users\<path-to-virtual-env>\lib\site-packages\fastapi\applications.py", line 179, in __call__ await super().__call__(scope, receive, send) File "C:\Users\<path-to-virtual-env>\lib\site-packages\starlette\applications.py", line 111, in __call__ await self.middleware_stack(scope, receive, send) File "C:\Users\<path-to-virtual-env>\lib\site-packages\starlette\middleware\errors.py", line 181, in __call__ raise exc from None File "C:\Users\<path-to-virtual-env>\lib\site-packages\starlette\middleware\errors.py", line 159, in __call__ await self.app(scope, receive, _send) File "C:\Users\<path-to-virtual-env>\lib\site-packages\starlette\middleware\gzip.py", line 18, in __call__ await responder(scope, receive, send) File "C:\Users\<path-to-virtual-env>\lib\site-packages\starlet ... (truncated) ...

Minimal Reproduction

repro.py
import typing from fastapi import APIRouter, FastAPI from starlette.authentication import AuthCredentials, AuthenticationBackend, requires, SimpleUser, BaseUser from starlette.requests import HTTPConnection, Request from starlette.middleware.authentication import AuthenticationMiddleware class AuthBackend(AuthenticationBackend): async def authenticate(self, conn: HTTPConnection) -> typing.Optional[typing.Tuple["AuthCredentials", "BaseUser"]]: return AuthCredentials(["TheScope"]), SimpleUser("TheUser)") app = FastAPI() app.add_middleware(AuthenticationMiddleware, backend=AuthBackend()) class Main: @requires("TheScope") def some_route(self, request: Request): return {'hello': 'world'} main = Main() router = APIRouter() router.add_api_route('/', main.some_route, methods=['GET']) app.include_router(router) # Finally, call GET '/'

What Broke

Endpoints fail with IndexError when authentication middleware is applied.

Why It Broke

IndexError occurs due to accessing an index in args that is out of range

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

Upgrade to version 0.17.1 or later.

When NOT to use: This fix is not applicable if the authentication logic does not use args and kwargs.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/kludex/starlette/pull/1335

First fixed release: 0.17.1

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix is not applicable if the authentication logic does not use args and kwargs.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
  • Pin production dependencies and upgrade only with a reproducible test that hits the failing path.

Version Compatibility Table

VersionStatus
0.17.1 Fixed

Related Issues

No related fixes found.

Cluster: starlette:configuration-error All hubs All clusters
Related clusters: Data consistency SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #1334. Not affiliated with the library maintainers. Verify before production use.