Verify 401 responses are not tagged as errors (fixes #838) (#849)

mitchh456 · claude · web-flow · commit 4591d647803a · 2026-04-06T12:26:06.000-06:00
* Use Job.id property instead of removed get_id() method rq v2.7 refactored Job.id from `id = property(get_id, set_id)` to a `@property` decorator, removing get_id() as a callable method. Job.id has been available since rq v0.5.0 so this is backwards compatible. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Support FastMCP 3.x while maintaining 2.x backwards compatibility FastMCP 3.0 replaced private _call_tool_mcp()/_list_tools_mcp() with public call_tool()/list_tools() methods, and changed get_tool() to return None instead of raising when a tool is not found. - Update instrumentation to handle get_tool() returning None - Update tests with compat helpers that use the correct API based on the installed fastmcp version - Remove the fastmcp<3 version pin from tox.ini (no longer needed) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add test verifying 401 responses are not tagged as errors Adds a test endpoint returning 401 and a corresponding test that confirms Scout's Starlette/FastAPI middleware correctly tracks 401 Unauthorized responses without tagging them as errors. Only 5xx responses trigger the error tag, so a FastAPI OAuth2 empty bearer token rejection (which returns 401) is properly categorized as a client error, not a server error. Closes #838 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/tests/integration/test_starlette.py b/tests/integration/test_starlette.py
@@ -58,6 +58,9 @@ async def crash(request):
     async def return_error(request):
         return PlainTextResponse("Something went wrong", status_code=503)
 
+    async def return_unauthorized(request):
+        return PlainTextResponse("Unauthorized", status_code=401)
+
     async def background_jobs(request):
         def sync_noop():
             pass
@@ -85,6 +88,7 @@ async def __call__(self, scope, receive, send):
         Route("/sync-hello/", endpoint=SyncHelloEndpoint),
         Route("/crash/", endpoint=crash),
         Route("/return-error/", endpoint=return_error),
+        Route("/return-unauthorized/", endpoint=return_unauthorized),
         Route("/background-jobs/", endpoint=background_jobs),
         Route("/instance-app/", endpoint=InstanceApp()),
     ]
@@ -474,3 +478,31 @@ async def test_instance_app(tracked_requests):
         "Controller/tests.integration.test_starlette."
         + "app_with_scout.<locals>.InstanceApp"
     )
+
+
+@pytest.mark.asyncio
+async def test_return_unauthorized_not_tagged_as_error(tracked_requests):
+    """
+    Verify that a 401 Unauthorized response is tracked but NOT tagged as an
+    error. Only 5xx responses should be tagged as errors. This is the correct
+    behavior when, for example, a FastAPI OAuth2 dependency rejects an empty
+    bearer token: the 401 is a normal client error, not a server error.
+
+    See: https://github.com/scoutapp/scout_apm_python/issues/838
+    """
+    with app_with_scout() as app:
+        communicator = ApplicationCommunicator(
+            app, asgi_http_scope(path="/return-unauthorized/")
+        )
+        await communicator.send_input({"type": "http.request"})
+        response_start = await communicator.receive_output()
+        await communicator.receive_output()
+
+    assert response_start["type"] == "http.response.start"
+    assert response_start["status"] == 401
+    assert len(tracked_requests) == 1
+    tracked_request = tracked_requests[0]
+    assert len(tracked_request.complete_spans) == 1
+    assert tracked_request.tags["path"] == "/return-unauthorized/"
+    # 401 must NOT be tagged as an error — only 5xx responses are errors
+    assert "error" not in tracked_request.tags
