Basic auth crash: ValueError auth_header.split() → write_error exception #1499

@JrDuComptoirDesPharmacies

Description

Describe the bug
Flower crashes with ValueError: not enough values to unpack (expected 2, got 0) in get_current_user() when Authorization header is missing or empty. The crash occurs during write_error() handling, producing noisy stack traces.

To Reproduce

  1. Start Flower with basic auth: flower --basic-auth=user:pass
  2. Send request without Authorization: curl http://localhost:5555/
  3. Check logs → crash.

Full repro

docker run -p 5555:5555 -e FLOWER_BASIC_AUTH=user:pass mher/flower:latest celery -A celery flower
curl http://localhost:5555/

Expected behavior
Return clean 401 Unauthorized without Python exceptions. Health checks (ALB, Kubernetes, Datadog) without auth should not crash the server.

Current behavior

  File "flower/views/__init__.py", line 71, in get_current_user
    basic, credentials = auth_header.split()
ValueError: not enough values to unpack (expected 2, got 0)

During handling → tornado.web.HTTPError → write_error crash
"Uncaught exception in write_error"

Root cause
auth_header = self.request.headers.get("Authorization", "")  # ""
basic, credentials = auth_header.split()  # CRASH

Proposed fix

auth_header = self.request.headers.get("Authorization", "")
if not auth_header or not auth_header.strip():
    raise tornado.web.HTTPError(401, "Missing Authorization header")

try:
    basic, credentials = auth_header.split()
except ValueError:
    raise tornado.web.HTTPError(401, "Invalid Authorization header")

Impact

  • Noisy logs (Datadog, CloudWatch).
  • Health checks crash Flower server.
  • Affects all basic_auth deployments (Airflow, Celery).

System information
Flower: 2.0.1 (via Airflow 2.9.0)
Tornado: 6.4.2
Python: 3.12
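
Added example, not Flower's code and not part of the original report: a stdlib-only parser for the Authorization header that returns None for every malformed form, so a handler can answer 401 without raising. It goes beyond the empty-header case reported here; the names parse_basic_auth, status_for, b64 and the sample headers are constructed for illustration.

```python
import base64
import binascii
import hmac


def parse_basic_auth(header):
    """Return (user, password), or None for any missing/malformed header."""
    if not header or not header.strip():
        return None  # missing or blank header: the case reported in this issue
    parts = header.split()
    if len(parts) != 2:
        return None  # "Basic" alone, or extra tokens
    scheme, token = parts
    if scheme.lower() != "basic":
        return None  # some other scheme, e.g. Bearer
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or not UTF-8 once decoded
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None  # no colon means no credentials


def status_for(header, expected_user, expected_password):
    """Map a raw header to the HTTP status a handler would answer with."""
    creds = parse_basic_auth(header)
    if creds is None:
        return 401
    # Constant-time comparison; evaluate both so timing does not show which failed.
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return 200 if user_ok and pass_ok else 401


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample headers (not taken from any real deployment).
SAMPLES = ["", "   ", "Basic", "Basic a b", "Bearer abc", "Basic !!!",
           "Basic //4=", "Basic " + b64("nocolon"),
           "Basic " + b64("user:wrong"), "Basic " + b64("user:pass")]

if __name__ == "__main__":
    for h in SAMPLES:
        print(repr(h), "->", status_for(h, "user", "pass"))
```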
