Skip to content

Commit ad927b6

Browse files
dawidwolski-identtdawidwolski-identt
committed
Return HTTP 400 if no token is provided
1 parent d1a5bdf commit ad927b6

File tree

2 files changed

+9
-11
lines changed

2 files changed

+9
-11
lines changed

oauth2_provider/views/introspect.py

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
import hashlib
33

44
from django.core.exceptions import ObjectDoesNotExist
5-
from django.http import JsonResponse
5+
from django.http import JsonResponse, HttpResponseBadRequest
66
from django.utils.decorators import method_decorator
77
from django.views.decorators.csrf import csrf_exempt
88

@@ -33,8 +33,12 @@ def get_token_response(token_value=None):
3333
.objects.select_related("user", "application")
3434
.get(token_checksum=token_checksum)
3535
)
36-
except (AttributeError, ObjectDoesNotExist):
36+
except ObjectDoesNotExist:
3737
return JsonResponse({"active": False}, status=200)
38+
except AttributeError:
39+
return HttpResponseBadRequest(
40+
{"error": "invalid_request", "error_description": "Token parameter is missing."}
41+
)
3842
else:
3943
if token.is_valid():
4044
data = {

tests/test_introspection_view.py

Lines changed: 3 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -281,23 +281,17 @@ def test_view_post_notexisting_token(self):
281281

282282
def test_view_post_no_token(self):
283283
"""
284-
Test that when you pass an empty token as form parameter,
285-
a json with an inactive token state is provided
284+
Test that when you pass no token HTTP 400 is returned
286285
"""
287286
auth_headers = {
288287
"HTTP_AUTHORIZATION": "Bearer " + self.resource_server_token.token,
289288
}
290289
response = self.client.post(reverse("oauth2_provider:introspect"), **auth_headers)
291290

292-
self.assertEqual(response.status_code, 200)
291+
self.assertEqual(response.status_code, 400)
293292
content = response.json()
294293
self.assertIsInstance(content, dict)
295-
self.assertDictEqual(
296-
content,
297-
{
298-
"active": False,
299-
},
300-
)
294+
self.assertEqual(content["error"], "invalid_request")
301295

302296
def test_view_post_valid_client_creds_basic_auth(self):
303297
"""Test HTTP basic auth working"""

0 commit comments

Comments
 (0)