Fix: AttributeError in IntrospectTokenView when token not provided (#1562)

dawidwolski-identt · pre-commit-ci[bot] · dopry · web-flow · commit 1c2d99673169 · 2025-08-12T12:08:38.000-04:00
When token is not provided explicitly respond  with a 400 status and properly structured JSON error. Before this a 500 was being returned for an unhandled exception. 

---------
Co-authored-by: pre-commit-ci[bot] &lt;66853113+pre-commit-ci[bot]@users.noreply.github.com&gt;
Co-authored-by: Darrel O'Pry &lt;darrel.opry@spry-group.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1512 client_secret not marked sensitive
 * #1521 Fix 0012 migration loading access token table into memory
 * #1584 Fix IDP container in docker compose environment could not find templates and static files.
+* #1562 Fix: Handle AttributeError in IntrospectTokenView
 <!--
 ### Security
 -->
diff --git a/oauth2_provider/views/introspect.py b/oauth2_provider/views/introspect.py
@@ -26,6 +26,11 @@ class IntrospectTokenView(ClientProtectedScopedResourceView):
 
     @staticmethod
     def get_token_response(token_value=None):
+        if token_value is None:
+            return JsonResponse(
+                {"error": "invalid_request", "error_description": "Token parameter is missing."},
+                status=400,
+            )
         try:
             token_checksum = hashlib.sha256(token_value.encode("utf-8")).hexdigest()
             token = (
diff --git a/tests/test_introspection_view.py b/tests/test_introspection_view.py
@@ -279,6 +279,20 @@ def test_view_post_notexisting_token(self):
             },
         )
 
+    def test_view_post_no_token(self):
+        """
+        Test that when you pass no token HTTP 400 is returned
+        """
+        auth_headers = {
+            "HTTP_AUTHORIZATION": "Bearer " + self.resource_server_token.token,
+        }
+        response = self.client.post(reverse("oauth2_provider:introspect"), **auth_headers)
+
+        self.assertEqual(response.status_code, 400)
+        content = response.json()
+        self.assertIsInstance(content, dict)
+        self.assertEqual(content["error"], "invalid_request")
+
     def test_view_post_valid_client_creds_basic_auth(self):
         """Test HTTP basic auth working"""
         auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
diff --git a/tox.ini b/tox.ini
@@ -5,10 +5,10 @@ envlist =
     docs,
     lint,
     sphinxlint,
-    py{38,39,310,311,312}-dj42,
-    py{310,311,312}-dj50,
-    py{310,311,312}-dj51,
-    py{310,311,312}-djmain,
+    py{38,39,310,311,312,313}-dj42,
+    py{310,311,312,313}-dj50,
+    py{310,311,312,313}-dj51,
+    py{310,311,312,313}-djmain,
     py39-multi-db-dj-42
 
 [gh-actions]
@@ -18,6 +18,7 @@ python =
     3.10: py310
     3.11: py311
     3.12: py312
+    3.13: py313
 
 [gh-actions:env]
 DJANGO =
@@ -54,7 +55,7 @@ deps =
 passenv =
     PYTEST_ADDOPTS
 
-[testenv:py{310,311,312}-djmain]
+[testenv:py{310,311,312,313}-djmain]
 ignore_errors = true
 ignore_outcome = true
 
