Return HTTP 400 if no token is provided

dawidwolski-identt · dopry · commit c0bc4b5c2663 · 2025-06-27T22:34:01.000-04:00
diff --git a/oauth2_provider/views/introspect.py b/oauth2_provider/views/introspect.py
@@ -2,7 +2,7 @@
 import hashlib
 
 from django.core.exceptions import ObjectDoesNotExist
-from django.http import JsonResponse
+from django.http import JsonResponse, HttpResponseBadRequest
 from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import csrf_exempt
 
@@ -33,8 +33,12 @@ def get_token_response(token_value=None):
                 .objects.select_related("user", "application")
                 .get(token_checksum=token_checksum)
             )
-        except (AttributeError, ObjectDoesNotExist):
+        except ObjectDoesNotExist:
             return JsonResponse({"active": False}, status=200)
+        except AttributeError:
+            return HttpResponseBadRequest(
+                {"error": "invalid_request", "error_description": "Token parameter is missing."}
+            )
         else:
             if token.is_valid():
                 data = {
diff --git a/tests/test_introspection_view.py b/tests/test_introspection_view.py
@@ -281,23 +281,17 @@ def test_view_post_notexisting_token(self):
 
     def test_view_post_no_token(self):
         """
-        Test that when you pass an empty token as form parameter,
-        a json with an inactive token state is provided
+        Test that when you pass no token HTTP 400 is returned
         """
         auth_headers = {
             "HTTP_AUTHORIZATION": "Bearer " + self.resource_server_token.token,
         }
         response = self.client.post(reverse("oauth2_provider:introspect"), **auth_headers)
 
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, 400)
         content = response.json()
         self.assertIsInstance(content, dict)
-        self.assertDictEqual(
-            content,
-            {
-                "active": False,
-            },
-        )
+        self.assertEqual(content["error"], "invalid_request")
 
     def test_view_post_valid_client_creds_basic_auth(self):
         """Test HTTP basic auth working"""
