From c969ffc0d61b475aa9f1cb5511edf8218d1a44ca Mon Sep 17 00:00:00 2001
From: Michael Manfre
Date: Fri, 23 Dec 2022 23:17:13 -0500
Subject: [PATCH] Ensure OAuth views are provided expected inputs (#246)

Thanks for the report Jochen!
---
 api/views/oauth.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/api/views/oauth.py b/api/views/oauth.py
index 9101297..56caa3c 100644
--- a/api/views/oauth.py
+++ b/api/views/oauth.py
@@ -79,7 +79,13 @@ class AuthorizationView(LoginRequiredMixin, TemplateView):
 class TokenView(View):
     def post(self, request):
         post_data = FormOrJsonParser().parse_body(request)
-        grant_type = post_data["grant_type"]
+
+        grant_type = post_data.get("grant_type")
+        if grant_type not in (
+            "authorization_code",
+            "client_credentials",
+        ):
+            return JsonResponse({"error": "invalid_grant_type"}, status=400)
 
         try:
             application = Application.objects.get(client_id=post_data["client_id"])
@@ -89,7 +95,9 @@ class TokenView(View):
         if grant_type == "client_credentials":
             return JsonResponse({"error": "invalid_grant_type"}, status=400)
         elif grant_type == "authorization_code":
-            code = post_data["code"]
+            code = post_data.get("code")
+            if not code:
+                return JsonResponse({"error": "invalid_code"}, status=400)
             # Retrieve the token by code
             # TODO: Check code expiry based on created date
             try:
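Review bot: The first hunk still reads `post_data["client_id"]` with a raw subscript on the context line inside `try:`, so a token request missing `client_id` keeps raising KeyError the same way the missing `grant_type` and `code` did before this commit; the `except` clause for that block is outside the hunk, so whether it catches KeyError rather than only `Application.DoesNotExist` cannot be seen here. The same `.get()`-then-guard shape the commit uses for `grant_type` and `code` would close it: `client_id = post_data.get("client_id")`, `if not client_id: return JsonResponse({"error": "invalid_request"}, status=400)`, then `Application.objects.get(client_id=client_id)`. As a secondary point on both hunks, the new error strings `invalid_grant_type` and `invalid_code` are not the RFC 6749 §5.2 codes (`unsupported_grant_type` / `invalid_request` for a missing parameter, `invalid_grant` for a bad code); the first one mirrors the pre-existing string in the second hunk, so if clients already depend on these names a comment noting the deviation, `# NOTE: non-standard OAuth error codes kept for client compatibility`, would help the next reader. `TokenView.post` continues past the end of the second hunk.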