Better error message for /indieauth/done

simonw · simonw · commit a400b8217f1e · 2020-11-17T19:45:43.000-08:00
Closes #17
diff --git a/datasette_indieauth/__init__.py b/datasette_indieauth/__init__.py
@@ -90,13 +90,13 @@ async def indieauth_page(request, datasette, status=200, error=None):
 async def indieauth_done(request, datasette):
     from datasette.utils.asgi import Response
 
-    state = request.args.get("state")
+    state = request.args.get("state") or ""
     code = request.args.get("code")
     try:
         state_bits = datasette.unsign(state, DATASETTE_INDIEAUTH_STATE)
     except itsdangerous.BadSignature:
         return await indieauth_page(
-            request, datasette, error="Invalid state returned by authorization server"
+            request, datasette, error="Invalid state", status=400
         )
     authorization_endpoint = state_bits["a"]
 
diff --git a/tests/test_indieauth.py b/tests/test_indieauth.py
@@ -213,3 +213,13 @@ async def test_indieauth_succeeds(httpx_mock, auth_response_body, expected_profi
         assert datasette.unsign(response.cookies["ds_actor"], "actor") == {
             "a": expected_actor
         }
+
+
+@pytest.mark.asyncio
+async def test_indieauth_done_no_params_error():
+    datasette = Datasette([], memory=True)
+    app = datasette.app()
+    async with httpx.AsyncClient(app=app) as client:
+        response = await client.get("http://localhost/-/indieauth/done")
+        assert response.status_code == 400
+        assert "Invalid state" in response.text
