From a1c912b63092c8b50b9a08e153073f260889fcf3 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 12 Oct 2018 10:51:41 +1100
Subject: [PATCH] Return 400 instead of 404 for bad token
---
app/controllers/users_controller.rb | 2 +-
lib/guardian.rb | 7 +++----
spec/requests/users_controller_spec.rb | 2 +-
3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 1c5ad6a7011..8570540d5c2 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1122,7 +1122,7 @@ class UsersController < ApplicationController
 if params[:token_id]
 token = UserAuthToken.find_by(id: params[:token_id], user_id: user.id)
 # The user should not be able to revoke the auth token of current session.
- raise Discourse::NotFound if guardian.auth_token == token.auth_token
+ raise Discourse::InvalidParameters.new(:token_id) if guardian.auth_token == token.auth_token
 UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)
 else
 UserAuthToken.where(user_id: user.id).each(&:destroy!)
diff --git a/lib/guardian.rb b/lib/guardian.rb
index ca51129055a..0f8d5689b2d 100644
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@@ -382,10 +382,9 @@ class Guardian
 end
 def auth_token
- return nil if !request&.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
-
- cookie = request.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
- UserAuthToken.hash_token(cookie)
+ if cookie = request&.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
+ UserAuthToken.hash_token(cookie)
+ end
 end
 private
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 210170ad770..e64044ac071 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
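Review bot: The changed line still dereferences `token` without checking that `find_by` found a row, so a `token_id` that does not exist or belongs to another user raises NoMethodError on `token.auth_token` and surfaces as a 500 rather than the 400 this commit is aiming for. Folding the nil case into the same guard keeps the status consistent: `raise Discourse::InvalidParameters.new(:token_id) if token.nil? || guardian.auth_token == token.auth_token`. Since `guardian.auth_token` is nil for a request without the session cookie (see the guardian.rb hunk), the comparison only protects cookie-backed sessions, which appears intended; the missing-token case is the remaining gap. The enclosing action starts and ends outside the hunk.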
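Review bot: The safe navigation in `request&.cookies[...]` guards only the `.cookies` call; when `request` is nil the `[]` is still sent to nil and raises NoMethodError, so the new condition does not actually tolerate a missing request (the removed line had the same shape, so this is pre-existing, but it is what the `&.` reads as protecting against). The assignment inside the `if` is also flagged by RuboCop's Lint/AssignmentInCondition and is easy to misread as `==`; the body is clearer as `return nil unless request`, `cookie = request.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]`, `UserAuthToken.hash_token(cookie) if cookie`. A short comment above the method would help the callers that compare against its result: `# Hash of the current request's auth-token cookie, or nil when there is no request or no cookie.` The `end` and `private` context lines belong to the enclosing class body, which continues outside the hunk.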
@@ -3287,7 +3287,7 @@ describe UsersController do
 post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: token.id }
- expect(response.status).to eq(404)
+ expect(response.status).to eq(400)
 end
 it 'logs user out from everywhere if token_id is not present' do
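Review bot: The updated assertion checks only the response status, so a regression in which the controller returns 400 but still reaches the `UserAuthToken.where(...).each(&:destroy!)` line that follows the guard would not be caught. Add a check that the session token survives the rejected request, e.g. `expect(UserAuthToken.where(id: token.id).exists?).to eq(true)` after the status expectation. The `it` block this expectation lives in starts before the hunk.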