Add tests for /revoke validation

Author: praboud-ant

src/mcp/server/auth/handlers/revoke.py

@@ -4,6 +4,7 @@
 Corresponds to TypeScript file: src/server/auth/handlers/revoke.ts
 """
 
+from tokenize import Token
 from typing import Callable
 
 from pydantic import ValidationError
@@ -12,12 +13,15 @@
 
 from mcp.server.auth.errors import (
     InvalidRequestError,
+    stringify_pydantic_error,
 )
 from mcp.server.auth.middleware.client_auth import (
     ClientAuthenticator,
     ClientAuthRequest,
 )
 from mcp.server.auth.provider import OAuthServerProvider, OAuthTokenRevocationRequest
+from mcp.server.auth.json_response import PydanticJSONResponse
+from mcp.shared.auth import TokenErrorResponse
 
 
 class RevocationRequest(OAuthTokenRevocationRequest, ClientAuthRequest):
@@ -35,7 +39,10 @@ async def revocation_handler(request: Request) -> Response:
             form_data = await request.form()
             revocation_request = RevocationRequest.model_validate(dict(form_data))
         except ValidationError as e:
-            raise InvalidRequestError(f"Invalid request body: {e}")
+            return PydanticJSONResponse(status_code=400,content=TokenErrorResponse(
+                error="invalid_request",
+                error_description=stringify_pydantic_error(e)
+            ))
 
         # Authenticate client
         client_auth_result = await client_authenticator(revocation_request)

tests/server/fastmcp/auth/test_auth_integration.py

@@ -887,6 +887,37 @@ async def test_authorization_get(
         assert await mock_oauth_provider.load_access_token(
             new_token_response["access_token"]
         ) is None
+    @pytest.mark.anyio
+    async def test_revoke_invalid_token(self, test_client, registered_client):
+        """Test revoking an invalid token."""
+        response = await test_client.post(
+            "/revoke",
+            data={
+                "client_id": registered_client["client_id"],
+                "client_secret": registered_client["client_secret"],
+                "token": "invalid_token",
+            },
+        )
+        # per RFC, this should return 200 even if the token is invalid
+        assert response.status_code == 200
+    @pytest.mark.anyio
+    async def test_revoke_with_malformed_token(self, test_client, registered_client):
+        response = await test_client.post(
+            "/revoke",
+            data={
+                "client_id": registered_client["client_id"],
+                "client_secret": registered_client["client_secret"],
+                "token": 123,
+                "token_type_hint": "asdf"
+            },
+        )
+        assert response.status_code == 400
+        error_response = response.json()
+        assert error_response["error"] == "invalid_request"
+        assert "token_type_hint" in error_response["error_description"]
+    
+
+    
 
 
 class TestFastMCPWithAuth: