Bug: Missing required parameters returns KeyError (500) instead of InvalidRequestError (400)

[nycomp]

Bug Description

When required parameters are missing from POST requests, the API returns a 500 error with a KeyError instead of a proper 400 InvalidRequestError.

Location

• File: campus/flask_campus/utils.py:76-78
• Affected Routes: Various POST endpoints with required parameters

Error

KeyError: "Missing required parameters: ['scopes', 'expiry_seconds']"

This KeyError is raised from unpack_into() and propagates as a 500 error instead of being caught and converted to a 400 InvalidRequestError.

Root Cause

In flask_campus/utils.py, the unpack_into() function raises a bare KeyError when required parameters are missing:

if missing_params:
    raise (
        KeyError(f"Missing required parameters: {missing_params}")
    ) from None

This should raise api_errors.InvalidRequestError instead to return a proper 400 status code.

Steps to Reproduce

# POST /credentials/{provider}/{user_id} without required body
POST /auth/v1/credentials/campus/user@example.com
Content-Type: application/json
Authorization: Bearer <token>

{}  # Missing 'scopes' and 'expiry_seconds'

Expected Behavior

Should return 400 with InvalidRequestError:

{
  "error": "Missing required parameters: ['scopes', 'expiry_seconds']",
  "error_code": "INVALID_REQUEST"
}

Contract Test Blocked

• tests/contract/test_auth_credentials.py::TestAuthCredentialsContract::test_create_credentials_missing_fields_returns_400 is skipped due to this bug

Related

• Found during Phase 3 of integration test refactor
• HTTP contract test coverage expansion