Return 400 instead of 404 for bad token

app/controllers/users_controller.rb

@@ -1122,7 +1122,7 @@ class UsersController < ApplicationController
     if params[:token_id]
       token = UserAuthToken.find_by(id: params[:token_id], user_id: user.id)
       # The user should not be able to revoke the auth token of current session.
-      raise Discourse::NotFound if guardian.auth_token == token.auth_token
+      raise Discourse::InvalidParameters.new(:token_id) if guardian.auth_token == token.auth_token
       UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)
     else
       UserAuthToken.where(user_id: user.id).each(&:destroy!)

lib/guardian.rb

@@ -382,10 +382,9 @@ class Guardian
   end
 
   def auth_token
-    return nil if !request&.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
-
-    cookie = request.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
-    UserAuthToken.hash_token(cookie)
+    if cookie = request&.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
+      UserAuthToken.hash_token(cookie)
+    end
   end
 
   private

spec/requests/users_controller_spec.rb

@@ -3287,7 +3287,7 @@ describe UsersController do
 
         post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: token.id }
 
-        expect(response.status).to eq(404)
+        expect(response.status).to eq(400)
       end
 
       it 'logs user out from everywhere if token_id is not present' do