add error handler that catches invalid tokens, and returns 404

app/__init__.py

@@ -5,6 +5,7 @@ from time import monotonic
 
 import itertools
 import ago
+from itsdangerous import BadSignature
 from flask import (
     Flask,
     session,
@@ -13,7 +14,8 @@ from flask import (
     current_app,
     request,
     g,
-    url_for
+    url_for,
+    flash
 )
 from flask._compat import string_types
 from flask.globals import _lookup_req_object, _request_ctx_stack
@@ -492,6 +494,12 @@ def register_errorhandlers(application):
             raise error
         return _error_response(500)
 
+    @application.errorhandler(BadSignature)
+    def handle_bad_token(error):
+        # if someone has a malformed token
+        flash('There’s something wrong with the link you’ve used.')
+        return _error_response(404)
+
 
 def setup_event_handlers():
     from flask_login import user_logged_in

tests/app/main/test_errorhandlers.py

@@ -1,3 +1,4 @@
+import pytest
 from bs4 import BeautifulSoup
 
 
@@ -6,3 +7,19 @@ def test_bad_url_returns_page_not_found(client):
     assert response.status_code == 404
     page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
     assert page.h1.string.strip() == 'Page could not be found'
+
+
+@pytest.mark.parametrize('url', [
+    '/invitation/MALFORMED_TOKEN',
+    '/new-password/MALFORMED_TOKEN',
+    '/user-profile/email/confirm/MALFORMED_TOKEN',
+    '/verify-email/MALFORMED_TOKEN'
+])
+def test_malformed_token_returns_page_not_found(client, url):
+    response = client.get(url)
+
+    assert response.status_code == 404
+    page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
+    assert page.h1.string.strip() == 'Page could not be found'
+    flash_banner = page.find('div', class_='banner-dangerous').string.strip()
+    assert flash_banner == "There’s something wrong with the link you’ve used."