fix(submission): handle missing xml file with digest authentication DEV-1038 (#6428)

### 📣 Summary
Prevent server errors when clients using Digest authentication send
empty submission requests to the openrosa `/<username>/submission`
endpoint.

### 📖 Description
Previously, when a client (such as curl using --digest) attempted to
submit to `https://kobocat/<username>/submission` for a form that does
not allow anonymous submissions, the first unauthenticated request in
the Digest handshake was accepted by the view.

Because this initial request contained no body and no authentication
header, the view attempted to read a `None` file instance, leading to:

```
AttributeError: 'NoneType' object has no attribute 'read'
```
This caused a 500 error before the client’s second (authenticated)
request could be processed.

This PR adds a validation to check whether `xml_file` is missing or
empty. When this happens, the server now fails fast with a proper
`OpenRosaResponseBadRequest (400)` and a clear, informative error
message.

Author: rajpatel24

kobo/apps/openrosa/apps/api/tests/viewsets/test_xform_submission_api.py

@@ -921,6 +921,40 @@ def test_submission_data_collector(self):
                     f'http://testserver/collector/{dc.token}/submission',
                 )
 
+    def test_digest_auth_allows_submission_on_username_endpoint(self):
+        """
+        Test that Digest authentication works correctly on the
+        `/<username>/submission` endpoint when the xform requires auth
+        """
+        username = self.user.username
+
+        # Ensure that POST to `/<username>/submission` fails without auth
+        request = self.factory.post(f'/{username}/submission')
+        response = self.view(request, username=username)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+        # Ensure that POST to `/<username>/submission` with Digest auth
+        s = self.surveys[0]
+        submission_path = os.path.join(
+            self.main_directory, 'fixtures',
+            'transportation', 'instances', s, s + '.xml'
+        )
+        with open(submission_path) as sf:
+            request = self.factory.post(f'/{username}/submission', data={})
+            response = self.view(request, username=username)
+            self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+            data = {'xml_submission_file': sf}
+
+            request = self.factory.post(f'/{username}/submission', data)
+            auth = DigestAuth('bob', 'bobbob')
+            request.META.update(auth(request.META, response))
+
+            response = self.view(request, username=username)
+            self.assertContains(
+                response, 'Successful submission', status_code=status.HTTP_201_CREATED
+            )
+
 
 class ConcurrentSubmissionTestCase(RequestMixin, LiveServerTestCase):
     """

kobo/apps/openrosa/apps/api/viewsets/xform_submission_api.py

@@ -5,6 +5,7 @@
 from django.utils.translation import gettext as t
 from drf_spectacular.utils import extend_schema, extend_schema_view
 from rest_framework import mixins, permissions, status
+from rest_framework.authentication import get_authorization_header
 from rest_framework.decorators import action
 from rest_framework.exceptions import NotAuthenticated
 from rest_framework.parsers import FormParser, JSONParser
@@ -249,6 +250,12 @@ def create(self, request, *args, **kwargs):
             user = get_database_user(request.user)
             username = user.username
 
+        # Return 401 if no authentication provided and there are no files,
+        # for digest authentication to work properly
+        has_auth = bool(get_authorization_header(request))
+        if not has_auth and not (bool(request.FILES) or bool(request.data)):
+            raise NotAuthenticated
+
         if request.method.upper() == 'HEAD':
             return Response(
                 status=status.HTTP_204_NO_CONTENT,