500 on badly formed POST to token endpoint

[snarfed]

While testing @capjamesg's https://artemis.jamesg.blog/ , it made a bad request to the token endpoint on my site, with params in query params intead of body, and got a 500. Obviously that was a bad request, but the plugin should still probably 400 instead of crashing. Chat log here. Pruned server logs:

POST /wp-json/indieauth/1.0/token?grant_type=authorization_code&code=...

PHP Warning:  Undefined variable $tokens in /srv/htdocs/wp-content/plugins/indieauth/includes/class-indieauth-token-endpoint.php on line 338
...
PHP Fatal error:  Uncaught Error: Call to a member function destroy() on null in /srv/htdocs/wp-content/plugins/indieauth/includes/class-indieauth-token-endpoint.php:338
Stack trace:
#0 /srv/htdocs/wp-content/plugins/indieauth/includes/class-indieauth-token-endpoint.php(234): IndieAuth_Token_Endpoint->verify_local_authorization_code(Array)
#1 /srv/htdocs/wp-content/plugins/indieauth/includes/class-indieauth-token-endpoint.php(187): IndieAuth_Token_Endpoint->authorization_code(Array)
#2 /wordpress/core/6.7.1/wp-includes/rest-api/class-wp-rest-server.php(1292): IndieAuth_Token_Endpoint->post(Object(WP_REST_Request))
...
#14 {main}
  thrown in /srv/htdocs/wp-content/plugins/indieauth/includes/class-indieauth-token-endpoint.php on line 338

[dshanske]

I see the problem.

[dshanske]

Ironically, the improvements I was making on all my plugins to test for things would have caught this