🗒️ Checklist

1. run linter locally
2. update developer docs (API, README, inline, etc.), if any
3. for user-facing doc changes create a Zulip thread at #Support Docs Updates, if any
4. draft PR with a title <type>(<scope>)<!>: <title> DEV-1234
5. assign yourself, tag PR: at least Front end and/or Back end or workflow
6. fill in the template below and delete template comments
7. review thyself: read the diff and repro the preview as written
8. open PR & confirm that CI passes & request reviewers, if needed
9. delete this section before merging

📣 Summary

Prevent server errors when clients using Digest authentication send empty submission requests to the openrosa /<username>/submission endpoint.

📖 Description

Previously, when a client (such as curl using --digest) attempted to submit to https://kobocat/<username>/submission for a form that does not allow anonymous submissions, the first unauthenticated request in the Digest handshake was accepted by the view.

Because this initial request contained no body and no authentication header, the view attempted to read a None file instance, leading to:

AttributeError: 'NoneType' object has no attribute 'read'

This caused a 500 error before the client’s second (authenticated) request could be processed.

This PR adds a validation to check whether xml_file is missing or empty. When this happens, the server now fails fast with a proper OpenRosaResponseBadRequest (400) and a clear, informative error message.

👀 Preview steps

1. ℹ️ have an account and a form that requires authentication.
2. Try submitting using Digest auth to the username endpoint:

curl -v --digest --http1.1 \
  --user username:password \
  -X POST \
  -F "xml_submission_file=@/<path>/<file_name>.xml" \
  http://kc.kobo.local/<username>/submission

3. 🔴 [on release] Server responds with 500
4. 🟢 [on PR] Server responds with HTTP 400