Do not remove the state token to early
We should check the stateToken before we remove it; otherwise the check will always fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
parent
05e1092c44
commit
bb5e5efa6d
1 changed files with 3 additions and 1 deletions
|
@ -192,11 +192,13 @@ class ClientFlowLoginController extends Controller {
|
|||
* @return Http\RedirectResponse|Response
|
||||
*/
|
||||
public function generateAppPassword($stateToken) {
|
||||
$this->session->remove(self::stateName);
|
||||
if(!$this->isValidToken($stateToken)) {
|
||||
$this->session->remove(self::stateName);
|
||||
return $this->stateTokenForbiddenResponse();
|
||||
}
|
||||
|
||||
$this->session->remove(self::stateName);
|
||||
|
||||
try {
|
||||
$sessionId = $this->session->getId();
|
||||
} catch (SessionNotAvailableException $ex) {
|
||||
|
|
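Review bot: The single-use invalidation of the state token is now written twice, once inside the `if(!$this->isValidToken($stateToken))` branch and once after it, so the ordering this commit fixes depends on both copies staying in step. Capturing the result first leaves a single removal that cannot run before the check: `$valid = $this->isValidToken($stateToken);`, `$this->session->remove(self::stateName);`, `if (!$valid) {`. A short comment saying the token is cleared on the failure path as well, presumably so that a rejected request cannot be retried against the same token, would record the intent. The commit changes one file, so no test pins the valid-token path; a controller test asserting that a correct token passes the check, and that the session entry is gone afterwards on both outcomes, would guard against the regression. The body of generateAppPassword continues past the end of the hunk.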