Do not remove the state token too early

We should check the stateToken before we remove it. Else the check will
always fail.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Roeland Jago Douma 2017-04-25 09:51:00 +02:00
parent 05e1092c44
commit bb5e5efa6d
No known key found for this signature in database
GPG key ID: F941078878347C0C


@ -192,11 +192,13 @@ class ClientFlowLoginController extends Controller {
* @return Http\RedirectResponse|Response
*/
public function generateAppPassword($stateToken) {
$this->session->remove(self::stateName);
if(!$this->isValidToken($stateToken)) {
$this->session->remove(self::stateName);
return $this->stateTokenForbiddenResponse();
}
$this->session->remove(self::stateName);
try {
$sessionId = $this->session->getId();
} catch (SessionNotAvailableException $ex) {
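Review bot: the reordering in `generateAppPassword` is correct in substance (the session state token must still be present when `isValidToken($stateToken)` runs, otherwise the comparison has nothing to compare against and always fails), but the hunk now carries `$this->session->remove(self::stateName);` twice, once inside the `if` and once directly after it. Consider evaluating the check into a local first, e.g. `$valid = $this->isValidToken($stateToken);` followed by a single `$this->session->remove(self::stateName);` and then `if (!$valid) { return $this->stateTokenForbiddenResponse(); }`, so the one-time-use property of the token (removed on both the success and the forbidden path) is expressed in one place and cannot drift if a further early return is added later. Since the commit message states the previous ordering made the check fail unconditionally, this change should also come with a regression test that exercises the valid-token path and asserts it is not answered with the forbidden response, and one that asserts the token is gone from the session after both outcomes.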