Do not remove the state token to early

we should check the stateToken before we remove it. Else the check will always fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
author: Roeland Jago Douma <roeland@famdouma.nl> 2017-04-25 09:51:00 +0200
committer: Roeland Jago Douma <roeland@famdouma.nl> 2017-04-25 20:18:49 +0200
commit: bb5e5efa6d76d577d6657326f60daab7544054f4 (patch)
tree: 12cfee15f44f1eb0dc06a29ca0049979b684db4c /core
parent: 05e1092c44196d840d02657f54c15e91bf3b0622 (diff)
download: nextcloud-server-bb5e5efa6d76d577d6657326f60daab7544054f4.tar.gz
nextcloud-server-bb5e5efa6d76d577d6657326f60daab7544054f4.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 891910b8d09..f18af83a9c7 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -192,11 +192,13 @@ class ClientFlowLoginController extends Controller {
 	 * @return Http\RedirectResponse|Response
 	 */
 	public function generateAppPassword($stateToken) {
-		$this->session->remove(self::stateName);
 		if(!$this->isValidToken($stateToken)) {
+			$this->session->remove(self::stateName);
 			return $this->stateTokenForbiddenResponse();
 		}
 
+		$this->session->remove(self::stateName);
+
 		try {
 			$sessionId = $this->session->getId();
 		} catch (SessionNotAvailableException $ex) {
author	Roeland Jago Douma <roeland@famdouma.nl>	2017-04-25 09:51:00 +0200
committer	Roeland Jago Douma <roeland@famdouma.nl>	2017-04-25 20:18:49 +0200
commit	bb5e5efa6d76d577d6657326f60daab7544054f4 (patch)
tree	12cfee15f44f1eb0dc06a29ca0049979b684db4c /core
parent	05e1092c44196d840d02657f54c15e91bf3b0622 (diff)
download	nextcloud-server-bb5e5efa6d76d577d6657326f60daab7544054f4.tar.gz nextcloud-server-bb5e5efa6d76d577d6657326f60daab7544054f4.zip