From bb5e5efa6d76d577d6657326f60daab7544054f4 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Tue, 25 Apr 2017 09:51:00 +0200
Subject: Do not remove the state token to early

we should check the stateToken before we remove it. Else the check will always fail.

Signed-off-by: Roeland Jago Douma
---
 core/Controller/ClientFlowLoginController.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 891910b8d09..f18af83a9c7 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -192,11 +192,13 @@ class ClientFlowLoginController extends Controller {
 	 * @return Http\RedirectResponse|Response
 	 */
 	public function generateAppPassword($stateToken) {
-		$this->session->remove(self::stateName);
 		if(!$this->isValidToken($stateToken)) {
+			$this->session->remove(self::stateName);
 			return $this->stateTokenForbiddenResponse();
 		}
 
+		$this->session->remove(self::stateName);
+
 		try {
 			$sessionId = $this->session->getId();
 		} catch (SessionNotAvailableException $ex) {
-- 
cgit v1.2.3
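Review bot: The state token is now consumed on two separate lines, one inside the forbidden branch and one immediately after it, which is the right single-use behaviour but easy to desynchronise when one branch is edited later. Evaluating the check first and removing once keeps the token one-shot on both paths with a single call: `$isValid = $this->isValidToken($stateToken);` `$this->session->remove(self::stateName);` `if (!$isValid) { return $this->stateTokenForbiddenResponse(); }`. A short comment on the removal, such as `// consume the state token after comparing it, whatever the outcome, so it cannot be replayed`, would also make the ordering fixed by this commit explicit to the next reader. generateAppPassword's body continues past the end of the hunk, and isValidToken is not visible here, so whether its comparison is constant-time cannot be judged from this diff.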