fix: revoke code before validating redirect uri

jankapunkt · web-flow · commit 48baa8b04ec6 · 2023-08-26T14:28:06.000+02:00
Merge pull request #231 from jorenvandeweyer/bugfix/revoke-authorization-code-earlier thanks to @jorenvandeweyer
diff --git a/lib/grant-types/authorization-code-grant-type.js b/lib/grant-types/authorization-code-grant-type.js
@@ -53,8 +53,8 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
     }
 
     const code = await this.getAuthorizationCode(request, client);
-    await this.validateRedirectUri(request, code);
     await this.revokeAuthorizationCode(code);
+    await this.validateRedirectUri(request, code);
 
     return this.saveToken(code.user, client, code.authorizationCode, code.scope);
   }

Original file line number	Diff line number	Diff line change
`@@ -53,8 +53,8 @@ class AuthorizationCodeGrantType extends AbstractGrantType {`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`const code = await this.getAuthorizationCode(request, client);`
`56`		`- await this.validateRedirectUri(request, code);`
`57`	`56`	`await this.revokeAuthorizationCode(code);`
	`57`	`+ await this.validateRedirectUri(request, code);`
`58`	`58`
`59`	`59`	`return this.saveToken(code.user, client, code.authorizationCode, code.scope);`
`60`	`60`	`}`