fix: revoke code before validating redirect uri

Merge pull request #232 from jorenvandeweyer/bugfix/revoke-authorization-code-earlier-4.x thanks to @jorenvandeweyer
node-oauth · Aug 26, 2023 · c533607 · c533607
2 parents 25c3661 + 20696ba
commit c533607
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/grant-types/authorization-code-grant-type.js b/lib/grant-types/authorization-code-grant-type.js
@@ -67,10 +67,10 @@ AuthorizationCodeGrantType.prototype.handle = function(request, client) {
       return this.getAuthorizationCode(request, client);
     })
     .tap(function(code) {
-      return this.validateRedirectUri(request, code);
+      return this.revokeAuthorizationCode(code);
     })
     .tap(function(code) {
-      return this.revokeAuthorizationCode(code);
+      return this.validateRedirectUri(request, code);
     })
     .then(function(code) {
       return this.saveToken(code.user, client, code.authorizationCode, code.scope);