Merge pull request #106 from thewilkybarkid/remove-state

Remove state from the session
knpuniversity · Jun 27, 2018 · 71642a3 · 71642a3
2 parents e86cc71 + fca54e6
commit 71642a3
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/src/Client/OAuth2Client.php b/src/Client/OAuth2Client.php
@@ -90,7 +90,7 @@ public function redirect(array $scopes = [], array $options = [])
     public function getAccessToken()
     {
         if (!$this->isStateless) {
-            $expectedState = $this->getSession()->get(self::OAUTH2_SESSION_STATE_KEY);
+            $expectedState = $this->getSession()->remove(self::OAUTH2_SESSION_STATE_KEY);
             $actualState = $this->getCurrentRequest()->query->get('state');
             if (!$actualState || ($actualState !== $expectedState)) {
                 throw new InvalidStateException('Invalid state');

diff --git a/tests/Client/OAuth2ClientTest.php b/tests/Client/OAuth2ClientTest.php
@@ -119,7 +119,7 @@ public function testGetAccessToken()
         $this->request->query->set('state', 'THE_STATE');
         $this->request->query->set('code', 'CODE_ABC');
 
-        $this->session->get(OAuth2Client::OAUTH2_SESSION_STATE_KEY)
+        $this->session->remove(OAuth2Client::OAUTH2_SESSION_STATE_KEY)
             ->willReturn('THE_STATE');
 
         $expectedToken = $this->prophesize('League\OAuth2\Client\Token\AccessToken');
@@ -157,7 +157,7 @@ public function testGetAccessTokenFromPOST()
     public function testGetAccessTokenThrowsInvalidStateException()
     {
         $this->request->query->set('state', 'ACTUAL_STATE');
-        $this->session->get(OAuth2Client::OAUTH2_SESSION_STATE_KEY)
+        $this->session->remove(OAuth2Client::OAUTH2_SESSION_STATE_KEY)
             ->willReturn('OTHER_STATE');
 
         $client = new OAuth2Client(
@@ -173,7 +173,7 @@ public function testGetAccessTokenThrowsInvalidStateException()
     public function testGetAccessTokenThrowsMissingAuthCodeException()
     {
         $this->request->query->set('state', 'ACTUAL_STATE');
-        $this->session->get(OAuth2Client::OAUTH2_SESSION_STATE_KEY)
+        $this->session->remove(OAuth2Client::OAUTH2_SESSION_STATE_KEY)
            ->willReturn('ACTUAL_STATE');
 
         // don't set a code query parameter