Previously the CSRF state, PKCE verifier, nonce, and next-path were deleted and the session saved before the token exchange. A failure during exchange or verification left the user with no way to retry without restarting the whole flow.

Remove the intermediate session.Save(): the in-memory deletions are discarded on any error, so the session keys remain available for a retry. On success, SessionLoginOK calls session.Clear() + Save(), which atomically consumes all keys. PKCE ensures the authorization code cannot be replayed independently of the session.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
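The ordering described in the commit message, as an added illustration that is not the project's own code: the `Session` type is a constructed stand-in for a cookie-backed session store (in-memory `Values` versus what has been persisted, with `Reload` modelling what the next request sees), and `callbackBefore`/`callbackAfter` are hypothetical handlers showing the old and new save ordering. The exchange is a stub that checks the PKCE verifier it is handed.

```go
package main

import (
	"errors"
	"fmt"
)

// Session is a constructed stand-in for a cookie-backed session: Values is the
// in-memory view mutated by a handler, saved is what has been persisted to the client.
type Session struct {
	Values map[string]string
	saved  map[string]string
}

// NewSession starts with the given keys both in memory and persisted.
func NewSession(vals map[string]string) *Session {
	s := &Session{Values: map[string]string{}, saved: map[string]string{}}
	for k, v := range vals {
		s.Values[k] = v
		s.saved[k] = v
	}
	return s
}

// Save persists the in-memory view (what a cookie store would write back).
func (s *Session) Save() {
	s.saved = map[string]string{}
	for k, v := range s.Values {
		s.saved[k] = v
	}
}

// Clear drops every key from the in-memory view.
func (s *Session) Clear() { s.Values = map[string]string{} }

// Reload discards unsaved in-memory changes, as the next request would.
func (s *Session) Reload() {
	s.Values = map[string]string{}
	for k, v := range s.saved {
		s.Values[k] = v
	}
}

// oauthKeys are the per-flow secrets held in the session (names are constructed).
var oauthKeys = []string{"csrf_state", "pkce_verifier", "nonce", "next_path"}

// callbackBefore models the old ordering: deletions are persisted before the
// token exchange, so a failed exchange leaves nothing to retry with.
func callbackBefore(s *Session, exchange func(verifier string) error) error {
	verifier := s.Values["pkce_verifier"]
	for _, k := range oauthKeys {
		delete(s.Values, k)
	}
	s.Save() // the intermediate save the commit removes
	if err := exchange(verifier); err != nil {
		return err
	}
	s.Clear() // success: consume every key atomically and persist the login
	s.Values["user"] = "alice"
	s.Save()
	return nil
}

// callbackAfter models the new ordering: deletions stay in memory only, so an
// error discards them; on success Clear()+Save() consumes all keys at once.
func callbackAfter(s *Session, exchange func(verifier string) error) error {
	verifier := s.Values["pkce_verifier"]
	for _, k := range oauthKeys {
		delete(s.Values, k)
	}
	if err := exchange(verifier); err != nil {
		return err
	}
	s.Clear()
	s.Values["user"] = "alice"
	s.Save()
	return nil
}

type handler func(*Session, func(string) error) error

func freshSession() *Session {
	return NewSession(map[string]string{
		"csrf_state": "st", "pkce_verifier": "v1", "nonce": "n1", "next_path": "/home",
	})
}

// RetryPossibleAfterFailure reports whether all flow keys survive a failed exchange.
func RetryPossibleAfterFailure(h handler) bool {
	s := freshSession()
	_ = h(s, func(string) error { return errors.New("exchange failed") })
	s.Reload()
	for _, k := range oauthKeys {
		if _, ok := s.Values[k]; !ok {
			return false
		}
	}
	return true
}

// ConsumedOnSuccess reports whether a successful exchange leaves only the login.
func ConsumedOnSuccess(h handler) bool {
	s := freshSession()
	if err := h(s, func(v string) error {
		if v != "v1" {
			return errors.New("bad verifier")
		}
		return nil
	}); err != nil {
		return false
	}
	s.Reload()
	for _, k := range oauthKeys {
		if _, ok := s.Values[k]; ok {
			return false
		}
	}
	return s.Values["user"] == "alice"
}

func main() {
	fmt.Println("before: retry possible =", RetryPossibleAfterFailure(callbackBefore))
	fmt.Println("after:  retry possible =", RetryPossibleAfterFailure(callbackAfter))
	fmt.Println("after:  consumed on success =", ConsumedOnSuccess(callbackAfter))
}
```

Running the block shows the old ordering losing the verifier on a failed exchange while the new ordering keeps it for a retry, and both orderings ending with the flow keys gone once login succeeds.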
| Directory |
|---|
| .. |
| adapters |
| api |
| api-admin |
| app |
| avatar |
| captcha |
| config |
| forms |
| helpers |
| mailer |
| newsletter |
| session |
| storage |
| usecase |