From 23a8148afddd172c34d5ee02581752f68045a35d Mon Sep 17 00:00:00 2001
From: patrick brisbin
Date: Fri, 26 Feb 2021 14:44:10 -0500
Subject: [PATCH] Check for ErrorResponse before CSRF

It's possible there's an error that explains why the state token isn't as expected. It should be fine to report those details before verifying CSRF.
---
 src/Yesod/Auth/OAuth2/Dispatch.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Yesod/Auth/OAuth2/Dispatch.hs b/src/Yesod/Auth/OAuth2/Dispatch.hs
index 162e9ff..49c32c6 100644
--- a/src/Yesod/Auth/OAuth2/Dispatch.hs
+++ b/src/Yesod/Auth/OAuth2/Dispatch.hs
@@ -81,8 +81,8 @@ dispatchCallback
 -> FetchCreds site
 -> m TypedContent
 dispatchCallback name oauth2 getToken getCreds = do
- csrf <- verifySessionCSRF $ tokenSessionKey name
 onErrorResponse $ throwError . OAuth2HandshakeError
+ csrf <- verifySessionCSRF $ tokenSessionKey name
 code <- requireGetParam "code"
 manager <- authHttpManager
 oauth2' <- withCallbackAndState name oauth2 csrf
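Review bot: With `onErrorResponse` now running ahead of `verifySessionCSRF`, the `ErrorResponse` handed to `OAuth2HandshakeError` comes from a request whose state token has not been checked, so its contents are controlled by whoever produced the callback URL rather than known to come from the provider. Whatever renders or logs that error should treat its fields as untrusted text (escaped, and not presented as a trusted provider message), and that is worth recording at the call site, e.g. `-- error params are read before the state check: unauthenticated, treat as untrusted`. If `verifySessionCSRF` also clears the stored token (its body is not visible here), the error path now leaves that token in the session; confirm that is intended. The body of dispatchCallback continues past the end of the hunk.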