author | Matthew Somerville <matthew-github@dracos.co.uk> | 2017-01-12 15:24:16 +0000 |
committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2017-01-12 15:24:16 +0000 |
commit | 831f0addbac7eb3e6641877c936f90279d1bb186 (patch) | |
tree | 8d56fd057f539002c9eef08e21b8260c31858119 /perllib/FixMyStreet/App/Controller | |
parent | dd59d2831e7e824eb14051253fb59157e032673b (diff) |
Make sure csrf_time is deleted after use.
If an out-of-date token was passed to check_csrf_token, then no new
token would be output on the error page because csrf_time was still
present.
Diffstat (limited to 'perllib/FixMyStreet/App/Controller')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Auth.pm | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index c448f8749..6e8057723 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -516,11 +516,12 @@ sub check_csrf_token : Private {
     $token =~ s/ /+/g;
     my ($time) = $token =~ /^(\d+)-[0-9a-zA-Z+\/]+$/;
     $c->stash->{csrf_time} = $time;
+    my $gen_token = $c->forward('get_csrf_token');
+    delete $c->stash->{csrf_time};
     $c->detach('no_csrf_token')
         unless $time
             && $time > time() - 3600
-            && $token eq $c->forward('get_csrf_token');
-    delete $c->stash->{csrf_time};
+            && $token eq $gen_token;
 }
 
 sub no_csrf_token : Private {
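Review bot: The reordering on the two added lines is only correct because `$c->detach` never returns, so a reader who does not know that will see the `delete` placed before the check as an odd move; a comment would keep the reason with the code, e.g. `# detach() throws, so csrf_time must be cleared before it or no_csrf_token renders without a fresh token`. The `3600` on the expiry line is the token lifetime in seconds and is now the one unnamed value left in the condition; a `use constant CSRF_TOKEN_LIFETIME => 3600;` near the sub would make the window self-describing and easier to audit. With the forward hoisted out of the `&&` chain, `get_csrf_token` now runs even when `$time` is undef or already expired, which is harmless as far as this hunk shows but worth stating as deliberate in the same comment. `check_csrf_token` starts before the hunk; its opening lines are not shown.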