From 7014b5cb26e8e36317392242366d37943678e0b3 Mon Sep 17 00:00:00 2001
From: Prateek Madhikar
Date: Tue, 19 Jul 2016 12:52:10 -0700
Subject: [PATCH] Actually validate grant code

---
 flask_oauthlib/provider/oauth2.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/flask_oauthlib/provider/oauth2.py b/flask_oauthlib/provider/oauth2.py
index 27f8f821..551518ce 100644
--- a/flask_oauthlib/provider/oauth2.py
+++ b/flask_oauthlib/provider/oauth2.py
@@ -833,6 +833,9 @@ def validate_code(self, client_id, code, client, request, *args, **kwargs):
            datetime.datetime.utcnow() > grant.expires:
             log.debug('Grant is expired.')
             return False
+        if grant.code != code:
+            log.debug('Grant is invalid.')
+            return False
 
         request.state = kwargs.get('state')
         request.user = grant.user
@@ -859,7 +862,7 @@ def validate_grant_type(self, client_id, grant_type, client, request,
             'authorization_code', 'password', 'client_credentials',
             'refresh_token',
         )
-
+
         # Grant type is allowed if it is part of the 'allowed_grant_types'
         # of the selected client or if it is one of the default grant types
         if hasattr(client, 'allowed_grant_types'):
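Review bot: The added `grant.code != code` in the first hunk compares a secret credential with an ordinary string comparison, which stops at the first differing character; `if not hmac.compare_digest(grant.code, code):` keeps the comparison time independent of how much of the code matches, with `import hmac` added at the top of the module (outside this hunk). compare_digest requires both arguments to be the same type (both str or both bytes), and whether the grant model guarantees that for `grant.code` is not visible here, so it would need confirming against the grant model. Since the grant is presumably looked up by the same `code` earlier in the method, a short comment such as `# defence in depth: a grantgetter is not required to filter by code` would explain why this check is not redundant. The debug message `'Grant is invalid.'` would also be more useful as `'Grant code does not match.'`, since the grant itself was found. validate_code's body begins and ends outside the hunk.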