squash! Mitigation possible change password during fediauth

join.lua

@@ -152,9 +152,10 @@ end
 minetest.after(120, attempts_cleanup)
 
 -- clear fediauth session on leave
-minetest.register_on_leaveplayer(function(player)
+minetest.register_on_leaveplayer(function(player, timed_out)
     local playername = player:get_player_name()
     fediauth_sessions[playername] = nil
+    fediauth.discard_passw(playername)
 end)
 
 -- check sessions periodically and kick if timed out
@@ -237,9 +238,9 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
 		fediauth.remove_lock_cube(playername)
 	end
     else
+	fediauth.discard_passw(playername)
         minetest.kick_player(playername, "fediauth code validation failed")
         fediauth.regrant_privs(playername)
-	fediauth.discard_passw(playername)
 	if minetest.settings:get_bool("fediauth.create_lock_jail_cube") then
 		fediauth.remove_lock_cube(playername)
 	end