fix: revoke code before validating redirect uri

Merge pull request #232 from jorenvandeweyer/bugfix/revoke-authorization-code-earlier-4.x thanks to @jorenvandeweyer

Author: jankapunkt

lib/grant-types/authorization-code-grant-type.js

@@ -67,10 +67,10 @@ AuthorizationCodeGrantType.prototype.handle = function(request, client) {
       return this.getAuthorizationCode(request, client);
     })
     .tap(function(code) {
-      return this.validateRedirectUri(request, code);
+      return this.revokeAuthorizationCode(code);
     })
     .tap(function(code) {
-      return this.revokeAuthorizationCode(code);
+      return this.validateRedirectUri(request, code);
     })
     .then(function(code) {
       return this.saveToken(code.user, client, code.authorizationCode, code.scope);