
fix issue with user activation token being sent upon incorrect token value entry.

Jason Rivard 7 years ago
parent
commit
3d16180b4e

+ 23 - 0
server/src/main/java/password/pwm/bean/TokenDestinationItem.java

@@ -36,11 +36,13 @@ import password.pwm.util.secure.SecureService;
 
 import java.io.Serializable;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 
 @Value
 @Builder
@@ -145,4 +147,25 @@ public class TokenDestinationItem implements Serializable
 
         return Collections.unmodifiableList( new ArrayList<>( results.values() ) );
     }
+
+    public static Optional<TokenDestinationItem> tokenDestinationItemForID(
+            final Collection<TokenDestinationItem> tokenDestinationItems,
+            final String requestedID
+    )
+    {
+        if ( tokenDestinationItems == null || requestedID == null )
+        {
+            return Optional.empty();
+        }
+
+        for ( final TokenDestinationItem item : tokenDestinationItems )
+        {
+            if ( requestedID.equals( item.getId() ) )
+            {
+                return Optional.of( item );
+            }
+        }
+
+        return Optional.empty();
+    }
 }
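Review bot: `tokenDestinationItemForID` has no Javadoc, so its contract is only discoverable from the body: a Javadoc should state that it returns the first item whose `getId()` equals `requestedID`, that a null collection or null id yields `Optional.empty()`, and that the lookup is case-sensitive via `String.equals`. Worth noting in it that the two call sites this replaces previously applied the last matching item rather than the first, which only differs when ids repeat. A null element in the collection would also throw at `requestedID.equals( item.getId() )`; if the lists produced by this class cannot contain null (not visible on this page), say so in the Javadoc, otherwise guard with `if ( item != null && requestedID.equals( item.getId() ) )`.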

+ 8 - 11
server/src/main/java/password/pwm/http/servlet/activation/ActivateUserServlet.java

@@ -77,6 +77,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 
 /**
  * User interaction servlet for creating new users (self registration).
@@ -290,7 +291,6 @@ public class ActivateUserServlet extends ControlledPwmServlet
     private ProcessStatus processTokenChoice( final PwmRequest pwmRequest )
             throws PwmUnrecoverableException
     {
-        final ActivateUserBean activateUserBean = activateUserBean( pwmRequest );
         final UserInfo userInfo = userInfo( pwmRequest );
         final MessageSendMethod tokenSendMethod = pwmRequest.getConfig().readSettingAsEnum( PwmSetting.ACTIVATE_TOKEN_SEND_METHOD, MessageSendMethod.class );
 
@@ -304,15 +304,11 @@ public class ActivateUserServlet extends ControlledPwmServlet
 
         final String requestedID = pwmRequest.readParameterAsString( "choice", PwmHttpRequestWrapper.Flag.BypassValidation );
 
-        if ( !StringUtil.isEmpty( requestedID ) )
+        final Optional<TokenDestinationItem> tokenDestinationItem = TokenDestinationItem.tokenDestinationItemForID( tokenDestinationItems, requestedID );
+        if ( tokenDestinationItem.isPresent() )
         {
-            for ( final TokenDestinationItem item : tokenDestinationItems )
-            {
-                if ( requestedID.equals( item.getId() ) )
-                {
-                    activateUserBean.setTokenDestination( item );
-                }
-            }
+            final ActivateUserBean activateUserBean = activateUserBean( pwmRequest );
+            activateUserBean.setTokenDestination( tokenDestinationItem.get() );
         }
 
         return ProcessStatus.Continue;
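Review bot: The new `activateUserBean.setTokenDestination( tokenDestinationItem.get() );` leaves the bean's `tokenSent` flag untouched, so if a token already went out for an earlier choice in the same session, the later guard `!activateUserBean.isTokenSent() && activateUserBean.getTokenDestination() != null` suppresses sending to the newly chosen destination; whether the flow lets a user re-choose after a send is not visible here. If it does, either reset the flag at that point (`activateUserBean.setTokenSent( false );`, accepting that each re-choice then triggers another send, which the existing per-session send limits would have to bound), or document on the bean that the destination is fixed once a token has been sent. Either way a short comment next to the `setTokenDestination` call explaining the interplay with `tokenSent` would prevent the next maintainer from guessing. processTokenChoice starts outside this hunk.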
@@ -323,7 +319,7 @@ public class ActivateUserServlet extends ControlledPwmServlet
     public ProcessStatus handleEnterCode(
             final PwmRequest pwmRequest
     )
-            throws ChaiUnavailableException, PwmUnrecoverableException, IOException, ServletException
+            throws PwmUnrecoverableException, IOException, ServletException
     {
         final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
         final PwmSession pwmSession = pwmRequest.getPwmSession();
@@ -346,6 +342,7 @@ public class ActivateUserServlet extends ControlledPwmServlet
             activateUserBean.setTokenPassed( true );
             activateUserBean.setFormValidated( true );
             activateUserBean.setTokenDestination( tokenPayload.getDestination() );
+            activateUserBean.setTokenSent( true );
 
             if ( pwmRequest.getConfig().readSettingAsBoolean( PwmSetting.DISPLAY_TOKEN_SUCCESS_BUTTON ) )
             {
@@ -442,7 +439,6 @@ public class ActivateUserServlet extends ControlledPwmServlet
 
             if ( !activateUserBean.isTokenSent() && activateUserBean.getTokenDestination() != null )
             {
-
                 TokenUtil.initializeAndSendToken(
                         pwmRequest,
                         TokenUtil.TokenInitAndSendRequest.builder()
@@ -453,6 +449,7 @@ public class ActivateUserServlet extends ControlledPwmServlet
                                 .smsToSend( PwmSetting.SMS_ACTIVATION_VERIFICATION_TEXT )
                                 .build()
                 );
+                activateUserBean.setTokenSent( true );
             }
 
             if ( !activateUserBean.isTokenPassed() )

+ 4 - 9
server/src/main/java/password/pwm/http/servlet/forgottenpw/ForgottenPasswordServlet.java

@@ -84,7 +84,6 @@ import password.pwm.util.PostChangePasswordAction;
 import password.pwm.util.form.FormUtility;
 import password.pwm.util.java.JavaHelper;
 import password.pwm.util.java.JsonUtil;
-import password.pwm.util.java.StringUtil;
 import password.pwm.util.logging.PwmLogger;
 import password.pwm.util.operations.ActionExecutor;
 import password.pwm.util.operations.PasswordUtility;
@@ -107,6 +106,7 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 
 /**
@@ -332,15 +332,10 @@ public class ForgottenPasswordServlet extends ControlledPwmServlet
 
         final String requestedID = pwmRequest.readParameterAsString( "choice", PwmHttpRequestWrapper.Flag.BypassValidation );
 
-        if ( !StringUtil.isEmpty( requestedID ) )
+        final Optional<TokenDestinationItem> tokenDestinationItem = TokenDestinationItem.tokenDestinationItemForID( items, requestedID );
+        if ( tokenDestinationItem.isPresent() )
         {
-            for ( final TokenDestinationItem item : items )
-            {
-                if ( requestedID.equals( item.getId() ) )
-                {
-                    forgottenPasswordBean.getProgress().setTokenDestination( item );
-                }
-            }
+            forgottenPasswordBean.getProgress().setTokenDestination( tokenDestinationItem.get() );
         }
 
         return ProcessStatus.Continue;
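Review bot: A `choice` value that matches none of `items` is silently ignored at the `if ( tokenDestinationItem.isPresent() )` branch and the method still returns `ProcessStatus.Continue`, leaving whatever destination was set earlier in place; the same applies to the matching hunk in ActivateUserServlet.processTokenChoice. Since `choice` is read with `BypassValidation`, an unmatched value is exactly the case an operator would want to see when troubleshooting, so an `else` branch logging at trace level through the class's PwmLogger (field name not visible here) that an unknown token destination choice was ignored is cheap and useful. As a point of style, the `isPresent()`/`get()` pair reads more directly as `tokenDestinationItem.ifPresent( item -> forgottenPasswordBean.getProgress().setTokenDestination( item ) );` provided `forgottenPasswordBean` is effectively final. The enclosing method starts outside this hunk.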