The code in the Grant Flow doesn't invalidate the Authorization Code after it's used to successfully issue an access token, so you can reuse the authorization code to issue another access token. It's recommended to have authorization codes expire after some short window and to mark them as used once you've issued a token. The OAuth site goes into more detail about Authorization Codes here.
I'd be happy to make a pull request to expire tokens and remove them after they've been used (or at least invalidate them. Or at a minimum I can make a PR to add some comments to note how it should be done if implemented in a live application.
The code in the Grant Flow doesn't invalidate the Authorization Code after it's used to successfully issue an access token, so you can reuse the authorization code to issue another access token. It's recommended to have authorization codes expire after some short window and to mark them as used once you've issued a token. The OAuth site goes into more detail about Authorization Codes here.
I'd be happy to make a pull request to expire tokens and remove them after they've been used (or at least invalidate them. Or at a minimum I can make a PR to add some comments to note how it should be done if implemented in a live application.