I am getting an error on this line
File "/Users/j/udacity/item_catalog/item-catalog-1490/application.py", line 171, in fbconnect
response.headers['Content-Type'] = 'application/json'
UnboundLocalError: local variable 'response' referenced before assignment
But I don't understand why it even reaches that line, because the two states seem to be equal:
***************state C155X84FWY0WLD2V5VS2UZDDWXN72F1O
************* login C155X84FWY0WLD2V5VS2UZDDWXN72F1O
But inside that `if` block I have a print for the state-not-equal case, and it doesn't print anything. In the browser I am getting a 500 error.
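@app.route('/fbconnect', methods=['POST'])
def fbconnect():
    """Reject the Facebook login request when the anti-forgery state differs.

    Excerpt: only the state check is shown. On a mismatch a 401 JSON response
    is returned.
    """
    # The two state values are not printed here: the state is the anti-forgery
    # token for this login, so it should stay out of stdout and server logs.
    # login_session['state'] is indexed rather than read with .get() so that a
    # session without a state raises instead of comparing None with None.
    if request.args.get('state') != login_session['state']:
        # Every statement that touches `response` must sit inside this branch.
        # The traceback (UnboundLocalError on the headers line while this
        # print never appears) shows the headers assignment ran without the
        # make_response() call, i.e. it was indented outside the `if` in the
        # file. Mixed tabs and spaces are a likely cause -- TODO confirm,
        # e.g. by running Python 2 with the -tt switch.
        print("*********************state not equal")
        response = make_response(json.dumps('Invalid state parameter.'), 401)
        response.headers['Content-Type'] = 'application/json'
        return response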
I'm posting the full content below
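@app.route('/fbconnect', methods=['POST'])
def fbconnect():
    """Complete a Facebook login and populate ``login_session``.

    The ``state`` query parameter is compared with the value stored in
    ``login_session``; on a mismatch a 401 JSON response is returned.
    Otherwise the token sent in the request body is exchanged at the Graph
    API, the user's name, email, id and picture are stored in the session,
    a local user is looked up or created, and an HTML welcome fragment is
    returned.
    """
    # Function-scope import so the block does not rely on the file header:
    # html.escape is the Python 3 name, cgi.escape the Python 2 one.
    try:
        from html import escape
    except ImportError:
        from cgi import escape

    # Anti-forgery check. The state values are not printed: the state is the
    # anti-forgery token for this login and should stay out of stdout/logs.
    # login_session['state'] is indexed rather than read with .get() so that
    # a session without a state raises instead of comparing None with None.
    if request.args.get('state') != login_session['state']:
        # All statements that use `response` belong to this branch. The
        # reported UnboundLocalError means the headers line ran without the
        # make_response() call, i.e. it was indented outside the `if`
        # (mixed tabs/spaces are a likely cause -- TODO confirm).
        print("*********************state not equal")
        response = make_response(json.dumps('Invalid state parameter.'), 401)
        response.headers['Content-Type'] = 'application/json'
        return response

    access_token = request.data

    # Read the client secrets once and close the file deterministically.
    with open('fb_client_secrets.json', 'r') as secrets_file:
        web_secrets = json.load(secrets_file)['web']
    app_id = web_secrets['app_id']
    app_secret = web_secrets['app_secret']

    # NOTE(review): access_token comes straight from the request body and is
    # interpolated without URL-encoding; validate or encode it before it is
    # placed in this query string. The URL also carries app_secret, so it
    # must never be logged.
    url = 'https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=%s&client_secret=%s&fb_exchange_token=%s' % (app_id, app_secret, access_token)
    h = httplib2.Http()
    result = h.request(url, 'GET')[1]

    # Use token to get user info from API
    token = result.split("&")[0]
    url = 'https://graph.facebook.com/v2.4/me?%s&fields=name,id,email' % token
    h = httplib2.Http()
    result = h.request(url, 'GET')[1]
    data = json.loads(result)
    login_session['provider'] = 'facebook'
    login_session['username'] = data["name"]
    login_session['email'] = data["email"]
    login_session['facebook_id'] = data["id"]

    # The token must be stored in the login_session in order to properly
    # logout; keep only the part after the equals sign.
    # NOTE(review): if login_session is Flask's default cookie-backed
    # session, its contents are signed but readable by the client -- confirm
    # the session backend before keeping the access token in it.
    stored_token = token.split("=")[1]
    login_session['access_token'] = stored_token

    # Get user picture
    url = 'https://graph.facebook.com/v2.4/me/picture?%s&redirect=0&height=200&width=200' % token
    h = httplib2.Http()
    result = h.request(url, 'GET')[1]
    data = json.loads(result)
    login_session['picture'] = data["data"]["url"]

    # see if user exists
    user_id = getUserID(login_session['email'])
    print("user_id %s" % (user_id,))
    if not user_id:
        user_id = createUser(login_session)
    login_session['user_id'] = user_id

    # The name and picture URL come from the remote profile, so they are
    # HTML-escaped (quotes included) before being placed in the markup.
    output = ''.join([
        '<h1>Welcome, ',
        escape(login_session['username'], True),
        '!</h1>',
        '<img src="',
        escape(login_session['picture'], True),
        ' " style = "width: 300px; height: 300px;border-radius: 150px;-webkit-border-radius: 150px;-moz-border-radius: 150px;"> ',
    ])
    flash("Now logged in as %s" % login_session['username'])
    return output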