Server and client side security

You do have to assume that a malicious user can call your server functions out of order. The code for the client is available to them to examine.

So there does need to be some level of security checking on that second call. The form could cache the information they enter in the first server call, and send it along with the second server call. Or, in the first server call, you could set a server-side session variable, and check that in the second call.

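The session-variable approach described in the post above, as an added example that is not part of the original post: the first call records its result in server-side state, and the second call refuses to run without it. The session store, the function names and the invite code are assumptions constructed for illustration, not any framework's API.

```python
import hmac
import secrets

# Constructed stand-ins: a per-connection session store and a sample invite code.
SESSIONS = {}                      # session id -> dict of server-side state
VALID_INVITE = "constructed-invite-123"


def new_session():
    """Create server-side state keyed by an unguessable session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def check_invite(sid, invite_code):
    """First server call: validate the input and record the result server-side."""
    ok = hmac.compare_digest(invite_code.encode(), VALID_INVITE.encode())
    # The flag lives on the server, so the client cannot set it directly.
    SESSIONS[sid]["invite_ok"] = ok
    return ok


def create_account(sid, username):
    """Second server call: refuse unless the first call succeeded in this session."""
    state = SESSIONS.get(sid)
    # pop() consumes the flag, so one successful check authorizes one creation.
    if state is None or not state.pop("invite_ok", False):
        raise PermissionError("create_account called before a successful check_invite")
    return f"created:{username}"
```

Because the check happens inside `create_account`, a caller who skips the first call, fails it, or replays the second call is rejected no matter what the client code does.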