Merge pull request #311 from SammyK/add-state-to-rerequest

gfosco · gfosco · commit 263df5748147 · 2014-12-29T14:41:25.000-08:00
Added CSRF protection for rerequest links
diff --git a/src/Facebook/FacebookRedirectLoginHelper.php b/src/Facebook/FacebookRedirectLoginHelper.php
@@ -121,9 +121,12 @@ public function getLoginUrl($scope = array(), $version = null, $displayAsPopup =
   public function getReRequestUrl($scope = array(), $version = null)
   {
     $version = ($version ?: FacebookRequest::GRAPH_API_VERSION);
+    $this->state = $this->random(16);
+    $this->storeState($this->state);
     $params = array(
       'client_id' => $this->appId,
       'redirect_uri' => $this->redirectUrl,
+      'state' => $this->state,
       'sdk' => 'php-sdk-' . FacebookRequest::VERSION,
       'auth_type' => 'rerequest',
       'scope' => implode(',', $scope)
diff --git a/tests/FacebookRedirectLoginHelperTest.php b/tests/FacebookRedirectLoginHelperTest.php
@@ -32,6 +32,21 @@ public function testLoginURL()
     }
   }
 
+  public function testReRequestUrlContainsState()
+  {
+    $helper = new FacebookRedirectLoginHelper(
+      self::REDIRECT_URL,
+      FacebookTestCredentials::$appId,
+      FacebookTestCredentials::$appSecret
+    );
+    $helper->disableSessionStatusCheck();
+
+    $reRequestUrl = $helper->getReRequestUrl();
+    $state = $_SESSION['FBRLH_state'];
+
+    $this->assertContains('state=' . urlencode($state), $reRequestUrl);
+  }
+
   public function testLogoutURL()
   {
     $helper = new FacebookRedirectLoginHelper(
