Merge pull request #316 from facebook/gFosco.40-logout-url

gfosco · gfosco · commit 88af90d80923 · 2015-01-06T13:28:23.000-08:00
Prevent generation of logout url with app session.
diff --git a/src/Facebook/Entities/AccessToken.php b/src/Facebook/Entities/AccessToken.php
@@ -367,4 +367,14 @@ public function __toString()
     return $this->accessToken;
   }
 
+  /**
+   * Returns true if the access token is an app session token.
+   *
+   * @return bool
+   */
+  public function isAppSession()
+  {
+    return strpos($this->accessToken, "|") !== false;
+  }
+
 }
diff --git a/src/Facebook/FacebookRedirectLoginHelper.php b/src/Facebook/FacebookRedirectLoginHelper.php
@@ -143,9 +143,16 @@ public function getReRequestUrl($scope = array(), $version = null)
    *   a successful logout
    *
    * @return string
+   *
+   * @throws FacebookSDKException
    */
   public function getLogoutUrl(FacebookSession $session, $next)
   {
+    if ($session->getAccessToken()->isAppSession()) {
+      throw new FacebookSDKException(
+        'Cannot generate a Logout URL with an App Session.', 722
+      );
+    }
     $params = array(
       'next' => $next,
       'access_token' => $session->getToken()
diff --git a/tests/FacebookRedirectLoginHelperTest.php b/tests/FacebookRedirectLoginHelperTest.php
@@ -2,6 +2,7 @@
 
 use Facebook\FacebookRedirectLoginHelper;
 use Facebook\FacebookRequest;
+use Facebook\FacebookSession;
 
 class FacebookRedirectLoginHelperTest extends PHPUnit_Framework_TestCase
 {
@@ -70,6 +71,23 @@ public function testLogoutURL()
       );
     }
   }
+
+  public function testLogoutURLFailsWithAppSession()
+  {
+    $helper = new FacebookRedirectLoginHelper(
+      self::REDIRECT_URL,
+      FacebookTestCredentials::$appId,
+      FacebookTestCredentials::$appSecret
+    );
+    $helper->disableSessionStatusCheck();
+    $session = FacebookTestHelper::getAppSession();
+    $this->setExpectedException(
+      'Facebook\\FacebookSDKException', 'Cannot generate a Logout URL with an App Session.'
+    );
+    $helper->getLogoutUrl(
+      $session, self::REDIRECT_URL
+    );
+  }
   
   public function testCSPRNG()
   {

Original file line number	Diff line number	Diff line change
`@@ -367,4 +367,14 @@ public function __toString()`
`367`	`367`	`return $this->accessToken;`
`368`	`368`	`}`
`369`	`369`
	`370`	`+ /**`
	`371`	`+ * Returns true if the access token is an app session token.`
	`372`	`+ *`
	`373`	`+ * @return bool`
	`374`	`+ */`
	`375`	`+ public function isAppSession()`
	`376`	`+ {`
	`377`	`+ return strpos($this->accessToken, "\|") !== false;`
	`378`	`+ }`
	`379`	`+`
`370`	`380`	`}`