Remove 'code' param

martinstuecklschwaiger · martinstuecklschwaiger · commit b4c3f7c05531 · 2018-01-09T13:32:18.000+01:00
It gets set by Facebook.
If it stays in the redirect URL, strict mode won't work.
diff --git a/src/Facebook/Helpers/FacebookRedirectLoginHelper.php b/src/Facebook/Helpers/FacebookRedirectLoginHelper.php
@@ -222,8 +222,9 @@ public function getAccessToken($redirectUrl = null)
         $this->resetCsrf();
 
         $redirectUrl = $redirectUrl ?: $this->urlDetectionHandler->getCurrentUrl();
-        // At minimum we need to remove the state param
-        $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['state']);
+
+        // At minimum we need to remove the 'state' and 'code' params
+        $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['code', 'state']);
 
         return $this->oAuth2Client->getAccessTokenFromCode($code, $redirectUrl);
     }
