

Merge pull request #913 from martinstuecklschwaiger/5.x
Strip 'code' param
2 parents 6eb970d + 711fe77 commit e278500

3 files changed

+17
-7
lines changed


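--- a/src/Facebook/Helpers/FacebookRedirectLoginHelper.php
+++ b/src/Facebook/Helpers/FacebookRedirectLoginHelper.php
@@ -222,8 +222,8 @@ public function getAccessToken($redirectUrl = null)
 $this->resetCsrf();
 
 $redirectUrl = $redirectUrl ?: $this->urlDetectionHandler->getCurrentUrl();
-// At minimum we need to remove the state param
-$redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['state']);
+// At minimum we need to remove the 'state' and 'code' params
+$redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['code', 'state']);
 
 return $this->oAuth2Client->getAccessTokenFromCode($code, $redirectUrl);
 }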
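Review bot: The new comment on the `removeParamsFromUrl` line says what is stripped but not why, and the why is the security-relevant part: in the OAuth 2.0 authorization-code flow the `redirect_uri` sent to the token endpoint has to match the one used in the authorization request, and `code` and `state` are the parameters the provider appends to that URL on the way back, so leaving either in place makes the exchange fail against the registered URI. I would replace the comment with `// The redirect_uri sent to the token endpoint must match the one used in the authorization request, so strip the provider-appended 'code' and 'state' before the exchange.` The "At minimum" hedge implies other appended parameters exist but names none; if error-response parameters can reach this point, list them, otherwise drop the hedge so a reader does not go looking for the rest. Note that the stripping is applied to a caller-supplied `$redirectUrl` as well as the auto-detected one — the test in this commit relies on that, so it is presumably intended, but getAccessToken's docblock should state it. getAccessToken begins outside the hunk.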

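--- a/tests/Fixtures/FooRedirectLoginOAuth2Client.php
+++ b/tests/Fixtures/FooRedirectLoginOAuth2Client.php
@@ -23,12 +23,13 @@
 */
 namespace Facebook\Tests\Fixtures;
 
+use Facebook\Authentication\AccessToken;
 use Facebook\Authentication\OAuth2Client;
 
 class FooRedirectLoginOAuth2Client extends OAuth2Client
 {
 public function getAccessTokenFromCode($code, $redirectUri = '', $machineId = null)
 {
-return 'foo_token_from_code|' . $code . '|' . $redirectUri;
+return new AccessToken('foo_token_from_code|' . $code . '|' . $redirectUri);
 }
 }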

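--- a/tests/Helpers/FacebookRedirectLoginHelperTest.php
+++ b/tests/Helpers/FacebookRedirectLoginHelperTest.php
@@ -44,6 +44,9 @@ class FacebookRedirectLoginHelperTest extends \PHPUnit_Framework_TestCase
 protected $redirectLoginHelper;
 
 const REDIRECT_URL = 'http://invalid.zzz';
+const FOO_CODE = "foo_code";
+const FOO_STATE = "foo_state";
+const FOO_PARAM = "some_param=blah";
 
 protected function setUp()
 {
@@ -94,12 +97,18 @@ public function testLogoutURL()
 public function testAnAccessTokenCanBeObtainedFromRedirect()
 {
 $this->persistentDataHandler->set('state', 'foo_state');
-$_GET['state'] = 'foo_state';
-$_GET['code'] = 'foo_code';
+$_GET['state'] = static::FOO_STATE;
+$_GET['code'] = static::FOO_CODE;
 
-$accessToken = $this->redirectLoginHelper->getAccessToken(self::REDIRECT_URL);
+$fullUrl = self::REDIRECT_URL . '?state=' . static::FOO_STATE . '&code=' . static::FOO_CODE . '&' . static::FOO_PARAM;
 
-$this->assertEquals('foo_token_from_code|foo_code|' . self::REDIRECT_URL, (string)$accessToken);
+$accessToken = $this->redirectLoginHelper->getAccessToken($fullUrl);
+
+// code and state should be stripped from the URL
+$expectedUrl = self::REDIRECT_URL . '?' . static::FOO_PARAM;
+$expectedString = 'foo_token_from_code|' . static::FOO_CODE . '|' . $expectedUrl;
+
+$this->assertEquals($expectedString, $accessToken->getValue());
 }
 
 public function testACustomCsprsgCanBeInjected()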
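Review bot: The new lines mix `static::FOO_STATE` with `self::REDIRECT_URL` on the same line and leave the literal `'foo_state'` in the `persistentDataHandler->set('state', 'foo_state')` line just above them, so the state stored in the session and the one placed in `$_GET` are only equal by coincidence of value — the CSRF check this test relies on would silently stop being exercised if someone changed the constant. Use `self::` throughout and the constant in the set call: `$this->persistentDataHandler->set('state', self::FOO_STATE);`, `$_GET['state'] = self::FOO_STATE;`, `$_GET['code'] = self::FOO_CODE;`. Prefer `assertSame` over `assertEquals` for the final comparison, since both sides are strings. The test only covers a URL where `state` and `code` are followed by another parameter; a second case with no surviving parameter would pin what the helper produces when nothing remains after stripping, which this test leaves unverified.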
