Prevent generation of logout url with app session.

Author: Fosco Marotto

src/Facebook/Entities/AccessToken.php

@@ -367,4 +367,17 @@ public function __toString()
     return $this->accessToken;
   }
 
+  /**
+   * Returns true if the access token is an app session token.
+   *
+   * @return bool
+   */
+  public function isAppSession()
+  {
+    if (strpos($this->accessToken, "|") !== FALSE) {
+      return true;
+    }
+    return false;
+  }
+
 }

src/Facebook/FacebookRedirectLoginHelper.php

@@ -143,9 +143,16 @@ public function getReRequestUrl($scope = array(), $version = null)
    *   a successful logout
    *
    * @return string
+   *
+   * @throws FacebookSDKException
    */
   public function getLogoutUrl(FacebookSession $session, $next)
   {
+    if ($session->getAccessToken()->isAppSession()) {
+      throw new FacebookSDKException(
+        'Cannot generate a Logout URL with an App Session.', 722
+      );
+    }
     $params = array(
       'next' => $next,
       'access_token' => $session->getToken()

tests/FacebookRedirectLoginHelperTest.php

@@ -2,6 +2,7 @@
 
 use Facebook\FacebookRedirectLoginHelper;
 use Facebook\FacebookRequest;
+use Facebook\FacebookSession;
 
 class FacebookRedirectLoginHelperTest extends PHPUnit_Framework_TestCase
 {
@@ -70,6 +71,26 @@ public function testLogoutURL()
       );
     }
   }
+
+  public function testLogoutURLFailsWithAppSession()
+  {
+    $helper = new FacebookRedirectLoginHelper(
+      self::REDIRECT_URL,
+      FacebookTestCredentials::$appId,
+      FacebookTestCredentials::$appSecret
+    );
+    $helper->disableSessionStatusCheck();
+    $session = FacebookSession::newAppSession(
+      FacebookTestCredentials::$appId,
+      FacebookTestCredentials::$appSecret
+    );
+    $this->setExpectedException(
+      'Facebook\\FacebookSDKException', 'Cannot generate a Logout URL with an App Session.'
+    );
+    $logoutUrl = $helper->getLogoutUrl(
+      $session, self::REDIRECT_URL
+    );
+  }
 
   public function testCSPRNG()
   {