Strip 'enforce_https' param

facebookarchive · Nov 14, 2018 · 8ecf2d6 · 8ecf2d6
1 parent 674b2b5
commit 8ecf2d6
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ Version 5 of the Facebook PHP SDK is a complete refactor of version 4. It comes
 - 5.7.0 (2018-00-00)
   - Add `joined` to list of fields to be cast to `\DateTime` (#950)
   - Add `GraphPage::getFanCount()` to get the number of people who like the page (#815)
+  - Strip 'enforce_https' param (#1084)
 - 5.6.3 (2018-07-01)
   - Add fix for countable error in PHP 7.2 (originally #969 by @andreybolonin)
 - 5.6.2 (2018-02-15)

diff --git a/src/Facebook/Helpers/FacebookRedirectLoginHelper.php b/src/Facebook/Helpers/FacebookRedirectLoginHelper.php
@@ -222,8 +222,8 @@ public function getAccessToken($redirectUrl = null)
         $this->resetCsrf();
 
         $redirectUrl = $redirectUrl ?: $this->urlDetectionHandler->getCurrentUrl();
-        // At minimum we need to remove the 'state' and 'code' params
-        $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['code', 'state']);
+        // At minimum we need to remove the 'code', 'enforce_https' and 'state' params
+        $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['code', 'enforce_https', 'state']);
 
         return $this->oAuth2Client->getAccessTokenFromCode($code, $redirectUrl);
     }

diff --git a/tests/Helpers/FacebookRedirectLoginHelperTest.php b/tests/Helpers/FacebookRedirectLoginHelperTest.php
@@ -45,6 +45,7 @@ class FacebookRedirectLoginHelperTest extends \PHPUnit_Framework_TestCase
 
     const REDIRECT_URL = 'http://invalid.zzz';
     const FOO_CODE = "foo_code";
+    const FOO_ENFORCE_HTTPS = "foo_enforce_https";
     const FOO_STATE = "foo_state";
     const FOO_PARAM = "some_param=blah";
 
@@ -96,15 +97,17 @@ public function testLogoutURL()
 
     public function testAnAccessTokenCanBeObtainedFromRedirect()
     {
-        $this->persistentDataHandler->set('state', 'foo_state');
-        $_GET['state'] = static::FOO_STATE;
+        $this->persistentDataHandler->set('state', static::FOO_STATE);
+
         $_GET['code'] = static::FOO_CODE;
+        $_GET['enforce_https'] = static::FOO_ENFORCE_HTTPS;
+        $_GET['state'] = static::FOO_STATE;
 
-        $fullUrl = self::REDIRECT_URL . '?state=' . static::FOO_STATE . '&code=' . static::FOO_CODE . '&' . static::FOO_PARAM;
+        $fullUrl = self::REDIRECT_URL . '?state=' . static::FOO_STATE . '&enforce_https=' . static::FOO_ENFORCE_HTTPS . '&code=' . static::FOO_CODE . '&' . static::FOO_PARAM;
 
         $accessToken = $this->redirectLoginHelper->getAccessToken($fullUrl);
 
-        // code and state should be stripped from the URL
+        // 'code', 'enforce_https' and 'state' should be stripped from the URL
         $expectedUrl = self::REDIRECT_URL . '?' . static::FOO_PARAM;
         $expectedString = 'foo_token_from_code|' . static::FOO_CODE . '|' . $expectedUrl;