Merge pull request #1084 from yguedidi/enforce_https

yguedidi · web-flow · commit 2d0b785aaabf · 2018-11-21T13:43:39.000+01:00
Strip 'enforce_https' param
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ Version 5 of the Facebook PHP SDK is a complete refactor of version 4. It comes
   - Add `GraphPage::getFanCount()` to get the number of people who like the page (#815)
   - Fixed HTTP/2 support (#1079)
   - Fixed resumable upload error (#1001)
+  - Strip 'enforce_https' param (#1084)
 - 5.6.3 (2018-07-01)
   - Add fix for countable error in PHP 7.2 (originally #969 by @andreybolonin)
 - 5.6.2 (2018-02-15)
diff --git a/src/Facebook/Helpers/FacebookRedirectLoginHelper.php b/src/Facebook/Helpers/FacebookRedirectLoginHelper.php
@@ -222,8 +222,8 @@ public function getAccessToken($redirectUrl = null)
         $this->resetCsrf();
 
         $redirectUrl = $redirectUrl ?: $this->urlDetectionHandler->getCurrentUrl();
-        // At minimum we need to remove the 'state' and 'code' params
-        $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['code', 'state']);
+        // At minimum we need to remove the 'code', 'enforce_https' and 'state' params
+        $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['code', 'enforce_https', 'state']);
 
         return $this->oAuth2Client->getAccessTokenFromCode($code, $redirectUrl);
     }
diff --git a/tests/Helpers/FacebookRedirectLoginHelperTest.php b/tests/Helpers/FacebookRedirectLoginHelperTest.php
@@ -45,6 +45,7 @@ class FacebookRedirectLoginHelperTest extends \PHPUnit_Framework_TestCase
 
     const REDIRECT_URL = 'http://invalid.zzz';
     const FOO_CODE = "foo_code";
+    const FOO_ENFORCE_HTTPS = "foo_enforce_https";
     const FOO_STATE = "foo_state";
     const FOO_PARAM = "some_param=blah";
 
@@ -96,15 +97,17 @@ public function testLogoutURL()
 
     public function testAnAccessTokenCanBeObtainedFromRedirect()
     {
-        $this->persistentDataHandler->set('state', 'foo_state');
-        $_GET['state'] = static::FOO_STATE;
+        $this->persistentDataHandler->set('state', static::FOO_STATE);
+
         $_GET['code'] = static::FOO_CODE;
+        $_GET['enforce_https'] = static::FOO_ENFORCE_HTTPS;
+        $_GET['state'] = static::FOO_STATE;
 
-        $fullUrl = self::REDIRECT_URL . '?state=' . static::FOO_STATE . '&code=' . static::FOO_CODE . '&' . static::FOO_PARAM;
+        $fullUrl = self::REDIRECT_URL . '?state=' . static::FOO_STATE . '&enforce_https=' . static::FOO_ENFORCE_HTTPS . '&code=' . static::FOO_CODE . '&' . static::FOO_PARAM;
 
         $accessToken = $this->redirectLoginHelper->getAccessToken($fullUrl);
 
-        // code and state should be stripped from the URL
+        // 'code', 'enforce_https' and 'state' should be stripped from the URL
         $expectedUrl = self::REDIRECT_URL . '?' . static::FOO_PARAM;
         $expectedString = 'foo_token_from_code|' . static::FOO_CODE . '|' . $expectedUrl;
 

Original file line number	Diff line number	Diff line change
`@@ -222,8 +222,8 @@ public function getAccessToken($redirectUrl = null)`
`222`	`222`	`$this->resetCsrf();`
`223`	`223`
`224`	`224`	`$redirectUrl = $redirectUrl ?: $this->urlDetectionHandler->getCurrentUrl();`
`225`		`- // At minimum we need to remove the 'state' and 'code' params`
`226`		`- $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['code', 'state']);`
	`225`	`+ // At minimum we need to remove the 'code', 'enforce_https' and 'state' params`
	`226`	`+ $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['code', 'enforce_https', 'state']);`
`227`	`227`
`228`	`228`	`return $this->oAuth2Client->getAccessTokenFromCode($code, $redirectUrl);`
`229`	`229`	`}`