Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove FB.setAccessToken and warn when accessToken option is set on global FB #151

Open
dantman opened this issue Apr 1, 2018 · 0 comments
Open

Remove FB.setAccessToken and warn when accessToken option is set on global FB #151

dantman opened this issue Apr 1, 2018 · 0 comments
Milestone
3.0.0

Comments

@dantman
Copy link

dantman commented Apr 1, 2018

FB.setAccessToken is very dangerous. Someone who doesn't understand the async nature of Node may use FB.setAccessToken in a web request not knowing that this will leak the access token to other requests.

The only valid use for FB.setAccessToken is for things like command line scripts where you know that there is only one access token/user. However for these scripts it's fairly easy to just const FB = new Facebook({accessToken: ...});.

As such I think it would be a good idea to remove setAccessToken and emit a warning when accessToken is set through FB.options on the global instance.
@dantman dantman added this to the 3.0.0 milestone Apr 1, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.0.0
Development

No branches or pull requests
1 participant
@dantman