arsduo / koala

A lightweight Facebook library supporting the Graph, Marketing, and Atlas APIs, realtime updates, test users, and OAuth.
http://developers.facebook.com/
MIT License
3.56k stars 466 forks

Koala::Facebook::API methods add 'access_token' key to parameter hash #365

Open MSex opened 10 years ago

MSex commented 10 years ago

When you pass a hash to some of the Koala::Facebook::API methods, a key is added to this hash with the access token.

The core problem

require 'koala'

token = '====MY TOKEN===='

PARAMETERS = {fields: ['id', 'name']}

graph = Koala::Facebook::API.new(token)
graph.get_object("me", PARAMETERS)

# PARAMETERS now also contains the "access_token" key
pp PARAMETERS

The PARAMETERS hash in the end will be


{:fields=>["id", "name"],
 "access_token"=>
  "====MY TOKEN===="}

Why it is a practical problem (and not just a philosophical one)

token_user1 = '====TOKEN 1===='
token_user2 = '====TOKEN 2===='

PARAMETERS = {fields: ['id', 'name']}

graph_user1 = Koala::Facebook::API.new(token_user1)
data_user_1 = graph_user1.get_object("me", PARAMETERS)

# PARAMETERS now has access_token

graph_user2 = Koala::Facebook::API.new(token_user2)
data_user_2 = graph_user2.get_object("me", PARAMETERS)

In the end, data_user_2 contains data about user 1 because PARAMETERS has the user 1 token.

In our web application, with each request we get an access token. But PARAMETERS is a constant and, as such, is shared between requests.

Workaround

With every call use a new hash instance

# we just use a .dup
data_user_1 = graph_user1.get_object("me", PARAMETERS.dup)

How to fix it

I think the problem is in the Koala::Facebook::API.api method.
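
The cross-user token reuse reported above, reproduced offline as an added example that is not part of the original post and is not Koala's code. `MutatingClient` and `CopyingClient` are hypothetical stand-ins, the tokens are constructed, and the `||=` assignment is an assumption chosen to match the reported behaviour.

```ruby
# Constructed sample tokens; no network access is involved.
TOKEN_1 = "TOKEN-USER-1"
TOKEN_2 = "TOKEN-USER-2"

# Hypothetical stand-in, not Koala: adds the token to the caller's hash in place.
class MutatingClient
  def initialize(token)
    @token = token
  end

  # Returns the token the request would be sent with.
  def get_object(_id, args = {})
    args["access_token"] ||= @token # caller's hash now carries the token
    args["access_token"]
  end
end

# Same stand-in, but each call builds its own request hash.
class CopyingClient < MutatingClient
  def get_object(_id, args = {})
    request_args = { "access_token" => @token }.merge(args)
    request_args["access_token"]
  end
end

# Simulates two requests from different users sharing one params hash.
def tokens_used(client_class, params)
  [TOKEN_1, TOKEN_2].map { |t| client_class.new(t).get_object("me", params) }
end

# A frozen shared hash turns the silent mutation into an immediate error.
def mutation_blocked?(params)
  MutatingClient.new(TOKEN_1).get_object("me", params)
  false
rescue FrozenError
  true
end

shared = { fields: %w[id name] }
p tokens_used(MutatingClient, shared)  # user 2's call reuses user 1's token
p shared.key?("access_token")          # the token is now stored in the shared hash
p tokens_used(CopyingClient, { fields: %w[id name] })
p mutation_blocked?({ fields: %w[id name] }.freeze)
```

Freezing shared parameter constants on the caller side makes any in-place modification raise at the first call instead of silently carrying one user's token into another user's request.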

MSex commented 10 years ago

I'll try to submit a pull request later

MSex commented 10 years ago

I just sent a pull request (#366)

arsduo commented 10 years ago

Thanks, that's a really good observation and summary of the problem. I should've realized this would come up when I modified the hash in place. I'm merging in the PR now and will release a 1.10 RC today.