11

I would like to test the code path where a Facebook user's access token has expired and I need to renew the token. I noticed that the access token expires 2 months after it has been created. I don't want to wait 2 months to test that code path, so I would like a way to simulate this expiration. I am scared that my code will crash if I never test this situation for the following mysteries:

  1. Currently upon app launch, I call `[FBSession openActiveSessionWithReadPermissions:permArray allowLoginUI:NO completionHandler:someFunction]` to silently reconnect a Facebook user that has already connected in the past. Notice how `allowLoginUI` is NO. Does it have to be YES to allow the user to re-login and renew the token or can the token be silently renewed?
  2. The completion handler of any `openActiveSession*` call is triggered every time the session state changes. Two notable states are `FBSessionStateOpen` and `FBSessionStateOpenTokenExtended`. When the token becomes extended, does the state machine remain in the token extended state, or will it go to the extended state and then immediately go to the open state? I need to know the state transition, so I don't run my handlers twice.
  3. Does `[FBSession activeSession].accessToken` become nil or does it remain as the old expired token?
  4. Similarly for `[FBSession activeSession].expirationDate`: is it nil, the old expiration date, or does it automatically become the new expiration date?
Pwner
  • It's such a convoluted process unless you use their FBLoginView... Definitely the mark of bad API design on Facebook's part. – iwasrobbed Sep 17 '13 at 21:49

1 Answer

5

To make a token expired, the easiest way is to log into FB on your computer, go to App Center, click "My Apps", and remove your app by clicking the small X next to your app. This will cause the token to become "expired". Once this happens, you cannot automatically renew the token without interaction from the user. You must re-open the authentication UI and the user must click "Allow".

In regards to your questions:

  1. allowLoginUI must be YES. If the token expires, the user must interact with the UI before you can get a new token and setting it to NO will have it fail silently.

  2. I believe the TokenExtended state would only happen when extending a currently active token. If a user uses your app before the 2 month period is over, the FB SDK will automatically extend the token for you periodically. This is not the same as renewing an expired token though. Not 100% sure of this though, as I haven't tested this state.

  3. If your token expires, when you next launch the app you should call openActiveSession in one of your AppDelegate methods (didFinishLaunching) and this will trigger the completion handler with a state of either Closed or LoginFailed. At this point, you should be calling [FBSession.activeSession closeAndClearTokenInformation]; to nil out your access token, per their tutorial.
  4. Same as #3
stipe108
  • 3
    Is deleting the app from your account settings really the same as an expired token? Deleting the app would revoke the permissions you already gave to the app. Renewing a token happens when the app still has permissions but it's been 2 months since the token was created. – Pwner Sep 28 '12 at 18:25
  • 3
    I did some testing on deleting the app from your Facebook account settings. 1) the access token is still there (not nil). 2) The expiration date is still 2 months in the future. 3) `FBSession::isOpen` still returns YES. It seems like something is screwed up with FB's SDK. The only way to find out if your app got deleted from the user's account is to do a Graph API call and have it fail. Even if you set `allowLoginUI` to YES, it won't pop up the login prompt because FB's state machine thinks you're still authorized. – Pwner Sep 29 '12 at 00:33
  • Are you calling openSession every time your app starts? This call should be making a call to FB and if the access token it has is invalid (expired or whatever) then the completion handler should return with the disconnected state and you clear the access token. – stipe108 Sep 30 '12 at 04:37
  • 1
    Ah ok, so the openSession call does not return an error status. I was mistaken. In that case, you are correct that you need to make another openGraph call to FB before you can determine that the token is invalid. – stipe108 Sep 30 '12 at 04:56
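
The launch-time flow discussed in the answer and comments, as an added example that is not code from the original posters or from Facebook: a silent reopen, a Graph API request to confirm the cached token is still accepted, and a guard so the caller's callback runs only once across state changes. The class name `SessionChecker`, its method, and the policy of treating any failed request as an unusable token are assumptions.

```objc
#import <FacebookSDK/FacebookSDK.h>

// Hypothetical helper (name and flow are assumptions, not part of the SDK).
@interface SessionChecker : NSObject
+ (void)reconnectWithPermissions:(NSArray *)permissions
                      completion:(void (^)(BOOL usable))completion;
@end

@implementation SessionChecker

+ (void)reconnectWithPermissions:(NSArray *)permissions
                      completion:(void (^)(BOOL usable))completion {
    // The session handler fires on every state change, so report only once.
    __block BOOL reported = NO;
    void (^report)(BOOL) = ^(BOOL usable) {
        if (reported) { return; }
        reported = YES;
        if (completion) { completion(usable); }
    };

    // Silent attempt: with allowLoginUI:NO this only succeeds from a cached token.
    [FBSession openActiveSessionWithReadPermissions:permissions
                                       allowLoginUI:NO
                                  completionHandler:^(FBSession *session,
                                                      FBSessionState state,
                                                      NSError *error) {
        switch (state) {
            case FBSessionStateOpen: {
                // A cached token can look valid locally after it was revoked,
                // so confirm it with a real Graph request before trusting it.
                [FBRequestConnection startForMeWithCompletionHandler:
                    ^(FBRequestConnection *connection, id result, NSError *reqError) {
                        if (reqError) {
                            // Assumption: any failure counts as an unusable token.
                            [session closeAndClearTokenInformation];
                        }
                        report(reqError == nil);
                    }];
                break;
            }
            case FBSessionStateClosed:
            case FBSessionStateClosedLoginFailed:
                // Drop the stale token so it is not reused on the next launch.
                [session closeAndClearTokenInformation];
                report(NO);
                break;
            default:
                // Includes FBSessionStateOpenTokenExtended: nothing to re-run.
                break;
        }
    }];
}

@end
```

When the callback receives NO, the app should show its login control and open the session again with `allowLoginUI:YES`. A production check would also separate network failures from authentication errors before discarding the token.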