public function testGetCodeWithMissingCSRFState() { $facebook = new FBCode(array('appId' => self::APP_ID, 'secret' => self::SECRET)); $code = $_REQUEST['code'] = $this->generateMD5HashOfRandomValue(); // intentionally don't set CSRF token at all $this->assertFalse($facebook->publicGetCode(), 'Expect getCode to fail, CSRF state not sent back.'); }