From e5c0f296164c48baa8c34e69c41f129b52ac9a63 Mon Sep 17 00:00:00 2001
From: Stephane Bellity
Date: Mon, 27 Feb 2023 11:50:09 +0100
Subject: [PATCH] Add option to pass access_token in Authorization header instead of query parameter
---
 session.go | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/session.go b/session.go
index 73b1a0b..1efd6db 100644
--- a/session.go
+++ b/session.go
@@ -59,8 +59,9 @@ type Session struct {
 app *App
 id string

- enableAppsecretProof bool // add "appsecret_proof" parameter in every facebook API call.
- appsecretProof string // pre-calculated "appsecret_proof" value.
+ enableAppsecretProof bool // add "appsecret_proof" parameter in every facebook API call.
+ appsecretProof string // pre-calculated "appsecret_proof" value.
+ useAuthorizationHeader bool // pass accessToken in headers instead of query params

 debug DebugMode // using facebook debugging api in every request.

@@ -268,6 +269,11 @@ func (session *Session) SetAccessToken(token string) {
 }
 }

+// UseAuthorizationHeader pass accessToken in authorization header instead of query params.
+func (session *Session) UseAuthorizationHeader() {
+ session.useAuthorizationHeader = true
+}
+
 // AppsecretProof checks appsecret proof is enabled or not.
 func (session *Session) AppsecretProof() string {
 if !session.enableAppsecretProof {
@@ -429,8 +435,11 @@ func (session *Session) graphBatch(batchParams Params, params ...Params) ([]Resu
 }

 func (session *Session) prepareParams(params Params) {
- if _, ok := params["access_token"]; !ok && session.accessToken != "" {
- params["access_token"] = session.accessToken
+
+ if !session.useAuthorizationHeader {
+ if _, ok := params["access_token"]; !ok && session.accessToken != "" {
+ params["access_token"] = session.accessToken
+ }
 }

 if session.enableAppsecretProof && session.accessToken != "" && session.app != nil {
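Review bot: The doc comment on `UseAuthorizationHeader` does not say that the switch is session-wide and, as far as this patch shows, one-way: the method only ever sets the flag to true and no counterpart to clear it is added. I would spell that out, for example `// UseAuthorizationHeader makes the session send its access token in the "Authorization: Bearer" header` followed by `// instead of the "access_token" query parameter on all later requests; it cannot be switched back.` A short sentence on the reason would also help readers choose the option: query strings tend to be recorded in proxy and server access logs, while request headers usually are not.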
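Review bot: In header mode `prepareParams` stops adding the session token, but a caller-supplied `params["access_token"]` is left in place, so that request still carries a token in the query string and, once `sendRequest` adds the header, two credentials at the same time. Keeping tokens out of URLs is the purpose of the option, so the per-call case should either be rejected or moved when `useAuthorizationHeader` is set, or be documented as an exception. At minimum I would add `// header mode: a caller-supplied params["access_token"] is still sent as a query parameter` above the new `if`. The body of `prepareParams` continues past the end of this hunk.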
@@ -541,6 +550,10 @@ func (session *Session) sendRequest(request *http.Request) (response *http.Respo
 request = request.WithContext(session.context)
 }

+ if session.useAuthorizationHeader {
+ request.Header.Set("Authorization", "Bearer "+session.accessToken)
+ }
+
 if session.HttpClient == nil {
 response, err = http.DefaultClient.Do(request)
 } else {
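Review bot: The header is set even when `session.accessToken` is empty, which puts a bare `Authorization: Bearer ` on unauthenticated calls; `prepareParams` guards the query-parameter path with `session.accessToken != ""`, and this branch should do the same: `if session.useAuthorizationHeader && session.accessToken != "" {`. `Header.Set` also replaces any Authorization value already present on the request. The token is attached to whatever URL the request targets, so it is worth confirming that every caller of `sendRequest` only talks to the Graph API host. The body of `sendRequest` starts and ends outside this hunk.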