add option: skipAppSecretProof

package.json

@@ -64,7 +64,9 @@
     "transformIgnorePatterns": [
       "/node_modules/"
     ],
-    "testEnvironment": "node"
+    "testEnvironment": "node",
+    "timers": "fake",
+    "resetMocks": true
   },
   "lint-staged": {
     "*.js": [

packages/messaging-api-messenger/README.md

@@ -90,6 +90,16 @@ const client = MessengerClient.connect({
 });
 ```
 
+To skip it, set `skipAppSecretProof` to `true`:
+
+```js
+const client = MessengerClient.connect({
+  accessToken: ACCESS_TOKEN,
+  appSecret: APP_SECRET,
+  skipAppSecretProof: true,
+});
+```
+
 ### Error Handling
 
 `messaging-api-messenger` uses [axios](https://github.com/axios/axios) as HTTP client. We use [axios-error](https://github.com/Yoctol/messaging-apis/tree/master/packages/axios-error) package to wrap API error instances for better formatting error messages. Directly `console.log` on the error instance will return formatted message. If you'd like to get the axios `request`, `response`, or `config`, you can still get them via those keys on the error instance.

packages/messaging-api-messenger/src/MessengerClient.js

@@ -71,6 +71,7 @@ type ClientConfig = {
   version?: string,
   origin?: string,
   onRequest?: Function,
+  skipAppSecretProof?: ?boolean,
 };
 
 function extractVersion(version) {
@@ -120,6 +121,7 @@ export default class MessengerClient {
     version?: string = '3.0'
   ) {
     let origin;
+    let skipAppSecretProof;
     if (accessTokenOrConfig && typeof accessTokenOrConfig === 'object') {
       const config = accessTokenOrConfig;
 
@@ -132,6 +134,12 @@ export default class MessengerClient {
       this._version = extractVersion(config.version || '3.0');
       this._onRequest = config.onRequest || onRequest;
       origin = config.origin;
+
+      if (typeof config.skipAppSecretProof === 'boolean') {
+        skipAppSecretProof = config.skipAppSecretProof;
+      } else {
+        skipAppSecretProof = this._appSecret == null;
+      }
     } else {
       this._accessToken = accessTokenOrConfig;
       invariant(
@@ -140,16 +148,23 @@ export default class MessengerClient {
       );
       this._version = extractVersion(version);
       this._onRequest = onRequest;
+
+      skipAppSecretProof = true;
     }
 
     this._axios = axios.create({
       baseURL: `${origin || 'https://graph.facebook.com'}/v${this._version}/`,
       headers: { 'Content-Type': 'application/json' },
     });
 
-    // add appsecret_proof to request if appSecret exists
-    if (this._appSecret != null) {
-      const appSecret = this._appSecret;
+    // add appsecret_proof to request
+    if (!skipAppSecretProof) {
+      invariant(
+        this._appSecret,
+        'Must provide appSecret when skipAppSecretProof is false'
+      );
+      const appSecret = ((this._appSecret: any): string);
+
       this._axios.interceptors.request.use(config => {
         const urlParts = url.parse(config.url, true);
         const accessToken = get(

packages/messaging-api-messenger/src/__tests__/MessengerClient-constructor.spec.js

@@ -316,4 +316,30 @@ describe('appsecret proof', () => {
 
     await client.sendText(USER_ID, 'Hello!');
   });
+
+  it('should not add appsecret proof to requests if skipAppSecretProof: true', async () => {
+    expect.assertions(1);
+
+    const client = new MessengerClient({
+      accessToken: ACCESS_TOKEN,
+      appSecret: APP_SECRET,
+      skipAppSecretProof: true,
+    });
+
+    const mock = new MockAdapter(client.axios);
+
+    const USER_ID = 'USER_ID';
+
+    const reply = {
+      recipient_id: USER_ID,
+      message_id: 'mid.1489394984387:3dd22de509',
+    };
+
+    mock.onPost().reply(config => {
+      expect(config.url).toBe('me/messages?access_token=foo_token');
+      return [200, reply];
+    });
+
+    await client.sendText(USER_ID, 'Hello!');
+  });
 });