UserInfo.getSessionId() makes this unusable in packaged code #290
Comments
|
I understand that getSessionId() is OK for read access. I'm trying to remember the situation for very limited write access (to data that the package is considered to own like its own SObjects, Fields, Pages....). It would be something to work out with Security Review. This thread on Stack Exchange is interesting. https://salesforce.stackexchange.com/questions/389121/call-salesforce-api-from-apex-and-not-fail-security-review |
|
Looking through the sample code, it seems easy to adapt this to work with a Connected App solution. For example shows calling code specifying a session ID.Salesforce have published a JWT Signed Token solution for Connected Apps. Not my favourite solution. Certinia have published a proof of concept for a Web Flow solution (https://github.com/certinia/mdapi-oauth-demo). There's a variation of the JWT solution there too. These correspond to the solutions mentioned in the Stack Exchange thread I linked to earlier. |
Salesforce recently decided that any usage of
UserInfo.getSessionId();will be an automatic failure of security review for managed packages. This wrapper uses this function inMetadataDeployController.cls, so this wrapper is no longer usable by managed packages.The text was updated successfully, but these errors were encountered: