UserInfo.getSessionId() makes this unusable in packaged code

[mfrenchlitify]

Salesforce recently decided that any usage of UserInfo.getSessionId(); will be an automatic failure of security review for managed packages. This wrapper uses this function in MetadataDeployController.cls, so this wrapper is no longer usable by managed packages.

[m0rjc]

I understand that getSessionId() is OK for read access. I'm trying to remember the situation for very limited write access (to data that the package is considered to own like its own SObjects, Fields, Pages....).

It would be something to work out with Security Review.

This thread on Stack Exchange is interesting. https://salesforce.stackexchange.com/questions/389121/call-salesforce-api-from-apex-and-not-fail-security-review

[m0rjc]

Looking through the sample code, it seems easy to adapt this to work with a Connected App solution. For example

apex-mdapi/apex-mdapi/src/classes/MetadataServiceExamples.cls

Line 1520 in 3125fc2

service.SessionHeader.sessionId = UserInfo.getSessionId();

shows calling code specifying a session ID.

Salesforce have published a JWT Signed Token solution for Connected Apps. Not my favourite solution. Certinia have published a proof of concept for a Web Flow solution (https://github.com/certinia/mdapi-oauth-demo). There's a variation of the JWT solution there too. These correspond to the solutions mentioned in the Stack Exchange thread I linked to earlier.