Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set special redirection headers on 401s #1450

Merged
merged 1 commit into from
Jun 15, 2022
Merged

Set special redirection headers on 401s #1450

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ Unreleased
----------

* Add the `login_callback_url` config to allow overwriting that route as well, and mount the engine routes based on the configurations. [#1445](https://github.com/Shopify/shopify_app/pull/1445)
* Add special headers when returning 401s from LoginProtection. [#1450](https://github.com/Shopify/shopify_app/pull/1450)

19.0.2 (April 27, 2022)
----------
Expand Down
1 change: 1 addition & 0 deletions app/controllers/concerns/shopify_app/authenticated.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ module Authenticated
include ShopifyApp::EmbeddedApp
before_action :login_again_if_different_user_or_shop
around_action :activate_shopify_session
after_action :add_top_level_redirection_headers
end
end
end
18 changes: 18 additions & 0 deletions lib/shopify_app/controller_concerns/login_protection.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,23 @@ def jwt_expire_at
expire_at - 5.seconds # 5s gap to start fetching new token in advance
end

def add_top_level_redirection_headers(ignore_response_code: false)
if request.xhr? && (ignore_response_code || response.code.to_i == 401)
# Make sure the shop is set in the redirection URL
unless params[:shop]
params[:shop] = if current_shopify_session
current_shopify_session.shop
elsif (matches = request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/))
jwt_payload = ShopifyAPI::Auth::JwtPayload.new(T.must(matches[1]))
jwt_payload.shop
end
end

response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", login_url_with_optional_shop)
end
end

protected

def jwt_shopify_domain
Expand All @@ -86,6 +103,7 @@ def host

def redirect_to_login
if request.xhr?
add_top_level_redirection_headers(ignore_response_code: true)
head(:unauthorized)
else
if request.get?
Expand Down
2 changes: 2 additions & 0 deletions test/shopify_app/controller_concerns/login_protection_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -323,6 +323,8 @@ class LoginProtectionControllerTest < ActionController::TestCase
with_application_test_routes do
get :index, params: { shop: "foobar" }, xhr: true
assert_equal 401, response.status
assert_match "1", response.headers["X-Shopify-API-Request-Failure-Reauthorize"]
assert_match "/login?shop=foobar", response.headers["X-Shopify-API-Request-Failure-Reauthorize-Url"]
end
end

Expand Down