Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Redirect embedded apps to the provided return_to if it's a fully-formed URL #1746

Merged
merged 6 commits into from
Nov 13, 2023
Merged

Redirect embedded apps to the provided return_to if it's a fully-formed URL #1746

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
118b29e
Redirect embedded apps to the provided return_to if it's a fully-form…
laynekoftinowmikan Nov 9, 2023
7f5cbf0
Fix rubocop issues
laynekoftinowmikan Nov 9, 2023
3cf53d5
Update changelog
laynekoftinowmikan Nov 9, 2023
286da23
Refactor logic a bit
laynekoftinowmikan Nov 9, 2023
333b1c1
Run rubocop
laynekoftinowmikan Nov 9, 2023
f961bab
Revert changes to test
laynekoftinowmikan Nov 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
Unreleased
----------
* Fixes bug with `WebhooksManager#recreate_webhooks!` where we failed to register topics in the registry[#1743](https://github.com/Shopify/shopify_app/pull/1704)
* Allow embedded apps to provide a full URL to get redirected to, rather than defaulting to Shopify Admin [#1746](https://github.com/Shopify/shopify_app/pull/1746)

21.7.0 (Oct 12, 2023)
----------
Expand Down
17 changes: 14 additions & 3 deletions app/controllers/shopify_app/callback_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,14 +70,25 @@ def update_rails_cookie(api_session, cookie)

def redirect_to_app
if ShopifyAPI::Context.embedded?
return_to = "#{decoded_host}#{session.delete(:return_to)}"
return_to = ShopifyApp.configuration.root_url if deduced_phishing_attack?
redirect_to(return_to, allow_other_host: true)
return_to = session.delete(:return_to)
redirect_to = if fully_formed_url?(return_to)
return_to
else
"#{decoded_host}#{return_to}"
end

redirect_to = ShopifyApp.configuration.root_url if deduced_phishing_attack?
redirect_to(redirect_to, allow_other_host: true)
else
redirect_to(return_address)
end
end

def fully_formed_url?(return_to)
uri = Addressable::URI.parse(return_to)
uri.present? && uri.scheme.present? && uri.host.present?
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Outlined here what the scheme and host refer to: https://github.com/sporkmonger/addressable#example-usage

end

def decoded_host
@decoded_host ||= ShopifyAPI::Auth.embedded_app_url(params[:host])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other thing this this embedded_app_url does is append the Context's API key to the path. I'm doing some research of the context of what this is needed for. It sounds like your app is fine without it but I'm curious if others would

end
Expand Down
20 changes: 19 additions & 1 deletion test/controllers/callback_controller_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -263,14 +263,32 @@ class CallbackControllerTest < ActionController::TestCase
assert_redirected_to non_embedded_host
end

test "#callback redirects to the embedded app url for embedded" do
test "callback redirects to the return_to for embedded app when return_to is a fully-formed URL" do
mock_oauth
session[:return_to] = "https://example.com/return_to?foo=bar"

get :callback, params: @callback_params # host is required for App Bridge 2.0

assert_redirected_to "https://example.com/return_to?foo=bar"
end

test "#callback redirects to the embedded app url when app is embedded and return_to is not provided" do
mock_oauth

get :callback, params: @callback_params # host is required for App Bridge 2.0

assert_redirected_to "https://#{@host}/admin/apps/key"
end

test "#callback redirects to the embedded app url when app is embedded and return_to is a path" do
mock_oauth
session[:return_to] = "/return_to/path"

get :callback, params: @callback_params # host is required for App Bridge 2.0

assert_redirected_to "https://#{@host}/admin/apps/key/return_to/path"
end

test "#callback performs install_webhook job after authentication" do
mock_oauth

Expand Down