Avoid preloading ActionController::Base

CHANGELOG.md

@@ -1,3 +1,7 @@
+11.7.0
+-----
+* Move ExtensionVerificationController from engine to app controllers, as being in the engine makes ActionController::Base get loaded before app initiates [#855](https://github.com/Shopify/shopify_app/pull/855)
+
 11.6.0
 -----
 * Enable SameSite=None; Secure by default on all cookies for embedded apps [#851](https://github.com/Shopify/shopify_app/pull/851)

app/controllers/shopify_app/extension_verification_controller.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class ExtensionVerificationController < ActionController::Base
+    protect_from_forgery with: :null_session
+    before_action :verify_request
+
+    private
+
+    def verify_request
+      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+      request_body = request.body.read
+      secret = ShopifyApp.configuration.secret
+      digest = OpenSSL::Digest.new('sha256')
+
+      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
+      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+    end
+  end
+end

lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class MarketingActivitiesController < ExtensionVerificationController
+class MarketingActivitiesController < ShopifyApp::ExtensionVerificationController
   def preload_form_data
     preload_data = {
       "form_data": {

lib/shopify_app.rb

@@ -24,9 +24,6 @@ def self.use_webpacker?
   # utils
   require 'shopify_app/utils'
 
-  # controllers
-  require 'shopify_app/controllers/extension_verification_controller'
-
   # controller concerns
   require 'shopify_app/controller_concerns/localization'
   require 'shopify_app/controller_concerns/itp'

lib/shopify_app/version.rb

@@ -1,3 +1,3 @@
 module ShopifyApp
-  VERSION = '11.6.0'.freeze
+  VERSION = '11.7.0'.freeze
 end

test/shopify_app/controllers/extension_verification_controller_test.rb → test/controllers/extension_verification_controller_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class ExtensionController < ExtensionVerificationController
+class ExtensionController < ShopifyApp::ExtensionVerificationController
   def extension_action
     head :ok
   end

test/generators/add_marketing_activity_extension_generator_test.rb

@@ -11,7 +11,7 @@ class AddMarketingActivityExtensionGeneratorTest < Rails::Generators::TestCase
     run_generator
 
     assert_file "app/controllers/marketing_activities_controller.rb" do |controller|
-      assert_match 'class MarketingActivitiesController < ExtensionVerificationController', controller
+      assert_match 'class MarketingActivitiesController < ShopifyApp::ExtensionVerificationController', controller
     end
   end