Redirect to embed app before bounce page

Shopify · Apr 25, 2024 · 7eddd95 · 7eddd95
1 parent 841857f
commit 7eddd95
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 15 deletions.
diff --git a/lib/shopify_app/controller_concerns/token_exchange.rb b/lib/shopify_app/controller_concerns/token_exchange.rb
@@ -58,12 +58,18 @@ def retrieve_session_from_token_exchange
     end
 
     def respond_to_invalid_shopify_id_token
-      return redirect_to_bounce_page if request.headers["HTTP_AUTHORIZATION"].blank?
-
-      ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
-      response.set_header("X-Shopify-Retry-Invalid-Session-Request", 1)
-      unauthorized_response = { message: :unauthorized }
-      render(json: { errors: [unauthorized_response] }, status: :unauthorized)
+      if request.headers["HTTP_AUTHORIZATION"].blank?
+        if missing_embedded_param?
+          redirect_to_embed_app
+        else
+          redirect_to_bounce_page
+        end
+      else
+        ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
+        response.set_header("X-Shopify-Retry-Invalid-Session-Request", 1)
+        unauthorized_response = { message: :unauthorized }
+        render(json: { errors: [unauthorized_response] }, status: :unauthorized)
+      end
     end
 
     def redirect_to_bounce_page
@@ -83,6 +89,15 @@ def redirect_to_bounce_page
       )
     end
 
+    def missing_embedded_param?
+      !params[:embedded].present? || params[:embedded] != "1"
+    end
+
+    def redirect_to_embed_app
+      ShopifyApp::Logger.debug("Redirecting to embed app")
+      redirect_to(ShopifyAPI::Auth.embedded_app_url(params[:host]), allow_other_host: true)
+    end
+
     def online_token_configured?
       ShopifyApp.configuration.online_token_configured?
     end

diff --git a/test/shopify_app/controller_concerns/token_exchange_test.rb b/test/shopify_app/controller_concerns/token_exchange_test.rb
@@ -208,10 +208,10 @@ class TokenExchangeControllerTest < ActionController::TestCase
       ShopifyAPI::Utils::SessionUtils.stubs(:session_id_from_shopify_id_token).raises(invalid_shopify_id_token_error)
       request.headers["HTTP_AUTHORIZATION"] = nil
 
-      params = { shop: @shop, my_param: "for-keeps", id_token: "dont-include-this-id-token" }
-      reload_url = CGI.escape("/reloaded_path?my_param=for-keeps&shop=#{@shop}")
+      params = { shop: @shop, my_param: "for-keeps", id_token: "dont-include-this-id-token", embedded: "1" }
+      reload_url = CGI.escape("/reloaded_path?embedded=1&my_param=for-keeps&shop=#{@shop}")
       expected_redirect_url = "https://test.host/my-root/patch_shopify_id_token"\
-        "?my_param=for-keeps&shop=#{@shop}"\
+        "?embedded=1&my_param=for-keeps&shop=#{@shop}"\
         "&shopify-reload=#{reload_url}"
 
       with_application_test_routes do
@@ -220,6 +220,21 @@ class TokenExchangeControllerTest < ActionController::TestCase
       end
     end
 
+    test "Redirects to embed app if Shopify ID token is invalid with #{invalid_shopify_id_token_error} and embedded param is missing" do
+      ShopifyAPI::Utils::SessionUtils.stubs(:session_id_from_shopify_id_token).raises(invalid_shopify_id_token_error)
+      request.headers["HTTP_AUTHORIZATION"] = nil
+
+      host = Base64.encode64("#{@shop}/admin")
+      params = { shop: @shop, my_param: "for-keeps", host: host }
+
+      expected_redirect_url = "https://my-shop.myshopify.com/admin/apps/key"
+
+      with_application_test_routes do
+        get :index, params: params
+        assert_redirected_to expected_redirect_url
+      end
+    end
+
     test "Responds with unauthorized if Shopify Id token is invalid with #{invalid_shopify_id_token_error} and authorization header exists" do
       ShopifyAPI::Utils::SessionUtils.stubs(:session_id_from_shopify_id_token).raises(invalid_shopify_id_token_error)
       request.headers["HTTP_AUTHORIZATION"] = @id_token_in_header
@@ -240,10 +255,10 @@ class TokenExchangeControllerTest < ActionController::TestCase
       ShopifyApp::Auth::TokenExchange.expects(:perform).raises(invalid_shopify_id_token_error)
       request.headers["HTTP_AUTHORIZATION"] = nil
 
-      params = { shop: @shop, my_param: "for-keeps", id_token: "dont-include-this-id-token" }
-      reload_url = CGI.escape("/reloaded_path?my_param=for-keeps&shop=#{@shop}")
+      params = { shop: @shop, my_param: "for-keeps", id_token: "dont-include-this-id-token", embedded: "1" }
+      reload_url = CGI.escape("/reloaded_path?embedded=1&my_param=for-keeps&shop=#{@shop}")
       expected_redirect_url = "https://test.host/my-root/patch_shopify_id_token"\
-        "?my_param=for-keeps&shop=#{@shop}"\
+        "?embedded=1&my_param=for-keeps&shop=#{@shop}"\
         "&shopify-reload=#{reload_url}"
 
       with_application_test_routes do
@@ -275,10 +290,10 @@ class TokenExchangeControllerTest < ActionController::TestCase
 
       @controller.expects(:with_token_refetch).raises(invalid_shopify_id_token_error)
 
-      params = { shop: @shop, my_param: "for-keeps", id_token: "dont-include-this-id-token" }
-      reload_url = CGI.escape("/reloaded_path?my_param=for-keeps&shop=#{@shop}")
+      params = { shop: @shop, my_param: "for-keeps", id_token: "dont-include-this-id-token", embedded: "1" }
+      reload_url = CGI.escape("/reloaded_path?embedded=1&my_param=for-keeps&shop=#{@shop}")
       expected_redirect_url = "https://test.host/my-root/patch_shopify_id_token"\
-        "?my_param=for-keeps&shop=#{@shop}"\
+        "?embedded=1&my_param=for-keeps&shop=#{@shop}"\
         "&shopify-reload=#{reload_url}"
 
       with_application_test_routes do