Merge branch 'main' into remove-jwt-middleware

Author: lizkenyon

CHANGELOG.md

@@ -4,6 +4,7 @@ Unreleased
 - ⚠️ [Breaking] Removed deprecated `CallbackController` methods. `perform_after_authenticate_job`, `install_webhooks`, and `perform_post_authenticate_jobs` have been removed. [#1961](https://github.com/Shopify/shopify_app/pull/1961)
 - ⚠️ [Breaking] Bumps minimum supported Ruby version to 3.1 [#1959](https://github.com/Shopify/shopify_app/pull/1959)
 - Adds a `script_tag_manager` that will automatically create script tags when the app is installed. [1948](https://github.com/Shopify/shopify_app/pull/1948)
+- Handle invalid token when adding redirection headers [#1945](https://github.com/Shopify/shopify_app/pull/1945)
 
 22.5.2 (March 14, 2025)
 ----------

Gemfile.lock

@@ -2,12 +2,10 @@ PATH
   remote: .
   specs:
     shopify_app (22.5.2)
-      activeresource
       addressable (~> 2.7)
       rails (> 5.2.1)
       redirect_safely (~> 1.0)
       shopify_api (>= 14.7.0, < 15.0)
-      sprockets-rails (>= 2.0.0)
 
 GEM
   remote: https://rubygems.org/
@@ -55,17 +53,9 @@ GEM
       globalid (>= 0.3.6)
     activemodel (6.1.7.9)
       activesupport (= 6.1.7.9)
-    activemodel-serializers-xml (1.0.2)
-      activemodel (> 5.x)
-      activesupport (> 5.x)
-      builder (~> 3.1)
     activerecord (6.1.7.9)
       activemodel (= 6.1.7.9)
       activesupport (= 6.1.7.9)
-    activeresource (6.1.3)
-      activemodel (>= 6.0)
-      activemodel-serializers-xml (~> 1.0)
-      activesupport (>= 6.0)
     activestorage (6.1.7.9)
       actionpack (= 6.1.7.9)
       activejob (= 6.1.7.9)

lib/shopify_app/controller_concerns/login_protection.rb

@@ -85,13 +85,7 @@ def add_top_level_redirection_headers(url: nil, ignore_response_code: false)
         # Make sure the shop is set in the redirection URL
         unless params[:shop]
           ShopifyApp::Logger.debug("Setting current shop session")
-          params[:shop] = if current_shopify_session
-            current_shopify_session.shop
-
-          elsif shopify_id_token
-            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(shopify_id_token)
-            jwt_payload.shop
-          end
+          params[:shop] = current_shopify_session&.shop || parse_shop_from_jwt
         end
 
         url ||= login_url_with_optional_shop
@@ -279,5 +273,15 @@ def requested_by_javascript?
         request.media_type == "text/javascript" ||
         request.media_type == "application/javascript"
     end
+
+    def parse_shop_from_jwt
+      return nil unless shopify_id_token
+
+      jwt_payload = ShopifyAPI::Auth::JwtPayload.new(shopify_id_token)
+      jwt_payload.shop
+    rescue ShopifyAPI::Errors::InvalidJwtTokenError
+      ShopifyApp::Logger.warn("Invalid JWT token for current Shopify session")
+      nil
+    end
   end
 end

shopify_app.gemspec

@@ -14,13 +14,10 @@ Gem::Specification.new do |s|
 
   s.metadata["allowed_push_host"] = "https://rubygems.org"
 
-  s.add_runtime_dependency("activeresource") # TODO: Remove this once all active resource dependencies are removed
   s.add_runtime_dependency("addressable", "~> 2.7")
   s.add_runtime_dependency("rails", "> 5.2.1")
   s.add_runtime_dependency("redirect_safely", "~> 1.0")
   s.add_runtime_dependency("shopify_api", ">= 14.7.0", "< 15.0")
-  s.add_runtime_dependency("sprockets-rails", ">= 2.0.0")
-
   s.add_development_dependency("byebug")
   s.add_development_dependency("jwt", ">= 2.2.3")
   s.add_development_dependency("minitest")

test/dummy/config/application.rb

@@ -3,7 +3,6 @@
 require File.expand_path("../boot", __FILE__)
 
 require "rails/all"
-require "sprockets/railtie"
 
 Bundler.require(*Rails.groups)
 require "shopify_app"

test/shopify_app/controller_concerns/login_protection_test.rb

@@ -446,6 +446,16 @@ class LoginProtectionControllerTest < ActionController::TestCase
     end
   end
 
+  test "#activate_shopify_session when rescuing from invalid JWT token, breaks out of iframe in XHR requests" do
+    ShopifyAPI::Utils::SessionUtils.stubs(:current_session_id).returns(nil)
+    request.headers["HTTP_AUTHORIZATION"] = "Bearer token"
+    with_application_test_routes do
+      get :index, xhr: true
+
+      assert_equal "/login", response.headers["X-Shopify-API-Request-Failure-Reauthorize-Url"]
+    end
+  end
+
   test "#activate_shopify_session when rescuing from non 401 errors, does not close session" do
     with_application_test_routes do
       cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = "cookie"