
Commit ff81907

authored
Merge branch 'main' into remove-jwt-middleware
2 parents 1d14ebf + 6c8cec1 commit ff81907


6 files changed

+22
-21
lines changed


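--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ Unreleased
 - ⚠️ [Breaking] Removed deprecated `CallbackController` methods. `perform_after_authenticate_job`, `install_webhooks`, and `perform_post_authenticate_jobs` have been removed. [#1961](https://github.com/Shopify/shopify_app/pull/1961)
 - ⚠️ [Breaking] Bumps minimum supported Ruby version to 3.1 [#1959](https://github.com/Shopify/shopify_app/pull/1959)
 - Adds a `script_tag_manager` that will automatically create script tags when the app is installed. [1948](https://github.com/Shopify/shopify_app/pull/1948)
+- Handle invalid token when adding redirection headers [#1945](https://github.com/Shopify/shopify_app/pull/1945)
 
 22.5.2 (March 14, 2025)
 ----------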

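--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -2,12 +2,10 @@ PATH
 remote: .
 specs:
 shopify_app (22.5.2)
-activeresource
 addressable (~> 2.7)
 rails (> 5.2.1)
 redirect_safely (~> 1.0)
 shopify_api (>= 14.7.0, < 15.0)
-sprockets-rails (>= 2.0.0)
 
 GEM
 remote: https://rubygems.org/
@@ -55,17 +53,9 @@ GEM
 globalid (>= 0.3.6)
 activemodel (6.1.7.9)
 activesupport (= 6.1.7.9)
-activemodel-serializers-xml (1.0.2)
-activemodel (> 5.x)
-activesupport (> 5.x)
-builder (~> 3.1)
 activerecord (6.1.7.9)
 activemodel (= 6.1.7.9)
 activesupport (= 6.1.7.9)
-activeresource (6.1.3)
-activemodel (>= 6.0)
-activemodel-serializers-xml (~> 1.0)
-activesupport (>= 6.0)
 activestorage (6.1.7.9)
 actionpack (= 6.1.7.9)
 activejob (= 6.1.7.9)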

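--- a/lib/shopify_app/controller_concerns/login_protection.rb
+++ b/lib/shopify_app/controller_concerns/login_protection.rb
@@ -85,13 +85,7 @@ def add_top_level_redirection_headers(url: nil, ignore_response_code: false)
 # Make sure the shop is set in the redirection URL
 unless params[:shop]
 ShopifyApp::Logger.debug("Setting current shop session")
-params[:shop] = if current_shopify_session
-current_shopify_session.shop
-
-elsif shopify_id_token
-jwt_payload = ShopifyAPI::Auth::JwtPayload.new(shopify_id_token)
-jwt_payload.shop
-end
+params[:shop] = current_shopify_session&.shop || parse_shop_from_jwt
 end
 
 url ||= login_url_with_optional_shop
@@ -279,5 +273,15 @@ def requested_by_javascript?
 request.media_type == "text/javascript" ||
 request.media_type == "application/javascript"
 end
+
+def parse_shop_from_jwt
+return nil unless shopify_id_token
+
+jwt_payload = ShopifyAPI::Auth::JwtPayload.new(shopify_id_token)
+jwt_payload.shop
+rescue ShopifyAPI::Errors::InvalidJwtTokenError
+ShopifyApp::Logger.warn("Invalid JWT token for current Shopify session")
+nil
+end
 end
 end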
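Review bot: `parse_shop_from_jwt` (new lines 277–285) deliberately swallows `ShopifyAPI::Errors::InvalidJwtTokenError` and returns `nil`, but nothing in the method says why, so a later reader is likely to "fix" it into a re-raise and reintroduce the failure the changelog entry says this commit handles. A one-line comment above the `rescue` would pin the intent, e.g. `# An invalid or expired id token must not abort the redirect: fall back to a shop-less login URL so the caller can still emit the reauthorize headers.` (the reauthorize behaviour is what the accompanying test asserts, so this is inferred from the test rather than from this hunk). Separately, the temporary `jwt_payload` local adds nothing; `ShopifyAPI::Auth::JwtPayload.new(shopify_id_token).shop` on one line reads the same. Whether the new method lands under the module's `private` marker cannot be seen from the hunk, and the first hunk's `add_top_level_redirection_headers` starts and ends outside it.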

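--- a/shopify_app.gemspec
+++ b/shopify_app.gemspec
@@ -14,13 +14,10 @@ Gem::Specification.new do |s|
 
 s.metadata["allowed_push_host"] = "https://rubygems.org"
 
-s.add_runtime_dependency("activeresource") # TODO: Remove this once all active resource dependencies are removed
 s.add_runtime_dependency("addressable", "~> 2.7")
 s.add_runtime_dependency("rails", "> 5.2.1")
 s.add_runtime_dependency("redirect_safely", "~> 1.0")
 s.add_runtime_dependency("shopify_api", ">= 14.7.0", "< 15.0")
-s.add_runtime_dependency("sprockets-rails", ">= 2.0.0")
-
 s.add_development_dependency("byebug")
 s.add_development_dependency("jwt", ">= 2.2.3")
 s.add_development_dependency("minitest")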

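--- a/test/dummy/config/application.rb
+++ b/test/dummy/config/application.rb
@@ -3,7 +3,6 @@
 require File.expand_path("../boot", __FILE__)
 
 require "rails/all"
-require "sprockets/railtie"
 
 Bundler.require(*Rails.groups)
 require "shopify_app"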

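--- a/test/shopify_app/controller_concerns/login_protection_test.rb
+++ b/test/shopify_app/controller_concerns/login_protection_test.rb
@@ -446,6 +446,16 @@ class LoginProtectionControllerTest < ActionController::TestCase
 end
 end
 
+test "#activate_shopify_session when rescuing from invalid JWT token, breaks out of iframe in XHR requests" do
+ShopifyAPI::Utils::SessionUtils.stubs(:current_session_id).returns(nil)
+request.headers["HTTP_AUTHORIZATION"] = "Bearer token"
+with_application_test_routes do
+get :index, xhr: true
+
+assert_equal "/login", response.headers["X-Shopify-API-Request-Failure-Reauthorize-Url"]
+end
+end
+
 test "#activate_shopify_session when rescuing from non 401 errors, does not close session" do
 with_application_test_routes do
 cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = "cookie"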
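Review bot: The new test (lines 449–457) never establishes that the invalid-token rescue path was actually exercised: a `/login` reauthorize URL is presumably also what the controller emits when no id token is read at all, so the assertion would keep passing if the `Bearer token` header were silently ignored or the rescue in `parse_shop_from_jwt` were deleted. Since the test already uses mocha-style stubbing on line 450, pin the path with an expectation on the warning the rescue logs, `ShopifyApp::Logger.expects(:warn).with("Invalid JWT token for current Shopify session")`, placed before the `get`. The enclosing `LoginProtectionControllerTest` class starts and ends outside the hunk.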
