Merge pull request #751 from Shopify/clear_basic_auth_values_on_temp_…

…sessions Clean up Base user / password on temp sessions
Shopify · Jul 14, 2020 · bfae1e7 · bfae1e7
2 parents ea20606 + 2d4f9fc
commit bfae1e7
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/lib/shopify_api/session.rb b/lib/shopify_api/session.rb
@@ -28,12 +28,17 @@ def temp(domain:, token:, api_version: ShopifyAPI::Base.api_version, &block)
 
       def with_session(session, &_block)
         original_session = extract_current_session
+        original_user = ShopifyAPI::Base.user
+        original_password = ShopifyAPI::Base.password
 
         begin
+          ShopifyAPI::Base.clear_session
           ShopifyAPI::Base.activate_session(session)
           yield
         ensure
           ShopifyAPI::Base.activate_session(original_session)
+          ShopifyAPI::Base.user = original_user
+          ShopifyAPI::Base.password = original_password
         end
       end
 

diff --git a/test/session_test.rb b/test/session_test.rb
@@ -91,20 +91,49 @@ def setup
     assert_equal "My test secret", ShopifyAPI::Session.secret
   end
 
-  test "#temp reset ShopifyAPI::Base.site to original value" do
+  test "#temp reset ShopifyAPI::Base values to original value" do
     session1 = ShopifyAPI::Session.new(domain: 'fakeshop.myshopify.com', token: 'token1', api_version: '2019-01')
+    ShopifyAPI::Base.user = 'foo'
+    ShopifyAPI::Base.password = 'bar'
     ShopifyAPI::Base.activate_session(session1)
 
     ShopifyAPI::Session.temp(domain: "testshop.myshopify.com", token: "any-token", api_version: :unstable) do
       @assigned_site = ShopifyAPI::Base.site
       @assigned_version = ShopifyAPI::Base.api_version
+      @assigned_user = ShopifyAPI::Base.user
+      @assigned_password = ShopifyAPI::Base.password
     end
 
     assert_equal('https://testshop.myshopify.com', @assigned_site.to_s)
     assert_equal('https://fakeshop.myshopify.com', ShopifyAPI::Base.site.to_s)
 
     assert_equal(ShopifyAPI::ApiVersion.new(handle: :unstable), @assigned_version)
     assert_equal(ShopifyAPI::ApiVersion.new(handle: '2019-01'), ShopifyAPI::Base.api_version)
+
+    assert_nil(@assigned_user)
+    assert_equal('foo', ShopifyAPI::Base.user)
+
+    assert_nil(@assigned_password)
+    assert_equal('bar', ShopifyAPI::Base.password)
+  end
+
+  test "#temp does not use basic auth values from Base.site" do
+    ShopifyAPI::Base.site = 'https://user:pass@fakeshop.myshopify.com'
+
+    ShopifyAPI::Session.temp(domain: "testshop.myshopify.com", token: "any-token", api_version: :unstable) do
+      @assigned_site = ShopifyAPI::Base.site
+      @assigned_user = ShopifyAPI::Base.user
+      @assigned_password = ShopifyAPI::Base.password
+    end
+
+    assert_equal('https://testshop.myshopify.com', @assigned_site.to_s)
+    assert_equal('https://fakeshop.myshopify.com', ShopifyAPI::Base.site.to_s)
+
+    assert_nil(@assigned_user)
+    assert_equal('user', ShopifyAPI::Base.user)
+
+    assert_nil(@assigned_password)
+    assert_equal('pass', ShopifyAPI::Base.password)
   end
 
   test "#with_session activates the session for the duration of the block" do