Check session expiry to trigger a re-auth

Shopify · Nov 24, 2023 · 000ab74 · 000ab74
1 parent 2957c9a
commit 000ab74
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/lib/shopify_app/controller_concerns/login_protection.rb b/lib/shopify_app/controller_concerns/login_protection.rb
@@ -30,6 +30,12 @@ def activate_shopify_session
         return redirect_to_login
       end
 
+      if current_shopify_session.expires && current_shopify_session.expires < Time.now
+        ShopifyApp::Logger.debug("Session expired, redirecting to login")
+        clear_shopify_session
+        return redirect_to_login
+      end
+
       if ShopifyApp.configuration.reauth_on_access_scope_changes &&
           !ShopifyApp.configuration.user_access_scopes_strategy.covers_scopes?(current_shopify_session)
         clear_shopify_session

diff --git a/test/shopify_app/controller_concerns/login_protection_test.rb b/test/shopify_app/controller_concerns/login_protection_test.rb
@@ -426,6 +426,34 @@ class LoginProtectionControllerTest < ActionController::TestCase
     end
   end
 
+  test "#activate_shopify_session with an expired Shopify session, redirects to the login url" do
+    with_application_test_routes do
+      cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = "cookie"
+      ShopifyApp::SessionRepository.expects(:load_session)
+        .returns(ShopifyAPI::Auth::Session.new(shop: "shop.myshopify.com", expires: 1.minute.ago))
+
+      get :index, params: { shop: "foobar" }
+
+      assert_redirected_to "/login?shop=foobar.myshopify.com"
+      assert_nil cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME]
+    end
+  end
+
+  test "#activate_shopify_session with an expired Shopify session, when the request is an XHR, returns an HTTP 401" do
+    with_application_test_routes do
+      cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = "cookie"
+      ShopifyApp::SessionRepository.expects(:load_session)
+        .returns(ShopifyAPI::Auth::Session.new(shop: "shop.myshopify.com", expires: 1.minute.ago))
+
+      get :index, params: { shop: "foobar" }, xhr: true
+
+      assert_equal 401, response.status
+      assert_match "1", response.headers["X-Shopify-API-Request-Failure-Reauthorize"]
+      assert_match "/login?shop=foobar", response.headers["X-Shopify-API-Request-Failure-Reauthorize-Url"]
+      assert_nil cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME]
+    end
+  end
+
   test "#fullpage_redirect_to sends a post message to that shop in the shop param" do
     with_application_test_routes do
       example_shop = "shop.myshopify.com"