Skip CSRF check if a valid JWT is passed in

Shopify · May 25, 2020 · 141a5b5 · 141a5b5
1 parent f623184
commit 141a5b5
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/app/controllers/shopify_app/authenticated_controller.rb b/app/controllers/shopify_app/authenticated_controller.rb
@@ -3,6 +3,12 @@ module ShopifyApp
   class AuthenticatedController < ActionController::Base
     include ShopifyApp::Authenticated
 
-    protect_from_forgery with: :exception
+    protect_from_forgery with: :exception, unless: :valid_jwt_header?
+
+    private
+
+    def valid_jwt_header?
+      jwt_shopify_domain.present?
+    end
   end
 end