From 141a5b56ac5d82c64974c7016e0b6a2f35d0b85c Mon Sep 17 00:00:00 2001
From: Aditya Mattos
Date: Fri, 22 May 2020 12:45:58 +0530
Subject: [PATCH] Skip CSRF check if a valid JWT is passed in

---
 app/controllers/shopify_app/authenticated_controller.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/app/controllers/shopify_app/authenticated_controller.rb b/app/controllers/shopify_app/authenticated_controller.rb
index 7ba0cd8dc..94b510cdc 100644
--- a/app/controllers/shopify_app/authenticated_controller.rb
+++ b/app/controllers/shopify_app/authenticated_controller.rb
@@ -3,6 +3,12 @@ module ShopifyApp
 class AuthenticatedController < ActionController::Base
 include ShopifyApp::Authenticated
 
- protect_from_forgery with: :exception
+ protect_from_forgery with: :exception, unless: :valid_jwt_header?
+
+ private
+
+ def valid_jwt_header?
+ jwt_shopify_domain.present?
+ end
 end
 end
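Review bot: `valid_jwt_header?` only checks that `jwt_shopify_domain` is present, so the forgery-protection bypass on the `protect_from_forgery` line is exactly as strong as that helper, which is defined outside this hunk and must return nil for a missing, unsigned or otherwise unverified token; if it ever fell back to a session or parameter value, every request would skip CSRF checking. Exempting requests authenticated by a bearer JWT is sound because a browser never attaches an Authorization header cross-site on its own, but that reasoning is not recorded anywhere in the diff. I would add above the method `# A request authenticated by a signed JWT in the Authorization header cannot be forged cross-site, so CSRF protection is redundant; this relies on jwt_shopify_domain being nil unless the token's signature verified.` The name also promises validation the method does not perform itself, so `jwt_authenticated?` would describe it more honestly. The enclosing `module ShopifyApp` opens before the hunk.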