Merge pull request #153 from Shopify/limit_session_return_to

Return an HTTP 401 for XHRs that aren't logged in

CHANGELOG

@@ -1,3 +1,8 @@
+6.2.0
+-----
+
+* Return an HTTP 401 for XHRs that aren't logged in
+
 6.1.3
 -----
 * add redirect_uri which is now required

lib/shopify_app/login_protection.rb

@@ -35,8 +35,12 @@ def login_again_if_different_shop
     protected
 
     def redirect_to_login
-      session[:return_to] = request.fullpath if request.get?
-      redirect_to login_path(shop: params[:shop])
+      if request.xhr?
+        head :unauthorized
+      else
+        session[:return_to] = request.fullpath if request.get?
+        redirect_to login_path(shop: params[:shop])
+      end
     end
 
     def close_session

lib/shopify_app/version.rb

@@ -1,3 +1,3 @@
 module ShopifyApp
-  VERSION = "6.1.3"
+  VERSION = '6.2.0'
 end

test/shopify_app/login_protection_test.rb

@@ -6,6 +6,7 @@ class LoginProtectionController < ActionController::Base
   include ShopifyApp::LoginProtection
   helper_method :shop_session
 
+  around_action :shopify_session, only: [:index]
   before_action :login_again_if_different_shop, only: [:second_login]
 
   def index
@@ -64,6 +65,27 @@ class LoginProtectionTest < ActionController::TestCase
     end
   end
 
+  test '#shopify_session with no Shopify session, redirects to the login path' do
+    with_application_test_routes do
+      get :index, shop: 'foobar'
+      assert_redirected_to @controller.send(:login_path, shop: 'foobar')
+    end
+  end
+
+  test '#shopify_session with no Shopify session, sets session[:return_to]' do
+    with_application_test_routes do
+      get :index, shop: 'foobar'
+      assert_equal '/?shop=foobar', session[:return_to]
+    end
+  end
+
+  test '#shopify_session with no Shopify session, when the request is an XHR, returns an HTTP 401' do
+    with_application_test_routes do
+      xhr :get, :index, shop: 'foobar'
+      assert_equal 401, response.status
+    end
+  end
+
   private
 
   def with_application_test_routes