Merge pull request #1873 from kirillplatonov/better-embedded-detectio…

…n-with-token Improve embedded requests detection with `Sec-Fetch-Dest` header
Shopify · Jul 11, 2024 · 430c05f · 430c05f
2 parents e2ba23d + e6397ad
commit 430c05f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ Unreleased
 - Keep original path and params when redirecting deep links to embed [#1869](https://github.com/Shopify/shopify_app/pull/1869)
 - Fix managed install path for SPIN environments [#1877](https://github.com/Shopify/shopify_app/pull/1877)
 - Migrate fullpage redirect to App Bridge CDN [#1870](https://github.com/Shopify/shopify_app/pull/1870)
+- Improve embedded requests detection with `Sec-Fetch-Dest` header [#1873](https://github.com/Shopify/shopify_app/pull/1873)
 
 22.2.1 (May 6,2024)
 ----------

diff --git a/lib/shopify_app/controller_concerns/token_exchange.rb b/lib/shopify_app/controller_concerns/token_exchange.rb
@@ -64,10 +64,10 @@ def respond_to_invalid_shopify_id_token(error)
       return if performed?
 
       if request.headers["HTTP_AUTHORIZATION"].blank?
-        if missing_embedded_param?
-          redirect_to_embed_app_in_admin
-        else
+        if embedded?
           redirect_to_bounce_page
+        else
+          redirect_to_embed_app_in_admin
         end
       else
         ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
@@ -94,8 +94,8 @@ def redirect_to_bounce_page
       )
     end
 
-    def missing_embedded_param?
-      !params[:embedded].present? || params[:embedded] != "1"
+    def embedded?
+      params[:embedded] == "1" || request.env["HTTP_SEC_FETCH_DEST"] == "iframe"
     end
 
     def online_token_configured?