Move covered scopes check into strategy (#1600)

* Move covered scopes check into strategy * Rename method * Update CHANGELOG Co-authored-by: Andy Waite <andyw8@users.noreply.github.com>
Shopify · Dec 1, 2022 · 43c2cea · 43c2cea
1 parent 2f8d75d
commit 43c2cea
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 Unreleased
 ----------
+* Move covered scopes check into user access strategy [#1600](https://github.com/Shopify/shopify_app/pull/1600)
 * Add configuration option for user access strategy [#1599](https://github.com/Shopify/shopify_app/pull/1599)
 * Fixes a bug with `EnsureAuthenticatedLinks` causing deep links to not work [#1549](https://github.com/Shopify/shopify_app/pull/1549)
 * Ensure online token is properly used when using `current_shopify_session` [#1566](https://github.com/Shopify/shopify_app/pull/1566)

diff --git a/lib/shopify_app/access_scopes/noop_strategy.rb b/lib/shopify_app/access_scopes/noop_strategy.rb
@@ -7,6 +7,10 @@ class << self
         def update_access_scopes?(*_args)
           false
         end
+
+        def covers_scopes?(*_args)
+          true
+        end
       end
     end
   end

diff --git a/lib/shopify_app/access_scopes/user_strategy.rb b/lib/shopify_app/access_scopes/user_strategy.rb
@@ -12,6 +12,11 @@ def update_access_scopes?(user_id: nil, shopify_user_id: nil)
             "#update_access_scopes? requires user_id or shopify_user_id parameter inputs")
         end
 
+        def covers_scopes?(current_shopify_session)
+          # NOTE: this not Ruby's `covers?` method, it is defined in ShopifyAPI::Auth::AuthScopes
+          current_shopify_session.scope.to_a.empty? || current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
+        end
+
         private
 
         def update_access_scopes_for_user_id?(user_id)

diff --git a/lib/shopify_app/controller_concerns/login_protection.rb b/lib/shopify_app/controller_concerns/login_protection.rb
@@ -29,9 +29,7 @@ def activate_shopify_session
         return redirect_to_login
       end
 
-      unless current_shopify_session.scope.to_a.empty? ||
-          current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
-
+      unless ShopifyApp.configuration.user_access_scopes_strategy.covers_scopes?(current_shopify_session)
         clear_shopify_session
         return redirect_to_login
       end