From 89b904848c6103bec2354bd98d70a633339a166f Mon Sep 17 00:00:00 2001
From: Aditya Mattos
Date: Thu, 14 May 2020 00:05:52 +0530
Subject: [PATCH] Add a rails concern to check for valid domains in the unauthenticated controller
---
 .../concerns/shopify_app/domain_protection.rb | 39 ++++++++++++
 .../concerns/domain_protection_test.rb | 63 +++++++++++++++++++
 2 files changed, 102 insertions(+)
 create mode 100644 app/controllers/concerns/shopify_app/domain_protection.rb
 create mode 100644 test/controllers/concerns/domain_protection_test.rb
diff --git a/app/controllers/concerns/shopify_app/domain_protection.rb b/app/controllers/concerns/shopify_app/domain_protection.rb
new file mode 100644
index 000000000..625c84578
--- /dev/null
+++ b/app/controllers/concerns/shopify_app/domain_protection.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module DomainProtection
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :check_shop_domain
+      before_action :check_shop_known
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+      @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    private
+
+    def check_shop_domain
+      redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
+    end
+
+    def check_shop_known
+      @shop = SessionRepository.retrieve_shop_session_by_domain(current_shopify_domain)
+      redirect_to(shop_login) unless @shop
+    end
+
+    def shop_login
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: params[:shop],
+        return_to: request.fullpath,
+      )
+
+      url.to_s
+    end
+  end
+end
diff --git a/test/controllers/concerns/domain_protection_test.rb b/test/controllers/concerns/domain_protection_test.rb
new file mode 100644
index 000000000..75d628c97
--- /dev/null
+++ b/test/controllers/concerns/domain_protection_test.rb
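Review bot: `shop_login` builds the login redirect from the raw `params[:shop]` although `current_shopify_domain` has already sanitized that value and is what `check_shop_known` looked up; the query should carry the sanitized domain, `shop: current_shopify_domain,`, so the login page receives the canonical shop rather than whatever form the client sent. The concern also has no header comment; a two-line comment above `module DomainProtection` stating that it redirects to `login_url` when the `shop` param is missing or does not sanitize to a valid shop domain, and to the login page with `shop` and `return_to` when no session is stored for that domain, would document the contract the tests rely on. `current_shopify_domain` is public, so it is exposed as an action method on every including controller; if it is only meant as a helper, declaring it under `private` (with `helper_method` if views need it) keeps it off the action surface.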
@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+class DomainProtectionTest < ActionController::TestCase
+  class UnauthenticatedTestController < ActionController::Base
+    include ShopifyApp::DomainProtection
+
+    def index
+      render html: '

Success'
+    end
+  end
+
+  tests UnauthenticatedTestController
+
+  setup do
+    Rails.application.routes.draw do
+      get '/unauthenticated_test', to: 'domain_protection_test/unauthenticated_test#index'
+    end
+  end
+
+  teardown do
+    Rails.application.reload_routes!
+  end
+
+  test 'redirects to login if no shop param is present' do
+    get :index
+
+    assert_redirected_to ShopifyApp.configuration.login_url
+  end
+
+  test 'redirects to login if no shop is not a valid shopify domain' do
+    invalid_shop = 'https://shop1.example.com'
+
+    get :index, params: { shop: invalid_shop }
+
+    assert_redirected_to ShopifyApp.configuration.login_url
+  end
+
+  test 'redirects to login if the shop is not installed' do
+    ShopifyApp::SessionRepository.expects(:retrieve_shop_session_by_domain).returns(false)
+
+    shopify_domain = 'shop1.myshopify.com'
+
+    get :index, params: { shop: shopify_domain }
+
+    redirect_url = URI('/login')
+    redirect_url.query = URI.encode_www_form(
+      shop: shopify_domain,
+      return_to: request.fullpath,
+    )
+
+    assert_redirected_to redirect_url.to_s
+  end
+
+  test 'returns :ok if the shop is installed' do
+    ShopifyApp::SessionRepository.expects(:retrieve_shop_session_by_domain).returns(true)
+
+    shopify_domain = 'shop1.myshopify.com'
+
+    get :index, params: { shop: shopify_domain }
+
+    assert_response :ok
+  end
+end
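Review bot: The not-installed test hardcodes `redirect_url = URI('/login')` while the other tests derive the expected target from `ShopifyApp.configuration.login_url`, so this test silently depends on the default configuration; use `redirect_url = URI(ShopifyApp.configuration.login_url)` for consistency. The two `SessionRepository` stubs also accept any argument, so nothing pins that the lookup is made with the sanitized domain; `ShopifyApp::SessionRepository.expects(:retrieve_shop_session_by_domain).with(shopify_domain).returns(false)` would catch a regression where the raw param is passed instead. The second test's name, `'redirects to login if no shop is not a valid shopify domain'`, looks like a typo for `'redirects to login if the shop is not a valid shopify domain'`. The `render html:` line in the fixture controller appears truncated in this rendering, so its exact content cannot be confirmed here.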