Avoid preloading ActionController::Base (#855)

* moved extension verification controller from engine to app * nest in module * add changelog * remove loading controller from engine * minor version change, not a patch
Shopify · Jan 15, 2020 · b3ba6fa · b3ba6fa
1 parent 7a07288
commit b3ba6fa
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 25 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+11.7.0
+-----
+* Move ExtensionVerificationController from engine to app controllers, as being in the engine makes ActionController::Base get loaded before app initiates [#855](https://github.com/Shopify/shopify_app/pull/855)
+
 11.6.0
 -----
 * Enable SameSite=None; Secure by default on all cookies for embedded apps [#851](https://github.com/Shopify/shopify_app/pull/851)

diff --git a/app/controllers/shopify_app/extension_verification_controller.rb b/app/controllers/shopify_app/extension_verification_controller.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class ExtensionVerificationController < ActionController::Base
+    protect_from_forgery with: :null_session
+    before_action :verify_request
+
+    private
+
+    def verify_request
+      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+      request_body = request.body.read
+      secret = ShopifyApp.configuration.secret
+      digest = OpenSSL::Digest.new('sha256')
+
+      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
+      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+    end
+  end
+end
diff --git a/...shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb b/...shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class MarketingActivitiesController < ExtensionVerificationController
+class MarketingActivitiesController < ShopifyApp::ExtensionVerificationController
   def preload_form_data
     preload_data = {
       "form_data": {

diff --git a/lib/shopify_app.rb b/lib/shopify_app.rb
@@ -24,9 +24,6 @@ def self.use_webpacker?
   # utils
   require 'shopify_app/utils'
 
-  # controllers
-  require 'shopify_app/controllers/extension_verification_controller'
-
   # controller concerns
   require 'shopify_app/controller_concerns/localization'
   require 'shopify_app/controller_concerns/itp'

diff --git a/lib/shopify_app/controllers/extension_verification_controller.rb b/lib/shopify_app/controllers/extension_verification_controller.rb
diff --git a/lib/shopify_app/version.rb b/lib/shopify_app/version.rb
@@ -1,3 +1,3 @@
 module ShopifyApp
-  VERSION = '11.6.0'.freeze
+  VERSION = '11.7.0'.freeze
 end
diff --git a/...extension_verification_controller_test.rb → ...extension_verification_controller_test.rb b/...extension_verification_controller_test.rb → ...extension_verification_controller_test.rb
@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class ExtensionController < ExtensionVerificationController
+class ExtensionController < ShopifyApp::ExtensionVerificationController
   def extension_action
     head :ok
   end

diff --git a/test/generators/add_marketing_activity_extension_generator_test.rb b/test/generators/add_marketing_activity_extension_generator_test.rb
@@ -11,7 +11,7 @@ class AddMarketingActivityExtensionGeneratorTest < Rails::Generators::TestCase
     run_generator
 
     assert_file "app/controllers/marketing_activities_controller.rb" do |controller|
-      assert_match 'class MarketingActivitiesController < ExtensionVerificationController', controller
+      assert_match 'class MarketingActivitiesController < ShopifyApp::ExtensionVerificationController', controller
     end
   end