Merge pull request #617 from Shopify/top-level-partitioning-for-safar…

…i-12 Top level partitioning for safari 12
Shopify · Sep 10, 2018 · bf6b92d · bf6b92d
2 parents 48faaf9 + 27c76e3
commit bf6b92d
Show file tree

Hide file tree

Showing 11 changed files with 642 additions and 44 deletions.
diff --git a/app/assets/javascripts/shopify_app/itp_polyfill.js b/app/assets/javascripts/shopify_app/itp_polyfill.js
@@ -0,0 +1,30 @@
+(function() {
+  function setCookieAndRedirect() {
+    document.cookie = "shopify.cookies_persist=true";
+    window.location.href = window.shopOrigin + "/admin/apps/" + window.apiKey;
+  }
+
+  function shouldDisplayPrompt() {
+    if (navigator.userAgent.indexOf('com.jadedpixel.pos') !== -1) {
+      return false;
+    }
+
+    if (navigator.userAgent.indexOf('Shopify Mobile/iOS') !== -1) {
+      return false;
+    }
+
+    return Boolean(document.hasStorageAccess);
+  }
+
+  document.addEventListener("DOMContentLoaded", function() {
+    if (shouldDisplayPrompt()) {
+      var itpContent = document.querySelector('#CookiePartitionPrompt');
+      itpContent.style.display = 'block';
+
+      var button = document.querySelector('#AcceptCookies');
+      button.addEventListener('click', setCookieAndRedirect);
+    } else {
+      setCookieAndRedirect();
+    }
+  });
+})();
diff --git a/app/assets/javascripts/shopify_app/redirect.js b/app/assets/javascripts/shopify_app/redirect.js
@@ -1,19 +1,33 @@
-document.addEventListener("DOMContentLoaded", function() {
-  var redirectTargetElement = document.getElementById("redirection-target");
-  var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
+(function() {
+  function redirect() {
+    var redirectTargetElement = document.getElementById("redirection-target");
 
-  if (window.top == window.self) {
-    // If the current window is the 'parent', change the URL by setting location.href
-    window.top.location.href = targetInfo.url;
-  } else {
-    // If the current window is the 'child', change the parent's URL with postMessage
-    normalizedLink = document.createElement('a');
-    normalizedLink.href = targetInfo.url;
+    if (!redirectTargetElement) {
+      return;
+    }
 
-    data = JSON.stringify({
-      message: 'Shopify.API.remoteRedirect',
-      data: { location: normalizedLink.href }
-    });
-    window.parent.postMessage(data, targetInfo.myshopifyUrl);
+    var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
+
+    if (window.top == window.self) {
+      // If the current window is the 'parent', change the URL by setting location.href
+      window.top.location.href = targetInfo.url;
+    } else {
+      // If the current window is the 'child', change the parent's URL with postMessage
+      normalizedLink = document.createElement('a');
+      normalizedLink.href = targetInfo.url;
+
+      data = JSON.stringify({
+        message: 'Shopify.API.remoteRedirect',
+        data: {location: normalizedLink.href}
+      });
+      window.parent.postMessage(data, targetInfo.myshopifyUrl);
+    }
   }
-});
+
+  document.addEventListener("DOMContentLoaded", redirect);
+
+  // In the turbolinks context, neither DOMContentLoaded nor turbolinks:load
+  // consistently fires. This ensures that we at least attempt to fire in the
+  // turbolinks situation as well.
+  redirect();
+})();
diff --git a/app/controllers/shopify_app/sessions_controller.rb b/app/controllers/shopify_app/sessions_controller.rb
@@ -14,6 +14,11 @@ def create
       authenticate
     end
 
+    def enable_cookies
+      @shop = sanitized_shop_name
+      render_invalid_shop_error unless @shop
+    end
+
     def callback
       if auth_hash
         login_shop
@@ -37,15 +42,47 @@ def destroy
     private
 
     def authenticate
-      if sanitized_shop_name.present?
-        session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
-        fullpage_redirect_to "#{main_app.root_path}auth/shopify"
+      return render_invalid_shop_error unless sanitized_shop_name.present?
+      session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
+
+      if redirect_for_cookie_access?
+        fullpage_redirect_to enable_cookies_path(shop: sanitized_shop_name)
+      elsif authenticate_in_context?
+        authenticate_in_context
       else
-        flash[:error] = I18n.t('invalid_shop_url')
-        redirect_to return_address
+        authenticate_at_top_level
       end
     end
 
+    def render_invalid_shop_error
+      flash[:error] = I18n.t('invalid_shop_url')
+      redirect_to return_address
+    end
+
+    def authenticate_in_context
+      clear_top_level_oauth_cookie
+      redirect_to "#{main_app.root_path}auth/shopify"
+    end
+
+    def authenticate_at_top_level
+      set_top_level_oauth_cookie
+      fullpage_redirect_to login_url(top_level: true)
+    end
+
+    def authenticate_in_context?
+      return true unless ShopifyApp.configuration.embedded_app?
+      return true if params[:top_level]
+      session['shopify.top_level_oauth']
+    end
+
+    def redirect_for_cookie_access?
+      return false unless ShopifyApp.configuration.embedded_app?
+      return false if params[:top_level]
+      return false if session['shopify.cookies_persist']
+
+      true
+    end
+
     def login_shop
       sess = ShopifyAPI::Session.new(shop_name, token)