Skip CSRF protection if a valid session token is present

app/controllers/concerns/shopify_app/authenticated.rb

@@ -7,6 +7,7 @@ module Authenticated
     included do
       include ShopifyApp::Localization
       include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
       include ShopifyApp::EmbeddedApp
       before_action :login_again_if_different_user_or_shop
       around_action :activate_shopify_session

lib/shopify_app.rb

@@ -27,6 +27,7 @@ def self.use_webpacker?
   require 'shopify_app/utils'
 
   # controller concerns
+  require 'shopify_app/controller_concerns/csrf_protection'
   require 'shopify_app/controller_concerns/localization'
   require 'shopify_app/controller_concerns/itp'
   require 'shopify_app/controller_concerns/login_protection'

lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module CsrfProtection
+    extend ActiveSupport::Concern
+
+    MissingIncludeError = Class.new(StandardError)
+
+    included do
+      unless ancestors.include?(ShopifyApp::LoginProtection)
+        raise(MissingIncludeError, 'You must include ShopifyApp::LoginProtection before including this module.')
+      end
+
+      protect_from_forgery with: :exception, unless: :valid_session_token?
+    end
+
+    private
+
+    def valid_session_token?
+      jwt_shopify_domain.present?
+    end
+  end
+end

test/controllers/concerns/authenticated_test.rb

@@ -13,6 +13,7 @@ def index
   test "includes all the needed concerns" do
     AuthenticatedTestController.include?(ShopifyApp::Localization)
     AuthenticatedTestController.include?(ShopifyApp::LoginProtection)
+    AuthenticatedTestController.include?(ShopifyApp::CsrfProtection)
     AuthenticatedTestController.include?(ShopifyApp::EmbeddedApp)
   end
 end

test/shopify_app/controller_concerns/csrf_protection_test.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+class CsrfProtectionController < ActionController::Base
+  include ShopifyApp::LoginProtection
+  include ShopifyApp::CsrfProtection
+
+  def authenticity_token
+  render(json: { authenticity_token: form_authenticity_token })
+  end
+
+  def csrf_test
+    head(:ok)
+  end
+end
+
+class CsrfProtectionTest < ActionDispatch::IntegrationTest
+  setup do
+    @authenticity_protection = ActionController::Base.allow_forgery_protection
+    ActionController::Base.allow_forgery_protection = true
+    Rails.application.routes.draw do
+      get '/authenticity_token', to: 'csrf_protection#authenticity_token'
+      post '/csrf_protection_test', to: 'csrf_protection#csrf_test'
+    end
+  end
+
+  teardown do
+    ActionController::Base.allow_forgery_protection = @authenticity_protection
+    Rails.application.reload_routes!
+  end
+
+  test 'it raises an error if module is included without including ShopifyApp::LoginProtection first' do
+    error = assert_raises ShopifyApp::CsrfProtection::MissingIncludeError do
+      class Test
+        include ShopifyApp::CsrfProtection
+      end
+    end
+
+    assert_equal 'You must include ShopifyApp::LoginProtection before including this module.', error.message
+  end
+
+  test 'it raises an invalid authenticity token error if a valid session token or csrf token is not provided' do
+    assert_raises ActionController::InvalidAuthenticityToken do
+      post '/csrf_protection_test'
+    end
+  end
+
+  test 'it does not raise if a valid CSRF token was provided' do
+    get '/authenticity_token'
+
+    csrf_token = JSON.parse(response.body)['authenticity_token']
+
+    post '/csrf_protection_test', headers: { 'X-CSRF-Token': csrf_token }
+
+    assert_response :ok
+  end
+
+  test 'it does not raise if a valid session token was provided' do
+    post '/csrf_protection_test', env: { 'jwt.shopify_domain': "exampleshop.myshopify.com" }
+
+    assert_response :ok
+  end
+end