-
Notifications
You must be signed in to change notification settings - Fork 683
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow for current_shopify_domain
to be nil with authenticated requests
#1580
Conversation
end | ||
|
||
def return_address | ||
raise ::ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.nil? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It feels a bit odd to raise this then immediately rescue it, maybe we could use a guard?
return base_return_address if current_shopify_domain.nil?
Hey guys, I'm working on upgrading shopify_app for our app and running into the similar issue. More context here https://github.com/Shopify/script-editor/pull/3145#issuecomment-1319053421 . After some debugging, I realized that the error comes from frame_ancestors.rb content_security_policy do |policy|
policy.frame_ancestors(-> do
domain_host = current_shopify_domain || "*.#{::ShopifyApp.configuration.myshopify_domain}"
"#{ShopifyAPI::Context.host_scheme}://#{domain_host} https://admin.shopify.com"
end) that By searching in the shopify_app repo, I noticed this PR happens to be the right fix. FYI, I pulled the PR and tested. It works as expected. Thank you for the fix 👍 |
…sts (Shopify#1580) * allow current_shopify_domain to be nil in LoginProtection * better helper to determine if JS requested action * add content-type header to fetch * cleaner return_address refactor * use text/javascript per MDN * changelog + upgrading docs
What this PR does
There is a bug with expired tokens that causes our CSP header to throw an error because
current_shopify_domain
isn't able to be retrieved because there is no current active session (it's expired).Because
LoginProtection#current_shopify_domain
previously has been throwing and error when the domain couldn't be found from the session, this was throwing and exception before it could return a401 - unauthorized
response.LoginProtection#current_shopify_domain
This changes a few things that I'll want to make sure are acceptable design changes:
current_shopify_domain
is allowed to be nil withinLoginProtection
current_shopify_domain
is required for302 - redirect
s inLoginProtection
we will move responsibility for raising and error to those redirect calls.Fetch requests don't evaluate to true with the
requirest.hr?
helperThe other problem preventing us from returning
401 - unauthorized
was that we were doing a full page redirect when the current session wasn't found. Our generatedhome/index.html.erb
used the fetch API andLoginProtection
was only looking forxhr
requests to handle JS requests 🤦 .requseted_by_javascript?
conditional to better determine API requests vs browser requests. MDN indicates the official MIME type is text/javascript though we'll support the legacy application/javascript as well.home_controller/index.html.erb
to add the correct content type header to act as a better example.Reviewer's guide to testing
Content-Type: "text/javascript"
header to/fetch
request inhome_controller/index.html.erb
401
instead of500
with bad tokens.Things to focus on
Is changing the raise behavior in
current_shopify_domain
acceptable? Or is this too big of a breaking change? If so, we can rescue inFrameAncestors
and use our wildcard fallback domain.Checklist
Before submitting the PR, please consider if any of the following are needed:
CHANGELOG.md
if the changes would impact usersREADME.md
, if appropriate./docs
, if necessary