From 24c7ae0ef2882a892382a7694e5fb0ed248f89dd Mon Sep 17 00:00:00 2001
From: Nelson Wittwer
Date: Mon, 14 Nov 2022 15:38:17 -0500
Subject: [PATCH 1/6] allow current_shopify_domain to be nil in LoginProtection

---
 .../controller_concerns/login_protection.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/shopify_app/controller_concerns/login_protection.rb b/lib/shopify_app/controller_concerns/login_protection.rb
index 980cce04c..e229bdec6 100644
--- a/lib/shopify_app/controller_concerns/login_protection.rb
+++ b/lib/shopify_app/controller_concerns/login_protection.rb
@@ -182,6 +182,8 @@ def return_to_param_required?
 
 def fullpage_redirect_to(url)
 if ShopifyApp.configuration.embedded_app?
+ raise ::ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.nil?
+
 render("shopify_app/shared/redirect", layout: false,
 locals: { url: url, current_shopify_domain: current_shopify_domain })
 else
@@ -190,14 +192,12 @@ def fullpage_redirect_to(url)
 end
 
 def current_shopify_domain
- shopify_domain = sanitized_shop_name || current_shopify_session&.shop
-
- return shopify_domain if shopify_domain.present?
-
- raise ::ShopifyApp::ShopifyDomainNotFound
+ sanitized_shop_name || current_shopify_session&.shop
 end
 
 def return_address
+ raise ::ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.nil?
+
 return_address_with_params(shop: current_shopify_domain, host: host)
 rescue ::ShopifyApp::ShopifyDomainNotFound, ::ShopifyApp::ShopifyHostNotFound
 base_return_address

From 3b01e97cc2dc29c22b5c9df059c0d56d7cc6f629 Mon Sep 17 00:00:00 2001
From: Nelson Wittwer
Date: Tue, 15 Nov 2022 09:52:49 -0500
Subject: [PATCH 2/6] better helper to determine if JS requested action

---
 lib/shopify_app/controller_concerns/login_protection.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/shopify_app/controller_concerns/login_protection.rb b/lib/shopify_app/controller_concerns/login_protection.rb
index e229bdec6..568d34443 100644
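Review bot: The new guard in fullpage_redirect_to tests `current_shopify_domain.nil?`, which is weaker than the `present?` check the second hunk removes from current_shopify_domain: an empty-string shop, if sanitized_shop_name or `current_shopify_session&.shop` can ever yield one, now passes the guard and is rendered into the redirect template instead of raising ShopifyDomainNotFound. The same `.nil?` guard appears in return_address in the next hunk and again in the patch 4 rewrite of that method. If the previous semantics are intended, `raise ::ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.blank?` keeps them, and `blank?` is already available since the file relied on `present?`. Whether either source can actually produce an empty string is not visible in this patch. fullpage_redirect_to's body continues outside the hunk.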
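Review bot: current_shopify_domain's contract changes from "String or raise" to "String or nil", but the method carries no doc comment saying so, and callers both in this concern and in apps that include LoginProtection now have to nil-check a value that previously could not be nil. A YARD header such as `# @return [String, nil] the shop domain from the sanitized shop param or the current session; nil when neither is available (callers must handle nil)` would anchor the new contract in the code rather than only in the upgrade notes. Since this is a public method of the concern, the comment is also where the previously raised ShopifyDomainNotFound should be mentioned as no longer raised here.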
--- a/lib/shopify_app/controller_concerns/login_protection.rb
+++ b/lib/shopify_app/controller_concerns/login_protection.rb
@@ -103,7 +103,7 @@ def host
 end
 
 def redirect_to_login
- if request.xhr?
+ if requested_by_javascript?
 add_top_level_redirection_headers(ignore_response_code: true)
 head(:unauthorized)
 else
@@ -242,5 +242,9 @@ def user_session_expected?
 
 online_token_configured?
 end
+
+ def requested_by_javascript?
+ request.xhr? || request.content_type == "application/javascript"
+ end
 end
 end

From 82539a7f4845ebc9d675ac133c1bb767b82c7be1 Mon Sep 17 00:00:00 2001
From: Nelson Wittwer
Date: Tue, 15 Nov 2022 10:17:41 -0500
Subject: [PATCH 3/6] add content-type header to fetch

---
 .../shopify_app/home_controller/templates/index.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/generators/shopify_app/home_controller/templates/index.html.erb b/lib/generators/shopify_app/home_controller/templates/index.html.erb
index 752f63cee..52b9e0523 100644
--- a/lib/generators/shopify_app/home_controller/templates/index.html.erb
+++ b/lib/generators/shopify_app/home_controller/templates/index.html.erb
@@ -24,7 +24,7 @@
 });
 
 var fetchProducts = function() {
- var headers = new Headers({ "Authorization": "Bearer " + window.sessionToken });
+ var headers = new Headers({ "Content-Type": "application/javascript", "Authorization": "Bearer " + window.sessionToken });
 return fetch("/products", { headers })
 .then(response => response.json())
 .then(data => {

From 2006e2b50d3f4a1015d278a332aa7c98a2514853 Mon Sep 17 00:00:00 2001
From: Nelson Wittwer
Date: Tue, 15 Nov 2022 12:53:44 -0500
Subject: [PATCH 4/6] cleaner return_address refactor

---
 lib/shopify_app/controller_concerns/login_protection.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/shopify_app/controller_concerns/login_protection.rb b/lib/shopify_app/controller_concerns/login_protection.rb
index 568d34443..77a3a5b26 100644
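Review bot: `request.content_type == "application/javascript"` in requested_by_javascript? compares against the raw Content-Type header value, so a client that sends a parameter such as `text/javascript; charset=utf-8` will not match and falls through to the redirect branch in redirect_to_login; `request.media_type` returns the media type without parameters and is the value to compare, here and in the patch 5 version of the same method. Content-Type also describes a request body that the generated GET fetch in patch 3 does not have, while `request.xhr?` already honours `X-Requested-With`, which a fetch caller can set without any server-side change. The branch only chooses between two unauthenticated responses (401 with top-level redirection headers versus a redirect), so a client-controlled header steering it has no authorization impact, but it does decide whether an expired embedded session surfaces as 401 or as a 500, which is the bug this series fixes. The enclosing LoginProtection module's closing `end`s are visible in the hunk.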
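Review bot: The added `"Content-Type": "application/javascript"` is attached to a GET fetch with no body, so it describes nothing the request carries; what the call actually wants is a JSON response (`response.json()` on the following line), which an `Accept: application/json` header would state, or the `"X-Requested-With": "XMLHttpRequest"` header that `request.xhr?` on the server already recognises. The value is changed again in the patch 5 hunk for this file (`text/javascript`), so it is the pairing with `requested_by_javascript?` in LoginProtection, not the header's meaning, that keeps the 401 path working. Because that pairing is invisible from the template, a comment on this line such as `// Content-Type is read by LoginProtection#requested_by_javascript? so an expired session answers 401 instead of a redirect` would record why the header exists.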
--- a/lib/shopify_app/controller_concerns/login_protection.rb
+++ b/lib/shopify_app/controller_concerns/login_protection.rb
@@ -196,7 +196,7 @@ def current_shopify_domain
 end
 
 def return_address
- raise ::ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.nil?
+ return base_return_address if current_shopify_domain.nil?
 
 return_address_with_params(shop: current_shopify_domain, host: host)
 rescue ::ShopifyApp::ShopifyDomainNotFound, ::ShopifyApp::ShopifyHostNotFound

From 0da581f150580cfa7b744a65d48f83aa4c411d4f Mon Sep 17 00:00:00 2001
From: Nelson Wittwer
Date: Tue, 15 Nov 2022 13:30:28 -0500
Subject: [PATCH 5/6] use text/javascript per MDN

---
 .../shopify_app/home_controller/templates/index.html.erb | 2 +-
 lib/shopify_app/controller_concerns/login_protection.rb | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/generators/shopify_app/home_controller/templates/index.html.erb b/lib/generators/shopify_app/home_controller/templates/index.html.erb
index 52b9e0523..98a817239 100644
--- a/lib/generators/shopify_app/home_controller/templates/index.html.erb
+++ b/lib/generators/shopify_app/home_controller/templates/index.html.erb
@@ -24,7 +24,7 @@
 });
 
 var fetchProducts = function() {
- var headers = new Headers({ "Content-Type": "application/javascript", "Authorization": "Bearer " + window.sessionToken });
+ var headers = new Headers({ "Content-Type": "text/javascript", "Authorization": "Bearer " + window.sessionToken });
 return fetch("/products", { headers })
 .then(response => response.json())
 .then(data => {
diff --git a/lib/shopify_app/controller_concerns/login_protection.rb b/lib/shopify_app/controller_concerns/login_protection.rb
index 77a3a5b26..f923964ef 100644
--- a/lib/shopify_app/controller_concerns/login_protection.rb
+++ b/lib/shopify_app/controller_concerns/login_protection.rb
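Review bot: current_shopify_domain is evaluated twice in return_address, once in the new guard and once as the `shop:` keyword, and each call re-runs `sanitized_shop_name || current_shopify_session&.shop`; binding it once, `shop = current_shopify_domain`, `return base_return_address if shop.nil?`, `return_address_with_params(shop: shop, host: host)`, makes the guarded value and the value passed on provably the same. Whether current_shopify_session is memoized is not visible here, so the double evaluation is presumably only a cost, not a correctness issue. The `rescue` clause below still lists ShopifyDomainNotFound, which return_address_with_params may raise on its own, so keeping it after this change is reasonable. return_address's body continues past the end of the hunk.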
@@ -244,7 +244,9 @@ def user_session_expected?
 end
 
 def requested_by_javascript?
- request.xhr? || request.content_type == "application/javascript"
+ request.xhr? ||
+ request.content_type == "text/javascript" ||
+ request.content_type == "application/javascript"
 end
 end
 end

From 8f343bfcd8b37d9ce78cbf692f290c16207c905d Mon Sep 17 00:00:00 2001
From: Nelson Wittwer
Date: Tue, 15 Nov 2022 13:44:15 -0500
Subject: [PATCH 6/6] changelog + upgrading docs

---
 CHANGELOG.md | 1 +
 docs/Upgrading.md | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9cb771b2..e823f33e9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@ Unreleased
 ----------
 * Fixes a bug with `EnsureAuthenticatedLinks` causing deep links to not work [#1549](https://github.com/Shopify/shopify_app/pull/1549)
 * Ensure online token is properly used when using `current_shopify_session` [#1566](https://github.com/Shopify/shopify_app/pull/1566)
+* Fixes bug with expired sessions for embedded apps returning a 500 instead of 401 [#1580](https://github.com/Shopify/shopify_app/pull/1580)
 
 21.2.0 (Oct 25, 2022)
 ----------
diff --git a/docs/Upgrading.md b/docs/Upgrading.md
index 87f43cee6..145264fa2 100644
--- a/docs/Upgrading.md
+++ b/docs/Upgrading.md
@@ -6,6 +6,8 @@ This file documents important changes needed to upgrade your app's Shopify App v
 [General Advice](#general-advice)
 
+[Upgrading to `v20.3.0`](#upgrading-to-v2030)
+
 [Upgrading to `v20.2.0`](#upgrading-to-v2020)
 
 [Upgrading to `v20.1.0`](#upgrading-to-v2010)
 
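Review bot: The growing `||` chain of string comparisons in requested_by_javascript? reads better as a membership test against a frozen constant, e.g. `JAVASCRIPT_MEDIA_TYPES = %w[text/javascript application/javascript].freeze` at module level and `request.xhr? || JAVASCRIPT_MEDIA_TYPES.include?(request.media_type)`, which also makes adding a type a one-token change. Using `request.media_type` rather than `request.content_type` avoids a mismatch when a client appends a charset parameter to the header, as already noted on the patch 2 hunk. The method also has no comment explaining that it drives the 401-versus-redirect decision in redirect_to_login; a one-liner such as `# True when the caller cannot follow a redirect (XHR or a JS fetch); redirect_to_login answers 401 instead.` would help the next reader.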
@@ -34,6 +36,9 @@ We also recommend the use of a staging site which matches your production enviro
 If you do run into issues, we recommend looking at our [debugging tips.](https://github.com/Shopify/shopify_app/blob/main/docs/Troubleshooting.md#debugging-tips)
 
+## Upgrading to `v20.3.0`
+Calling `LoginProtection#current_shopify_domain` will no longer raise an error if there is no active session. It will now return a nil value. The internal behavior of raising an error on OAuth redirect is still in place, however. If you were calling `current_shopify_domain` in authenticated actions and expecting an error if nil, you'll need to do a presence check and raise that error within your app.
+
 ## Upgrading to `v20.2.0`
 All custom errors defined inline within the `ShopifyApp` gem have been moved to `lib/shopify_app/errors.rb`.