Allow for current_shopify_domain to be nil with authenticated requests

CHANGELOG.md

@@ -4,6 +4,7 @@ Unreleased
 * Ensure online token is properly used when using `current_shopify_session` [#1566](https://github.com/Shopify/shopify_app/pull/1566)
 * Emit a deprecation notice for wrongly-rescued exceptions [#1530](https://github.com/Shopify/shopify_app/pull/1530)
 * Log a deprecation warning for the use of incompatible controller concerns [#1560](https://github.com/Shopify/shopify_app/pull/1560)
+* Fixes bug with expired sessions for embedded apps returning a 500 instead of 401 [#1580](https://github.com/Shopify/shopify_app/pull/1580)
 
 21.2.0 (Oct 25, 2022)
 ----------

docs/Upgrading.md

@@ -6,6 +6,8 @@ This file documents important changes needed to upgrade your app's Shopify App v
 
 [General Advice](#general-advice)
 
+[Upgrading to `v20.3.0`](#upgrading-to-v2030)
+
 [Upgrading to `v20.2.0`](#upgrading-to-v2020)
 
 [Upgrading to `v20.1.0`](#upgrading-to-v2010)
@@ -34,6 +36,9 @@ We also recommend the use of a staging site which matches your production enviro
 
 If you do run into issues, we recommend looking at our [debugging tips.](https://github.com/Shopify/shopify_app/blob/main/docs/Troubleshooting.md#debugging-tips)
 
+## Upgrading to `v20.3.0`
+Calling `LoginProtection#current_shopify_domain` will no longer raise an error if there is no active session. It will now return a nil value. The internal behavior of raising an error on OAuth redirect is still in place, however. If you were calling `current_shopify_domain` in authenticated actions and expecting an error if nil, you'll need to do a presence check and raise that error within your app.
+
 ## Upgrading to `v20.2.0`
 
 All custom errors defined inline within the `ShopifyApp` gem have been moved to `lib/shopify_app/errors.rb`.

lib/generators/shopify_app/home_controller/templates/index.html.erb

@@ -24,7 +24,7 @@
           });
 
           var fetchProducts = function() {
-            var headers = new Headers({ "Authorization": "Bearer " + window.sessionToken });
+            var headers = new Headers({ "Content-Type": "text/javascript", "Authorization": "Bearer " + window.sessionToken });
             return fetch("/products", { headers })
               .then(response => response.json())
               .then(data => {

lib/shopify_app/controller_concerns/login_protection.rb

@@ -110,7 +110,7 @@ def host
     end
 
     def redirect_to_login
-      if request.xhr?
+      if requested_by_javascript?
         add_top_level_redirection_headers(ignore_response_code: true)
         head(:unauthorized)
       else
@@ -189,6 +189,8 @@ def return_to_param_required?
 
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
+        raise ::ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.nil?
+
         render("shopify_app/shared/redirect", layout: false,
           locals: { url: url, current_shopify_domain: current_shopify_domain })
       else
@@ -197,14 +199,12 @@ def fullpage_redirect_to(url)
     end
 
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name || current_shopify_session&.shop
-
-      return shopify_domain if shopify_domain.present?
-
-      raise ::ShopifyApp::ShopifyDomainNotFound
+      sanitized_shop_name || current_shopify_session&.shop
     end
 
     def return_address
+      return base_return_address if current_shopify_domain.nil?
+
       return_address_with_params(shop: current_shopify_domain, host: host)
     rescue ::ShopifyApp::ShopifyDomainNotFound, ::ShopifyApp::ShopifyHostNotFound
       base_return_address
@@ -249,5 +249,11 @@ def user_session_expected?
 
       online_token_configured?
     end
+
+    def requested_by_javascript?
+      request.xhr? ||
+        request.content_type == "text/javascript" ||
+        request.content_type == "application/javascript"
+    end
   end
 end