Validate store sessions

app/controllers/concerns/shopify_app/ensure_installed.rb

@@ -17,6 +17,7 @@ module EnsureInstalled
 
       before_action :check_shop_domain
       before_action :check_shop_known
+      before_action :validate_emebedded_session_is_active, if: :embedded_param?
     end
 
     def current_shopify_domain
@@ -30,6 +31,10 @@ def current_shopify_domain
       @shopify_domain
     end
 
+    def installed_shop_session
+      @installed_shop_session ||= @shop
+    end
+
     private
 
     def check_shop_domain
@@ -58,5 +63,12 @@ def shop_login
 
       url.to_s
     end
+
+    def validate_emebedded_session_is_active
+      client = ShopifyAPI::Clients::Rest::Admin.new(session: installed_shop_session)
+      client.get(path: "shop")
+    rescue ShopifyAPI::Errors::HttpResponseError
+      redirect_for_embedded
+    end
   end
 end

test/controllers/concerns/ensure_installed_test.rb

@@ -87,4 +87,26 @@ def index
 
     assert_within_deprecation_schedule(version)
   end
+
+  test "redirects to redirect_for_embedded if app is no longer installed according to the API but not the session repository" do
+    session = mock
+    ShopifyApp::SessionRepository.stubs(:retrieve_shop_session_by_shopify_domain).returns(session)
+
+    client = mock
+    ShopifyAPI::Clients::Rest::Admin.expects(:new).with(session: session).returns(client)
+    uninstalled_http_error = ShopifyAPI::Errors::HttpResponseError.new(
+      response: ShopifyAPI::Clients::HttpResponse.new(
+        code: 404,
+        headers: {},
+        body: "Invalid API key or access token (unrecognized login or wrong password)",
+      ),
+    )
+    client.expects(:get).with(path: "shop").raises(uninstalled_http_error)
+
+    embedded_redirect_url = "reverse_card_on_reverse_card.embedded.joke"
+    ShopifyApp.configuration.stubs(:embedded_redirect_url).returns(embedded_redirect_url)
+
+    @controller.expects(:redirect_for_embedded)
+    get :index, params: { shop: "shop1.myshopify.com", embedded: "1" }
+  end
 end