Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Properly handle 401 errors in XHR requests with LoginProtection #1787

Merged
merged 2 commits into from
Feb 9, 2024
Merged

Properly handle 401 errors in XHR requests with LoginProtection #1787

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5cb6dc0
Use a 401 with headers for login redirect
paulomarg Feb 8, 2024
55b9ea5
Adding tests for new 401 handling
paulomarg Feb 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
Unreleased
----------
* Make type param for webhooks route optional. This will fix a bug with CLI initiated webhooks.[1786](https://github.com/Shopify/shopify_app/pull/1786)
* Fix redirecting to login when we catch a 401 response from Shopify, so that it can also handle cases where the app is already embedded when that happens.[1787](https://github.com/Shopify/shopify_app/pull/1787)

21.10.0 (January 24, 2024)
----------
Expand Down
7 changes: 4 additions & 3 deletions lib/shopify_app/controller_concerns/login_protection.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,10 +147,11 @@ def redirect_to_login
end

def close_session
clear_shopify_session
ShopifyApp::Logger.debug("Closing session")
ShopifyApp::Logger.debug("Redirecting to #{login_url_with_optional_shop}")
redirect_to(login_url_with_optional_shop)
clear_shopify_session

ShopifyApp::Logger.debug("Redirecting to login")
redirect_to_login
end

def handle_http_error(error)
Expand Down
13 changes: 12 additions & 1 deletion test/shopify_app/controller_concerns/login_protection_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -409,11 +409,22 @@ class LoginProtectionControllerTest < ActionController::TestCase
cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = "cookie"

get :raise_unauthorized, params: { shop: "foobar" }
assert_redirected_to "/login?shop=foobar.myshopify.com"
assert_redirected_to(
"/login?return_to=%2Fraise_unauthorized%3Fshop%3Dfoobar.myshopify.com&shop=foobar.myshopify.com",
)
assert_nil cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME]
end
end

test "#activate_shopify_session when rescuing from unauthorized access, breaks out of iframe in XHR requests" do
with_application_test_routes do
get :raise_unauthorized, params: { shop: "foobar" }, xhr: true
assert_equal 401, response.status
assert_match "1", response.headers["X-Shopify-API-Request-Failure-Reauthorize"]
assert_match "/login?shop=foobar", response.headers["X-Shopify-API-Request-Failure-Reauthorize-Url"]
end
end

test "#activate_shopify_session when rescuing from non 401 errors, does not close session" do
with_application_test_routes do
cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = "cookie"
Expand Down
Loading