From 62f3f80dc3aedcb9b950f0ed8b496de79b89af83 Mon Sep 17 00:00:00 2001 From: Kirill Platonov Date: Thu, 4 Jul 2024 12:40:52 +0200 Subject: [PATCH] Improve embedded requests detection with Sec-Fetch-Dest header --- CHANGELOG.md | 1 + lib/shopify_app/controller_concerns/token_exchange.rb | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8079c99b4..b657fae36 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ Unreleased - Remove old translation keys for `enable_cookies_*`, `top_level_interaction_*` and `request_storage_access_*` [#1865](https://github.com/Shopify/shopify_app/pull/1865) - Add invalid id token handling for `current_shopify_domain` method [#1868](https://github.com/Shopify/shopify_app/pull/1868) - Keep original path and params when redirecting deep links to embed [#1869](https://github.com/Shopify/shopify_app/pull/1869) +- Improve embedded requests detection with `Sec-Fetch-Dest` header [#1873](https://github.com/Shopify/shopify_app/pull/1873) 22.2.1 (May 6,2024) ---------- diff --git a/lib/shopify_app/controller_concerns/token_exchange.rb b/lib/shopify_app/controller_concerns/token_exchange.rb index e3321c535..8959a09b1 100644 --- a/lib/shopify_app/controller_concerns/token_exchange.rb +++ b/lib/shopify_app/controller_concerns/token_exchange.rb @@ -64,10 +64,10 @@ def respond_to_invalid_shopify_id_token(error) return if performed? if request.headers["HTTP_AUTHORIZATION"].blank? - if missing_embedded_param? - redirect_to_embed_app_in_admin - else + if embedded? redirect_to_bounce_page + else + redirect_to_embed_app_in_admin end else ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response") @@ -94,8 +94,8 @@ def redirect_to_bounce_page ) end - def missing_embedded_param? - !params[:embedded].present? || params[:embedded] != "1" + def embedded? + params[:embedded] == "1" || request.env["HTTP_SEC_FETCH_DEST"] == "iframe" end def online_token_configured?
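Review bot: In the `respond_to_invalid_shopify_id_token` hunk the inverted branch (`embedded?` goes to the bounce page, everything else to the admin) is the whole behavioural change, yet the diffstat lists only CHANGELOG.md and token_exchange.rb, so the new header-only path has no spec: a request with no `embedded` param but `Sec-Fetch-Dest: iframe` should now land on the bounce page, and one with neither signal should still be redirected to the embedded app in the admin. Suggest adding a controller spec for both cases, plus the unchanged `HTTP_AUTHORIZATION` present case, so the `else` branch that logs "Responding to invalid Shopify ID token with unauthorized response" is exercised alongside them.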
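Review bot: In the `embedded?` hunk, `request.env["HTTP_SEC_FETCH_DEST"] == "iframe"` only tells you the document was fetched for some iframe, not that the embedding page is the Shopify Admin, and browsers without Fetch Metadata support send no `Sec-Fetch-Dest` header at all, which is why the `params[:embedded] == "1"` fallback has to stay; a short comment above the method stating both limits would save the next reader from treating the header as proof of the embedding origin (it is browser-set and cannot be written by page script, so it is a usable hint, not an authorization signal, and the ID token check above remains the actual gate). For consistency with `request.headers["HTTP_AUTHORIZATION"]` earlier in the same file, reading it as `request.headers["Sec-Fetch-Dest"]` rather than via `request.env` would also be clearer.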