Module: ShopifyApp::LoginProtection

Extended by:

ActiveSupport::Concern

Includes:

Itp

Included in:

CallbackController, SessionsController

Defined in:

lib/shopify_app/controller_concerns/login_protection.rb

Defined Under Namespace

Classes: ShopifyDomainNotFound, ShopifyHostNotFound

Constant Summary

ACCESS_TOKEN_REQUIRED_HEADER =

'X-Shopify-API-Request-Failure-Unauthorized'

Instance Method Summary

• #activate_shopify_session ⇒ Object
• #current_shopify_session ⇒ Object
• #login_again_if_different_user_or_shop ⇒ Object
• #shop_session ⇒ Object
• #shop_session_by_cookie ⇒ Object
• #shop_session_by_jwt ⇒ Object
• #signal_access_token_required ⇒ Object
• #user_session ⇒ Object
• #user_session_by_cookie ⇒ Object
• #user_session_by_jwt ⇒ Object

Instance Method Details

#activate_shopify_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 21

def activate_shopify_session
  if user_session_expected? && user_session.blank?
    signal_access_token_required
    return redirect_to_login
  end

  return redirect_to_login if current_shopify_session.blank?

  clear_top_level_oauth_cookie

  begin
    ShopifyAPI::Base.activate_session(current_shopify_session)
    yield
  ensure
    ShopifyAPI::Base.clear_session
  end
end

#current_shopify_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 39

def current_shopify_session
  @current_shopify_session ||= begin
    user_session || shop_session
  end
end

#login_again_if_different_user_or_shop ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 77

def login_again_if_different_user_or_shop
  if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
    clear_session = session[:user_session] != params[:session] # current user is different from stored user
  end

  if current_shopify_session &&
    params[:shop] && params[:shop].is_a?(String) &&
    (current_shopify_session.domain != params[:shop])
    clear_session = true
  end

  if clear_session
    clear_shopify_session
    redirect_to_login
  end
end

#shop_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 61

def shop_session
  shop_session_by_jwt || shop_session_by_cookie
end

#shop_session_by_cookie ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 71

def shop_session_by_cookie
  return unless ShopifyApp.configuration.allow_cookie_authentication
  return unless session[:shop_id].present?
  ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
end

#shop_session_by_jwt ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 65

def shop_session_by_jwt
  return unless ShopifyApp.configuration.allow_jwt_authentication
  return unless jwt_shopify_domain
  ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
end

#signal_access_token_required ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 94

def signal_access_token_required
  response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
end

#user_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 45

def user_session
  user_session_by_jwt || user_session_by_cookie
end

#user_session_by_cookie ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 55

def user_session_by_cookie
  return unless ShopifyApp.configuration.allow_cookie_authentication
  return unless session[:user_id].present?
  ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
end

#user_session_by_jwt ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 49

def user_session_by_jwt
  return unless ShopifyApp.configuration.allow_jwt_authentication
  return unless jwt_shopify_user_id
  ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
end