Module: ShopifyApp::LoginProtection

Extended by:

ActiveSupport::Concern

Includes:

Itp, SanitizedParams

Included in:

CallbackController, SessionsController

Defined in:

lib/shopify_app/controller_concerns/login_protection.rb

Constant Summary

ACCESS_TOKEN_REQUIRED_HEADER =

"X-Shopify-API-Request-Failure-Unauthorized"

Instance Method Summary

• #activate_shopify_session ⇒ Object
• #add_top_level_redirection_headers(url: nil, ignore_response_code: false) ⇒ Object
• #current_shopify_session ⇒ Object
• #jwt_expire_at ⇒ Object
• #login_again_if_different_user_or_shop ⇒ Object
• #signal_access_token_required ⇒ Object

Instance Method Details

#activate_shopify_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 18

def activate_shopify_session
  if current_shopify_session.blank?
    signal_access_token_required
    return redirect_to_login
  end

  unless current_shopify_session.scope.to_a.empty? ||
      current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)

    clear_shopify_session
    return redirect_to_login
  end

  begin
    ShopifyAPI::Context.activate_session(current_shopify_session)
    yield
  ensure
    ShopifyAPI::Context.deactivate_session
  end
end

#add_top_level_redirection_headers(url: nil, ignore_response_code: false) ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 72

def add_top_level_redirection_headers(url: nil, ignore_response_code: false)
  if request.xhr? && (ignore_response_code || response.code.to_i == 401)
    # Make sure the shop is set in the redirection URL
    unless params[:shop]
      params[:shop] = if current_shopify_session
        current_shopify_session.shop
      elsif (matches = request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/))
        jwt_payload = ShopifyAPI::Auth::JwtPayload.new(T.must(matches[1]))
        jwt_payload.shop
      end
    end

    url ||= login_url_with_optional_shop

    response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
    response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
  end
end

#current_shopify_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 39

def current_shopify_session
  @current_shopify_session ||= begin
    cookie_name = ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME
    ShopifyAPI::Utils::SessionUtils.load_current_session(
      auth_header: request.headers["HTTP_AUTHORIZATION"],
      cookies: { cookie_name => cookies.encrypted[cookie_name] },
      is_online: user_session_expected?,
    )
  rescue ShopifyAPI::Errors::CookieNotFoundError
    nil
  rescue ShopifyAPI::Errors::InvalidJwtTokenError
    nil
  end
end

#jwt_expire_at ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 65

def jwt_expire_at
  expire_at = request.env["jwt.expire_at"]
  return unless expire_at

  expire_at - 5.seconds # 5s gap to start fetching new token in advance
end

#login_again_if_different_user_or_shop ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 54

def login_again_if_different_user_or_shop
  return unless session_id_conflicts_with_params || session_shop_conflicts_with_params

  clear_shopify_session
  redirect_to_login
end

#signal_access_token_required ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 61

def signal_access_token_required
  response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
end