ruby_shopify_app 1.3.1 → 1.3.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/ruby_shopify_app/controller_concerns/login_protection.rb +28 -15
- data/lib/ruby_shopify_app/version.rb +1 -1
- metadata +1 -1
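--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cc9eee8b1899a69aa9a93c647372ba6355f5631ab6abf0b4e96a050d91d3f3a6
+data.tar.gz: e997285d216f48ba365ee9e7eb91add73e38c7a831356842f6d4053e0787ff70
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: fb7655a30f1b2b66d496deb06be8ad7ea473de55ed0968afd036385666cdb51c3578abda2045ecce5fd8d387d7d4c3b15fe61b2207b4595cc65ed8490e3d5848
+data.tar.gz: 0501dc206c10c78f02f1406d846837f8587fb61b830e209ff0d1caccccec7e053fd1615e5e8fbb259cac6e5d992c103e894203be390a1d07e09f0e7677e36961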
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require
|
3
|
+
require "browser_sniffer"
|
4
4
|
|
5
5
|
module ShopifyApp
|
6
6
|
module LoginProtection
|
@@ -16,7 +16,7 @@ module ShopifyApp
|
|
16
16
|
rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
|
17
17
|
end
|
18
18
|
|
19
|
-
ACCESS_TOKEN_REQUIRED_HEADER =
|
19
|
+
ACCESS_TOKEN_REQUIRED_HEADER = "X-Shopify-API-Request-Failure-Unauthorized"
|
20
20
|
|
21
21
|
def activate_shopify_session
|
22
22
|
if user_session_expected? && user_session.blank?
|
@@ -37,9 +37,7 @@ module ShopifyApp
|
|
37
37
|
end
|
38
38
|
|
39
39
|
def current_shopify_session
|
40
|
-
@current_shopify_session ||=
|
41
|
-
user_session || shop_session
|
42
|
-
end
|
40
|
+
@current_shopify_session ||= user_session || shop_session
|
43
41
|
end
|
44
42
|
|
45
43
|
def user_session
|
@@ -49,12 +47,14 @@ module ShopifyApp
|
|
49
47
|
def user_session_by_jwt
|
50
48
|
return unless ShopifyApp.configuration.allow_jwt_authentication
|
51
49
|
return unless jwt_shopify_user_id
|
50
|
+
|
52
51
|
ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
|
53
52
|
end
|
54
53
|
|
55
54
|
def user_session_by_cookie
|
56
55
|
return unless ShopifyApp.configuration.allow_cookie_authentication
|
57
56
|
return unless session[:user_id].present?
|
57
|
+
|
58
58
|
ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
|
59
59
|
end
|
60
60
|
|
@@ -65,12 +65,14 @@ module ShopifyApp
|
|
65
65
|
def shop_session_by_jwt
|
66
66
|
return unless ShopifyApp.configuration.allow_jwt_authentication
|
67
67
|
return unless jwt_shopify_domain
|
68
|
+
|
68
69
|
ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
|
69
70
|
end
|
70
71
|
|
71
72
|
def shop_session_by_cookie
|
72
73
|
return unless ShopifyApp.configuration.allow_cookie_authentication
|
73
74
|
return unless session[:shop_id].present?
|
75
|
+
|
74
76
|
ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
|
75
77
|
end
|
76
78
|
|
@@ -80,8 +82,8 @@ module ShopifyApp
|
|
80
82
|
end
|
81
83
|
|
82
84
|
if current_shopify_session &&
|
83
|
-
|
84
|
-
|
85
|
+
params[:shop] && params[:shop].is_a?(String) &&
|
86
|
+
(current_shopify_session.domain != params[:shop])
|
85
87
|
clear_session = true
|
86
88
|
end
|
87
89
|
|
@@ -96,19 +98,20 @@ module ShopifyApp
|
|
96
98
|
end
|
97
99
|
|
98
100
|
def jwt_expire_at
|
99
|
-
expire_at = request.env[
|
101
|
+
expire_at = request.env["jwt.expire_at"]
|
100
102
|
return unless expire_at
|
103
|
+
|
101
104
|
expire_at - 5.seconds # 5s gap to start fetching new token in advance
|
102
105
|
end
|
103
106
|
|
104
107
|
protected
|
105
108
|
|
106
109
|
def jwt_shopify_domain
|
107
|
-
request.env[
|
110
|
+
request.env["jwt.shopify_domain"]
|
108
111
|
end
|
109
112
|
|
110
113
|
def jwt_shopify_user_id
|
111
|
-
request.env[
|
114
|
+
request.env["jwt.shopify_user_id"]
|
112
115
|
end
|
113
116
|
|
114
117
|
def host
|
@@ -116,7 +119,7 @@ module ShopifyApp
|
|
116
119
|
end
|
117
120
|
|
118
121
|
def redirect_to_login
|
119
|
-
if
|
122
|
+
if requested_by_javascript?
|
120
123
|
head(:unauthorized)
|
121
124
|
else
|
122
125
|
if request.get?
|
@@ -179,14 +182,17 @@ module ShopifyApp
|
|
179
182
|
end
|
180
183
|
|
181
184
|
def return_to_param_required?
|
182
|
-
native_params =
|
183
|
-
request.path !=
|
185
|
+
native_params = [:shop, :hmac, :timestamp, :locale, :protocol, :return_to]
|
186
|
+
request.path != "/" || sanitized_params.except(*native_params).any?
|
184
187
|
end
|
185
188
|
|
186
189
|
def fullpage_redirect_to(url)
|
187
190
|
if ShopifyApp.configuration.embedded_app?
|
188
|
-
render(
|
189
|
-
|
191
|
+
render(
|
192
|
+
"shopify_app/shared/redirect",
|
193
|
+
layout: false,
|
194
|
+
locals: { url: url, current_shopify_domain: current_shopify_domain },
|
195
|
+
)
|
190
196
|
else
|
191
197
|
redirect_to(url)
|
192
198
|
end
|
@@ -219,6 +225,7 @@ module ShopifyApp
|
|
219
225
|
|
220
226
|
def sanitize_shop_param(params)
|
221
227
|
return unless params[:shop].present?
|
228
|
+
|
222
229
|
ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
|
223
230
|
end
|
224
231
|
|
@@ -255,5 +262,11 @@ module ShopifyApp
|
|
255
262
|
def user_session_expected?
|
256
263
|
!ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
|
257
264
|
end
|
265
|
+
|
266
|
+
def requested_by_javascript?
|
267
|
+
request.xhr? ||
|
268
|
+
request.media_type == "text/javascript" ||
|
269
|
+
request.media_type == "application/javascript"
|
270
|
+
end
|
258
271
|
end
|
259
272
|
end
|
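Review bot: The new `is_a?(String)` guard in the session-clearing condition compares the raw `params[:shop]` against `current_shopify_session.domain`, whereas the rest of this module routes the shop parameter through `sanitize_shop_param` before using it. If the stored domain is normalized (as the helper's name suggests, though its implementation is not visible here), a request carrying an equivalent but un-normalized value would needlessly clear the session, so I would compare against the sanitized value instead: `params[:shop].is_a?(String) &&` / `(current_shopify_session.domain != sanitize_shop_param(params))`, which also drops the redundant `params[:shop] &&` since `is_a?(String)` already excludes nil. The type check itself is a worthwhile addition, since Rails parameters can arrive as a Hash or Array rather than a String. The enclosing method begins before this hunk, and this file section is labelled `data/CHANGELOG.md` although its contents correspond to the `login_protection.rb` entry in the diffstat.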