shopify_app 22.0.1 → 22.2.0

data/docs/shopify_app/sessions.md

@@ -3,12 +3,11 @@
 Sessions are used to make contextual API calls for either a shop (offline session) or a user (online session). This gem has ownership of session persistence.
 
 #### Table of contents
-
 - [Sessions](#sessions)
       - [Table of contents](#table-of-contents)
   - [Sessions](#sessions-1)
-      - [Types of session tokens](#types-of-session-tokens)
-      - [Session token storage](#session-token-storage)
+      - [Types of access tokens (sessions)](#types-of-access-tokens-sessions)
+      - [Access token storage (session)](#access-token-storage-session)
         - [Shop (offline) token storage](#shop-offline-token-storage)
         - [User (online) token storage](#user-online-token-storage)
         - [In-memory Session Storage for testing](#in-memory-session-storage-for-testing)
@@ -20,6 +19,7 @@ Sessions are used to make contextual API calls for either a shop (offline sessio
         - [**Shop Sessions - `EnsureInstalled`**](#shop-sessions---ensureinstalled)
         - [User Sessions - `EnsureHasSession`](#user-sessions---ensurehassession)
       - [Getting sessions from a Shop or User model record - 'with\_shopify\_session'](#getting-sessions-from-a-shop-or-user-model-record---with_shopify_session)
+      - [Re-fetching an access token when API returns Unauthorized](#re-fetching-an-access-token-when-api-returns-unauthorized)
   - [Access scopes](#access-scopes)
     - [`ShopifyApp::ShopSessionStorageWithScopes`](#shopifyappshopsessionstoragewithscopes)
     - [`ShopifyApp::UserSessionStorageWithScopes`](#shopifyappusersessionstoragewithscopes)
@@ -27,18 +27,16 @@ Sessions are used to make contextual API calls for either a shop (offline sessio
   - [Migrating from `ShopifyApi::Auth::SessionStorage` to `ShopifyApp::SessionStorage`](#migrating-from-shopifyapiauthsessionstorage-to-shopifyappsessionstorage)
 
 ## Sessions
-#### Types of session tokens
-- **Shop** ([offline access](https://shopify.dev/docs/apps/auth/oauth/access-modes#offline-access))
+#### Types of access tokens (sessions)
+- **Shop** ([offline access](https://shopify.dev/docs/apps/auth/access-token-types/offline))
   - Access token is linked to the store
   - Meant for long-term access to a store, where no user interaction is involved
   - Ideal for background jobs or maintenance work
-- **User** ([online access](https://shopify.dev/docs/apps/auth/oauth/access-modes#online-access))
+- **User** ([online access](https://shopify.dev/docs/apps/auth/access-token-types/online))
   - Access token is linked to an individual user on a store
   - Meant to be used when a user is interacting with your app through the web
 
-⚠️  [Read more about Online vs. Offline access here](https://shopify.dev/apps/auth/oauth/access-modes).
-
-#### Session token storage
+#### Access token storage (session)
 ##### Shop (offline) token storage
 ⚠️ All apps must have a shop session storage, if you started from the [Ruby App Template](https://github.com/Shopify/shopify-app-template-ruby), it's already configured to have a Shop model by default.
 
@@ -50,7 +48,7 @@ If you don't already have a repository to store the access tokens:
 rails generate shopify_app:shop_model
 ```
 
-2. Configure `config/initializers/shopify_app.rb` to enable shop session token persistance:
+2. Configure `config/initializers/shopify_app.rb` to enable shop access token persistance:
 
 ```ruby
 config.shop_session_repository = 'Shop'
@@ -66,7 +64,7 @@ If your app has user interactions and would like to control permission based on
 rails generate shopify_app:user_model
 ```
 
-2. Configure `config/initializers/shopify_app.rb` to enable user session token persistance:
+2. Configure `config/initializers/shopify_app.rb` to enable user access token persistance:
 
 ```ruby
 config.user_session_repository = 'User'
@@ -74,6 +72,8 @@ config.user_session_repository = 'User'
 
 The current Shopify user will be stored in the rails session at `session[:shopify_user]`
 
+You should also enable the [check for session expiry](#expiry-date) so that a new access token can be fetched before being used for an API operation.
+
 ##### In-memory Session Storage for testing
 The `ShopifyApp` gem includes methods for in-memory storage for both shop and user sessions. In-memory storage is intended to be used in a testing environment, please use a persistent storage for your application.
 - [InMemoryShopSessionStore](https://github.com/Shopify/shopify_app/blob/main/lib/shopify_app/session/in_memory_shop_session_store.rb)
@@ -152,7 +152,7 @@ class MyController < ApplicationController
 
     client = ShopifyAPI::Clients::Graphql::Admin.new(session: current_session)
     client.query(
-    #...
+      # ...
     )
   end
 end
@@ -171,7 +171,7 @@ class MyController < ApplicationController
 
     client = ShopifyAPI::Clients::Graphql::Admin.new(session: current_session)
     client.query(
-    #...
+      # ...
     )
   end
 end
@@ -203,6 +203,100 @@ user.with_shopify_session do
 end
 ```
 
+#### Re-fetching an access token when API returns Unauthorized
+
+When using `ShopifyApp::EnsureHasSession` and the `new_embedded_auth_strategy` configuration, any **unhandled** Unauthorized `ShopifyAPI::Errors::HttpResponseError` will cause the app to perform token exchange to fetch a new access token from Shopify and the action to be executed again. This will update and store the new access token to the current session instance.
+
+```ruby
+class MyController < ApplicationController
+  include ShopifyApp::EnsureHasSession
+
+  def index
+    client = ShopifyAPI::Clients::Graphql::Admin.new(session: current_shopify_session)
+
+    # If this call raises an Unauthorized error from Shopify, EnsureHasSession
+    # will execute the action again after performing token exchange.
+    # It will store and use the newly retrieved access token for this and any subsequent calls.
+    client.query(options)
+  end
+end
+```
+
+If the error is being rescued in the action, it's still possible to make use of `with_token_refetch` provided by `EnsureHasSession` so that a new access token is fetched and the code is executed again with it. This will also update the session parameter with the new attributes.
+This block should be used to wrap the code that makes API queries, so your business logic won't be retried.
+
+```ruby
+class MyController < ApplicationController
+  include ShopifyApp::EnsureHasSession
+
+  def index
+    # Your app's business logic
+    with_token_refetch(current_shopify_session, shopify_id_token) do
+      # Unauthorized errors raised within this block will initiate token exchange.
+      # `with_token_refetch` will store the new access token and use it
+      # to execute this block again.
+      # Any subsequent calls using the same session instance will have the new token.
+      client = ShopifyAPI::Clients::Graphql::Admin.new(session: current_shopify_session)
+      client.query(options)
+    end
+    # Your app's business logic continues
+  rescue => error
+    # app's specific error handling
+  end
+end
+```
+
+It's also possible to use `with_token_refetch` on classes other than the controller by including the `ShopifyApp::AdminAPI::WithTokenRefetch` module and passing in the session along with the current request's `shopify_id_token`, which is provided by `ShopifyApp::EnsureHasSession`. This will also update the session parameter with the new attributes.
+
+```ruby
+# my_controller.rb
+class MyController < ApplicationController
+  include ShopifyApp::EnsureHasSession
+
+  def index
+    # shopify_id_token is a method provided by EnsureHasSession
+    MyClass.new.do_things(current_shopify_session, shopify_id_token)
+  end
+end
+
+# my_class.rb
+class MyClass
+  include ShopifyApp::AdminAPI::WithTokenRefetch
+
+  def do_things(session, shopify_id_token)
+    with_token_refetch(session, shopify_id_token) do
+      # Unauthorized errors raised within this block will initiate token exchange.
+      # `with_token_refetch` will store the new access token and use it
+      # to execute this block again.
+      # Any subsequent calls using the same session instance will have the new token.
+      client = ShopifyAPI::Clients::Graphql::Admin.new(session: session)
+      client.query(options)
+    end
+  rescue => error
+    # app's specific error handling
+  end
+end
+```
+
+If the retried block raises an `Unauthorized` error again, `with_token_refetch` will delete the current `session` from the database and raise the error again.
+
+```ruby
+class MyController < ApplicationController
+  include ShopifyApp::EnsureHasSession
+
+  def index
+    client = ShopifyAPI::Clients::Graphql::Admin.new(session: current_shopify_session)
+    with_token_refetch(current_shopify_session, shopify_id_token) do
+      # When this call raises Unauthorized a second time during retry,
+      # the `session` will be deleted from the database and the error raised
+      client.query(options)
+    end
+  rescue => error
+    # The Unauthorized error will reach this rescue
+  end
+end
+```
+
 ## Access scopes
 If you want to customize how access scopes are stored for shops and users, you can implement the `access_scopes` getters and setters in the models that include `ShopifyApp::ShopSessionStorageWithScopes` and `ShopifyApp::UserSessionStorageWithScopes` as shown:
 
@@ -240,6 +334,8 @@ When the configuration flag `check_session_expiry_date` is set to true, the user
 ## Migrating from shop-based to user-based token strategy
 
 1. Run the `user_model` generator as [mentioned above](#user-online-token-storage).
+  - The generator will ask whether you want to migrate the User model to include `access_scopes` and `expires_at` columns. `expires_at` field is useful for detecting when the user session has expired and trigger a re-auth before an operation. It can reduce
+   API failures for invalid access tokens. Configure the [expiry date check](#expiry-date) to complete this feature.
 2. Ensure that both your `Shop` model and `User` model includes the [necessary concerns](#available-activesupportconcerns-that-contains-implementation-of-the-above-methods)
 3. Update the configuration file to use the new session storage.
 
@@ -255,5 +351,5 @@ config.user_session_repository = {YOUR_USER_MODEL_CLASS}
 - Sessions storage are now handled with [ShopifyApp::SessionRepository](https://github.com/Shopify/shopify_app/blob/main/lib/shopify_app/session/session_repository.rb)
 - To migrate and specify your shop or user session storage method:
   1. Remove `session_storage` configuration from `config/initializers/shopify_app.rb`
-  2. Follow ["Session Token Storage" instructions](#session-token-storage) to specify the storage repository for shop and user sessions.
+  2. Follow ["Access Token Storage" instructions](#access-token-storage-session) to specify the storage repository for shop and user sessions.
      - [Customizing session storage](#customizing-session-storage-with-shopifyappsessionrepository)

data/docs/shopify_app/webhooks.md

@@ -18,7 +18,7 @@ ShopifyApp.configure do |config|
 end
 ```
 
-When the [OAuth callback](/docs/shopify_app/authentication.md#oauth-callback) is completed successfully, ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every OAuth callback, it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
+When the [OAuth callback](/docs/shopify_app/authentication.md#oauth-callback) or token exchange is completed successfully, ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every OAuth callback, it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
 
 ShopifyApp also provides a [WebhooksController](/app/controllers/shopify_app/webhooks_controller.rb) that receives webhooks and queues a job based on the received topic. For example, if you register the webhook from above, then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
 

data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt

@@ -4,6 +4,8 @@ ShopifyApp.configure do |config|
   config.scope = "<%= @scope %>" # Consult this page for more scope options:
                                   # https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
   config.embedded_app = <%= embedded_app? %>
+  config.new_embedded_auth_strategy = <%= embedded_app? %>
+
   config.after_authenticate_job = false
   config.api_version = "<%= @api_version %>"
   config.shop_session_repository = 'Shop'

data/lib/shopify_app/admin_api/with_token_refetch.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AdminAPI
+    module WithTokenRefetch
+      def with_token_refetch(session, shopify_id_token)
+        retrying = false if retrying.nil?
+        yield
+      rescue ShopifyAPI::Errors::HttpResponseError => error
+        if error.code != 401
+          ShopifyApp::Logger.debug("Encountered error: #{error.code} - #{error.response.inspect}, re-raising")
+        elsif retrying
+          ShopifyApp::Logger.debug("Shopify API returned a 401 Unauthorized error that was not corrected " \
+            "with token exchange, deleting current session and re-raising")
+          ShopifyApp::SessionRepository.delete_session(session.id)
+        else
+          retrying = true
+          ShopifyApp::Logger.debug("Shopify API returned a 401 Unauthorized error, exchanging token and " \
+            "retrying with new session")
+          new_session = ShopifyApp::Auth::TokenExchange.perform(shopify_id_token)
+          session.copy_attributes_from(new_session)
+          retry
+        end
+        raise
+      end
+    end
+  end
+end

data/lib/shopify_app/auth/post_authenticate_tasks.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module Auth
+    class PostAuthenticateTasks
+      class << self
+        def perform(session)
+          ShopifyApp::Logger.debug("Performing post authenticate tasks")
+          # Ensure we use the shop session to install webhooks
+          session_for_shop = session.online? ? shop_session(session) : session
+
+          install_webhooks(session_for_shop)
+
+          perform_after_authenticate_job(session)
+        end
+
+        private
+
+        def shop_session(session)
+          ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(session.shop)
+        end
+
+        def install_webhooks(session)
+          ShopifyApp::Logger.debug("PostAuthenticateTasks: Installing webhooks")
+          return unless ShopifyApp.configuration.has_webhooks?
+
+          WebhooksManager.queue(session.shop, session.access_token)
+        end
+
+        def perform_after_authenticate_job(session)
+          ShopifyApp::Logger.debug("PostAuthenticateTasks: Performing after_authenticate_job")
+          config = ShopifyApp.configuration.after_authenticate_job
+
+          return unless config && config[:job].present?
+
+          job = config[:job]
+          job = job.constantize if job.is_a?(String)
+
+          if config[:inline] == true
+            job.perform_now(shop_domain: session.shop)
+          else
+            job.perform_later(shop_domain: session.shop)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/auth/token_exchange.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module Auth
+    class TokenExchange
+      attr_reader :id_token
+
+      def self.perform(id_token)
+        new(id_token).perform
+      end
+
+      def initialize(id_token)
+        @id_token = id_token
+      end
+
+      def perform
+        domain = ShopifyAPI::Auth::JwtPayload.new(id_token).shopify_domain
+
+        Logger.info("Performing Token Exchange for [#{domain}] - (Offline)")
+        session = exchange_token(
+          shop: domain,
+          id_token: id_token,
+          requested_token_type: ShopifyAPI::Auth::TokenExchange::RequestedTokenType::OFFLINE_ACCESS_TOKEN,
+        )
+
+        if online_token_configured?
+          Logger.info("Performing Token Exchange for [#{domain}] - (Online)")
+          session = exchange_token(
+            shop: domain,
+            id_token: id_token,
+            requested_token_type: ShopifyAPI::Auth::TokenExchange::RequestedTokenType::ONLINE_ACCESS_TOKEN,
+          )
+        end
+
+        ShopifyApp.configuration.post_authenticate_tasks.perform(session)
+
+        session
+      end
+
+      private
+
+      def exchange_token(shop:, id_token:, requested_token_type:)
+        session = ShopifyAPI::Auth::TokenExchange.exchange_token(
+          shop: shop,
+          session_token: id_token,
+          requested_token_type: requested_token_type,
+        )
+
+        SessionRepository.store_session(session)
+
+        session
+      rescue ShopifyAPI::Errors::InvalidJwtTokenError
+        Logger.error("Invalid id token '#{id_token}' during token exchange")
+        raise
+      rescue ShopifyAPI::Errors::HttpResponseError => error
+        Logger.error(
+          "A #{error.code} error (#{error.class}) occurred during the token exchange. Response: #{error.response.body}",
+        )
+        raise
+      rescue ActiveRecord::RecordNotUnique
+        Logger.debug("Session not stored due to concurrent token exchange calls")
+        session
+      rescue => error
+        Logger.error("An error occurred during the token exchange: [#{error.class}] #{error.message}")
+        raise
+      end
+
+      def online_token_configured?
+        ShopifyApp.configuration.online_token_configured?
+      end
+    end
+  end
+end

data/lib/shopify_app/configuration.rb

@@ -29,6 +29,9 @@ module ShopifyApp
     attr_writer :login_callback_url
     attr_accessor :embedded_redirect_url
 
+    # customize post authenticate tasks
+    attr_accessor :custom_post_authenticate_tasks
+
     # customise ActiveJob queue names
     attr_accessor :scripttags_manager_queue_name
     attr_accessor :webhooks_manager_queue_name
@@ -45,8 +48,8 @@ module ShopifyApp
     # takes a ShopifyApp::BillingConfiguration object
     attr_accessor :billing
 
-    # Work in Progress: enables token exchange authentication flow
-    attr_accessor :wip_new_embedded_auth_strategy
+    # Enables new authorization flow using token exchange
+    attr_accessor :new_embedded_auth_strategy
 
     def initialize
       @root_url = "/"
@@ -54,6 +57,8 @@ module ShopifyApp
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
       @disable_webpacker = ENV["SHOPIFY_APP_DISABLE_WEBPACKER"].present?
+
+      log_callback_controller_method_deprecation
     end
 
     def login_url
@@ -124,7 +129,53 @@ module ShopifyApp
     end
 
     def use_new_embedded_auth_strategy?
-      wip_new_embedded_auth_strategy && embedded_app?
+      new_embedded_auth_strategy && embedded_app?
+    end
+
+    def online_token_configured?
+      !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
+    end
+
+    def post_authenticate_tasks
+      @post_authenticate_tasks || begin
+        if custom_post_authenticate_tasks
+          custom_class = if custom_post_authenticate_tasks.respond_to?(:safe_constantize)
+            custom_post_authenticate_tasks.safe_constantize
+          else
+            custom_post_authenticate_tasks
+          end
+        end
+
+        task_class = custom_class || ShopifyApp::Auth::PostAuthenticateTasks
+
+        [
+          :perform,
+        ].each do |method|
+          raise(
+            ::ShopifyApp::ConfigurationError,
+            "Missing method - '#{method}' for custom_post_authenticate_tasks",
+          ) unless task_class.respond_to?(method)
+        end
+
+        task_class
+      end
+    end
+
+    private
+
+    def log_callback_controller_method_deprecation
+      return unless Rails.env.development?
+
+      # TODO: Remove this before releasing v23.0.0
+      message = <<~EOS
+        ================================================
+        => Upcoming deprecation in v23.0:
+        * 'CallbackController::perform_after_authenticate_job' and related methods 'install_webhooks', 'perform_after_authenticate_job'
+        * will be deprecated from CallbackController in the next major release. If you need to customize
+        * post authentication tasks, see https://github.com/Shopify/shopify_app/blob/main/docs/shopify_app/authentication.md#post-authenticate-tasks
+        ================================================
+      EOS
+      puts message
     end
   end
 

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -9,7 +9,7 @@ module ShopifyApp
     end
 
     def verify_proxy_request
-      return head(:forbidden) unless query_string_valid?(request.query_string)
+      head(:forbidden) unless query_string_valid?(request.query_string)
     end
 
     private

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -5,6 +5,7 @@ module ShopifyApp
     extend ActiveSupport::Concern
 
     include ShopifyApp::FrameAncestors
+    include ShopifyApp::SanitizedParams
 
     included do
       layout :embedded_app_layout
@@ -13,6 +14,22 @@ module ShopifyApp
 
     protected
 
+    def redirect_to_embed_app_in_admin
+      ShopifyApp::Logger.debug("Redirecting to embed app in admin")
+
+      host = if params[:host]
+        params[:host]
+      elsif params[:shop]
+        Base64.encode64("#{sanitized_shop_name}/admin")
+      else
+        return redirect_to(ShopifyApp.configuration.login_url)
+      end
+
+      redirect_path = ShopifyAPI::Auth.embedded_app_url(host)
+      redirect_path = ShopifyApp.configuration.root_url if deduced_phishing_attack?(redirect_path)
+      redirect_to(redirect_path, allow_other_host: true)
+    end
+
     def use_embedded_app_layout?
       ShopifyApp.configuration.embedded_app?
     end
@@ -27,5 +44,15 @@ module ShopifyApp
       response.set_header("P3P", 'CP="Not used"')
       response.headers.except!("X-Frame-Options")
     end
+
+    def deduced_phishing_attack?(decoded_host)
+      sanitized_host = ShopifyApp::Utils.sanitize_shop_domain(decoded_host)
+      if sanitized_host.nil?
+        message = "Host param for redirect to embed app in admin is not from a trusted domain, " \
+          "redirecting to root as this is likely a phishing attack."
+        ShopifyApp::Logger.info(message)
+      end
+      sanitized_host.nil?
+    end
   end
 end

data/lib/shopify_app/controller_concerns/ensure_billing.rb

@@ -27,7 +27,7 @@ module ShopifyApp
 
       unless has_payment
         if request.xhr?
-          add_top_level_redirection_headers(url: confirmation_url, ignore_response_code: true)
+          RedirectForEmbedded.add_app_bridge_redirect_url_header(confirmation_url, response)
           ShopifyApp::Logger.debug("Responding with 401 unauthorized")
           head(:unauthorized)
         elsif ShopifyApp.configuration.embedded_app?
@@ -45,8 +45,16 @@ module ShopifyApp
     end
 
     def handle_billing_error(error)
-      logger.info("#{error.message}: #{error.errors}")
-      redirect_to_login
+      ShopifyApp::Logger.warn("Encountered billing error - #{error.message}: #{error.errors}\n" \
+        "Redirecting to login page")
+
+      login_url = ShopifyApp.configuration.login_url
+      if request.xhr?
+        RedirectForEmbedded.add_app_bridge_redirect_url_header(login_url, response)
+        head(:unauthorized)
+      else
+        fullpage_redirect_to(login_url)
+      end
     end
 
     def has_active_payment?(session)

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -16,6 +16,7 @@ module ShopifyApp
       end
 
       rescue_from ShopifyAPI::Errors::HttpResponseError, with: :handle_http_error
+      include ShopifyApp::WithShopifyIdToken
     end
 
     ACCESS_TOKEN_REQUIRED_HEADER = "X-Shopify-API-Request-Failure-Unauthorized"
@@ -53,7 +54,7 @@ module ShopifyApp
       @current_shopify_session ||= begin
         cookie_name = ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME
         load_current_session(
-          auth_header: request.headers["HTTP_AUTHORIZATION"],
+          shopify_id_token: shopify_id_token,
           cookies: { cookie_name => cookies.encrypted[cookie_name] },
           is_online: online_token_configured?,
         )
@@ -78,13 +79,6 @@ module ShopifyApp
       response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
     end
 
-    def jwt_expire_at
-      expire_at = request.env["jwt.expire_at"]
-      return unless expire_at
-
-      expire_at - 5.seconds # 5s gap to start fetching new token in advance
-    end
-
     def add_top_level_redirection_headers(url: nil, ignore_response_code: false)
       if request.xhr? && (ignore_response_code || response.code.to_i == 401)
         ShopifyApp::Logger.debug("Adding top level redirection headers")
@@ -94,8 +88,8 @@ module ShopifyApp
           params[:shop] = if current_shopify_session
             current_shopify_session.shop
 
-          elsif (matches = request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/))
-            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(T.must(matches[1]))
+          elsif shopify_id_token
+            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(shopify_id_token)
             jwt_payload.shop
           end
         end
@@ -103,21 +97,12 @@ module ShopifyApp
         url ||= login_url_with_optional_shop
 
         ShopifyApp::Logger.debug("Setting Reauthorize-Url to #{url}")
-        response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
-        response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
+        RedirectForEmbedded.add_app_bridge_redirect_url_header(url, response)
       end
     end
 
     protected
 
-    def jwt_shopify_domain
-      request.env["jwt.shopify_domain"]
-    end
-
-    def jwt_shopify_user_id
-      request.env["jwt.shopify_user_id"]
-    end
-
     def host
       params[:host]
     end
@@ -263,7 +248,7 @@ module ShopifyApp
     end
 
     def online_token_configured?
-      !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
+      ShopifyApp.configuration.online_token_configured?
     end
 
     def user_session_expected?
@@ -273,10 +258,10 @@ module ShopifyApp
       online_token_configured?
     end
 
-    def load_current_session(auth_header: nil, cookies: nil, is_online: false)
+    def load_current_session(shopify_id_token: nil, cookies: nil, is_online: false)
       return ShopifyAPI::Context.load_private_session if ShopifyAPI::Context.private?
 
-      session_id = ShopifyAPI::Utils::SessionUtils.current_session_id(auth_header, cookies, is_online)
+      session_id = ShopifyAPI::Utils::SessionUtils.current_session_id(shopify_id_token, cookies, is_online)
       return nil unless session_id
 
       ShopifyApp::SessionRepository.load_session(session_id)

data/lib/shopify_app/controller_concerns/redirect_for_embedded.rb

@@ -4,6 +4,11 @@ module ShopifyApp
   module RedirectForEmbedded
     include ShopifyApp::SanitizedParams
 
+    def self.add_app_bridge_redirect_url_header(url, response)
+      response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
+      response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
+    end
+
     private
 
     def embedded_redirect_url?