redirect to param[:host] after sanitization

app/controllers/shopify_app/callback_controller.rb

@@ -70,26 +70,25 @@ def update_rails_cookie(api_session, cookie)
 
     def redirect_to_app
       if ShopifyAPI::Context.embedded?
-        return_to = "#{sanitized_host}#{session.delete(:return_to)}"
+        return_to = "#{decoded_host}#{session.delete(:return_to)}"
         return_to = ShopifyApp.configuration.root_url if deduced_phishing_attack?
         redirect_to(return_to, allow_other_host: true)
       else
         redirect_to(return_address)
       end
     end
 
+    def decoded_host
+      @decoded_hots ||= ShopifyAPI::Auth.embedded_app_url(params[:host])
+    end
+
+    # host param doesn't match the configured myshopify_domain
     def deduced_phishing_attack?
-      # host param doesn't match the configured myshopify_domain
+      sanitized_host = ShopifyApp::Utils.sanitize_shop_domain(URI(decoded_host).host)
       sanitized_host.nil?
     end
 
     def sanitized_host
-      @sanitized_host ||= begin
-        decoded_host = ShopifyAPI::Auth.embedded_app_url(params[:host])
-        ShopifyApp::Utils.sanitize_shop_domain(decoded_host)
-      end
-    end
-
     def respond_with_error
       flash[:error] = I18n.t("could_not_log_in")
       redirect_to(login_url_with_optional_shop)

test/controllers/callback_controller_test.rb

@@ -256,10 +256,9 @@ class CallbackControllerTest < ActionController::TestCase
     test "#callback redirects to the embedded app url for embedded" do
       mock_oauth
 
-      @controller.stubs(:session).returns({ return_to: "/admin/apps/key" })
       get :callback, params: @callback_params # host is required for App Bridge 2.0
 
-      assert_redirected_to "#{@host}/admin/apps/key"
+      assert_redirected_to "https://#{@host}/admin/apps/key"
     end
 
     test "#callback performs install_webhook job after authentication" do