diff --git a/app/controllers/shopify_app/callback_controller.rb b/app/controllers/shopify_app/callback_controller.rb
index f171ebeef..9a6a9cdf5 100644
--- a/app/controllers/shopify_app/callback_controller.rb
+++ b/app/controllers/shopify_app/callback_controller.rb
@@ -70,7 +70,7 @@ def update_rails_cookie(api_session, cookie)
 
     def redirect_to_app
       if ShopifyAPI::Context.embedded?
-        return_to = "#{sanitized_host}#{session.delete(:return_to)}"
+        return_to = "#{decoded_host}#{session.delete(:return_to)}"
         return_to = ShopifyApp.configuration.root_url if deduced_phishing_attack?
         redirect_to(return_to, allow_other_host: true)
       else
@@ -78,18 +78,17 @@ def redirect_to_app
       end
     end
 
+    def decoded_host
+      @decoded_hots ||= ShopifyAPI::Auth.embedded_app_url(params[:host])
+    end
+
+    # host param doesn't match the configured myshopify_domain
     def deduced_phishing_attack?
-      # host param doesn't match the configured myshopify_domain
+      sanitized_host = ShopifyApp::Utils.sanitize_shop_domain(URI(decoded_host).host)
       sanitized_host.nil?
     end
 
     def sanitized_host
-      @sanitized_host ||= begin
-        decoded_host = ShopifyAPI::Auth.embedded_app_url(params[:host])
-        ShopifyApp::Utils.sanitize_shop_domain(decoded_host)
-      end
-    end
-
     def respond_with_error
       flash[:error] = I18n.t("could_not_log_in")
       redirect_to(login_url_with_optional_shop)
diff --git a/test/controllers/callback_controller_test.rb b/test/controllers/callback_controller_test.rb
index cf2ac032a..b782d7439 100644
--- a/test/controllers/callback_controller_test.rb
+++ b/test/controllers/callback_controller_test.rb
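Review bot: In the second hunk (`@@ -78,18 +78,17 @@`) the line `def sanitized_host` is kept as context while its body and both closing `end`s are removed, so on the new side it is a bare method header followed directly by `def respond_with_error`, which the counts in the hunk header confirm and which would leave the controller unparseable; either delete that line as well, or restore the helper as `@sanitized_host ||= ShopifyApp::Utils.sanitize_shop_domain(URI(decoded_host).host)` and have `deduced_phishing_attack?` call it instead of the local of the same name. In `decoded_host` the instance variable is spelled `@decoded_hots`; it memoizes consistently, but `@decoded_host` is presumably what was intended. `deduced_phishing_attack?` now passes the result of `embedded_app_url` through `URI(...)`, which raises `URI::InvalidURIError` rather than yielding a nil host when the value does not parse, so a malformed `host` request parameter would presumably surface as an exception before the `root_url` fallback in `redirect_to_app` is reached — worth confirming what `embedded_app_url` returns for a missing or undecodable `params[:host]` and rescuing accordingly. The class enclosing these methods begins and ends outside the hunk.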
@@ -256,10 +256,9 @@ class CallbackControllerTest < ActionController::TestCase test "#callback redirects to the embedded app url for embedded" do mock_oauth - @controller.stubs(:session).returns({ return_to: "/admin/apps/key" }) get :callback, params: @callback_params # host is required for App Bridge 2.0 - assert_redirected_to "#{@host}/admin/apps/key" + assert_redirected_to "https://#{@host}/admin/apps/key" end test "#callback performs install_webhook job after authentication" do
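Review bot: The hunk removes the only visible line that placed `return_to: "/admin/apps/key"` in the session, yet the updated expectation still ends in `/admin/apps/key`, so unless `mock_oauth` or the test setup (both outside the hunk) seed that value, the assertion no longer demonstrates that `session.delete(:return_to)` is what builds the redirect path; if the stub was removed because `@controller.stubs(:session)` interferes with the new flow, a comment saying where the path now comes from would help the next reader. The hunk also exercises only the happy path: nothing here sends a `host` parameter whose decoded host `sanitize_shop_domain` rejects, so the `deduced_phishing_attack?` branch that rewrites the redirect to `ShopifyApp.configuration.root_url` remains untested, and a companion test using a constructed mismatching `host` value with `assert_redirected_to ShopifyApp.configuration.root_url` would pin that safeguard. The enclosing `CallbackControllerTest` class starts and ends outside the hunk.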