root address instead of 404

Shopify · Dec 8, 2022 · 7680031 · 7680031
1 parent 7a29a78
commit 7680031
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/app/controllers/shopify_app/callback_controller.rb b/app/controllers/shopify_app/callback_controller.rb
@@ -70,10 +70,9 @@ def update_rails_cookie(api_session, cookie)
 
     def redirect_to_app
       if ShopifyAPI::Context.embedded?
-        return_to = session.delete(:return_to) || ""
-        return head(:not_found) if deduced_phishing_attack?
-
-        redirect_to(sanitized_host + return_to, allow_other_host: true)
+        return_to = "#{sanitized_host}#{session.delete(:return_to)}"
+        return_to = ShopifyApp.configuration.root_url if deduced_phishing_attack?
+        redirect_to(return_to, allow_other_host: true)
       else
         redirect_to(return_address)
       end

diff --git a/test/controllers/callback_controller_test.rb b/test/controllers/callback_controller_test.rb
@@ -108,7 +108,7 @@ class CallbackControllerTest < ActionController::TestCase
       })
 
       get :callback, params: hacker_params
-      assert_response 404
+      assert_redirected_to ShopifyApp.configuration.root_url
     end
 
     test "#callback sets the shopify_user_id in the Rails session when session is online" do