From 9336b4a07de2d0271a939243332d05cd28fe82d4 Mon Sep 17 00:00:00 2001
From: Nabeel Ahsen
Date: Mon, 7 Dec 2020 14:24:08 -0500
Subject: [PATCH] Create concern to authenticate deep links using Turbolinks
---
.../shopify_app/ensure_authenticated_links.rb | 22 +++++++
.../shopify_app/turbolinks_authenticated.rb | 22 +++++++
.../ensure_authenticated_links_test.rb | 58 +++++++++++++++++++
.../concerns/turbolinks_authenticated_test.rb | 58 +++++++++++++++++++
4 files changed, 160 insertions(+)
create mode 100644 app/controllers/concerns/shopify_app/ensure_authenticated_links.rb
create mode 100644 app/controllers/concerns/shopify_app/turbolinks_authenticated.rb
create mode 100644 test/controllers/concerns/ensure_authenticated_links_test.rb
create mode 100644 test/controllers/concerns/turbolinks_authenticated_test.rb
diff --git a/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb b/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb
new file mode 100644
index 000000000..acddeb537
--- /dev/null
+++ b/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+ module EnsureAuthenticatedLinks
+ extend ActiveSupport::Concern
+
+ included do
+ before_action :redirect_to_splash_page, if: :missing_expected_jwt?
+ end
+
+ private
+
+ def redirect_to_splash_page
+ splash_page_path = root_path(return_to: request.fullpath, shop: current_shopify_domain)
+ redirect_to(splash_page_path)
+ end
+
+ def missing_expected_jwt?
+ jwt_shopify_domain.blank?
+ end
+ end
+end
diff --git a/app/controllers/concerns/shopify_app/turbolinks_authenticated.rb b/app/controllers/concerns/shopify_app/turbolinks_authenticated.rb
new file mode 100644
index 000000000..f44d42ea4
--- /dev/null
+++ b/app/controllers/concerns/shopify_app/turbolinks_authenticated.rb
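Review bot: In `redirect_to_splash_page` (ensure_authenticated_links.rb), `return_to: request.fullpath` is sent out through the browser, so by the time the splash page reads it back it is client-controlled, and nothing in the concern records how it must be handled. The consumer is outside this patch, so this is a documentation request: add a comment above the method such as `# return_to round-trips through the client; the splash page must accept only a same-origin relative path`. The module also depends on `jwt_shopify_domain`, `current_shopify_domain` and `root_path` from the including controller, and `missing_expected_jwt?` only checks that a domain is present, which presumably relies on the token having been verified before the value was set; a short module-level comment should state both. The `TurbolinksAuthenticated` hunk in `turbolinks_authenticated.rb` is identical apart from the module name, so the same applies there, and if one of the two is a leftover from a rename a single concern would keep the guards from drifting apart.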
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+ module TurbolinksAuthenticated
+ extend ActiveSupport::Concern
+
+ included do
+ before_action :redirect_to_splash_page, if: :missing_expected_jwt?
+ end
+
+ private
+
+ def redirect_to_splash_page
+ splash_page_path = root_path(return_to: request.fullpath, shop: current_shopify_domain)
+ redirect_to(splash_page_path)
+ end
+
+ def missing_expected_jwt?
+ jwt_shopify_domain.blank?
+ end
+ end
+end
diff --git a/test/controllers/concerns/ensure_authenticated_links_test.rb b/test/controllers/concerns/ensure_authenticated_links_test.rb
new file mode 100644
index 000000000..f6f6231b2
--- /dev/null
+++ b/test/controllers/concerns/ensure_authenticated_links_test.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class EnsureAuthenticatedLinksTest < ActionController::TestCase
+ class TurbolinksTestController < ActionController::Base
+ include ShopifyApp::EnsureAuthenticatedLinks
+
+ def root
+ render(html: '

Splash Page')
+ end
+
+ def some_link
+ render(html: '

Success')
+ end
+
+ private
+
+ def jwt_shopify_domain
+ request.env['jwt.shopify_domain']
+ end
+
+ def current_shopify_domain
+ 'test-shop.myshopify.com'
+ end
+ end
+
+ tests TurbolinksTestController
+
+ setup do
+ @shop_domain = 'test-shop.myshopify.com'
+
+ Rails.application.routes.draw do
+ root to: 'ensure_authenticated_links_test/turbolinks_test#root'
+ get '/some_link', to: 'ensure_authenticated_links_test/turbolinks_test#some_link'
+ end
+ end
+
+ teardown do
+ Rails.application.reload_routes!
+ end
+
+ test 'redirects to splash page with a return_to and shop param if no session token is present' do
+ get :some_link, params: { shop: @shop_domain }
+
+ expected_path = root_path(return_to: request.fullpath, shop: @shop_domain)
+
+ assert_redirected_to expected_path
+ end
+
+ test 'returns the requested resource if a valid session token exists' do
+ request.env['jwt.shopify_domain'] = @shop_domain
+
+ get :some_link, params: { shop: @shop_domain }
+
+ assert_response :ok
+ end
+end
diff --git a/test/controllers/concerns/turbolinks_authenticated_test.rb b/test/controllers/concerns/turbolinks_authenticated_test.rb
new file mode 100644
index 000000000..b3fa4f5ec
--- /dev/null
+++ b/test/controllers/concerns/turbolinks_authenticated_test.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class TurbolinksAuthenticatedTest < ActionController::TestCase
+ class TurbolinksTestController < ActionController::Base
+ include ShopifyApp::TurbolinksAuthenticated
+
+ def root
+ render(html: '
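Review bot: In ensure_authenticated_links_test.rb, `TurbolinksTestController` defines the splash action `root` in the same controller that includes `ShopifyApp::EnsureAuthenticatedLinks`, so the splash page itself sits behind `redirect_to_splash_page`, and neither test requests it without a token. A case such as `get :root, params: { shop: @shop_domain }` followed by `assert_response :ok` would show whether that arrangement redirects to itself. The stubbed `current_shopify_domain` returns the same constant as `@shop_domain`, so the `shop:` assertion cannot tell where the concern takes the value from, and there is no case where the token's domain differs from the requested shop. `turbolinks_authenticated_test.rb` is the same test under a different class name and has the same gaps.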

Splash Page')
+ end
+
+ def some_link
+ render(html: '

Success')
+ end
+
+ private
+
+ def jwt_shopify_domain
+ request.env['jwt.shopify_domain']
+ end
+
+ def current_shopify_domain
+ 'test-shop.myshopify.com'
+ end
+ end
+
+ tests TurbolinksTestController
+
+ setup do
+ @shop_domain = 'test-shop.myshopify.com'
+
+ Rails.application.routes.draw do
+ root to: 'turbolinks_authenticated_test/turbolinks_test#root'
+ get '/some_link', to: 'turbolinks_authenticated_test/turbolinks_test#some_link'
+ end
+ end
+
+ teardown do
+ Rails.application.reload_routes!
+ end
+
+ test 'redirects to splash page with a return_to and shop param if no session token is present' do
+ get :some_link, params: { shop: @shop_domain }
+
+ expected_path = root_path(return_to: request.fullpath, shop: @shop_domain)
+
+ assert_redirected_to expected_path
+ end
+
+ test 'returns the requested resource if a valid session token exists' do
+ request.env['jwt.shopify_domain'] = @shop_domain
+
+ get :some_link, params: { shop: @shop_domain }
+
+ assert_response :ok
+ end
+end