Keep original path and params when redirecting deep links to embed

Shopify · Jun 23, 2024 · 9884d4c · 9884d4c
1 parent 59c5f1b
commit 9884d4c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/lib/shopify_app/controller_concerns/embedded_app.rb b/lib/shopify_app/controller_concerns/embedded_app.rb
@@ -25,7 +25,11 @@ def redirect_to_embed_app_in_admin
         return redirect_to(ShopifyApp.configuration.login_url)
       end
 
-      redirect_path = ShopifyAPI::Auth.embedded_app_url(host)
+      original_path = request.path
+      original_params = request.query_parameters.except(:host, :shop, :id_token)
+      original_path += "?#{original_params.to_query}" if original_params.present?
+
+      redirect_path = ShopifyAPI::Auth.embedded_app_url(host) + original_path
       redirect_path = ShopifyApp.configuration.root_url if deduced_phishing_attack?(redirect_path)
       redirect_to(redirect_path, allow_other_host: true)
     end

diff --git a/test/controllers/concerns/embedded_app_test.rb b/test/controllers/concerns/embedded_app_test.rb
@@ -75,15 +75,23 @@ def redirect_to_embed
     shop = "my-shop.myshopify.com"
     host = Base64.encode64("#{shop}/admin")
     get :redirect_to_embed, params: { host: host }
-    assert_redirected_to "https://#{shop}/admin/apps/#{ShopifyApp.configuration.api_key}"
+    assert_redirected_to "https://#{shop}/admin/apps/#{ShopifyApp.configuration.api_key}/redirect_to_embed"
   end
 
   test "#redirect_to_embed_app_in_admin redirects to the embed app in the admin when the shop param is present" do
     ShopifyApp.configuration.embedded_app = true
 
     shop = "my-shop.myshopify.com"
     get :redirect_to_embed, params: { shop: shop }
-    assert_redirected_to "https://#{shop}/admin/apps/#{ShopifyApp.configuration.api_key}"
+    assert_redirected_to "https://#{shop}/admin/apps/#{ShopifyApp.configuration.api_key}/redirect_to_embed"
+  end
+
+  test "#redirect_to_embed_app_in_admin keeps original path and params when redirecting to the embed app" do
+    ShopifyApp.configuration.embedded_app = true
+
+    shop = "my-shop.myshopify.com"
+    get :redirect_to_embed, params: { shop: shop, foo: "bar" }
+    assert_redirected_to "https://#{shop}/admin/apps/#{ShopifyApp.configuration.api_key}/redirect_to_embed?foo=bar"
   end
 
   test "Redirect to login URL when host nor shop param is present" do