root address instead of 404

Shopify · Dec 8, 2022 · a19ac26 · a19ac26
1 parent 7a29a78
commit a19ac26
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 6 deletions.
diff --git a/app/controllers/shopify_app/callback_controller.rb b/app/controllers/shopify_app/callback_controller.rb
@@ -70,10 +70,9 @@ def update_rails_cookie(api_session, cookie)
 
     def redirect_to_app
       if ShopifyAPI::Context.embedded?
-        return_to = session.delete(:return_to) || ""
-        return head(:not_found) if deduced_phishing_attack?
-
-        redirect_to(sanitized_host + return_to, allow_other_host: true)
+        return_to = "#{sanitized_host}#{session.delete(:return_to)}"
+        return_to = ShopifyApp.configuration.root_url if deduced_phishing_attack?
+        redirect_to(return_to, allow_other_host: true)
       else
         redirect_to(return_address)
       end

diff --git a/test/controllers/callback_controller_test.rb b/test/controllers/callback_controller_test.rb
@@ -96,7 +96,7 @@ class CallbackControllerTest < ActionController::TestCase
       get :callback, params: @callback_params
     end
 
-    test "#callback returns not found if the host in the param doesn't match configuration indicating a potential phishing attack" do
+    test "#callback returns to root if the host in the param doesn't match configuration indicating a potential phishing attack" do
       host = "hackerman-evil-site.com/hide-yo-wife-hide-yo-kids"
       encoded_host = Base64.strict_encode64(host + "/admin")
       hacker_params = @callback_params.dup
@@ -108,7 +108,7 @@ class CallbackControllerTest < ActionController::TestCase
       })
 
       get :callback, params: hacker_params
-      assert_response 404
+      assert_redirected_to ShopifyApp.configuration.root_url
     end
 
     test "#callback sets the shopify_user_id in the Rails session when session is online" do