Module: ShopifyApp::LoginProtection

Extended by:

ActiveSupport::Concern

Includes:

Itp

Included in:

CallbackController, SessionsController

Defined in:

lib/shopify_app/controller_concerns/login_protection.rb

Defined Under Namespace

Classes: ShopifyDomainNotFound

Constant Summary

ACCESS_TOKEN_REQUIRED_HEADER =

'X-Shopify-API-Request-Failure-Unauthorized'

Instance Method Summary

• #activate_shopify_session ⇒ Object
• #current_shopify_session ⇒ Object
• #login_again_if_different_user_or_shop ⇒ Object
• #shop_session ⇒ Object
• #shop_session_by_cookie ⇒ Object
• #shop_session_by_jwt ⇒ Object
• #signal_access_token_required ⇒ Object
• #user_session ⇒ Object
• #user_session_by_cookie ⇒ Object
• #user_session_by_jwt ⇒ Object

Instance Method Details

#activate_shopify_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 19

def activate_shopify_session
  if user_session_expected? && user_session.blank?
    Rails.logger.debug("[ShopifyApp::LoginProtection] User session required. Redirecting to login...")
    signal_access_token_required
    return redirect_to_login
  end

  if current_shopify_session.blank?
    Rails.logger.debug("[ShopifyApp::LoginProtection] Current shopify session is blank. Redirecting to login...")
    return redirect_to_login
  end

  clear_top_level_oauth_cookie

  begin
    Rails.logger.debug("[ShopifyApp::LoginProtection] Activating session...")
    ShopifyAPI::Base.activate_session(current_shopify_session)
    yield
  ensure
    Rails.logger.debug("[ShopifyApp::LoginProtection] Clearing session...")
    ShopifyAPI::Base.clear_session
  end
end

#current_shopify_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 43

def current_shopify_session
  @current_shopify_session ||= begin
    user_session || shop_session
  end
end

#login_again_if_different_user_or_shop ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 79

def login_again_if_different_user_or_shop
  if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
    Rails.logger.debug("[ShopifyApp::LoginProtection] Session data was sent/stored correctly.")
    clear_session = session[:user_session] != params[:session] # current user is different from stored user
    if clear_session
      Rails.logger.debug("[ShopifyApp::LoginProtection] Current user is different from stored user.")
    end
    clear_session
  end

  if current_shopify_session &&
    params[:shop] && params[:shop].is_a?(String) &&
    (current_shopify_session.domain != params[:shop])
    clear_session = true
  end

  if clear_session
    Rails.logger.debug("[ShopifyApp::LoginProtection] Clearing shopify session and redirecting to login...")
    clear_shopify_session
    redirect_to_login
  end
end

#shop_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 64

def shop_session
  shop_session_by_jwt || shop_session_by_cookie
end

#shop_session_by_cookie ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 74

def shop_session_by_cookie
  return unless session[:shop_id].present?
  ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
end

#shop_session_by_jwt ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 68

def shop_session_by_jwt
  return unless ShopifyApp.configuration.allow_jwt_authentication
  return unless jwt_shopify_domain
  ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
end

#signal_access_token_required ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 102

def signal_access_token_required
  response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, true)
end

#user_session ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 49

def user_session
  user_session_by_jwt || user_session_by_cookie
end

#user_session_by_cookie ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 59

def user_session_by_cookie
  return unless session[:user_id].present?
  ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
end

#user_session_by_jwt ⇒ Object

# File 'lib/shopify_app/controller_concerns/login_protection.rb', line 53

def user_session_by_jwt
  return unless ShopifyApp.configuration.allow_jwt_authentication
  return unless jwt_shopify_user_id
  ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
end