# frozen_string_literal: true

module ShopifyApp
  # Controller concern for apps that render inside the Shopify admin.
  #
  # Including it:
  #   * selects the "embedded_app" layout when the app is configured as embedded,
  #   * strips X-Frame-Options after every action (embedding requires being framed;
  #     framing policy is expected to come from ShopifyApp::FrameAncestors instead — confirm there),
  #   * provides +redirect_to_embed_app_in_admin+ for bouncing a top-level request
  #     back into the admin iframe.
  module EmbeddedApp
    extend ActiveSupport::Concern

    include ShopifyApp::FrameAncestors
    include ShopifyApp::SanitizedParams

    included do
      layout :embedded_app_layout

      # Only touch response headers when running embedded; a standalone app keeps
      # whatever X-Frame-Options the framework sets.
      after_action :set_esdk_headers, if: -> { ShopifyApp.configuration.embedded_app? }
    end

    protected

    # Redirects the browser to this request's path, but loaded inside the Shopify admin.
    #
    # The admin host is taken from the +host+ param (already base64, as the admin
    # sends it) or derived from the +shop+ param; with neither, the user is sent
    # to the configured login URL instead.
    #
    # Both params are attacker-controllable, and the redirect deliberately allows
    # another host, so the assembled URL is vetted by +deduced_phishing_attack?+
    # and replaced with +root_url+ when it does not resolve to a trusted shop domain.
    #
    # @return [void]
    def redirect_to_embed_app_in_admin
      ShopifyApp::Logger.debug("Redirecting to embed app in admin")

      host = params[:host]
      # NOTE(review): Base64.encode64 appends a trailing newline; whether
      # ShopifyAPI::Auth.embedded_app_url tolerates that is not visible here — confirm.
      host ||= Base64.encode64("#{sanitized_shop_name}/admin") if params[:shop]
      return redirect_to(ShopifyApp.configuration.login_url) unless host

      # Carry the original query string across, minus the params that only
      # describe the current (top-level) request.
      admin_path = request.path
      extra_params = request.query_parameters.except(:host, :shop, :id_token)
      admin_path += "?#{extra_params.to_query}" if extra_params.present?

      target = ShopifyAPI::Auth.embedded_app_url(host) + admin_path.to_s
      # Cross-host redirect is intended; the phishing check is the gate.
      target = ShopifyApp.configuration.root_url if deduced_phishing_attack?(target)
      redirect_to(target, allow_other_host: true)
    end

    # Whether the embedded layout should be used (mirrors the app configuration).
    #
    # @return [Boolean]
    def use_embedded_app_layout?
      ShopifyApp.configuration.embedded_app?
    end

    private

    # Layout name for embedded mode, or +nil+ so Rails falls back to its default.
    #
    # @return [String, nil]
    def embedded_app_layout
      use_embedded_app_layout? ? "embedded_app" : nil
    end

    # Removes X-Frame-Options (it would otherwise block the admin iframe) and sets
    # a legacy P3P header. Frame-ancestor restrictions are expected to be applied
    # elsewhere (see ShopifyApp::FrameAncestors) rather than dropped entirely.
    #
    # @return [void]
    def set_esdk_headers
      response.headers.except!("X-Frame-Options")
      response.set_header("P3P", 'CP="Not used"')
    end

    # Returns +true+ when +decoded_host+ does not sanitize to a trusted shop domain,
    # logging at info level so the rejected redirect is visible in detection tooling.
    #
    # Callers currently pass the full assembled redirect URL, so this relies on
    # ShopifyApp::Utils.sanitize_shop_domain rejecting URLs whose domain is not
    # a Shopify admin/shop domain — confirm against that helper.
    #
    # @param decoded_host [String] candidate redirect target
    # @return [Boolean]
    def deduced_phishing_attack?(decoded_host)
      return false unless ShopifyApp::Utils.sanitize_shop_domain(decoded_host).nil?

      ShopifyApp::Logger.info(
        "Host param for redirect to embed app in admin is not from a trusted domain, " \
          "redirecting to root as this is likely a phishing attack.",
      )
      true
    end
  end
end