
Handle invalid token when adding redirection headers #1945


Merged (1 commit), Mar 26, 2025

Conversation


@randyabson randyabson commented Mar 5, 2025

What this PR does

Currently, while decoding a token while redirecting to login, it's possible for errors to occur. Example error: Signature has expired.

This PR rescues token decoding errors and handles them gracefully. The login url will not include the shop param in this scenario.

Exception:

gems/shopify_api-14.8.0/lib/shopify_api/auth/jwt_payload.rb:87:in `rescue in decode_token': Error decoding session token: Signature has expired (ShopifyAPI::Errors::InvalidJwtTokenError)
    from gems/shopify_api-14.8.0/lib/shopify_api/auth/jwt_payload.rb:84:in `decode_token'
    from gems/shopify_api-14.8.0/lib/shopify_api/auth/jwt_payload.rb:23:in `initialize'
    from gems/shopify_app-22.5.1/lib/shopify_app/controller_concerns/login_protection.rb:92:in `new'
    from gems/shopify_app-22.5.1/lib/shopify_app/controller_concerns/login_protection.rb:92:in `add_top_level_redirection_headers'
    from gems/shopify_app-22.5.1/lib/shopify_app/controller_concerns/login_protection.rb:112:in `redirect_to_login'

Reviewer's guide to testing

The test covers this scenario by simulating an error decoding the session token; in this case the error is "Not enough or too many segments", but it covers any error while decoding tokens.

Things to focus on

I'm unfamiliar with this repo so please ensure the way that the exception is handled won't cause issues in the redirect.

Checklist

Before submitting the PR, please consider if any of the following are needed:

  • Update CHANGELOG.md if the changes would impact users
  • Update README.md, if appropriate.
  • Update any relevant pages in /docs, if necessary
  • For security fixes, the Disclosure Policy must be followed.
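To make the failure mode and the fix concrete, here is an added Ruby example that models the behaviour the PR describes; it is not code from shopify_app or shopify_api. The decoder, the error class, `login_url_for`, the use of a "dest" claim as the shop source, and the secret and tokens are all constructed assumptions for illustration, not the gems' API.

```ruby
require "openssl"
require "base64"
require "json"
require "uri"

# Stand-in for the gem's InvalidJwtTokenError (constructed for this example).
class InvalidJwtTokenError < StandardError; end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify an HS256 session token and return its claims. Every failure path
# (segment count, signature, expiry, bad base64/JSON) raises the same class.
def decode_session_token(token, secret, now: Time.now.to_i)
  segments = token.to_s.split(".")
  raise InvalidJwtTokenError, "Not enough or too many segments" unless segments.length == 3
  header_b64, payload_b64, sig_b64 = segments
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  raise InvalidJwtTokenError, "Unsupported alg" unless header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
  unless secure_compare(expected, Base64.urlsafe_decode64(sig_b64))
    raise InvalidJwtTokenError, "Signature verification failed"
  end
  payload = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  raise InvalidJwtTokenError, "Signature has expired" if payload["exp"].to_i <= now
  payload
rescue JSON::ParserError, ArgumentError, TypeError => e
  raise InvalidJwtTokenError, "Error decoding session token: #{e.message}"
end

# Build the login URL: a valid token contributes the shop (assumed to come from
# the "dest" claim); any decode error still redirects, just without the shop param.
def login_url_for(token, secret, base: "https://example.com/login", now: Time.now.to_i)
  payload = decode_session_token(token, secret, now: now)
  shop = payload["dest"].to_s.sub(%r{\Ahttps://}, "")
  "#{base}?#{URI.encode_www_form(shop: shop)}"
rescue InvalidJwtTokenError
  base
end

# Mint a token so the example runs offline (constructed helper, not the gem's).
def encode_session_token(payload, secret)
  enc = ->(s) { Base64.urlsafe_encode64(s, padding: false) }
  head = enc.call(JSON.generate(alg: "HS256", typ: "JWT"))
  body = enc.call(JSON.generate(payload))
  "#{head}.#{body}.#{enc.call(OpenSSL::HMAC.digest("SHA256", secret, "#{head}.#{body}"))}"
end
```

Without the rescue in `login_url_for`, an expired or malformed token would raise out of the redirect path exactly as in the backtrace above; with it, the user still reaches the login page and re-authenticates.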

@randyabson randyabson force-pushed the randy/handle-invalid-token branch from 2fd002d to b79036c Compare March 6, 2025 15:22
@randyabson randyabson force-pushed the randy/handle-invalid-token branch from b4a06b4 to a31fe87 Compare March 21, 2025 13:46
@randyabson randyabson marked this pull request as ready for review March 21, 2025 13:47
@randyabson randyabson requested a review from a team as a code owner March 21, 2025 13:47
@randyabson randyabson requested review from ltribolet and andru-h March 21, 2025 13:48
@andru-h andru-h left a comment

LGTM with my limited context on the gem

@lizkenyon lizkenyon (Contributor) left a comment

I believe this looks good!

I am just going to flag this with the App Access team for a quick once over.

Could you please add a note in the CHANGELOG.md

@lizkenyon lizkenyon requested a review from zzooeeyy March 25, 2025 20:30
@zzooeeyy zzooeeyy (Contributor) left a comment

Thanks! The changes make sense to me, I just had a few questions about the test setup.

@lizkenyon lizkenyon (Contributor) left a comment

Approving so you can merge, once Zoey's questions are answered.

@randyabson randyabson force-pushed the randy/handle-invalid-token branch from b670160 to d81cc9b Compare March 26, 2025 15:54
@randyabson randyabson force-pushed the randy/handle-invalid-token branch from d81cc9b to 8c3e282 Compare March 26, 2025 15:55
@randyabson randyabson merged commit 6c8cec1 into main Mar 26, 2025
7 checks passed
@randyabson randyabson deleted the randy/handle-invalid-token branch March 26, 2025 15:59